SpamBlocker-Powered exim.conf, Version 4

Scanned Mail Relaying

Hi there,
I have DA servers with spamblocker v4 in use, and everything is fine. Each server hosts many domains. I am wondering if it is possible to have exim relay mail (after all scans have been completed) to a specific IP address, rather than deliver it locally, on a per-domain basis? Quarantined email would remain on the DA server. Thus the DA server would become a mail filter, but would not store the email or determine if a user is valid for that domain.

Regards,

Niall
 
I am setting up SpamBlocker right now. Stepping through the Readme.txt, I'm at the point I have to make a choice between these two:

BLOCK SPAM FOR ALL DOMAINS NOT IN EXCLUSION LIST:
Instead of a file at /etc/virtual/use_rbl_domains, create a
symbolic link from /etc/virtual/use_rbl_domains to /etc/virtual/domains
and
Populate the file at /etc/virtual/skip_rbl_domains as an exclusion
list, copying the domain names as they appear in /etc/virtual/domains
to /etc/virtual/skip_rbl_domains

BLOCK SPAM ONLY FOR DOMAINS IN INCLUSION LIST:
Maintain a file at /etc/virtual/use_rbl_domains, copying the domain
names as they appear in /etc/virtual/domains to
/etc/virtual/use_rbl_domains

But I can't find anywhere what the physical differences are. I mean, I can't find what the one and the other does. Can someone enlighten me?

Does "BLOCK SPAM FOR ALL DOMAINS NOT IN EXCLUSION LIST" check EVERY e-mail, even if the domain is not added to DirectAdmin? If I choose this, does that mean the server will be checking ALL incoming e-mail, and after it's classified, will it bounce/drop the e-mail then?

Or if I choose "BLOCK SPAM ONLY FOR DOMAINS IN INCLUSION LIST", does the server drop the e-mail right away?

How can I decide what the best choice is?
 
Either way it has to check whether a match exists. Since the vast majority of mine use spamblocker, I find it is easier to maintain a short EXCLUSION list.
 
POP3 b4 SMTP not working with SpamBlocker 4?

In order to deal with backscatter blacklisting problems, I just updated an exim install to the latest via custombuild. Then I changed exim.conf from the default bundled 2.0 to the latest SB 4 from http://www.nobaloney.net/downloads/...1/ReadMe-SpamBlockerVersion-4.1.exim.conf.txt

However, after updating, I find that pop3 b4 smtp auth is no longer working. The rule that is triggered seems to be #Edit 25 bad helo and #Edit 26. "relay not permitted, authentication required"

rejected EHLO or HELO machine.*****.com: Bad HELO - Host impersonating hostname [machine.****.com]
rejected EHLO or HELO machine.*****.com: Bad HELO - Host impersonating hostname [machine.*****.com]
F=<sender@*****.com> rejected RCPT <test@*****.com>: relay not permitted, authentication required

The IP address and email account appear in /etc/virtual/pophosts, so the dapop3smtp daemon is working fine. The sending machine was also set to use port 587 to avoid the issue noted in #Edit 27.

Nevertheless, based on the notes for #Edit 27, I removed the 3 tests under #Edit 27. But the exim mainlog still shows the HELO error, followed by the relay not permitted error.

Just in case, I've also updated exim.pl to the one on nobaloney.net although I don't think it is part of the problem.

As I have to support some users on pretty old software and equipment, some do not have smtp auth capabilities and must rely on pop3 before SMTP.

Is this due entirely to auth before sent being disabled in SB4.1 mentioned earlier in this thread? If so, how can I change it to work as before, or perhaps somewhere I can download a slightly earlier version of SB4?

Thanks for any advice on this.
 
My recollection is it no longer works. I no longer support it. It was always a kluge; RFC has required smtp submission for relay to be on port 587.

What software do your clients use which doesn't support authenticated submission on port 587? What part of it specifically does it not support?

Jeff
 
Quarantine blocked mail?

I just started using the latest spamblocker powered exim.conf. Looks good so far but I am a bit worried about DNS block listing. Sometimes mail servers get on those lists for the wrong reasons and legit mail might be blocked. But because it's still a very good spam blocking method I do want to keep using it. But just in case legit mail gets blocked I would like to help my customers by looking up the mail somewhere. I guess it would be possible to save all blocked mail into a specific folder with the exim save command, but I have no idea how to implement it myself. Anyone here got some pointers for me?
 
You can't save mail blocked by SpamBlocker for the simple reason that SpamBlocker blocks it from ever getting onto your server.

You could completely rewrite the ACLs to accept the email but tag it as spam (hint, see exim.pl) and then deliver it based on the tags.

Or you can use SpamAssassin to score high based on servers listed in blocklists.

SpamBlocker is carefully tailored and on my servers results in fewer than 100 false positives per year (inclusive, all our servers, not per server).

Jeff
 
Block broadband dynamic IP spammers

We are seeing lots of spammers trying to send spam from broadband connections with dynamic IP and virus infected zombie computers. Here is a mod for Spamblocker 4.1 to block them and easily create new rules as spammer patterns change.

Got the idea from http://www.janoszen.com/2013/01/07/filtering-spam-with-exim-only/

# Create block list
touch /etc/virtual/bad_sender_hosts_ip_dy

chown mail:mail /etc/virtual/bad_sender_hosts_ip_dy

nano /etc/virtual/bad_sender_hosts_ip_dy

# add and customize the block list as per your server, dynamic IP spammer patterns.

^\N.*ppp-(.*)\N
^\Ndsl-pool\N
^\N.*\.(pool|pppoe|adsl|dsl|xdsl|dialup|broad|cust-adsl|dynamicip|dynamicIP|dyn)\..*\N
^\N(pool|pppoe|adsl|dsl|xdsl|dialup|broad|cust-adsl|dynamicip|dynamicIP|dyn)\..*\N
^\N(pool|pppoe|adsl|dsl|xdsl|dialup|broad|cust-adsl|dynamicip|dynamicIP|dyn)-.*\N
^\Nip\-[a-fA-F0-9]+\-.*\N
^\N.*([0-9]+)(\.|-)([0-9]+)(\.|-)([0-9]+).*\N
^\N([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)\..*\N
^\N([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)\..*\N
^\N.*\.ip([0-9]+)\.fastwebnet\.it$\N
*.dip.t-dialin.net
*.telecomitalia.it
*.shawcable.net
*.codetel.net.do
*.vie.surfer.at
*.pip.digsys.bg
*.dip0.t-ipconnect.de
*.cablenet.net.ar
*.telecom.net.ar
*.anbid.com.br
*.codetel.net.do
*.avc.upei.ca
*.dyn.telnor.net
*.speedy.com.ar


# Edit exim.conf

nano /etc/exim.conf

# Ensure host lookup is enabled.

#EDIT#18:
host_lookup = *


# change

#EDIT#34:
deny message = Email blocked by local blacklist
hosts = +bad_sender_hosts_ip

# to


#EDIT#34:
deny message = Email blocked by local blacklist
hosts = +bad_sender_hosts_ip

# Block Spam from broadband ISP dynamic IP pools
deny message = Reverse DNS indicates dynamic IP : Please use ISP SMTP
!authenticated = *
sender_domains = !+whitelist_domains
condition = ${lookup{$sender_host_name}wildlsearch{/etc/virtual/bad_sender_hosts_ip_dy}{true}{false}}



# restart exim
service exim restart

Note: I got a few false positives from a couple of datacenters whose reverse DNS config looks like dynamic IP; we can whitelist such hosts,
and if any specific IPs in these datacenters do spam we can block them in bad_sender_hosts_ip as below:

#EDIT#31:

accept hosts = +whitelist_hosts
logwrite = $sender_host_address whitelisted in local hosts whitelist

to

accept hosts = +whitelist_hosts
hosts = !+bad_sender_hosts_ip
logwrite = $sender_host_address whitelisted in local hosts whitelist
 
You really shouldn't need a separate whitelist :).

Let's have some discussion as to whether or not this should be a permanent part of SpamBlocker going into the future.

Please post your results over time, and give us an idea of how much it increases your false positives.

Jeff
 
Wildcards in whitelist_senders

Is it possible to use wildcards in /etc/virtual/whitelist_senders?
Some customers rely on receiving mail from certain windows servers and have sender email addresses like '[email protected]'
I don't want to turn off sender verify completely since it does catch some spam, so for now I manually add each address to whitelist_senders. I've tried @*.local but that didn't seem to work.
 
^\N.*([0-9]+)(\.|-)([0-9]+)(\.|-)([0-9]+).*\N
^\N([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)\..*\N
^\N([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)\..*\N

I'm not sure about these, they seem too aggressive.
 
@Neildxmhost: That is stated in the spamblocker 4.1 readme file, which you can find here.

Jeff: I'm running standard exim.conf which is spamblocker 2.0 as I believe, slightly adjusted.
I was wondering if I could just implement edit 25 and 27 about the helo in there and then I read this in edit 25:

# deny if the HELO pretends to be this host
This won't affect mail which is going from somedomain.com to anotherdomain.org on the same server, correct?
 
OK, DUMB question
please go easy on me
is installing spamassassin the same thing as spamblocker?
or is spamblocker the lists spamassassin uses?
I am a little confused on how the spam stuff works with exim on DA.
I am on CB2 and my exim conf says
This is version "2.0 of the SpamBlocker exim.conf file
 
I was reading that last night. don't have many spam issues but wanted to learn ahead of time in case needed.
think I will give it a try.
thank you.
 
I'm not sure about these, they seem too aggressive.

Yes, it is aggressive; it catches 100% of broadband spam.

As already mentioned in the above post, I got false positives from a few well-known data centers that use a similar host name pattern for VPS, cloud servers etc. when host names are assigned automatically. We can whitelist these data centers; spam from them is rare.

@Nobaloney - I've been using this mod for the last 2 months and the results are good; apart from the aggressive rules pointed out by @derevko, the rest of it is pretty safe. Removing the aggressive rules and adding custom rules for ISPs that send spam will avoid false positives.
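The false-positive concern raised about the numeric patterns (and the "Block broadband dynamic IP spammers" mod they come from) is easiest to judge by dry-running the list against real reverse-DNS names before the #EDIT#34 condition goes live. The script below is an added example, not code from the thread, from SpamBlocker, or from exim: it emulates the wildlsearch matching that `${lookup{$sender_host_name}wildlsearch{...}}` performs (entries tried in file order, first match wins, `^` entries treated as regular expressions once their `\N...\N` markers are removed, other entries treated as `*` wildcards) and reports which entry would reject each host. The pattern excerpt and the hostnames are constructed for the demo; the `example-dc.com` suffix stands in for whatever datacenter you trust, and matching is simplified to case-sensitive.

```python
import re

# Constructed excerpt in the format of the posted block list (not a copy of any
# real /etc/virtual/bad_sender_hosts_ip_dy). Keys starting with "^" are exim
# regular expressions wrapped in \N...\N so string expansion leaves them alone;
# other keys are wildlsearch wildcards where "*" matches any run of characters.
PATTERN_FILE = r"""
^\N.*ppp-(.*)\N
^\N.*\.(pool|pppoe|adsl|dsl|xdsl|dialup|broad|cust-adsl|dynamicip|dynamicIP|dyn)\..*\N
^\N.*([0-9]+)(\.|-)([0-9]+)(\.|-)([0-9]+).*\N
^\N([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)\..*\N
*.dip.t-dialin.net
*.speedy.com.ar
"""

# Constructed reverse-DNS names: two obvious dynamic pools, one entry caught by
# a wildcard key, one datacenter VPS whose auto-generated name contains dashed
# numbers (the false-positive case), one ordinary mail host, and an empty name,
# which is what $sender_host_name holds when the sender has no reverse DNS.
SAMPLE_HOSTS = [
    "ppp-12-34.example-isp.net",
    "host.adsl.example.org",
    "10-0-0-5.customer.example.net",
    "vps-203-0-113-7.example-dc.com",
    "c-1.dip.t-dialin.net",
    "mail.example-dc.com",
    "",
]


def parse_patterns(text):
    """Turn the list file into (original_line, compiled_regex) pairs, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("^"):
            body = line[1:]
            # Drop the \N ... \N markers; exim applies what is left as a PCRE
            # anchored at the start of the looked-up string.
            if body.startswith(r"\N") and body.endswith(r"\N"):
                body = body[2:-2]
            regex = re.compile("^" + body)
        else:
            # Wildcard key: escape everything, then let "*" stand for ".*" and
            # require the whole hostname to match.
            escaped = re.escape(line).replace(r"\*", ".*")
            regex = re.compile("^" + escaped + "$")
        rules.append((line, regex))
    return rules


def first_match(rules, hostname):
    """Return the first list entry that matches, or None (first match wins,
    as in exim's wildlsearch). Case-sensitive here: a simplification."""
    for original, regex in rules:
        if regex.search(hostname):
            return original
    return None


def dry_run(rules, hostnames):
    """Map each hostname to the entry that would reject it (None = accepted)."""
    return {host: first_match(rules, host) for host in hostnames}


def suspected_false_positives(rules, hostnames, legit_suffixes):
    """Hosts under a trusted suffix that the list would still reject: candidates
    for whitelist_hosts, or evidence that a numeric pattern needs narrowing."""
    verdicts = dry_run(rules, hostnames)
    return sorted(h for h, hit in verdicts.items()
                  if hit is not None and h.endswith(tuple(legit_suffixes)))


if __name__ == "__main__":
    rules = parse_patterns(PATTERN_FILE)
    for host, hit in dry_run(rules, SAMPLE_HOSTS).items():
        label = host or "<no reverse DNS>"
        print(f"{label:35} -> {hit or 'accepted'}")
    print("suspected false positives:",
          suspected_false_positives(rules, SAMPLE_HOSTS, ["example-dc.com"]))
```

Feed `dry_run` the hostnames harvested from a few days of exim mainlog entries and the report shows exactly which list line each legitimate sender would trip, which is the evidence needed to decide between dropping an aggressive numeric pattern and adding the datacenter to whitelist_hosts. The empty hostname matching nothing is also why the mod insists on `host_lookup = *`: without a reverse lookup the condition silently never fires.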
 