Not sure if this is the right thread for this request, but I'd like to add my agreement. A couple of clients get LOTS of spam and they insist on forwarding everything to their gmail accounts, so gmail frequently gives warnings about rate-limiting our server.
SpamBlocker 4.3.0, BlockCracking, Easy Spam Figther, and new exim.pl
- Thread starter DirectAdmin Support
- Start date
Not sure if this is the right thread for this request, but I'd like to add my agreement. A couple of clients get LOTS of spam and they insist on forwarding everything to their gmail accounts, so gmail frequently gives warnings about rate-limiting our server.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
One of our clients is seeing a lot of spam all from a servername ending in .link (which of course doesn't exist). Lots of different IP#s.
I seem to remember someone had a fix to exim.conf so we could use one of our files with a wildcard at the beginning, so it could block all domains ending in .link (for example).
Anyone remember what that was? I'm probably searching wrong because I can't find it
.
Thanks.
Jeff
I seem to remember someone had a fix to exim.conf so we could use one of our files with a wildcard at the beginning, so it could block all domains ending in .link (for example).
Anyone remember what that was? I'm probably searching wrong because I can't find it
.Thanks.
Jeff
unihostbrasil
Verified User
Code:
domainlist blacklist_domains = wildlsearch;/etc/virtual/blacklist_domains
hostlist bad_sender_hosts = wildlsearch;/etc/virtual/bad_sender_hosts
...
SeLLeRoNe
Super Moderator
How is aggressive? Any log hint? What rule did was aggressive?
I do use this since month now.. and i had any false positive at all... Just some MX server in some RBL's, but that is not exim.conf SB relative.. the 4.2 had same RBL's...
So, before say "this can not be used in production"... give us some informations in detail about what and how... so that can be "fixed/improoved" in next release
Regards
I do use this since month now.. and i had any false positive at all... Just some MX server in some RBL's, but that is not exim.conf SB relative.. the 4.2 had same RBL's...
So, before say "this can not be used in production"... give us some informations in detail about what and how... so that can be "fixed/improoved" in next release
Regards
You are right, here some details:
I've a lot of temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
Some DKIM: Failed. reason='bodyhash_mismatch'
And a lot of false marked spam with "rejected after DATA: Your message was classified as SPAM"
But the critical issue for me is that the whitelist file is not considered., for example:
2014-12-05 10:24:15 1Xwp7V-0007E0-0o H=(ctu.ctu.iuculano.org) [10.0.0.10] X=TLSv1.1
HE-RSA-AES256-SHA:256 F=<[email protected]> rejected after DATA: Your message was classified as SPAM. Please add more content, cut down on HTML links, use fewer naughty words etc. Also, ask your IT dept to make sure your mailserver has REVERSEDNS, SPF and is not on any black lists. Your score: 130(10.0.0.0/24 is whitelisted.)
I don't know if the DKIM issue is misconfiguration or not, I didn't investigate but what I mean is that this is not a configuration that can be used "out of the box", and unfortunately I've no time to debug and tuning this.
SeLLeRoNe
Super Moderator
Well...
Regarding the DKIM: defer you should check this: http://forum.directadmin.com/showthread.php?t=50456&highlight=DKIM:+Deferred.
And check the file: /etc/exim.easy_spam_fighter/check_dkim.conf
Also, keep in mind.. that if a mail server pretend to have mail with DKIM sign and he dont provide the sign key in DNS.. well.. is not your missconfiguration but the sending host's side issue...
Regarding the second issue, i never saw something like that, should be needed an investigation yes...
Regarding the whitelist not working that's actually strange, what whitelist file did you filled?
The error you give is probably set from file /etc/exim.easy_spam_fighter/variables.conf (you should lower values to sign as spam in that file) since its true, the internal IP have no rDNS and SPF (so a local DNS missconfiguration), but itself the whitelist should work...
The file related to whitelist an IP should be: /etc/virtual/whitelist_hosts_ip and it is working since i do use it... so, if you set that file, be also sure is set to mail:mail as owner
Regards
Regarding the DKIM: defer you should check this: http://forum.directadmin.com/showthread.php?t=50456&highlight=DKIM:+Deferred.
And check the file: /etc/exim.easy_spam_fighter/check_dkim.conf
Also, keep in mind.. that if a mail server pretend to have mail with DKIM sign and he dont provide the sign key in DNS.. well.. is not your missconfiguration but the sending host's side issue...
Regarding the second issue, i never saw something like that, should be needed an investigation yes...
Regarding the whitelist not working that's actually strange, what whitelist file did you filled?
The error you give is probably set from file /etc/exim.easy_spam_fighter/variables.conf (you should lower values to sign as spam in that file) since its true, the internal IP have no rDNS and SPF (so a local DNS missconfiguration), but itself the whitelist should work...
The file related to whitelist an IP should be: /etc/virtual/whitelist_hosts_ip and it is working since i do use it... so, if you set that file, be also sure is set to mail:mail as owner
Regards
The file is processed, infact I've:
2014-12-05 09:01:14 10.0.0.10 whitelisted in local hosts IP# whitelist
But it is rejected.
Regarding other issues, as I wrote before, I don't have time to fix conf and my feedback was simply "this is not a configuration that can be used out of the box" because you will have a lot of false positives.
Last edited:
SeLLeRoNe
Super Moderator
I see your point, maybe the easy_spam_fighter isnt checking the whitelist, that should definitly be a sort of bug and should be fixed.
Regards
Regards
- Joined
- Feb 27, 2003
- Messages
- 8,509
Ah thanks for the report.
I've moved this line:
From just before #EDIT#27
and moved it just before #COMMENT#43
Moving it lower, allows the whitelist bits to do their job.
exim.conf 4.3.0 alpha 4 now available on files1.
John
I've moved this line:
Code:
.include_if_exists /etc/exim.easy_spam_fighter/check_rcpt.confand moved it just before #COMMENT#43
Moving it lower, allows the whitelist bits to do their job.
exim.conf 4.3.0 alpha 4 now available on files1.
John
Thanks John, you should also move the whitelist stuff before #EDIT#27. In this way whitelisted hosts will not be checked against HELO_SHOULD_BE_FQDN and they are really whitelisted
Cheers,
Giuseppe
- Joined
- Feb 27, 2003
- Messages
- 8,509
Uploaded alpha 6.
Did some rework for the white-listing, where it does the checks as soon as it can (moved from the rcpt acl to the mail acl), and then sets a variable:
acl_m_is_whitelisted=1
checked later in the other ACLs.
The future ACLs can then pass early, bypassing possible drops (like SPF, bad hostnames, DKIM, etc..)
It doesn't 100% overrule absolute everything though.. just to be safe.
Specifically, a few checks in acl_check_recipient are still done before the whitelist accepts it.
Still have to pass:
- invalid domains
- send limit already hit (to prevent spammer, even if it's whitelisted)
- too many bounced recipients
- too many failed recipients
- domain is supended
- authenticated, but in /etc/virtual/blacklist_usernames
The diff from alpha4 to alpha5 is here:
http://files1.directadmin.com/servi...chnology-v4.3.0-alphta4-to-v4.3.0-alpha6.diff
Alpha 5 is here:
http://files1.directadmin.com/services/SpamBlocker/4.3.0/exim.conf-SpamBlockerTechnology-v4.3.0.txt
John
Did some rework for the white-listing, where it does the checks as soon as it can (moved from the rcpt acl to the mail acl), and then sets a variable:
acl_m_is_whitelisted=1
checked later in the other ACLs.
The future ACLs can then pass early, bypassing possible drops (like SPF, bad hostnames, DKIM, etc..)
It doesn't 100% overrule absolute everything though.. just to be safe.
Specifically, a few checks in acl_check_recipient are still done before the whitelist accepts it.
Still have to pass:
- invalid domains
- send limit already hit (to prevent spammer, even if it's whitelisted)
- too many bounced recipients
- too many failed recipients
- domain is supended
- authenticated, but in /etc/virtual/blacklist_usernames
The diff from alpha4 to alpha5 is here:
http://files1.directadmin.com/servi...chnology-v4.3.0-alphta4-to-v4.3.0-alpha6.diff
Alpha 5 is here:
http://files1.directadmin.com/services/SpamBlocker/4.3.0/exim.conf-SpamBlockerTechnology-v4.3.0.txt
John
Last edited:
SeLLeRoNe
Super Moderator
I suppose you did made already other edits since the newer version is Alpha 6
Also CB doenst recognize with ./build versions the newer version, before it was, but now it show only:
Latest version of exim.conf: 4.3.0
Installed version of exim.conf: 4.3.0
I supose it's cause you moved the alpha version in a new line, this prvent CB to notice updated, could that be fixed?
Regards
Also CB doenst recognize with ./build versions the newer version, before it was, but now it show only:
Latest version of exim.conf: 4.3.0
Installed version of exim.conf: 4.3.0
I supose it's cause you moved the alpha version in a new line, this prvent CB to notice updated, could that be fixed?
Regards
SeLLeRoNe
Super Moderator
Martynas pointed me to the thread where was explained why the check for alpha was removed
Regards
Regards
More info about customizations/installation (URL is now mentioned in the first post of the thread too): http://help.directadmin.com/item.php?id=576
duke28
Verified User
hi, just for verify, i test on one of ours servers
and i see this error sometimes into /var/log/maillog
Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
somethings is wrong or not ?
more logs :
Dec 17 04:50:26 box2 spamd[676119]: spamd: connection from 127.0.0.1 [127.0.0.1]:38462 to port 783, fd 5
Dec 17 04:50:26 box2 spamd[676119]: spamd: setuid to nobody succeeded
Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: spamd: checking message <[email protected]> for nobody:99
Dec 17 04:50:27 box2 spamd[676119]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /.spamassassin/bayes.lock.box2.domaineinternet.ca.676119 for /.spamassassin/bayes.lock: No such file or directory
Dec 17 04:50:27 box2 spamd[676119]: spamd: clean message (6.0/7.5) for nobody:99 in 1.1 seconds, 3897 bytes.
Dec 17 04:50:27 box2 spamd[676119]: spamd: result: . 6 - URIBL_BLOCKED scantime=1.1,size=3897,user=nobody,uid=99,required_score=7.5,rhost=127.0.0.1,raddr=127.0.0.1,rport=38462,mid=<[email protected]>,autolearn=unavailable autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: IB
Dec 17 04:50:27 box2 spamd[676120]: spamd: connection from ::1 [::1]:48425 to port 783, fd 6
Dec 17 04:50:27 box2 spamd[676120]: spamd: setuid to fleblanc succeeded
Dec 17 04:50:27 box2 spamd[676120]: spamd: processing message <[email protected]> for fleblanc:603
Dec 17 04:50:27 box2 spamd[676120]: spamd: clean message (4.1/5.2) for fleblanc:603 in 0.3 seconds, 3885 bytes.
Dec 17 04:50:27 box2 spamd[676120]: spamd: result: . 4 - BAYES_00,URIBL_BLOCKED scantime=0.3,size=3885,user=fleblanc,uid=603,required_score=5.2,rhost=::1,raddr=::1,rport=48425,mid=<[email protected]>,bayes=0.000000,autolearn=ham autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: II
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Connect from local
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237, [email protected]): P58MBb5RkVSNUQoAEmL42g: msgid=<[email protected]>: saved mail to INBOX
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Disconnect from local: Successful quit
and i see this error sometimes into /var/log/maillog
Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
somethings is wrong or not ?
more logs :
Dec 17 04:50:26 box2 spamd[676119]: spamd: connection from 127.0.0.1 [127.0.0.1]:38462 to port 783, fd 5
Dec 17 04:50:26 box2 spamd[676119]: spamd: setuid to nobody succeeded
Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: spamd: checking message <[email protected]> for nobody:99
Dec 17 04:50:27 box2 spamd[676119]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /.spamassassin/bayes.lock.box2.domaineinternet.ca.676119 for /.spamassassin/bayes.lock: No such file or directory
Dec 17 04:50:27 box2 spamd[676119]: spamd: clean message (6.0/7.5) for nobody:99 in 1.1 seconds, 3897 bytes.
Dec 17 04:50:27 box2 spamd[676119]: spamd: result: . 6 - URIBL_BLOCKED scantime=1.1,size=3897,user=nobody,uid=99,required_score=7.5,rhost=127.0.0.1,raddr=127.0.0.1,rport=38462,mid=<[email protected]>,autolearn=unavailable autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: IB
Dec 17 04:50:27 box2 spamd[676120]: spamd: connection from ::1 [::1]:48425 to port 783, fd 6
Dec 17 04:50:27 box2 spamd[676120]: spamd: setuid to fleblanc succeeded
Dec 17 04:50:27 box2 spamd[676120]: spamd: processing message <[email protected]> for fleblanc:603
Dec 17 04:50:27 box2 spamd[676120]: spamd: clean message (4.1/5.2) for fleblanc:603 in 0.3 seconds, 3885 bytes.
Dec 17 04:50:27 box2 spamd[676120]: spamd: result: . 4 - BAYES_00,URIBL_BLOCKED scantime=0.3,size=3885,user=fleblanc,uid=603,required_score=5.2,rhost=::1,raddr=::1,rport=48425,mid=<[email protected]>,bayes=0.000000,autolearn=ham autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: II
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Connect from local
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237, [email protected]): P58MBb5RkVSNUQoAEmL42g: msgid=<[email protected]>: saved mail to INBOX
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Disconnect from local: Successful quit
duke28
Verified User
without this.. i got one problem into imap support ( for now i just verify in roundcube )
since i installed this, few new messages dont cannot be read and look well, the email on the list dont have any date
http://www.shareimg.co/thumbs/7/141880976863-0.png
i can find the message on the imap folder but he is in Maildir/cur and not Maildir/new but in roundcube he see him same of a new email
and i dont find any error logs about it into roundcube and into maillog
some clues please ?
but its work well into afterlogic webmail
but its since really i install this setup for spamblocker and lmtp..
sorry for my english
since i installed this, few new messages dont cannot be read and look well, the email on the list dont have any date
http://www.shareimg.co/thumbs/7/141880976863-0.png
i can find the message on the imap folder but he is in Maildir/cur and not Maildir/new but in roundcube he see him same of a new email
and i dont find any error logs about it into roundcube and into maillog
some clues please ?
but its work well into afterlogic webmail
but its since really i install this setup for spamblocker and lmtp..
sorry for my english
duke28
Verified User
why this mail is not flag to be spam ?
since few month spamassassin is really bad..
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from box2.domaineinternet.ca
by box2.domaineinternet.ca (Dovecot) with LMTP id Rv6zIwQrlFTBhgMAEmL42g
for <[email protected]>; Fri, 19 Dec 2014 08:48:01 -0500
Return-path: <[email protected]>
Received: from mail by box2.domaineinternet.ca with spam-scanned (Exim 4.84)
(envelope-from <[email protected]>)
id 1Y1xuN-000z3A-F5
for [email protected]; Fri, 19 Dec 2014 08:48:01 -0500
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
box2.domaineinternet.ca
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=6.5 tests=HTML_IMAGE_RATIO_06,
HTML_MESSAGE,RCVD_IN_SORBS_DUL,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY,
URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0
Received: from j5t2s6r.snoadd.eu ([172.245.242.32])
by box2.domaineinternet.ca with esmtp (Exim 4.84)
(envelope-from <[email protected]>)
id 1Y1xuH-000z2C-H7
for [email protected]; Fri, 19 Dec 2014 08:47:55 -0500
Received: from 1a632d11.j5t2s6r.snoadd.eu (amavisd, port 10572)
by j5t2s6r.snoadd.eu with ESMTP id 1AGNTXN632DYAMGG11;
for <[email protected]>; Fri, 19 Dec 2014 06:46:32 -0700
Subject: Christmas Wine from Virgin: Save $80 on 12 Fantastic + 3 FREE Bottles
Message-ID: <5572YFVVTXDUL442701645-diffusion=fortier-danse.com@j5t2s6r.snoadd.eu>
To: <[email protected]>
From: "Virgin Wines" <[email protected]>
Date: Fri, 19 Dec 2014 06:46:32 -0700
Content-Language: en-us
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative;
boundary="----=Part.448.5307.1418996792"
SPFCheck: Server passes SPF test, -30 Spam score
SpamTally: Final spam score: -30
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
since few month spamassassin is really bad..
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from box2.domaineinternet.ca
by box2.domaineinternet.ca (Dovecot) with LMTP id Rv6zIwQrlFTBhgMAEmL42g
for <[email protected]>; Fri, 19 Dec 2014 08:48:01 -0500
Return-path: <[email protected]>
Received: from mail by box2.domaineinternet.ca with spam-scanned (Exim 4.84)
(envelope-from <[email protected]>)
id 1Y1xuN-000z3A-F5
for [email protected]; Fri, 19 Dec 2014 08:48:01 -0500
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
box2.domaineinternet.ca
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=6.5 tests=HTML_IMAGE_RATIO_06,
HTML_MESSAGE,RCVD_IN_SORBS_DUL,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY,
URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0
Received: from j5t2s6r.snoadd.eu ([172.245.242.32])
by box2.domaineinternet.ca with esmtp (Exim 4.84)
(envelope-from <[email protected]>)
id 1Y1xuH-000z2C-H7
for [email protected]; Fri, 19 Dec 2014 08:47:55 -0500
Received: from 1a632d11.j5t2s6r.snoadd.eu (amavisd, port 10572)
by j5t2s6r.snoadd.eu with ESMTP id 1AGNTXN632DYAMGG11;
for <[email protected]>; Fri, 19 Dec 2014 06:46:32 -0700
Subject: Christmas Wine from Virgin: Save $80 on 12 Fantastic + 3 FREE Bottles
Message-ID: <5572YFVVTXDUL442701645-diffusion=fortier-danse.com@j5t2s6r.snoadd.eu>
To: <[email protected]>
From: "Virgin Wines" <[email protected]>
Date: Fri, 19 Dec 2014 06:46:32 -0700
Content-Language: en-us
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative;
boundary="----=Part.448.5307.1418996792"
SPFCheck: Server passes SPF test, -30 Spam score
SpamTally: Final spam score: -30
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
haywardweb
Verified User
Is there a mechanism to provide a custom override for /etc/exim.easy_spam_fighter/check_dkim.conf (via CB2)? After reviewing my logs, I found that 100% of messages rejected with "DKIM: Failed" were mangled by mailing lists. My users want these messages.
My workaround (not even sure if this is valid syntax) is to change deny to warn in check_dkim.conf:
I suspect this will get overwritten by CB2. I'd like to make it permanent (until I find a more appropriate solution).
My workaround (not even sure if this is valid syntax) is to change deny to warn in check_dkim.conf:
Code:
sed -i s/deny/warn/ /etc/exim.easy_spam_fighter/check_dkim.conf
Code:
warn
add_header = X-DKIM: signer='$dkim_cur_signer' status='$dkim_verify_status' reason='$dkim_verify_reason'
defer
dkim_status = invalid
log_message = DKIM: Deferred. reason='$dkim_verify_reason'
message = DKIM Signature validation has failed. May be a temporary problem.
warn
dkim_status = fail
log_message = DKIM: Failed. reason='$dkim_verify_reason'
message = DKIM Signature validation has failed.
warn
dkim_status = pass
set acl_m_easy69 = ${eval:$acl_m_easy69+EASY_DKIM_PASS}
add_header = DKIMCheck: Server passes DKIM test, EASY_DKIM_PASS Spam scoreI suspect this will get overwritten by CB2. I'd like to make it permanent (until I find a more appropriate solution).
zEitEr
Super Moderator
With exim.conf 4.3.2 you can use whitelists to skip some tests, including DKIM check.
So all what is needed is to add trusted IPs into /etc/virtual/whitelist_hosts_ip (one IP per line with empty bottom line).
At least this is what we started to use. I hope we could disable test other way.
So all what is needed is to add trusted IPs into /etc/virtual/whitelist_hosts_ip (one IP per line with empty bottom line).
At least this is what we started to use. I hope we could disable test other way.