[RELEASE] SpamBlocker Version 2 released

Probably not in the correct thread or forum (this could also be in the email forum), but I have a problem with SpamBlocker, though it still functions normally...

For the past 48h I have been receiving tons of spam attempts on our server, which get blocked by SpamBlocker (normal up to there, it works):

Here is a log of the last 50 lines:
2006-04-20 13:33:38 H=(komfa.nl) [61.138.176.144] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:33:56 H=h-67-101-255-17.nycmny83.dynamic.covad.net (patrikpfaff.de) [67.101.255.17] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:33:56 H=h-67-101-255-17.nycmny83.dynamic.covad.net (patrikpfaff.de) [67.101.255.17] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:33:56 H=h-67-101-255-17.nycmny83.dynamic.covad.net (patrikpfaff.de) [67.101.255.17] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:33:56 H=h-67-101-255-17.nycmny83.dynamic.covad.net (patrikpfaff.de) [67.101.255.17] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:33:56 H=h-67-101-255-17.nycmny83.dynamic.covad.net (patrikpfaff.de) [67.101.255.17] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:33:56 H=h-67-101-255-17.nycmny83.dynamic.covad.net (patrikpfaff.de) [67.101.255.17] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:33:56 H=h-67-101-255-17.nycmny83.dynamic.covad.net (patrikpfaff.de) [67.101.255.17] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:00 H=66-215-164-69.dhcp.rvsd.ca.charter.com (kdk-dornscheidt.de) [66.215.164.69] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:03 H=(manni-manier.de) [221.234.34.11] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:06 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (aktionkofferpacken.de) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:34:39 H=p4242-ipbf07koufu.yamanashi.ocn.ne.jp (kloter-attorneys.ch) [125.172.23.242] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:35:09 H=m230.net81-66-82.noos.fr (petsdiscount.de) [81.66.82.230] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:35:09 H=m230.net81-66-82.noos.fr (petsdiscount.de) [81.66.82.230] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:35:09 H=m230.net81-66-82.noos.fr (petsdiscount.de) [81.66.82.230] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:35:09 H=m230.net81-66-82.noos.fr (petsdiscount.de) [81.66.82.230] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:35:09 H=m230.net81-66-82.noos.fr (petsdiscount.de) [81.66.82.230] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-04-20 13:35:09 H=m230.net81-66-82.noos.fr (petsdiscount.de) [81.66.82.230] F=<[email protected]> rejected RCPT <[email protected]>: authentication required


As you can see, there are tons of queries like this (just for this week, and it's not finished, my reject log files went up from 4 Mo to 10 Mo).

I'm wondering to what extent this may affect the server's response and performance?
 
There is not too much you can do about those, they are trying to find an open relay. Your smtp server is doing the right thing and rejecting them, because they don't have the right username and password to send email.
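
One way to quantify the rejections discussed above, as an added example that is not part of the original thread: a Python parser for reject-log lines in the layout shown in the first post, which totals "authentication required" rejections per source IP and notes sources that change their HELO name. The sample lines are constructed (documentation IP ranges, example domains), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Reject-log line layout, as in the post above:
#   DATE TIME H=[rdns ][(helo) ][ip] F=<sender> rejected RCPT <rcpt>: reason
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:(?P<rdns>[^(\s]\S*) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\] "
    r"F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.+)$"
)

def summarize(lines, reason="authentication required"):
    """Group rejections with the given reason by source IP.

    Returns (stats, skipped): stats maps ip -> count, HELO names, first/last
    timestamp; skipped counts non-empty lines that did not qualify.
    """
    stats = defaultdict(lambda: {"count": 0, "helos": set(), "first": None, "last": None})
    skipped = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or m["reason"] != reason:
            skipped += 1
            continue
        s = stats[m["ip"]]
        s["count"] += 1
        if m["helo"]:
            s["helos"].add(m["helo"].lower())
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return dict(stats), skipped

def noisy_sources(stats, min_rejects=5):
    """(ip, rejections, helo_changed) for busy sources, busiest first."""
    rows = [(ip, s["count"], len(s["helos"]) > 1)
            for ip, s in stats.items() if s["count"] >= min_rejects]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def constructed_sample():
    """Constructed log lines (documentation IPs, example domains)."""
    tpl = ("2006-04-20 13:34:{sec:02d} H={host}[{ip}] F=<s@example.net> "
           "rejected RCPT <r@example.org>: {reason}")
    auth = "authentication required"
    out = []
    out += [tpl.format(sec=0, host="dyn7.isp.example (a.example) ", ip="203.0.113.7", reason=auth)] * 9
    out += [tpl.format(sec=33, host="dyn7.isp.example (b.example) ", ip="203.0.113.7", reason=auth)] * 9
    out += [tpl.format(sec=40, host="(c.example) ", ip="198.51.100.23", reason=auth)] * 6
    out += [tpl.format(sec=41, host="mx.example ", ip="192.0.2.10", reason=auth)]
    out += [tpl.format(sec=50, host="(d.example) ", ip="192.0.2.99", reason="Unrouteable address")]
    return out

if __name__ == "__main__":
    stats, skipped = summarize(constructed_sample())
    for ip, count, helo_changed in noisy_sources(stats):
        s = stats[ip]
        note = "  HELO changed" if helo_changed else ""
        print(f"{ip:15} {count:4} rejects  {s['first']} .. {s['last']}{note}")
    print(f"{skipped} line(s) skipped")
```

The per-IP totals show how much of the log growth comes from a handful of sources, which is the figure to watch when judging the load these rejections add.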
 
Is there a way to allow all domains to use the use_rbls... file but omit any domains that don't want to use the spamblocker?

I currently have a sym-link for the use-rbl... but I have a client that doesn't want to filter spam.

Now I don't want to have to manually adjust the use_rbl file when I add new domains/clients to the server.

Is there a way to add an omit file that will skip over any domains that don't want spamblocker protection?

Thanks,
Phil
 
The plugin stopped working and the helpdesk is unusable, so here is a description of the problem I had today:

I haven't really used Spamblocker for the last couple of months, but today when launching the page I got this:

Warning: explode(): Empty delimiter. in /usr/local/directadmin/plugins/spamblocker/shared/functions.inc.php on line 178
License Error: Cannot communicate with the license server, please notify the helpdesk at http://spamblocker.virtualhelpdesk.info.

So...Problem with PHP 5.1.3?
 
It may very well be a problem with PHP 5.

Please tell me in what way the helpdesk is unusable; I'd like to get it fixed.

I'll see Onno tonight, so an email to me with specific problems will be helpful.

Thanks for bringing this to our attention.

Jeff
 
On the helpdesk, create a new ticket and try to send it. It won't work because you haven't selected a priority. You can't select one because none are defined ;).

And the other problem wasn't related to PHP at all, it was just your license server that was apparently unreachable, since everything is working fine now.
 
I believe Onno has addressed this thread now that he's back at his office, but I'll bring it to his attention.

Jeff
 
Jeff,

Long time no chat. Hope you are doing well.

With your new spamblocker, what is the best way to use only authentication? We want to do away with all popb4smtp. I had the change for this before but I upgraded everything, even my darn notes, and can't find a reference. Something about the pophosts line but I can't recall the syntax exactly.

Oh and one more thing. I used to pass a list of IPs of servers allowed to relay with no interference from rbl with a my_whitelist file full of the IPs. Can this now be done with your whitelists_hosts file instead?


Big Wil
 
BigWil said:
> Long time no chat. Hope you are doing well.

Aside from being exhausted all the time, quite well, thanks.

> With your new spamblocker, what is the best way to use only authentication? We want to do away with all popb4smtp. I had the change for this before but I upgraded everything, even my darn notes, and can't find a reference. Something about the pophosts line but I can't recall the syntax exactly.

I don't know either; perhaps someone else will respond. Have you searched these forums?

> Oh and one more thing. I used to pass a list of IPs of servers allowed to relay with no interference from rbl with a my_whitelist file full of the IPs. Can this now be done with your whitelists_hosts file instead?

Yes. That's its raison d'être (reason for being).

We've got a script we're testing internally that will parse a whole mailbox file of spams, and extract all the IP#s and hostnames just to use in the whitelists_hosts file.

Jeff
 
Well, get some rest! I definitely know where you are coming from though.

I did find an old copy of the exim.conf that was working with the required authentication and my_whitelist. Using the same basic syntax, it isn't working with the new one though.

domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains
domainlist whitelist_from = lsearch;/etc/virtual/whitelist_from
domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
hostlist relay_hosts = net-lsearch;/etc/virtual/my_whitelist : 127.0.0.1
hostlist auth_relay_hosts = *

If anybody has any idea of how to get that relay_hosts line to work with this new version it would be greatly appreciated. We just don't feel safe around here unless they authenticate for all SMTP traffic.

Thanks,

Big Wil
 
Hi,
I have installed version 2.

I have made a test:
I have added my gmail address to blacklist_senders.
- When I send email from this address in blacklist_senders, a delivery failure message arrives stating that it is a permanent error (PERM_FAILURE: SMTP Error (state 9): 550 Administrative prohibition), instead of a message stating that my address is blocked.
Are Gmail's servers not RFC compliant?
- Secondly, emails from that blacklisted address to any of the domains on my server have been treated the same, though these domains are not in use_rbl_domains.
Is this normal?

I have also noticed something in exim.conf.spamblocked, but I am not sure it is a bug because I am not an expert on exim conf file:

The "# deny using email address in blacklist_senders" block is different than others.
For example:

Code:
# deny so-called "legal" spammers"
  deny message = Email blocked by LBL - to unblock see http://www.example.com/
       # only for domains that do want to be tested against RBLs
       [B]domains = +use_rbl_domains[/B]
       sender_domains = +blacklist_domains

Code:
# deny using email address in blacklist_senders
  deny message = Email blocked by BSAL - to unblock see http://www.example.com/
  [B]domains = use_rbl_domains[/B]
  deny senders = +blacklist_senders

Probably due to my ignorance, I could not understand why the lines in bold are different. P.S. I don't need to understand it, it is enough to know if it is ok, or not.

Thanks,
 
RBL never worked on my server, I don't know why.

BUT THIS WORKS on my DA/FC3:

# place in exim.conf
drop message = $sender_host_address is blacklisted at
!authenticated = *
dnslists = ${lookup{${lc:$local_part@$domain}}lsearch*@{/etc/virtual/dnslists}}
delay = 20s
#
Be careful: dnslists must be on one line.

#create file /etc/virtual/dnslists
* bl.spamcop.net : sbl-xbl.spamhaus.org : list.dsbl.org
#

add what rbl you want.
 
eroloz said:
> Probably due to my ignorance, I could not understand why the lines in bold are different. P.S. I don't need to understand it, it is enough to know if it is ok, or not.
>
> Thanks,

From what I know about exim, the first entry is the correct one with the '+'. The '+' in this case says that this is a reference to a named list, and the name is use_rbl_domains. I'm sure it was just something that Jeff missed.
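
A check for the missing '+' described in this reply, as an added example that is not part of the original thread or of SpamBlocker: a Python lint that collects the named lists defined in an exim.conf and reports ACL list conditions that use one of those names as a bare item, which Exim compares as a literal string rather than expanding the list. The sample config is constructed from the snippets quoted in the thread; the addresslist line and its path are assumptions.

```python
import re

# Main-section definitions: "domainlist NAME = ...", "hostlist NAME = ...", etc.
LIST_DEF = re.compile(
    r"^\s*(?:domainlist|hostlist|addresslist|localpartlist)(?:_cache)?\s+(\w+)\s*=")
# ACL conditions whose value is a colon-separated list. An ACL verb may precede
# the condition on the same line, and the condition may be negated with "!".
COND = re.compile(
    r"^\s*(?:(?:accept|defer|deny|discard|drop|require|warn)\s+)?!?\s*"
    r"(domains|sender_domains|hosts|senders|local_parts|recipients)\s*=\s*(.*)$")

def find_bare_list_names(conf_text):
    """Return (line_no, condition, name) wherever a defined named list is used
    as a list item without the leading '+', so the item is matched as a
    literal string instead of the list's contents."""
    lines = conf_text.splitlines()
    defined = {m.group(1) for m in map(LIST_DEF.match, lines) if m}
    findings = []
    for line_no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = COND.match(line)
        if not m:
            continue
        cond, value = m.groups()
        for item in value.split(":"):
            # Drop per-item negation ("!name" or "! name") before comparing.
            name = item.strip().lstrip("!").strip()
            if name in defined:
                findings.append((line_no, cond, name))
    return findings

# Constructed sample modelled on the list definitions and the two ACL blocks
# quoted in the thread (forum markup removed). The addresslist definition and
# its file path are assumptions made for this example.
SAMPLE_CONF = """\
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains
addresslist blacklist_senders = lsearch*@;/etc/virtual/blacklist_senders

  deny message = Email blocked by LBL
       domains = +use_rbl_domains
       sender_domains = +blacklist_domains

  deny message = Email blocked by BSAL
       domains = use_rbl_domains
       senders = +blacklist_senders
"""

if __name__ == "__main__":
    for line_no, cond, name in find_bare_list_names(SAMPLE_CONF):
        print(f"line {line_no}: '{cond} = {name}' should reference '+{name}'")
```

With the bare name, the `domains` condition only matches a recipient domain that is literally called `use_rbl_domains`, so the per-domain opt-in no longer gates that statement the way the first block's does.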
 
I have searched the forum more, and I found that Jeff said somewhere that if the exim.conf file is mangled, it can cause similar things. And he warned about copy/paste. I have commented out the lines that I had pasted into the exim.conf file, and the problem has been solved.

Sorry for the inconvenience.
 
Hopefully this hasn't been asked and I just passed over it... Jeff, I purchased the spamblocker from you all, and I was wondering: do I have the most current version? And if not, how do I upgrade?

thanks,
Rob



Version Installed Available
SpamBlocker Plugin 1.7.1
SpamBlocker exim.conf 2.0
 
I enabled this for my personal domain on my server and am seeing it block emails, I was getting approximately 200-300 spam a day to my email address with spamassassin retagging about 90% of them and outlook filtering via the subject tag to junk folder however I got sick of wasting traffic on them so following praises from people who I installed spamblocker for I tried it.

I disabled spamcop checks but left all the others on but am finding still about 30-50 spam a day in my inbox, what's unusual is spamassassin is still managing to tag these as spam with many done via blocklists which is how I thought spamblocker worked, is it maybe the case some blocklists used by spamassassin are not used by spamblocker?

Some examples below.

1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: onlinekmr.info]
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: onlinekmr.info]

and

4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: tsswyks.com]
3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: tsswyks.com]

and

4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: paulamwest.com]
3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: paulamwest.com]
4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: paulamwest.com]


There are a few as well that are tagged via non-network checks, which I guess are not on any blacklists.
 
Some more; all of these were in 1 email.

1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: bumsert.com]
3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: bumsert.com]
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: bumsert.com]
2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: bumsert.com]
3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: bumsert.com]
4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: bumsert.com]

It altogether got 35 pts on spamassassin but got through spamblocker. :(
 
Why don't you reject if too many points?
I don't use spamblocker, only my dnslist and SA and exim and clamav.
 
I have them going to junk folder automatically but was just showing that there are many other block lists spamblocker isn't using. I plan to add these other lists to exim.conf so spamblocker blocks these emails as well.
 
I'm sorry, but anyone who knows anything about mail and keeping their users from bitching due to blocked emails from recipients would never include the list:

SPAMHAUS

ORDB

SORBS SMTP LIST

SORBS IP LISTS

SORBS NAME-BASED LIST

SPAMCOP

NJABL

CBL

RBL's are so yesterday. There are better ways to kill spam that will lower the false positives dramatically. There are only one or two RBLS that actually work to the point of not triggering false positives and neither of those two are listed above. The combination of MS + SURBL lookups at SMTP TIME, SA + PYZOR + DCC + TOP 200 SPAMCOP DOWNLOADS, RULES DU JOUR, would kill 94% - 96% of all your spam while keeping your users happy and bitch free. We have been using this combo for over 2yrs. In the past 2 yrs we have had less than 10 clients who have complained about blocked mail. Using the above list exclusively would be a huge mistake.

.... I find it amusing that so many are installing SA at the user level, including SPAMD/C. First of all, SPAMD/C are huge system resource hogs. If you have installed SPAMD/C on your server and it's running high in resources you'd better check SPAMD. Not to mention what would happen if all of a sudden the box was spam bombed, brute force attacked or dictionary style attacked, SPAMD would be whirling out of control at about 99% cpu cycles which would surely bring your box to a grinding halt. Second, why would anyone want to scan mail twice? If you are implementing a decent combo, like we are using above, SA at the user level becomes a useless installation. Why? Because mail would be scanned, not only at the server level, but then once again at the user level. What for? Why push your server's resources to the absolute limit? I mean, if you can't catch your spam the first time, without relying on SPAMD to score it, you shouldn't be running spam filters.

I just don't get this thinking. It's very possible that most people just don't get it or don't know any better, and thinking they should be offering their users just one more feature called SpamAssassin controllable from the user control panel, is just another great feature to include. I beg to differ, trust me, I should know. I am the author of countless documents, howtos and other articles on the subject posted in various forums. Good luck with this.
 