SpamBlocker 4.3.0, BlockCracking, Easy Spam Fighter, and new exim.pl

twv

Verified User
Joined
Oct 31, 2003
Messages
185
Regarding forwarders in DirectAdmin: when a customer forwards emails to, for example, their Gmail account, spam is forwarded as well. Gmail sees the spam as if it were sent from our mail server.

I ask that DirectAdmin change the forwarders so that the envelope sender is not changed when forwarding emails, so that Gmail doesn't see it as spam sent from our mail server. Here is a quote from "Best practices for forwarding mail to Gmail" at https://support.google.com/mail/answer/175365?hl=en
Not sure if this is the right thread for this request, but I'd like to add my agreement. A couple of clients get LOTS of spam and they insist on forwarding everything to their Gmail accounts, so Gmail frequently gives warnings about rate-limiting our server.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
One of our clients is seeing a lot of spam, all from a server name ending in .link (which of course doesn't exist). Lots of different IP#s.

I seem to remember someone had a fix to exim.conf so we could use one of our files with a wildcard at the beginning, so it could block all domains ending in .link (for example).

Anyone remember what that was? I'm probably searching wrong because I can't find it :(.

Thanks.

Jeff
 

unihostbrasil

Verified User
Joined
Nov 23, 2009
Messages
170
Location
São Paulo - Brazil
I seem to remember someone had a fix to exim.conf so we could use one of our files with a wildcard at the beginning, so it could block all domains ending in .link (for example).
Code:
domainlist blacklist_domains = wildlsearch;/etc/virtual/blacklist_domains
hostlist bad_sender_hosts = wildlsearch;/etc/virtual/bad_sender_hosts
...
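As an added illustration (not Exim's code and not the DirectAdmin exim.conf), the following Python reimplements the matching rules Exim applies to the keys of a wildlsearch file such as /etc/virtual/blacklist_domains above, so the effect of a key like *.link can be checked offline. Per the Exim specification for wildlsearch/nwildlsearch: a key beginning with "*" matches the end of the subject string, a key beginning with "^" is a regular expression, any other key is a literal, and matching is case-insensitive. The file content and the domains tested are constructed. One caveat from the same spec that the model leaves out: with wildlsearch (the type in the posted lines) each key is string-expanded before use, so a regex containing "$" must be wrapped in \N...\N; nwildlsearch skips the expansion and is the safer choice for admin-edited lists.

```python
"""How Exim matches the keys of a wildlsearch file, reimplemented.

Added illustration, not Exim or DirectAdmin code.  It models the lookup used
by the domainlist/hostlist lines above so the effect of a key like "*.link"
can be checked offline.  Rules from the Exim spec for (n)wildlsearch: a key
starting with "*" matches the end of the subject, a key starting with "^" is
a regular expression, anything else is a literal; all case-insensitive.  The
string expansion that wildlsearch applies to keys is not modelled
(nwildlsearch skips it).  File content and domains below are constructed.
"""
import re

# Constructed stand-in for /etc/virtual/blacklist_domains.
BLACKLIST_DOMAINS = """\
# one key per line; lsearch syntax allows an optional ": data" after it
*.link
spammy.example: blocked since 2014-12
^mail[0-9]+\\.bulk\\.example$
"""


def parse_keys(text):
    """Yield the key of each non-blank, non-comment line.

    As in lsearch, the key ends at the first colon or whitespace (the quoting
    lsearch also allows is not needed for these keys).
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        yield re.split(r"[:\s]", line, maxsplit=1)[0]


def wildlsearch_match(key, subject):
    """True if one wildlsearch key matches the subject string."""
    if key.startswith("*"):                      # "*.link" => ends with ".link"
        return subject.lower().endswith(key[1:].lower())
    if key.startswith("^"):                      # regular expression
        return re.search(key, subject, re.IGNORECASE) is not None
    return subject.lower() == key.lower()        # literal


def blacklisted_domain(domain, text=BLACKLIST_DOMAINS):
    """Return the key that blocks `domain`, or None; a deny ACL acts on a match."""
    for key in parse_keys(text):
        if wildlsearch_match(key, domain):
            return key
    return None


if __name__ == "__main__":
    for d in ("promo.snoadd.link", "SPAMMY.EXAMPLE", "mail42.bulk.example",
              "link", "example.linkedin.com", "notspammy.example"):
        print(f"{d:24} -> {blacklisted_domain(d)}")
```

Note that "*.link" matches only names that end in ".link", so "link" alone and "example.linkedin.com" pass through. A sender domain costs a spammer nothing to change, so the domainlist form only quiets one campaign; the hostlist form is matched against the connecting host's reverse-DNS name and is the one to use when the rDNS names really do share a suffix.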
 

Derevko

Verified User
Joined
Feb 18, 2012
Messages
41
Hey guys,

I've tried this and my feedback is that the default conf is too aggressive!
This cannot be used in production; I saw a lot of false positives.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
How is it aggressive? Any log hints? Which rule was aggressive?

I have been using this for months now, and I haven't had any false positives at all... Just some MX servers in some RBLs, but that is not related to the SB exim.conf; 4.2 had the same RBLs...

So, before saying "this can not be used in production", give us some detailed information about what and how, so that it can be fixed/improved in the next release.

Regards
 

Derevko

Verified User
Joined
Feb 18, 2012
Messages
41
So, before saying "this can not be used in production", give us some detailed information about what and how, so that it can be fixed/improved in the next release.
You are right; here are some details:

I have a lot of temporarily rejected DKIM: DKIM: Deferred. reason='pubkey_unavailable'

Some DKIM: Failed. reason='bodyhash_mismatch'

And a lot of mail falsely marked as spam with "rejected after DATA: Your message was classified as SPAM"

But the critical issue for me is that the whitelist file is not considered, for example:

2014-12-05 10:24:15 1Xwp7V-0007E0-0o H=(ctu.ctu.iuculano.org) [10.0.0.10] X=TLSv1.1:DHE-RSA-AES256-SHA:256 F=<giuseppe@ctmobi.it> rejected after DATA: Your message was classified as SPAM. Please add more content, cut down on HTML links, use fewer naughty words etc. Also, ask your IT dept to make sure your mailserver has REVERSEDNS, SPF and is not on any black lists. Your score: 130
(10.0.0.0/24 is whitelisted.)

I don't know if the DKIM issue is a misconfiguration or not; I didn't investigate. But what I mean is that this is not a configuration that can be used "out of the box", and unfortunately I have no time to debug and tune this.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
Well...

Regarding the DKIM: defer you should check this: http://forum.directadmin.com/showthread.php?t=50456&highlight=DKIM:+Deferred.
And check the file: /etc/exim.easy_spam_fighter/check_dkim.conf
Also, keep in mind that if a mail server claims its mail is DKIM-signed but doesn't publish the signing key in DNS, well, that is not your misconfiguration but an issue on the sending host's side...

Regarding the second issue, I never saw something like that; an investigation would be needed, yes...

Regarding the whitelist not working, that's actually strange. Which whitelist file did you fill?

The error you got is probably set in the file /etc/exim.easy_spam_fighter/variables.conf (you should lower the values used to mark it as spam in that file), since it is true that the internal IP has no rDNS and SPF (so a local DNS misconfiguration), but the whitelist itself should work...

The file for whitelisting an IP should be /etc/virtual/whitelist_hosts_ip, and it is working, since I use it... so, if you set that file, also be sure it is owned by mail:mail

Regards
 

Derevko

Verified User
Joined
Feb 18, 2012
Messages
41
Well...

Regarding the whitelist not working, that's actually strange. Which whitelist file did you fill?

The error you got is probably set in the file /etc/exim.easy_spam_fighter/variables.conf (you should lower the values used to mark it as spam in that file), since it is true that the internal IP has no rDNS and SPF (so a local DNS misconfiguration), but the whitelist itself should work...

The file for whitelisting an IP should be /etc/virtual/whitelist_hosts_ip, and it is working, since I use it... so, if you set that file, also be sure it is owned by mail:mail

Regards
The file is processed; in fact I have:
2014-12-05 09:01:14 10.0.0.10 whitelisted in local hosts IP# whitelist

But it is rejected.

Regarding the other issues, as I wrote before, I don't have time to fix the conf, and my feedback was simply "this is not a configuration that can be used out of the box", because you will have a lot of false positives.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
I see your point; maybe easy_spam_fighter isn't checking the whitelist. That would definitely be a sort of bug and should be fixed.

Regards
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,035
Ah thanks for the report.
I've moved this line:
Code:
.include_if_exists /etc/exim.easy_spam_fighter/check_rcpt.conf
From just before #EDIT#27
and moved it just before #COMMENT#43

Moving it lower, allows the whitelist bits to do their job.

exim.conf 4.3.0 alpha 4 now available on files1.

John
 

Derevko

Verified User
Joined
Feb 18, 2012
Messages
41
Ah thanks for the report.
I've moved this line:
Code:
.include_if_exists /etc/exim.easy_spam_fighter/check_rcpt.conf
From just before #EDIT#27
and moved it just before #COMMENT#43

Moving it lower, allows the whitelist bits to do their job.

exim.conf 4.3.0 alpha 4 now available on files1.

John

Thanks John, you should also move the whitelist stuff before #EDIT#27. In this way whitelisted hosts will not be checked against HELO_SHOULD_BE_FQDN and they are really whitelisted :)

Cheers,
Giuseppe
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,035
Uploaded alpha 6.
Did some rework for the white-listing, where it does the checks as soon as it can (moved from the rcpt acl to the mail acl), and then sets a variable:
acl_m_is_whitelisted=1
checked later in the other ACLs.

The future ACLs can then pass early, bypassing possible drops (like SPF, bad hostnames, DKIM, etc..)

It doesn't 100% overrule absolute everything though.. just to be safe.
Specifically, a few checks in acl_check_recipient are still done before the whitelist accepts it.
Still have to pass:
- invalid domains
- send limit already hit (to prevent spammer, even if it's whitelisted)
- too many bounced recipients
- too many failed recipients
- domain is suspended
- authenticated, but in /etc/virtual/blacklist_usernames

The diff from alpha4 to alpha5 is here:
http://files1.directadmin.com/servi...chnology-v4.3.0-alphta4-to-v4.3.0-alpha6.diff

Alpha 5 is here:
http://files1.directadmin.com/services/SpamBlocker/4.3.0/exim.conf-SpamBlockerTechnology-v4.3.0.txt

John
 
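As an added illustration (not DirectAdmin's exim.conf, whose ACLs contain far more statements than this), the Python below models the Exim ACL evaluation rule behind the two fixes John describes: statements run top to bottom, the first accept, deny or defer whose conditions all hold ends the ACL, warn only logs and continues, and running off the end denies. Under that rule a deny pulled in by .include_if_exists above the whitelist accept rejects a whitelisted host, while moving the include below it lets the accept win (alpha 4). The alpha 6 layout is modelled as well: the MAIL ACL sets acl_m_is_whitelisted, and the recipient ACL still runs the checks John lists before honouring it. The whitelist file content, CIDR support in it, and the Easy Spam Fighter checks standing in for check_rcpt.conf (a HELO-is-FQDN check and an rDNS check) are assumptions; only the recipient ACL is modelled, not the DATA ACL.

```python
"""Exim ACL evaluation order, as behind the whitelist fixes described above.

Added model, not DirectAdmin's exim.conf.  Exim runs ACL statements top to
bottom: the first accept, deny or defer whose conditions all hold ends the
ACL, warn only logs and continues, and reaching the end denies.  Whitelist
file content, CIDR support in it, and the Easy Spam Fighter checks standing
in for check_rcpt.conf are assumptions; only the recipient ACL is modelled.
"""
import ipaddress

# Constructed stand-in for /etc/virtual/whitelist_hosts_ip (CIDR assumed).
WHITELIST_HOSTS_IP = ["10.0.0.0/24", "192.0.2.10"]


def host_is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in WHITELIST_HOSTS_IP)


def run_acl(statements, ctx):
    """Evaluate (verb, condition, reason) triples with Exim's semantics."""
    for verb, cond, reason in statements:
        if not cond(ctx):
            continue
        if verb == "warn":
            ctx.setdefault("log", []).append(reason)
            continue
        return verb, reason                 # accept/deny/defer ends the ACL
    return "deny", "end of ACL"             # no verb matched


# Checks John lists as still enforced before the whitelist is honoured.
ALWAYS_ENFORCED = [
    ("deny", lambda c: not c["recipient_domain_valid"], "invalid domain"),
    ("deny", lambda c: c["send_limit_hit"], "send limit already hit"),
    ("deny", lambda c: c["domain_suspended"], "domain is suspended"),
]
WHITELIST_ACCEPT = [
    ("warn", lambda c: c["acl_m_is_whitelisted"] == 1,
     "whitelisted in local hosts IP# whitelist"),
    ("accept", lambda c: c["acl_m_is_whitelisted"] == 1, "whitelisted"),
]
# Assumed stand-in for what .include_if_exists check_rcpt.conf contributes.
ESF_RCPT_CHECKS = [
    ("deny", lambda c: not c["helo_is_fqdn"], "HELO_SHOULD_BE_FQDN"),
    ("deny", lambda c: not c["has_rdns"], "no reverse DNS"),
]
FINAL_ACCEPT = [("accept", lambda c: True, "accepted")]


def acl_check_mail(ctx):
    """alpha 6: decide whitelisting once, at MAIL FROM, for the later ACLs."""
    ctx["acl_m_is_whitelisted"] = 1 if host_is_whitelisted(ctx["sender_ip"]) else 0


def acl_check_recipient(ctx, include_above_whitelist):
    if include_above_whitelist:   # the include sitting above the whitelist
        order = ESF_RCPT_CHECKS + ALWAYS_ENFORCED + WHITELIST_ACCEPT + FINAL_ACCEPT
    else:                         # moved below it, as in alpha 4 onward
        order = ALWAYS_ENFORCED + WHITELIST_ACCEPT + ESF_RCPT_CHECKS + FINAL_ACCEPT
    return run_acl(order, ctx)


def session(sender_ip, **flags):
    """A constructed SMTP session; keyword flags override clean defaults."""
    ctx = dict(sender_ip=sender_ip, recipient_domain_valid=True,
               send_limit_hit=False, domain_suspended=False,
               helo_is_fqdn=True, has_rdns=True)
    ctx.update(flags)
    return ctx


def rcpt_result(sender_ip, include_above_whitelist=False, **flags):
    """Run the MAIL and RCPT ACLs and return (verb, reason)."""
    ctx = session(sender_ip, **flags)
    acl_check_mail(ctx)
    return acl_check_recipient(ctx, include_above_whitelist)


if __name__ == "__main__":
    # the host from the log earlier in the thread: whitelisted, no rDNS, bare HELO
    for layout in (True, False):
        print("include above whitelist" if layout else "include below whitelist",
              rcpt_result("10.0.0.10", layout, helo_is_fqdn=False, has_rdns=False))
```

Derevko's follow-up about HELO_SHOULD_BE_FQDN is the same ordering point: any check placed above the whitelist statements applies to whitelisted hosts too. The flip side is that an IP in whitelist_hosts_ip then skips the SPF, DKIM and HELO checks entirely, so the file should hold only hosts you administer, such as the 10.0.0.0/24 relay in the log above, never a third-party range.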

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
I suppose you already made other edits, since the newer version is alpha 6 :)

Also, CB doesn't recognize the newer version with ./build versions; it did before, but now it shows only:

Latest version of exim.conf: 4.3.0
Installed version of exim.conf: 4.3.0


I suppose it's because you moved the alpha version to a new line; this prevents CB from noticing the update. Could that be fixed?

Regards
 

duke28

Verified User
Joined
Oct 30, 2005
Messages
303
Location
Montreal - Canada
Hi, just to verify, I tested on one of our servers

and I see this error sometimes in /var/log/maillog

Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs


Is something wrong, or not?

More logs:

Dec 17 04:50:26 box2 spamd[676119]: spamd: connection from 127.0.0.1 [127.0.0.1]:38462 to port 783, fd 5
Dec 17 04:50:26 box2 spamd[676119]: spamd: setuid to nobody succeeded
Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: spamd: checking message <f7879b25db3dfab3cd134bd976dc079b@www.ailesquebecoises.net> for nobody:99
Dec 17 04:50:27 box2 spamd[676119]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /.spamassassin/bayes.lock.box2.domaineinternet.ca.676119 for /.spamassassin/bayes.lock: No such file or directory
Dec 17 04:50:27 box2 spamd[676119]: spamd: clean message (6.0/7.5) for nobody:99 in 1.1 seconds, 3897 bytes.
Dec 17 04:50:27 box2 spamd[676119]: spamd: result: . 6 - URIBL_BLOCKED scantime=1.1,size=3897,user=nobody,uid=99,required_score=7.5,rhost=127.0.0.1,raddr=127.0.0.1,rport=38462,mid=<f7879b25db3dfab3cd134bd976dc079b@www.ailesquebecoises.net>,autolearn=unavailable autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: IB
Dec 17 04:50:27 box2 spamd[676120]: spamd: connection from ::1 [::1]:48425 to port 783, fd 6
Dec 17 04:50:27 box2 spamd[676120]: spamd: setuid to fleblanc succeeded
Dec 17 04:50:27 box2 spamd[676120]: spamd: processing message <f7879b25db3dfab3cd134bd976dc079b@www.ailesquebecoises.net> for fleblanc:603
Dec 17 04:50:27 box2 spamd[676120]: spamd: clean message (4.1/5.2) for fleblanc:603 in 0.3 seconds, 3885 bytes.
Dec 17 04:50:27 box2 spamd[676120]: spamd: result: . 4 - BAYES_00,URIBL_BLOCKED scantime=0.3,size=3885,user=fleblanc,uid=603,required_score=5.2,rhost=::1,raddr=::1,rport=48425,mid=<f7879b25db3dfab3cd134bd976dc079b@www.ailesquebecoises.net>,bayes=0.000000,autolearn=ham autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: II
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Connect from local
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237, intairbraff@intairbraff.com): P58MBb5RkVSNUQoAEmL42g: msgid=<f7879b25db3dfab3cd134bd976dc079b@www.ailesquebecoises.net>: saved mail to INBOX
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Disconnect from local: Successful quit
 

duke28

Verified User
Joined
Oct 30, 2005
Messages
303
Location
Montreal - Canada
Besides this, I got one problem with IMAP support (for now I only verified it in Roundcube).

Since I installed this, a few new messages cannot be read and displayed properly; the email in the list doesn't have any date.

http://www.shareimg.co/thumbs/7/141880976863-0.png

I can find the message in the IMAP folder, but it is in Maildir/cur and not Maildir/new, yet Roundcube shows it like a new email.

And I don't find any error logs about it in Roundcube or in maillog.

Some clues, please?

But it works well in AfterLogic webmail.

But it really started since I installed this setup for SpamBlocker and LMTP.

Sorry for my English.
 

duke28

Verified User
Joined
Oct 30, 2005
Messages
303
Location
Montreal - Canada
Why is this mail not flagged as spam?

For a few months SpamAssassin has been really bad...

Return-Path: <VirginWines@snoadd.eu>
Delivered-To: diffusion@fortier-danse.com
Received: from box2.domaineinternet.ca
by box2.domaineinternet.ca (Dovecot) with LMTP id Rv6zIwQrlFTBhgMAEmL42g
for <diffusion@fortier-danse.com>; Fri, 19 Dec 2014 08:48:01 -0500
Return-path: <VirginWines@snoadd.eu>
Received: from mail by box2.domaineinternet.ca with spam-scanned (Exim 4.84)
(envelope-from <VirginWines@snoadd.eu>)
id 1Y1xuN-000z3A-F5
for diffusion@fortier-danse.com; Fri, 19 Dec 2014 08:48:01 -0500
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
box2.domaineinternet.ca
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=6.5 tests=HTML_IMAGE_RATIO_06,
HTML_MESSAGE,RCVD_IN_SORBS_DUL,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY,
URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0
Received: from j5t2s6r.snoadd.eu ([172.245.242.32])
by box2.domaineinternet.ca with esmtp (Exim 4.84)
(envelope-from <VirginWines@snoadd.eu>)
id 1Y1xuH-000z2C-H7
for diffusion@fortier-danse.com; Fri, 19 Dec 2014 08:47:55 -0500
Received: from 1a632d11.j5t2s6r.snoadd.eu (amavisd, port 10572)
by j5t2s6r.snoadd.eu with ESMTP id 1AGNTXN632DYAMGG11;
for <diffusion@fortier-danse.com>; Fri, 19 Dec 2014 06:46:32 -0700
Subject: Christmas Wine from Virgin: Save $80 on 12 Fantastic + 3 FREE Bottles
Message-ID: <5572YFVVTXDUL442701645-diffusion=fortier-danse.com@j5t2s6r.snoadd.eu>
To: <diffusion@fortier-danse.com>
From: "Virgin Wines" <VirginWines@snoadd.eu>
Date: Fri, 19 Dec 2014 06:46:32 -0700
Content-Language: en-us
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative;
boundary="----=Part.448.5307.1418996792"
SPFCheck: Server passes SPF test, -30 Spam score
SpamTally: Final spam score: -30
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
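To read scoring headers like the ones above without eyeballing them, here is an added Python illustration (not SpamAssassin or SpamBlocker code) that parses the X-Spam-Status, SPFCheck and SpamTally headers and reports what each scorer concluded. SAMPLE_HEADERS is a constructed copy of the scoring headers from the message above, folded with leading whitespace on continuation lines as RFC 5322 requires; the thresholds it reports are the ones the headers carry. The one interpretation it adds is SpamAssassin's own documented meaning of URIBL_BLOCKED: the URI blocklist query was refused, which happens when the resolver in use (typically a shared or public one) has exceeded the list's query limit, so no URIBL rule can fire.

```python
"""Parsing the scoring headers on the message above.

Added illustration, not SpamAssassin or SpamBlocker code.  SAMPLE_HEADERS is
a constructed copy of the scoring headers from that message, folded with
leading whitespace on continuation lines as RFC 5322 requires.  The one
interpretation added is SpamAssassin's documented meaning of URIBL_BLOCKED:
the URI blocklist query was refused because the resolver in use exceeded the
list's query limit.
"""
import re

SAMPLE_HEADERS = (
    "X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on\r\n"
    " box2.domaineinternet.ca\r\n"
    "X-Spam-Level: \r\n"
    "X-Spam-Status: No, score=-0.0 required=6.5 tests=HTML_IMAGE_RATIO_06,\r\n"
    " HTML_MESSAGE,RCVD_IN_SORBS_DUL,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY,\r\n"
    " URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0\r\n"
    "SPFCheck: Server passes SPF test, -30 Spam score\r\n"
    "SpamTally: Final spam score: -30\r\n"
)


def unfold(raw):
    """Return {name: value}; folded continuation lines are joined by a space."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip()
            headers[name] = value.strip()
    return headers


def analyze(raw):
    """Summarise what SpamAssassin and the SpamBlocker SPF/tally headers say."""
    h = unfold(raw)
    status = h.get("X-Spam-Status", "")
    verdict = re.match(r"(Yes|No)", status)
    score = re.search(r"score=(-?[\d.]+)", status)
    required = re.search(r"required=([\d.]+)", status)
    tests_m = re.search(r"tests=(.*?)(?:\s+autolearn=|\s+version=|$)", status)
    tests = ([t for t in re.sub(r"\s+", "", tests_m.group(1)).split(",") if t]
             if tests_m else [])
    spf = re.search(r"(-?\d+) Spam score", h.get("SPFCheck", ""))
    tally = re.search(r"(-?\d+)", h.get("SpamTally", ""))

    notes = []
    if "URIBL_BLOCKED" in tests:
        notes.append("URIBL_BLOCKED: URI blocklist query refused by the list "
                     "(resolver over its query limit); no URIBL rule could fire")
    if spf and int(spf.group(1)) < 0:
        notes.append(f"SPFCheck: an SPF pass was credited {spf.group(1)} "
                     "toward the SpamBlocker tally")
    if score and required and float(score.group(1)) < float(required.group(1)):
        notes.append("SpamAssassin: score below the required threshold, not tagged")
    return {
        "sa_verdict": verdict.group(1) if verdict else None,
        "sa_score": float(score.group(1)) if score else None,
        "sa_required": float(required.group(1)) if required else None,
        "sa_tests": tests,
        "spf_bonus": int(spf.group(1)) if spf else None,
        "spamtally": int(tally.group(1)) if tally else None,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run against the headers above, the parser reports that SpamAssassin saw six rules fire for a net score of -0.0 against a 6.5 threshold with its URI blocklist lookups refused, and that the SpamBlocker side credited the SPF pass with -30 and ended on a tally of -30. A message whose sender publishes a valid SPF record for its bulk-mail host passes SPF by design, so SPF is evidence of who sent it, not of whether it is wanted.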
 

haywardweb

Verified User
Joined
Jan 12, 2005
Messages
19
Location
WA
Is there a mechanism to provide a custom override for /etc/exim.easy_spam_fighter/check_dkim.conf (via CB2)? After reviewing my logs, I found that 100% of messages rejected with "DKIM: Failed" were mangled by mailing lists. My users want these messages.

My workaround (not even sure if this is valid syntax) is to change deny to warn in check_dkim.conf:

Code:
sed -i s/deny/warn/ /etc/exim.easy_spam_fighter/check_dkim.conf
Code:
  warn
    add_header = X-DKIM: signer='$dkim_cur_signer' status='$dkim_verify_status' reason='$dkim_verify_reason'

  defer
    dkim_status = invalid
    log_message = DKIM: Deferred. reason='$dkim_verify_reason'
    message = DKIM Signature validation has failed. May be a temporary problem.

  warn
    dkim_status = fail
    log_message = DKIM: Failed. reason='$dkim_verify_reason'
    message = DKIM Signature validation has failed.

  warn
    dkim_status = pass
    set acl_m_easy69 = ${eval:$acl_m_easy69+EASY_DKIM_PASS}
    add_header = DKIMCheck: Server passes DKIM test, EASY_DKIM_PASS Spam score
I suspect this will get overwritten by CB2. I'd like to make it permanent (until I find a more appropriate solution).
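Behind both the bodyhash_mismatch failures Derevko reported and the mailing-list rejections above is the DKIM body hash. The Python below is an added illustration (not Exim's DKIM verifier and not the ACL fragment above) that computes the bh= value under the RFC 6376 simple and relaxed body canonicalizations, shows a constructed list footer breaking it, and shows what the optional l= body-length tag changes. Only the body hash is modelled; the signature (b=) and header canonicalization are out of scope, and the message bodies are constructed.

```python
"""DKIM body hash (bh=) under the RFC 6376 body canonicalizations.

Added illustration, not Exim's DKIM verifier and not the ACL above.  It
shows why a mailing list that appends a footer yields the
"DKIM: Failed. reason='bodyhash_mismatch'" seen in this thread, and what the
optional l= body-length tag changes.  Bodies are constructed; the signature
(b=) and header canonicalization are out of scope.
"""
import base64
import hashlib
import re

CRLF = b"\r\n"


def canonicalize_body(body, canon="relaxed"):
    """Canonical body per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    if canon not in ("simple", "relaxed"):
        raise ValueError(canon)
    if canon == "relaxed":
        # collapse runs of WSP to one SP and drop WSP at the end of each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t")
                 for ln in body.split(CRLF)]
        body = CRLF.join(lines)
    # both forms: ignore all empty lines at the end of the body ...
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    if body == CRLF:
        body = b""
    # ... and make a non-empty body end with CRLF
    if body and not body.endswith(CRLF):
        body += CRLF
    # simple canonicalizes an empty body as a single CRLF; relaxed as nothing
    if not body and canon == "simple":
        body = CRLF
    return body


def body_hash(body, canon="relaxed", length=None):
    """bh= value: base64(sha256(canonical body)), truncated to l= if given."""
    data = canonicalize_body(body, canon)
    if length is not None:
        if length > len(data):
            raise ValueError("l= exceeds the canonical body length")
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def verify_body_hash(body, bh, canon="relaxed", length=None):
    """What a verifier reports: 'pass' or the reason Exim logs."""
    return "pass" if body_hash(body, canon, length) == bh else "bodyhash_mismatch"


# Constructed body as the author sent it, and a constructed list footer.
ORIGINAL_BODY = b"Hello team,\r\n\r\nPlease review   the  change.\r\n"
LIST_FOOTER = b"\r\n-- \r\nList info: https://lists.example/listinfo\r\n"


def demo():
    """Hash the original, then let a mailing list append its footer."""
    bh = body_hash(ORIGINAL_BODY)                       # what the signer put in bh=
    l_tag = len(canonicalize_body(ORIGINAL_BODY))       # what a signer would put in l=
    return {
        "direct": verify_body_hash(ORIGINAL_BODY, bh),
        "via_list": verify_body_hash(ORIGINAL_BODY + LIST_FOOTER, bh),
        "via_list_with_l": verify_body_hash(ORIGINAL_BODY + LIST_FOOTER, bh,
                                            length=l_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Relaxed canonicalization forgives whitespace changes and nothing else, so any footer, disclaimer or re-encoding added by a list fails the hash. A signer can set l= to the canonical body length, after which a verifier ignores appended text, but RFC 6376 warns that everything past that length is then unsigned and can be replaced by anyone in transit; that is why most signers leave it out and why the practical answers in this thread are to downgrade the deny to warn or to whitelist the list's hosts.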
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
With exim.conf 4.3.2 you can use whitelists to skip some tests, including the DKIM check.
So all that is needed is to add trusted IPs into /etc/virtual/whitelist_hosts_ip (one IP per line, with an empty line at the bottom).

At least this is what we started to use. I hope we could disable the test another way.
 