SpamBlocker 4.3.0, BlockCracking, Easy Spam Figther, and new exim.pl

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,806
Location
A Coruña, Spain
You would need to set authentication for your outgoing email (so, on your smtp server).

Cause i did that test aswell without any edits and i've got 10/10 result.

Also, are you sure you're using latest exim.conf version? Cause that section should be pretty much different (at least mine is at version 4.3.3)

Regards
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,806
Location
A Coruña, Spain
Same 10/10 and it cause i'd set to authenticate for SMTP send on roundcube config too in this way:

Code:
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = 'ssl://mail.%z';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 465;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

In case you have no a valid SSL cert, remove ssl:// before the host and change port 465 to 587

Regards
 

Ankh

Verified User
Joined
Feb 20, 2006
Messages
18
When using ESF it seems some domains are not allowed because of no DKIM.

2015-05-12 13:44:25 1Ys8bp-0002AX-TT DKIM: d=mail.volkskrant.nl s=dpn c=relaxed/relaxed a=rsa-sha256 [email protected] x=1432027060 [invalid - public key record (currently?) unavailable]
2015-05-12 13:44:25 1Ys8bp-0002AX-TT H=x.nl [ipv4] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-05-12 13:44:30 1Ys8bu-0002Ad-Gb DKIM: d=mail.volkskrant.nl s=dpn c=relaxed/relaxed a=rsa-sha256 [email protected] x=1432027060 [invalid - public key record (currently?) unavailable]
2015-05-12 13:44:30 1Ys8bu-0002Ad-Gb H=x.nl [ipv6] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'

Is this correct?
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,165
I believe that's telling us that the message does have DKIM headers set, but the actual DKIM "TXT" records are not present in the DNS.
It would be rejected, because the E-Mail claims it's all setup, when the DNS isn't setup.. or at least, not working correctly.

I believe that "dpn" is the tag, so exim would be looking for this record:
Code:
dig TXT dpn._domainkey.mail.volkskrant.nl
which should return the DKIM key info.. but it doesn't seem to be there.

John
 

Richpark

Verified User
Joined
Sep 25, 2014
Messages
23
In:

Code:
check_message.conf

The following line is preventing spam from being dropped:

condition = ${if !eq{$acl_m_spam_user}{nobody}}

On my server, CentOS 7, no SpamAssassin, $acl_m_spam_user always equals nobody.

Anybody know what this is for?
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,165
So that any User who does not have SpamAssassin enabled, will not have any spam blocking done.
This includes ESF, because we had some complaints that E-Mail was being blocked as spam, when the DA User explicitly had SpamAssassin disabled.
ESF uses SpamAssassin, so you might need to turn it on anyway... which is almost entirely what check_message.conf is doing.. checking SpamAssassin.

John
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
2,284
Location
London UK
I've a question..... Is this still beta/alpha? If this new system sends email from the domain's IP's, what about new domains?
#cat /usr/local/directadmin/data/templates/dns_spf.conf
|DOMAIN|.="v=spf1 a mx ip4:|SERVER_IP||EXTRA_SPF| ~all"

#cat /usr/local/directadmin/data/templates/dns_txt.conf
|DOMAIN|.="v=spf1 a mx ip4:|SERVER_IP||EXTRA_SPF| ~all"

Also, when will IPv6 support be official with this, seeing Exim listens/sends on IPv6 by default, hence you need to disable IPv6 for SPF to pass
 
Last edited:

bas1968

Verified User
Joined
May 31, 2006
Messages
70
I installed the Spamblocker with Spamassassin, Blockcracking and Easy Spam Fighting, but I still receive lots of SPAM. Don't know if I configured something wrong, but used CB 2.0 to install it. The headers are looking like this:

Return-Path: <[email protected]>
Delivered-To: ***@******.com
Received: from server1.******.com
by server1.*******.com (Dovecot) with LMTP id PZY4EC6ZVlUmSgAAgxJoRA
for <[email protected]>; Fri, 15 May 2015 21:11:10 -0400
Return-path: <[email protected]>
Received: from venn178.idrue.work ([66.248.206.178])
by server1.*******.com with esmtp (Exim 4.85)
(envelope-from <[email protected]>)
id 1YtQdB-0004vE-K6
for ***@********.com; Fri, 15 May 2015 21:11:10 -0400
Date: Fri, 15 May 2015 18:16:37 -0700
To: <***@*******.com>
Xz-Olacr: f2ce2290e05b0ce4204c0020f076692eo.af2ce2290e05b0ce4204c0020f076692e-b23794191
From: Lindsa Peterson <[email protected]>
Message-ID: <[email protected].work>
Subject: Second Notice: Rates Increasing in 2015, Don't Wait to Lock-In -23794191
Content-Type: multipart/alternative; boundary="23794191"
Rxjtg-Gkm: 18011762l.sf2ce2290e05b0ce4204c0020f076692e-t18011762
Bh-Oll: 18011762m.23794191bf2ce2290e05b0ce4204c0020f076692eun
Mime-Version: 1.0
Az-Pze: f2ce2290e05b0ce4204c0020f076692eq.if2ce2290e05b0ce4204c0020f076692e.v18011762
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 66.248.206.178, -10 Spam score
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "server1.*******.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Second Notice- Rates on the Rise, This is Your last chance
to Lock-in Low Now here: http://search.idrue.work My fianc\u00e9 and I happened
upon this unassuming little resataraunt on a sunday funday. It has a very
charming and inviting atmosphere. The food was excellent.... Yum! I love
it here and they always make me Thai iced tea with boba! Don't get the bubble
tea (slush) but get it regular. Trust me. Amazing.....The soup is... You've
gotta love this place. A bit rundown (like most Indian restaurants in the
U.S.) but the food is tasty and reliable. The buffet is great for... I really
like this place!....It is very affordable and the staff is very friendly.
I've gotten take out and eaten in and both were done in a very timely...
Chill spot in the town square that offers food,drinks, and a place to relax.
Entering revelations two entrance doors you're greeted by tables and chairs...
Love, love, love this place!....The wraps are divine! Made to perfection!
The sauce is amazing. I'm drooling just thinkinf2ce2290e05b0ce4204c0020f076692e
[...]

Content analysis details: (-1.9 points, 0.5 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: laarberg.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
background
0.0 T_REMOTE_IMAGE Message contains an external image
SpamTally: Final spam score: -28
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Antivirus: AVG for E-mail 2015.0.5941 [4342/9786]
X-AVG-ID: ID748D1796-5A87E165
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,603
Location
GMT +7.00
If your server has NOT identified this incoming email as spam. Why then the original message has been attached to this report?

Is it a bug?
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
2,284
Location
London UK
I've had a similar issue as bas1968... Was told a client was seeing a lot of increased spam lately, so decided to give SB4.3.3 with ESF.... They still get some spam. I've asked them to forward us the headers so we can see what's going on, still waiiting.
 

Chrysalis

Verified User
Joined
Aug 25, 2004
Messages
1,587
Location
uk
I have been trying out the changes in the latest spamblocker config, but when I send emails via authenticated smtp, there is a noticeable pause, and sometimes its so long it times out failing to send, the cause is blockcracker, I think is related to the callout part of the code.
 

bas1968

Verified User
Joined
May 31, 2006
Messages
70
Does anyone has a idea what I can do to reduce the spam? Like I wrote on 05-16-2015 my spamblocker 4.3.3 with Easy Spam Fighter almost doesn´t filter any spam. Do I need to change some additional setting or is this a bug?
 

bas1968

Verified User
Joined
May 31, 2006
Messages
70
Yes, it´s enabled. I installed them all with the CB 2.0. I guess I receive between 200 and 300 emails with spam every day. After I installed the spamblocker 4.3.3. it didn´t change anything, still receiving this amount of spam.
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,165
If you get things like this:
Code:
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
it means you might be using public dns servers for lookups.
Check /etc/resolv.conf to see what's set.
Even your ISPs dns servers would be public enough to fall into the same category, as say google's 8.8.8.8.

The message above is usually caused by a specific DNS server's IP doing too many requests to the specific RBL.
Most RBLs limit how many requests an IP can do.. so if you're using google, there's no way SA will be able to get it's request through to the RBL,as 8.8.8.8 would be pounding away at the RBL all day long, so they block it from making requests.
Even your ISPs dns servers are probably busy enough that many webservers are doing the same thing as you, so the ISPs dns servers get blocked by the RBL too.

The only solution I've found is to use 127.0.0.1 in /etc/resolv.conf, so that your server IP does the RBL query directly, so it's not blocked from too many requests (assuming you don't run a ridiculously busy server).
I believe some RBLs offer whitelisting of some IPs for a fee... but if you're below a certain threshold, it's free.

Without any working RBLs, many of the best blocking systems are essentially useless, and ESF/SA both use RBLs.

John
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,165
One other point, when you type:
Code:
./build spamassassin
Often you'll see a list of 'optional' modules that are missing. It goes by fast, so you have to ctrl-z quickly to catch it. (fg to resume).
You can cpan -i each of those missing modules, which gives SpamAssassin more tools in it's inventory to use to check for spam.
For example, Mail::DKIM and Mail::SPF are both optional, but they're quite important.
After adding any bonus modules, redo ./build spamassassin so it looks for them.

John
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,806
Location
A Coruña, Spain
It may also be, that yes you've installed SpamAssassin, but i've asked if you actually enabled it at user level, cause if not, it will not catch anything since is disabled ;)

Regards
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
2,284
Location
London UK
The only solution I've found is to use 127.0.0.1 in /etc/resolv.conf, so that your server IP does the RBL query directly, so it's not blocked from too many requests (assuming you don't run a ridiculously busy server).
Doing local lookups can break things..... Just wondered why I couldn't query the DA API on another server (serverN.domain.co.uk), got a curl error, and as my domain is on this box and I use CloudFlare for all my DNS for my domain, I guess the box thinks all subdomains are on there too!

Is there a way to disable DNS (Local Data = no) for specific domains on boxes, so if we do do local look ups, it searches externally?
 
Last edited:

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,806
Location
A Coruña, Spain
If you're using for that domain a remote NS you can remove the domain from DNS administrator and re-add it setting the remote nameservers for that domain, this will "tell" DA that DNS are not local and he will ask elsewere. (or maybe just remove them from the server if you're not managing DNS on that server and you dont need to)

Regards
 
Top