rbl in exim.conf - not rejecting dnsbl.njabl.org

SupermanInNY (Verified User, joined Sep 28, 2004, 425 messages)
Hi All,

It is SPAM Season and all the spammers are doing their job properly.

Now it is time for the RBL lists to work too.

I don't think I need to have an add-on plugin for basic RBL enablement.

This is a fairly new server (only a month up, so it is current since September 12th, 2006), which has the spamblocker exim file.

I have a soft link from use_rbl_domains -> domains so all my domains are 'covered' under this and they are all happy to get rid of the spam.

However, spam still finds its way through, even though exim.conf should (always use that word when you basically have no clue what is going on) be configured to "block" the listed IPs.

OBVIOUSLY, I'm missing a configuration that actually does the rejection, so I'm looking for some assistance with this configuration.

This is almost vanilla configuration, yet, as noted, I'm still getting through this even though I see (or believe) the block is enabled.

Specifically I just got an email from: 60.191.227.122

which is listed in the njabl database as a spamming IP.

http://dnsbl.njabl.org/cgi-bin/lookup.cgi?query=60.191.227.122

So, I'm confused about how it made it through the current configuration.

My only thought is that the check is not doing a check against blackholes.njabl.org . Do I need to add this or is this supposed to be implicit in the


# deny using njabl
deny message = Email blocked by NJABL - to unblock see http://www.mydomain.com/spamlistschecker.html
     hosts = !+relay_hosts
     domains = +use_rbl_domains
     !authenticated = *
     dnslists = dnsbl.njabl.org


Do I need to add another block like this with just a different dnslist? Like this:



# deny using njabl
deny message = Email blocked by NJABL - to unblock see http://www.mydomain.com/spamlistschecker.html
     hosts = !+relay_hosts
     domains = +use_rbl_domains
     !authenticated = *
     dnslists = blackholes.njabl.org


Thanks for any input.

-Alon.
Here is something that would be of interest:


Proposed Solution:


http://dnsbl.njabl.org/use.html



Though dnsbl.njabl.org still contains lots of dialup/dynamic listings, no more are being added. All dialup/dynamic additions are being put into the dynablock.njabl.org zone, also available as part of combined.njabl.org.


So, Jeff, if you are reading this, it would be a good thing to update the exim.conf file to reflect this change.

I'm now changing it to the combined.njabl.org on my server, hopefully this will 'seal' the spam I'm being bombarded with in the past month.

-Alon.
 
Any possibility that you share/post out your exim.conf file? Thanks!
 
pluk said:
Any possibility that you share/post out your exim.conf file? Thanks!

hahaha, I was just doing this :)

There is another post titled:

Dovcot + Exim + SpamAssassin exim.conf

Look for the file there.

It is not perfect for 100% rejects, but it certainly helps me reduce it dramatically. Other filters can be added.

There are dozens of RBL lists, but most of them are privately maintained, and could be blacklisting on the owner's whim.

Hope this helps.

-Alon.
 
Hmmm... I don't use Dovecot (no idea what that is) so can the exim.conf still be used by replacing the current one? I'm not an expert in Linux so I'll need your tip on this issue. Thanks!
 
Dovecot is a Maildir format mail server.
If you installed DA as a vanilla install, you get vm-pop3 which is using mbox method.

What the hell does that all mean??
Ok.. the 'mbox' method takes all your incoming emails and just uses a single file that gets appended at the bottom as more new emails come in. This could end up being a huge file (suppose someone sends you attachments).
Maildir on the other hand is set such that each email msg is stored in a separate file. This is the preferred way to keep your server running with no strain as no need to work on large size files.

NOW, will the exim file with the Dovecot patch work on your regular vm-pop3? I don't know. But, you don't need to care for this portion. Just look for the section where you see text that has xbl-rbl and spamcop and spamhaus etc and just copy paste it into your existing exim.conf file. The filter portion doesn't care which mail format you use.

Don't forget to do:
service exim restart



HTH

-Alon.
 
Just looked over your conf file and didn't see the change. Also sbl-xbl.spamhaus.org is soon going to be deprecated, you can now use zen.spamhaus.org which is a combination of sbl, xbl and pbl...
 
Dark_Wizard said:
Just looked over your conf file and didn't see the change. Also sbl-xbl.spamhaus.org is soon going to be deprecated, you can now use zen.spamhaus.org which is a combination of sbl, xbl and pbl...

I'm no expert on Exim, but the changes that I made include:

1. Dovecot patched
2. Spamassassin patched (and you will notice it differs from the original SpamAssassin that was originally REMed out).
3. Added the sbl-xbl as it wasn't there at all. It might get kicked out as a whole per your suggestion, but it wasn't there to begin with.
4. Corrected the dnsbl.njabl.org to combined.njabl.org as the older database is no longer updated. blackhole.njabl.org may be added later if it is another database that needs to be added.
Small subtle changes like these decreased over 80% of my spam. The remaining 20% are still showing from blackhole.njabl.org and from other databases like Blars (which is not to be used as it is not publicly maintained, but rather is declared to be available to be blocking at the owner's whim).

But the 4 changes I've made so far have dramatically affected my spam activity.
I'll probably enhance it a bit more, with your suggested database as well as creating a separate page for each blocking database so it will become more apparent on which database a spammer got nailed (if anyone checks to see why they got blocked).
Perhaps I'll even include a direct link with the IP so the user can open the browser and immediately click and see the blocking from the database service.

Again, just my $0.02.

-Alon.
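The thread's question (why an IP listed in one NJABL zone still got through) and the later wish to see which list a sender was caught by both come down to how exim's `dnslists` condition works: for each configured zone it looks up the sender's reversed octets under that zone, and any A record means "listed". The script below is an added example, not part of the thread and not DirectAdmin's exim.conf; it simulates that evaluation offline. The DNS table in it is constructed (the page's IP 60.191.227.122 is shown listed in blackholes.njabl.org and combined.njabl.org but not in dnsbl.njabl.org, purely to model the thread's situation); the zone names are taken from the thread as it stands, and the NJABL zones have since been shut down (2013), so they are historical names here.

```python
"""Added example (not from the thread or from DirectAdmin's exim.conf).

Mimics how exim's `dnslists` ACL condition evaluates a sending IP: for each
zone, look up <reversed octets>.<zone> and treat any A record as a listing.
A constructed DNS table stands in for live DNS so this runs offline;
`live_resolve` is the real-DNS variant you would use on a mail server."""
import socket
from typing import Callable, Dict, List

# Constructed stand-in for DNS answers (NOT real DNSBL data). It models the
# thread's situation: the IP is listed in blackholes.njabl.org and
# combined.njabl.org, but the zone exim.conf queried, dnsbl.njabl.org,
# returns NXDOMAIN, so the deny statement never fires.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "122.227.191.60.blackholes.njabl.org": ["127.0.0.9"],
    "122.227.191.60.combined.njabl.org": ["127.0.0.9"],
}

Resolver = Callable[[str], List[str]]


def stub_resolve(name: str) -> List[str]:
    """Offline resolver: A records from the constructed table, [] for NXDOMAIN."""
    return CONSTRUCTED_DNS.get(name, [])


def live_resolve(name: str) -> List[str]:
    """Real DNS lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client queries for an IPv4 address: octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def parse_dnslists(line: str) -> List[str]:
    """Zones from an exim `dnslists = zone1 : zone2` line (':' is exim's list
    separator). Per-zone return-code filters such as zone=127.0.0.2 are not
    handled in this example."""
    _, _, value = line.partition("=")
    return [z.strip() for z in value.split(":") if z.strip()]


def dnsbl_hits(ip: str, zones: List[str], resolve: Resolver = stub_resolve) -> Dict[str, List[str]]:
    """Map each zone that lists `ip` to the A records it returned."""
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if answers:  # exim's default: any A record means 'listed'
            hits[zone] = answers
    return hits


def acl_verdict(ip: str, dnslists_line: str, resolve: Resolver = stub_resolve) -> str:
    """'deny' if any configured zone lists the IP, else 'accept' (the next ACL statement runs)."""
    return "deny" if dnsbl_hits(ip, parse_dnslists(dnslists_line), resolve) else "accept"


if __name__ == "__main__":
    ip = "60.191.227.122"  # the IP from the thread; its listings above are constructed
    for cfg in ("dnslists = dnsbl.njabl.org",
                "dnslists = combined.njabl.org : zen.spamhaus.org"):
        print(f"{cfg!r:55} -> {acl_verdict(ip, cfg)}  hits={dnsbl_hits(ip, parse_dnslists(cfg))}")
```

In exim itself the equivalent of checking several zones is one statement with a colon-separated list, for example `dnslists = combined.njabl.org : zen.spamhaus.org`, rather than a copy of the deny block per zone. To make the rejection message say which list matched (the "separate page per database" idea above), exim sets the expansion variables `$dnslist_domain` and `$dnslist_value` when a `dnslists` condition succeeds, so they can be used in the `message =` text. Run the script with `live_resolve` in place of `stub_resolve` to check a real sender against the zones your exim.conf actually names; an empty result from the zone you configured, with a listing in another, is exactly the symptom the thread describes.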
 
SupermanInNY said:
I'm no expert on Exim, but the changes that I made include:

1. Dovecot patched
2. Spamassassin patched (and you will notice it differs from the original SpamAssassin that was originally REMed out).
3. Added the sbl-xbl as it wasn't there at all. It might get kicked out as a whole per your suggestion, but it wasn't there to begin with.
4. Corrected the dnsbl.njabl.org to combined.njabl.org as the older database is no longer updated. blackhole.njabl.org may be added later if it is another database that needs to be added.
Small subtle changes like these decreased over 80% of my spam. The remaining 20% are still showing from blackhole.njabl.org and from other databases like Blars (which is not to be used as it is not publicly maintained, but rather is declared to be available to be blocking at the owner's whim).

But the 4 changes I've made so far have dramatically affected my spam activity.
I'll probably enhance it a bit more, with your suggested database as well as creating a separate page for each blocking database so it will become more apparent on which database a spammer got nailed (if anyone checks to see why they got blocked).
Perhaps I'll even include a direct link with the IP so the user can open the browser and immediately click and see the blocking from the database service.

Again, just my $0.02.

-Alon.

Thx for the clarification, I did finally see your change. For further info about zen check here -> http://www.spamhaus.org/zen and as for the spamassassin changes do you mind if I ask how you came up with them?
 
Dark_Wizard said:
Thx for the clarification, I did finally see your change. For further info about zen check here -> http://www.spamhaus.org/zen and as for the spamassassin changes do you mind if I ask how you came up with them?

I didn't.. :)) I mentioned it previously... those changes were emailed to me by John of DA.

What are the changes doing?

Without those changes, if a user sets the setting of SpamAssassin to:

"Send the spam to the appropriate user's spam folder." (the 3rd option) you would think it would do just that.
Well.. it did. BUT.. and here is the kicker:

suppose a spammer emails to your domain, say to [email protected]

Obviously you don't have an email called [email protected].

The code.. without the change did the following:

Created a mail user called blahblah (check your /home/user/imap/yourdomain.com/<here>

And you will notice that FOR EACH fictitious email.. a whole set of folders was created.

And since you enabled the "Send the spam to the appropriate user's spam folder.", after it created that mail folder, it would evaluate the email msg itself.. and placed it inside the spam folder of this bogus mail account.
So,. instead of you removing the spam.. you are actually collecting it!!

BUT (again???!).. you don't see it unless you visit the file system. It doesn't show in the DA GUI.

So I complained about this to John, and he replied back with the SpamAssassin code fix.

I mentioned that I got the fix from John of DA. I'm not taking any credit for this. I am only taking the credit for finding the combined.njabl.org change, and that is really such a minor change, but it made a big difference.
I'm thinking this could possibly be maintained more actively every several months or so.
 
SupermanInNY said:
So, Jeff, if you are reading this, it would be a good thing to update the exim.conf file to reflect this change.
I'm working on a new exim.conf file as we read.

It will include the code to block spoofing of free email services, and also clamd for anti-virus. And a few tweaks to the blocklists.

As quickly as possible. It's running now in my testbed.

Jeff