SpamBlocker 4.3.0, BlockCracking, Easy Spam Fighter, and new exim.pl

I have some customers complaining that they don't receive emails if DKIM is not valid:

2015-07-07 11:05:12 1ZCUQp-0007GQ-Ei DKIM: d=dellana.com.br s=default c=relaxed/relaxed a=rsa-sha256 [invalid - public key record (currently?) unavailable]

How can I solve this issue so that the email will pass even if the DKIM isn't valid?
 
Simplest would be to delete/rename the file:
/etc/exim.easy_spam_fighter/check_dkim.conf

and restart exim.

Alternatively, you can selectively whitelist IPs, sender emails, or sender domains with the various whitelist files (related exim.conf variable: $acl_m_is_whitelisted)
but that whitelists everything, so not the best.

John
 
I still have no official response as to whether my theory is valid or not...

I need to know, for people using this http://www.directadmin.com/features.php?id=1692 and when a new domain is added, the server IP is added to the TXT/SPF records (as per the templates). So, this will break SPF checks, right?
It relies on the "a" or "mx" values being set in the SPF record, so the IP added should be what they resolve to. In the event that adding to the file fails, it will end up sending from the server IP, so the server IP should always be in the SPF/TXT record.
I haven't seen other people bring this subject up, so, do I assume it's irrelevant?
 
SPF records include "mx" and "a" values, which will resolve to the domain's IP.. so you can send from any of those IPs, including the server IP, and still be fine.

John
 
Hi John

Above, you provide a solution to disable checks for DKIM - thank you for that.

Is there perhaps a way to disable checks for SPF on incoming messages?

I am getting complaints from customers that they are not receiving messages. Upon closer inspection, it appears to be the DKIM and SPF checks included in Easy Spam Fighter which are creating these false negatives.

Now I understand that the actual problem lies with the sending mail server or DNS server. If it hasn't been configured with the correct SPF/DKIM record, then Easy Spam Fighter on my DirectAdmin server will reject those messages. However, I cannot fix the sending mail servers and I am getting way too many false negatives to continuously whitelist the problematic ones. I think it would be easier to simply disable DKIM and SPF checks on my side until system administrators learn how to correctly set up their servers. It's very frustrating.
 
What's the exact exim mainlog message for the rejection?
The /etc/exim.easy_spam_fighter/check_mail.conf could be altered to be less strict on whatever level of failure is causing it.

If you're getting a soft fail, then you'd simply lower the EASY_SPF_SOFT_FAIL score to 0 by adding it to:
/etc/exim.easy_spam_fighter/variables.conf.custom

John
 
Hello,

I'm just getting into the SpamBlocker topic, but I have one question, maybe a stupid one: does it really block mails that have no DKIM or SPF, or does it flag them as spam and send them to the spam folder?
 
Easy Spam Fighter uses scores, similar to SpamAssassin, but it's all done at smtp-time, so as to not plug up the queue.
Scoring:

DKIM:
No entry: no score change
Pass: reduction in score (-20)
Fail: increase in score, default score here is enough to drop the message (+100).
Invalid: full block (smtp defer), connection is dropped. Might mean the message has DKIM headers, but DNS has no DKIM entries.

SPF:
No entry: no score change
Pass: reduction in score (-30)
Fail: increase in score (+30)

All scores can be played with in the variables settings.
The spam limit default is 100, so obviously a failed DKIM will hit that limit.

HOWEVER... it does not imply the message will be dropped (except for DKIM invalid, which is always dropped).
If the client's SpamAssassin setting "Drop High Scoring Spam" is enabled, then the limit of 100 is used.
If the client chooses not to drop high scoring spam, then they'll still get it delivered, probably to the Spambox, depending on if SpamAssassin's headers think it's spam or not.
ESF will add a bunch of headers too, describing what it found.

Basically, ESF is only used to its full extent if the user has "drop high scoring spam" enabled.

John
 
> Easy Spam Fighter uses scores, similar to SpamAssassin, but it's all done at smtp-time, so as to not plug up the queue.
>
> The spam limit default is 100, so obviously a failed DKIM will hit that limit.
>
> HOWEVER... it does not imply the message will be dropped (except for DKIM invalid, which is always dropped).
> If the client's SpamAssassin setting "Drop High Scoring Spam" is enabled, then the limit of 100 is used.
> If the client chooses not to drop high scoring spam, then they'll still get it delivered, probably to the Spambox, depending on if SpamAssassin's headers think it's spam or not.
> ESF will add a bunch of headers too, describing what it found.
>
> Basically, ESF is only used to its full extent if the user has "drop high scoring spam" enabled.
>
> John

So the "Would you like to delete high scoring spam?" set to "Yes" will check the SpamTally as well as the X-Spam-Status header? Isn't it possible to have high scoring SpamTally mail delivered to the spambox as well?
 
Hello,

I have some issues with DKIM. I am getting the error:

mailout c=simple/simple a=rsa-sha256 t=1446972375 [invalid - public key record (currently?) unavailable]
temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'

From OVH.

I have created a /etc/exim.easy_spam_fighter/variables.conf.custom file and put in:

EASY_DKIM_FAIL == 25

And have rebuilt exim_conf in custombuild.

But the mail is still being rejected.

Am I doing something wrong here? Please advise.
 
Means an error with the sending domain's DKIM setup.
The incoming message has DKIM headers, but the DNS part of the setup is missing for that domain.

If you want to temporarily allow these to come in, edit:
Code:
/etc/exim.easy_spam_fighter/check_dkim.conf
and change this code
Code:
  defer
    dkim_status = invalid
    log_message = DKIM: Deferred. reason='$dkim_verify_reason'
    message = DKIM Signature validation has failed. May be a temporary problem.
Replace the first word "defer" with the word "warn".

You could also add negative headers to the 'invalid' section if you wanted, similar to the next 'fail' section below it (copy the set acl_m_easy69 and add_header lines to the 'invalid' section).

John
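
Before switching the `defer` to `warn`, it helps to know which signing domains are actually hitting the `invalid` verdict. The following is an added example, not part of the original posts: a shell function that tallies `[invalid - ...]` DKIM lines from an exim mainlog by domain, selector and reason. The function names and the sample log lines are constructed for illustration, modelled on the log lines quoted in this thread.

```shell
#!/bin/sh
# Added example: tally DKIM "invalid" verdicts in an exim mainlog.
# Reads mainlog lines on stdin, prints "<count> <domain> <selector> <reason>",
# most frequent first.
dkim_invalid_by_domain() {
    awk '
    / DKIM: d=/ && /\[invalid/ {
        dom = ""; sel = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^d=/) dom = substr($i, 3)   # signing domain
            if ($i ~ /^s=/) sel = substr($i, 3)   # selector looked up in DNS
        }
        # The reason is the text between "[invalid - " and the closing "]".
        reason = $0
        if (!sub(/^.*\[invalid - /, "", reason)) reason = "unknown"
        sub(/\].*$/, "", reason)
        count[dom " " sel " " reason]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not real traffic), in the format shown in the thread.
sample_mainlog() {
    cat <<'EOF'
2015-07-07 11:05:12 1ZCUQp-0007GQ-Ei DKIM: d=sender-a.example s=default c=relaxed/relaxed a=rsa-sha256 [invalid - public key record (currently?) unavailable]
2015-07-07 11:09:40 1ZCUV8-0007Hk-2b DKIM: d=sender-a.example s=default c=relaxed/relaxed a=rsa-sha256 [invalid - public key record (currently?) unavailable]
2015-07-07 11:12:03 1ZCUXR-0007J1-9c DKIM: d=sender-b.example s=mailout c=simple/simple a=rsa-sha256 t=1446972375 [invalid - public key record (currently?) unavailable]
2015-07-07 11:15:27 1ZCUak-0007Kq-Lm DKIM: d=good.example s=k1 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
EOF
}

# Demo on the constructed sample; on a server, feed the real mainlog on stdin instead.
sample_mainlog | dkim_invalid_by_domain
```

A domain that shows up here repeatedly with the same selector has a missing or unreachable DKIM TXT record on the sender's side, which is the case the default `defer` is meant to hold back.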
 
Thank you for your advice.

> You could also add negative headers to the 'invalid' section if you wanted, similar to the next 'fail' section below it (copy the set acl_m_easy69 and add_header lines to the 'invalid' section).

Does this mean I can adjust the command to add the message to spam folder? I want to allow the DKIM dns problem mails but I want to add them to spam folder if possible.

Also, is it possible to create a custom /etc/exim.easy_spam_fighter/check_dkim.conf so that an update does not overwrite my changes, without using chattr?
 
Yes, you can give the "invalid" dkim a negative score. Might look like this:
Code:
  warn
    dkim_status = invalid    
    set acl_m_easy69 = ${eval:$acl_m_easy69+EASY_DKIM_FAIL}
    add_header = DKIMCheck: Server has invalid DKIM, EASY_DKIM_FAIL Spam score
    log_message = DKIM: Invalid. reason='$dkim_verify_reason'
where we give it the EASY_DKIM_FAIL score, which is 100. Note that it could have a negative score from other areas.

However, it might not be entirely logical to do anything more aggressive than this.. if anything at all.
An invalid DKIM does not mean spam.. as I'm not sure that a spammer would intentionally add DKIM headers when the DNS isn't there... so it would usually just mean it's set up incorrectly.
This is why we defer it by default.. but giving it a score is also another option, as above.

John
 
Hi everyone,

I ran the script from @SeLLeRoNe, but I get an error like this:
Code:
archive-iterator: no access to /home/test/imap/test.pl/beata/Maildir/.INBOX.spam/cur: 2 at /usr/share/perl5/Mail/SpamAssassin/ArchiveIterator.pm line 833.

Kind regards
 
Is the test user a valid DirectAdmin user? I doubt it, because DA should prevent creating that user, so you may want to ignore this error (it shouldn't block the script), or edit the script to ignore that user.

Regards
 
Thanks for the reply. Yes, the 'test' user is a valid DA user. This error is because there is no cur folder. My mistake.

-edit

Now it works. I modified the if condition.
Code:
#!/bin/sh
if [ "$1" != "" ]; then
        if [ -d "/usr/local/directadmin/data/users/$1/" ]; then
                COMMAND="echo $1"
        else
                echo "Invalid user"
                # stop here: COMMAND is unset, so the loop below would have nothing to run
                exit 1
        fi
else
        COMMAND="ls /usr/local/directadmin/data/users/"
fi
for DA_USER in `$COMMAND`
        do
        echo ""
        echo "#########################################################################################"
        echo "Starting user $DA_USER"
        echo ""
        DA_HOME=/home/${DA_USER}
        # Create and empty the log as the user, never as root: $DA_HOME is user-writable,
        # so a root touch/chown/truncate there would follow a symlink planted by the user.
        su - $DA_USER -s /bin/sh -c ": > $DA_HOME/sa-learn.log" >/dev/null

        #set this to 1 if you want the spam be removed after the run
        DELETE_SPAM_DATA=0

        learn_Maildir()
                {
                FILESPAM=${1}/.INBOX.spam
                FILEHAM=${1}
                ACCOUNT="`echo $maildir | cut -d/ -f6`@$d"

                if [ "$ACCOUNT" = "@" ]; then
                        ACCOUNT="$DA_USER@$HOSTNAME"
                fi
                # Plain directory names below: a single-item {new} or {cur} is not
                # brace-expanded by the shell and would be passed to sa-learn literally.
                if [ -e ${FILESPAM}/new ]; then
                        echo "Learning SPAM new for account ${ACCOUNT}";
                        su - $DA_USER -s /bin/sh -c "nice sa-learn --no-sync --spam ${FILESPAM}/new > ${DA_HOME}/sa-learn.log" >/dev/null
                        cat $DA_HOME/sa-learn.log
                fi
                if [ -e ${FILESPAM}/cur ]; then
                        echo "Learning SPAM cur for account ${ACCOUNT}";
                        su - $DA_USER -s /bin/sh -c "nice sa-learn --no-sync --spam ${FILESPAM}/cur > ${DA_HOME}/sa-learn.log" >/dev/null
                        cat $DA_HOME/sa-learn.log
                fi
                if [ -e ${FILEHAM}/new ]; then
                        echo "Learning HAM new for account $ACCOUNT";
                        su - $DA_USER -s /bin/sh -c "nice sa-learn --no-sync --ham ${FILEHAM}/new > ${DA_HOME}/sa-learn.log" >/dev/null
                        cat $DA_HOME/sa-learn.log
                fi
                if [ -e ${FILEHAM}/cur ]; then
                        echo "Learning HAM cur for account $ACCOUNT";
                        su - $DA_USER -s /bin/sh -c "nice sa-learn --no-sync --ham ${FILEHAM}/cur > ${DA_HOME}/sa-learn.log" >/dev/null
                        cat $DA_HOME/sa-learn.log
                fi
                if [ "$DELETE_SPAM_DATA" -eq 1 ]; then
                        rm -f ${FILESPAM}/new/*
                fi
        }
        if [ -e $DA_HOME/Maildir ]; then
                echo "Starting main E-Mail account for user $DA_USER"
                echo "-----------------------------------------------------------------------------------------"
                # reset leftovers from the previous user so the label falls back to user@hostname
                maildir=""; d=""
                learn_Maildir $DA_HOME/Maildir
                echo "-----------------------------------------------------------------------------------------"
                echo ""
        fi
        for d in `ls $DA_HOME/imap`; do
                {
                # empty the log as the user (see the note at the top of the loop)
                su - $DA_USER -s /bin/sh -c ": > $DA_HOME/sa-learn.log" >/dev/null
                echo "Starting E-Mail accounts for domain $d"
                echo "-----------------------------------------------------------------------------------------"
                DOMAIN_DIR=${DA_HOME}/imap/${d}
                if [ -h $DOMAIN_DIR ]; then
                        echo "No E-Mail accounts for domain $d"
                        echo "-----------------------------------------------------------------------------------------"
                        echo ""
                        continue;
                fi
                for maildir in `ls -d ${DOMAIN_DIR}/*/Maildir 2>/dev/null`; do
                {
                        learn_Maildir ${maildir}
                };
                done;
                if [ "`cat $DA_HOME/sa-learn.log`" = "" ]; then
                        echo "No E-Mail accounts for domain $d"
                fi
                su - $DA_USER -s /bin/sh -c "nice sa-learn --sync" >/dev/null
                echo "-----------------------------------------------------------------------------------------"
                echo ""
                };
        done;
        echo "Statistics for user $DA_USER:"
        echo "-----------------------------------------------------------------------------------------"
        su - $DA_USER -s /bin/sh -c "nice sa-learn --dump magic > $DA_HOME/sa-learn.log" >/dev/null
        cat $DA_HOME/sa-learn.log
        echo "-----------------------------------------------------------------------------------------"
        rm -rf $DA_HOME/sa-learn.log
        echo "#########################################################################################"
done;
 
That's curious; as far as I knew, DA prevents the use of the user "test".

Thanks for the update. Curious that the folder cur wasn't present, actually.

Regards
 
I know a month has passed but I just noticed something..

You removed the header of my script.. that's quite rude.. the least you can do for someone else's work is to keep his credit, don't you think?

Regards
 