Spam not being blocked!

Richard G

Richard G

Verified User
Joined
Jul 6, 2008
Messages
14,143
Location
Maastricht
Some time ago I wrote a post that spam was not being blocked in spite of the fact that the sender ip was in RBL blacklists but it seems nobody had a clue.

My server has all newest exim.conf and spamblocker software and spamassassin running and the latest DA 1.50.1.

Today it happened again, and even looked like spamassassin did not even run, this is from the exim mainlog:
Code: 
2016-11-19 14:27:23 1c85ft-0005JQ-OE <= [email protected] H=(8u1yb84.micronesiaa.xyz) [128.204.199.21] P=esmtp S=15118 id
[email protected] T="The belly fat melting rituals" from <[email protected]> fo
r [email protected]
2016-11-19 14:27:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c85ft-0005JQ-OE
2016-11-19 14:27:24 1c85ft-0005JQ-OE => richard <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_l
mtp_udp S=15638 C="250 2.0.0 <[email protected]> FTQJMDtTMFgFTQAADNWw8g Saved"
2016-11-19 14:27:24 1c85ft-0005JQ-OE Completed
2016-11-19 14:27:40 ReverseDNS: No reverse DNS for mailserver at 117.240.224.65, +100 Spam score

This is from /var/log/maillog:
spamd: checking message <[email protected]> for myaccountname:522
Nov 19 14:27:23 server18 spamd[647]: spamd: result: . 5 - HTML_MESSAGE,RCVD_IN_SORBS_SPAM,RDNS_NONE,T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE,URIBL_ABUSE_SURBL,URIBL_BLACK scantime=1.7,size=13500,user=myaccountname,uid=522,required_score=7.5,rhost=localhost,raddr=127.0.0.1,rport=41204,mid=<[email protected]>,autolearn=no autolearn_force=no
Click to expand...

So the ip 128.204.199.21 is on various blacklists, there is a +100 score for not having an Reverse DNS and still this mail is being accepted and in this mainlog. So why does Spamassassin only gives a score of 5?
I do have RBL check enabled on Directadmin.

How is this possible and how can I fix this?
 
Last edited:
Hello Richard,

If you still have the email on the server you can re-check it with spamassassin to get more details on it:

Code: 
spamassassin -t /path/to/email

or with debug output

Code: 
spamassassin -D -t /path/to/email

if you don't like scoring of any test you can adjust it and set your own values in SA configs.
 
Hello Alex.

No it's pop3 so I have the email in my email program.
I don't need to change any value's, they are correct and I did not have this issue before. I don't know exactly when it started but
1.) Before, any email on any RBL in exim.conf would be blocked by Exim even before Spamassassin is called if I remember correctly.
2.) ESF is giving a +100 spam score, which should block the spam email, according to the ESF doc, which is not happening.
So I don't really care that Spamassassin is only giving a score lower then 5 or lower then 7.5 which I setup to block the email, but that spam email should already be blocked due to the other 2 reasons and that is not happening.

That is what is confusing me.
 
Richard,

2016-11-19 14:27:40 ReverseDNS: No reverse DNS for mailserver at 117.240.224.65, +100 Spam score

but email arrived from 128.204.199.21 (has a PTR hosted-by.snel.com.)


Exim.conf has the following lists:

Code: 
[FONT=Verdana]RBL_DNS_LIST=\
[/FONT]       cbl.abuseat.org : \
       bl.spamcop.net : \
       combined.rbl.msrbl.net : \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       hostkarma.junkemailfilter.com=127.0.0.2

The IP 128.204.199.21 does not look to be blocked at any of them.

So it's only Spamassassin which left to define whether or not it's spam.
 
Alex.

I don't know where you did that check, but my Mailwasher program said the ip was blacklisted in SBL.spamhaus.org.

When I do a check on the mxtoolbox.com site, it also says it's blacklisted in zen.spamhaus.org and if I check on the spamhaus site, it gives the same result as my mailwasher program:
128.204.199.21 is listed in the SBL, in the following records:
SBLCSS
Click to expand...
So it is listed in sbl.spamhaus.org which is part of zen.spamhaus.org blacklist.

The CSS dataset is part of our SBL, return code 127.0.0.3, and thus part of ZEN. If you use ZEN, you are automatically using the CSS dataset. Use of return codes varies by application.
Click to expand...
So I'm still confused why it's not blocked because it's on the spamhaus RBL.
 
I checked it here: https://2ip.ru/spam/

OK I see it's listed 12 times when checking here at mxtoolbox.com

[TABLE="class: table table-striped table-bordered table-condensed tool-result-table, width: 100%"]
[TR]
[TD="bgcolor: #F9F9F9"]LISTED[/TD]
[TD="bgcolor: #F9F9F9"]CASA CBL[/TD]
[TD="class: tool-blacklist-reason, bgcolor: #F9F9F9"]128.204.199.21 was listed Detail[/TD]
[TD="bgcolor: #F9F9F9"]10800[/TD]
[TD="bgcolor: #F9F9F9, align: right"]78[/TD]
[TD="class: ignore, bgcolor: #F9F9F9"]Ignore[/TD]
[/TR]
[TR]
[TD]LISTED[/TD]
[TD]ivmSIP[/TD]
[TD="class: tool-blacklist-reason"]128.204.199.21 was listed Detail[/TD]
[TD]2100[/TD]
[TD="align: right"]94[/TD]
[TD="class: ignore"]Ignore[/TD]
[/TR]
[TR]
[TD="bgcolor: #F9F9F9"]LISTED[/TD]
[TD="bgcolor: #F9F9F9"]ivmSIP24[/TD]
[TD="class: tool-blacklist-reason, bgcolor: #F9F9F9"]128.204.199.21 was listed Detail[/TD]
[TD="bgcolor: #F9F9F9"]2100[/TD]
[TD="bgcolor: #F9F9F9, align: right"]78[/TD]
[TD="class: ignore, bgcolor: #F9F9F9"]Ignore[/TD]
[/TR]
[TR]
[TD]LISTED[/TD]
[TD]NoSolicitado[/TD]
[TD="class: tool-blacklist-reason"]128.204.199.21 was listed Detail[/TD]
[TD]2719[/TD]
[TD="align: right"]94[/TD]
[TD="class: ignore"]Ignore[/TD]
[/TR]
[TR]
[TD="bgcolor: #F9F9F9"]LISTED[/TD]
[TD="bgcolor: #F9F9F9"]Protected Sky[/TD]
[TD="class: tool-blacklist-reason, bgcolor: #F9F9F9"]128.204.199.21 was listed Detail[/TD]
[TD="bgcolor: #F9F9F9"]6319[/TD]
[TD="bgcolor: #F9F9F9, align: right"]94[/TD]
[TD="class: ignore, bgcolor: #F9F9F9"]Ignore[/TD]
[/TR]
[TR]
[TD]LISTED[/TD]
[TD]SORBS NEW[/TD]
[TD="class: tool-blacklist-reason"]128.204.199.21 was listed Detail[/TD]
[TD]3600[/TD]
[TD="align: right"]78[/TD]
[TD="class: ignore"]Ignore[/TD]
[/TR]
[TR]
[TD="bgcolor: #F9F9F9"]LISTED[/TD]
[TD="bgcolor: #F9F9F9"]SORBS SPAM[/TD]
[TD="class: tool-blacklist-reason, bgcolor: #F9F9F9"]128.204.199.21 was listed Detail[/TD]
[TD="bgcolor: #F9F9F9"]3600[/TD]
[TD="bgcolor: #F9F9F9, align: right"]78[/TD]
[TD="class: ignore, bgcolor: #F9F9F9"]Ignore[/TD]
[/TR]
[TR]
[TD]LISTED[/TD]
[TD]SPAMCANNIBAL[/TD]
[TD="class: tool-blacklist-reason"]128.204.199.21 was listed Detail[/TD]
[TD]43200[/TD]
[TD="align: right"]78[/TD]
[TD="class: ignore"]Ignore[/TD]
[/TR]
[TR]
[TD="bgcolor: #F9F9F9"]LISTED[/TD]
[TD="bgcolor: #F9F9F9"]Spamhaus ZEN[/TD]
[TD="class: tool-blacklist-reason, bgcolor: #F9F9F9"]128.204.199.21 was listed Detail[/TD]
[TD="bgcolor: #F9F9F9"]60[/TD]
[TD="bgcolor: #F9F9F9, align: right"]78[/TD]
[TD="class: ignore, bgcolor: #F9F9F9"]Ignore[/TD]
[/TR]
[TR]
[TD]LISTED[/TD]
[TD]TRUNCATE[/TD]
[TD="class: tool-blacklist-reason"]128.204.199.21 was listed Detail[/TD]
[TD]7200[/TD]
[TD="align: right"]78[/TD]
[TD="class: ignore"]Ignore[/TD]
[/TR]
[TR]
[TD="bgcolor: #F9F9F9"]LISTED[/TD]
[TD="bgcolor: #F9F9F9"]WPBL[/TD]
[TD="class: tool-blacklist-reason, bgcolor: #F9F9F9"]128.204.199.21 was listed Detail[/TD]
[TD="bgcolor: #F9F9F9"]2100[/TD]
[TD="bgcolor: #F9F9F9, align: right"]78[/TD]
[TD="class: ignore, bgcolor: #F9F9F9"]Ignore[/TD]
[/TR]
[TR]
[TD]LISTED[/TD]
[TD]ZapBL[/TD]
[TD="class: tool-blacklist-reason"]128.204.199.21 was listed Detail[/TD]
[TD]1219[/TD]
[TD="align: right"]94[/TD]
[TD="class: ignore"]Ignore[/TD]
[/TR]
[/TABLE]

Well, it happened... check your DNS resolvers. I don't have information on why it was not rejected. Make sure it's not in skip or white lists on your server.
 
Nothing is whitelisted on my server. Except my backup-mx (relay.transip.nl).
These are my dns resolvers, at least if you mean what's mentioned in /etc/resolv.conf
nameserver 8.8.8.8
nameserver 213.133.100.100
nameserver 213.133.98.98
nameserver 213.133.99.99
 
I could only suppose here... and if the issue is not happening constantly, then I'd suppose it's somehow related to DNS. For some reasons a DNS lookup did not complete and exim did not block an incoming email.... that's only my guess. I don't know how it was on your server.

Probably others have ideas as well.
 
It happens more often. Today also with an email from which the ip is present in CBL from abuseat. I guess if there would be DNS issues, something about that should be present in the exim logfile, correct?
I've got a ticket in Directadmin and Smtalk has seen in the headers, that in spite of the fact that ESF is running, there is nothing in the headers.

Nothing wrong with my named.conf is there?
Code: 
options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };
        allow-recursion { localnets; };
        allow-transfer {"none";};
        //recursion yes;
        minimal-responses yes;
 
It shouldn't be the named, but the NS that the server is using, so the one in /etc/resolv.conf

Also, some RBL i think limit the amount of request for the non-paying utilizator.

For ESF Header missing, can you ensure is set to yes in options.conf and try to build eximconf again?

Best regards
 
I've got 3 in /etc/resolve.conf which are 2 of my datacenter and 1 is 8.8.8.8 which is the public Google DNS and is mentioned first in that file.
We don't have that much incoming mail so I can't imagine to reach any limit.

ESF is set to yes in options.conf and I did a build eximconf last week, but I will do it again, just to be sure. ;)
 
Thank you Alex.
I send some headers via the ticket system. John is going to have a look at my system to see what could be wrong.
Because today I had another spam mail which was listed in cbl.abuseat.org in spite of the fact that I rebuild exim.conf yesterday evening.
 
Well, it might still be the resolvers as zEitEr already suggested.
I did post my /etc/resolv.conf but like Sellerone said they are still external resolvers. Since the Google DNS is first, I presume this will be used first and John of DA wrote Google DNS is not fine for RBL checks, they somewhat exceed rate limits for RBL checks.
Since the first DNS is reached (Google DNS) I presume the other 2 are not queried anymore.
Since I use my own dns server on the DA server, I was advised to only use "nameserver 127.0.0.1" in /etc/resolv.conf.

I have to wait a few days to see if I still get e-mails passing the RBL's.

We also just have to investigate why some headers still are not added.
I will add more info as soon as I know.
 
Unfortunately it's still not fixed, not even by changing the resolver to 127.0.0.1. It helped for some time though it seems.

Today I got an email from which the sender was on the cbl.abuseat.org blacklist, 203.146.168.254.
So Exim should have blocked this on connection but it did not.:(
 
My mail is not being scanned by RBL at all. Im getting stock quote spam that is not being caught. When i look at the message headers there is no indicator that it tried to lookup the ip using RBLS.

Also, i have errors one email

2017-04-24 20:13:13 H=([42.113.xxx.xxx]) [42.113.xxx.xxx] Warning: ACL "warn" statement skipped: condition test deferred: failed to expand ACL string "${lookup dnsdb{ptr=$sender_host_address}{false}{true}}": lookup of "ptr=42.113.xxx.xxx" gave DEFER:

Since installaling Spamassassin (which is really hate) a few days ago this is the only message that has an error in a lookup

So RBL's are not being checked and errors in ACL.

Not sure why, i installed everything according the DA knowledgebase using custombuild 2. So why are there errors in ACL and what is the problem otherwise????
 
Which version of Exim and exim.conf are you using?
Should be: Exim version 4.89 #2 built 08-Mar-2017 and Eximconf 4.5.4 if you are using spamblocker.
 
You must log in or register to reply here.
Back
Top