Server receiving a lot of spam.

skym4n (Verified User, joined Aug 1, 2020, 100 messages, location: Brazil)
Guys, my server is currently receiving a lot of spam. What basic settings do you recommend to try to filter these messages?

I use some RBLs, but they don't seem to help much.

RBL_DNS_LIST=\
b.barracudacentral.org : \
zen.spamhaus.org
 
zen.spamhaus.org
Be sure not to use an open resolver (like 1.1.1.1 or Google's) as the first one in your /etc/resolv.conf file when using this one, because in that case there is a rate limit. Once you go over the rate limit, all incoming mail (even legit) will be flagged as spam by Spamhaus. You can see in /var/log/maillog that you hit the rate limit.

In addition to the above tips, you can add some more blacklists like SpamCop. If you want to add SpamCop, do not edit your exim.conf but create a file in the /etc directory called exim.strings.conf.custom and add a line like this:
Code:
RBL_DNS_LIST==bl.spamcop.net : b.barracudacentral.org : zen.spamhaus.org
for example.

After that, rebuild exim and exim.conf
Code:
da build exim
da build eximconf
so the changes take effect. You can also add other RBLs to your liking this way.
 
Friends, I also have a big problem with spam. Most of the IPs, according to my research, are in the Spamhaus CSS Blocklist (CSS). I already have the SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.txt blocklist active in CSF, but this list does not contain any of these IPs. How can I configure this list to check these IPs and return or delete these emails so that they do not reach the client?

I was even able to register on the spamhaus website and they gave me a query key and a link, but I am confused about where and how to configure this.

Thank you
 
but I am confused about where and how to configure this.
If all is correct, under Product -> DQS you should find your key and also the exact fqdn name to use.

I've read somewhere it should read:
xxxxxxxxxxxxxxxxxx.zen.dq.spamhaus.net

where xxxxxx is your key (don't ever share or publicise that key).
In this case it's zen.dq.spamhaus.net, but it could be another FQDN in your case, so you have to double-check.

Now you can change this in exim.conf and restart exim, but on the next update, it will be overwritten.
So if it doesn't exist yet, you have to create a /etc/exim.strings.conf.custom file and put it in there next to the others you want to use.
For example:
RBL_DNS_LIST==b.barracudacentral.org : xxxxxxxxxxxxxxxxxx.zen.dq.spamhaus.net : bl.spamcop.net

Again, replace xxx with your key.

Just to be sure, rebuild exim and exim.conf
da build exim
da build eximconf

and then it should work.
 
Okay Richard, I did exactly as you described. In this case, will exim start checking the IPs and, since they are on these lists, will they no longer reach the spam boxes? Will exim return or delete the abusive email? When I run the da build eximconf command, it shows:
Enabling Easy Spam Fighter...
Easy Spam Fighter is now enabled.
Restarting exim.
Is this correct?
Thank you very much.
 
If all is correct, then yes. You might find proof of that in the exim mainlog or rejectlog if/when that happens.
IPs in RBLs will be refused a connection, so the mail is discarded. So I guess the sender is getting them back.

Yes that is correct.
Have you been using these Spamhaus lists for a long time? Can you tell me if these queries are free, or whether there will come a time when they will charge you? From the moment I activated them until now, looking at the rejectlog, they have already rejected several spams.
Thank you
 
Have you been using these Spamhaus lists for a long time?
I never used the paid version, but I used the zen.spamhaus.org list, and yes, for free.
But there is a big BUT here. For some time now there have been limits on the queries which can be made when open resolvers are used. For example, if you have 1.1.1.1 or 8.8.8.8 as the first IPs in your /etc/resolv.conf file, you will hit those limits.
We also discovered the hard way that at least one of the Hetzner datacenter gateway IPs is also flagged as an open resolver by Spamhaus.
And when hitting those limits, Spamhaus behaves very nastily. Instead of just blocking the checks, every mail is flagged as spam, which is also a reason we haven't used Spamhaus for some time.

However, we do run our own nameservers on the server with caching DNS, so we now have 127.0.0.1 as the first line in /etc/resolv.conf and then things work fine. We've been working like that for 17 years now and have never seen a charge. And we've been using it again for around half a year now.

Could it be they will charge in the future? Such a thing is always possible, one never knows. But in that case that Spamhaus list is the first we remove again, just as we did when they had a bit too many false positives a couple of years ago.
 
This is my concern, because you use the zen.spamhaus.org list and I am using xxxxxxxxxxxxxxxxxx.zen.dq.spamhaus.net. I hope they don't charge me; if they do, I will delete it because their fees are very high.

The problem is that one of the abusive IPs, 139.99.195.31, is not on the zen.spamhaus.org list but is on the xxxxxxxxxxxxxxxxxx.zen.dq.spamhaus.net list.
I don't use Google DNS!
 
I hope they don't charge me,
Well... officially those are not for commercial use, and fees for commercial subscriptions are very high, so I don't know if they do checks, but that is a risk.
Indeed the CSS list is not included in zen.spamhaus.org, but CSS also often includes false positives, like new IPs that were never used or had spam before but now belong to a valid company.

Maybe somebody else with a key can enlighten you a bit more about this.

The 139.99.195.31 IP is from OVH. You could also just block the IP in either the firewall or the Exim blacklist if it's just one IP.
 
It may be better to check the RBL return value, e.g.:

Code:
  # Act only on the documented "listed" return codes; any other answer matches nothing.
  # add_header stands in for whatever action you choose (deny, score, etc.).
  warn  dnslists   = bl.spamcop.net=127.0.0.2
        add_header = X-RBL-Warning: $sender_host_address listed in $dnslist_domain ($dnslist_value)

  warn  dnslists   = zen.spamhaus.org=127.0.0.2,127.0.0.4,127.0.0.5,127.0.0.10,127.0.0.11
        add_header = X-RBL-Warning: $sender_host_address listed in $dnslist_domain ($dnslist_value)

In case, e.g., spamhaus.org returns 127.255.255.* for whatever reason, it should hopefully not tag incorrectly.

ref.: https://www.spamhaus.org/faqs/dnsbl-usage/
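An added example (not from any poster in this thread) showing both points raised above: the return-value check in the previous post, and the open-resolver rate-limit failure described earlier, where a 127.255.255.x answer must be logged as an error rather than treated as a listing. The `resolve` callable and the `FAKE_DNS` table are constructed stand-ins for real DNS so it runs offline; the meanings given for the 127.255.255.x codes follow Spamhaus's published return-code table.

```python
import ipaddress
from typing import Callable, Iterable

# ZEN return codes the post above treats as "listed".
ZEN_LISTED = {"127.0.0.2", "127.0.0.4", "127.0.0.5", "127.0.0.10", "127.0.0.11"}
# Spamhaus error codes (from its published return-code table): never a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "query rate limit exceeded",
}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers: Iterable[str], listed_codes=ZEN_LISTED) -> tuple[str, str]:
    """Map the A records of a DNSBL answer to (verdict, detail). A 127.255.255.x
    record is an infrastructure error: log it, never treat it as a listing."""
    answers = list(answers)
    if not answers:                      # NXDOMAIN: sender is not listed
        return ("not_listed", "")
    for a in answers:
        if ipaddress.ip_address(a) in ERROR_NET:
            return ("error", ERROR_CODES.get(a, "unknown DNSBL error code"))
    hits = sorted(a for a in answers if a in listed_codes)
    if hits:
        return ("listed", ",".join(hits))
    return ("ignored", ",".join(sorted(answers)))  # answered, but not a code we act on

def check_sender(client_ip: str, zone: str,
                 resolve: Callable[[str], list[str]]) -> tuple[str, str]:
    return classify(resolve(dnsbl_query_name(client_ip, zone)))

# Constructed stand-in for DNS (name -> A records) so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "11.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
    "12.2.0.192.zen.spamhaus.org": ["127.255.255.255"],
    "13.2.0.192.zen.spamhaus.org": ["127.0.0.3"],
}

def fake_resolve(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"):
        print(ip, check_sender(ip, "zen.spamhaus.org", fake_resolve))
```

For a DQS key the zone is simply the keyed name (xxxxxxxxxxxxxxxxxx.zen.dq.spamhaus.net) in place of zen.spamhaus.org; an "error" verdict is the signal to fix the resolver rather than to reject mail.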
 
I would like to know how much is "a lot of spam"? I have never in 25 years, using a number of different email addresses, received what I would consider a lot of spam.
 