SpamBlocker2.1.1 released

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
SpamBlocker version 2.1.1 has been released. It offers a completely reworked and optimized set of blocklists, and a fix (which you may or may not already have on your server) to help with plaintext authorization when using certain email clients.

While SpamBlocker version 2.1.1 is not mandatory, it's strongly suggested, since it removes a nonworking blocklist and will fix authentication issues for some clients.

SpamBlocker version 2.1.1 requires the latest version of exim.pl.

SpamBlocker version 2.1.1 is currently only available for mbox-based systems. The exim.conf.dovecot.patch file available dated 15-December-2005 will NOT convert it to work with Dovecot/Maildir, so if you're running Dovecot/Maildir you should either wait until a new patch file is available, manually patch your new exim.conf file, or update to the SpamBlocker3 file specifically available for your Maildir configuration (either with or without ClamAV).

Remember that the SpamBlocker version 2.1.1 file you download will not include your changes to point senders of emails detected as false positives to your whitelist page; be sure to search and replace for all instances of example.com before installing the file.

SpamBlocker version 2.1.1 may be found here:
Code:
http://files.directadmin.com/services/exim.conf
and also at:
Code:
http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker2/SpamBlocker.exim.conf.2.1.1-release
The latest exim.pl file may be found here:
Code:
http://files.directadmin.com/services/exim.pl
and also at:
Code:
http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker2/exim.pl
Jeff
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
I posted somewhere (obviously not here :( ) that the patch published by DA should work. At least that's what John told me.

Have you tried it?

Jeff
 

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
Took me some time to do this..

Had to update exim first, which I thought I already did earlier, but apparently http://help.directadmin.com/item.php?id=51 doesn't work for me.
But http://help.directadmin.com/item.php?id=126 plus this did the trick.

I downloaded the http://www.nobaloney.net/downloads/spamblocker/DirectAdmin/exim.conf.spamblocker file, edited it in Notepad, and saved it as exim.conf using vi. (just noticed that I could have used DA to edit the exim.conf file -_-; )

Anyway, got it to work, with a lovely help page for non-spammers.
That's a form that sends an email from me to me, and from me to the client that the non-spammer wishes to contact (from me so SpamBlocker, me and the client know it's good).
It checks on all the bot-infiltrate-nastiness stuff, like headers, bad email addresses, and even checks with a captcha and the PHP function gethostbyname() whether the domain matches the IP range we have.

If my client replies to me with OK, then I'll add that address to the whitelist and send an email. :)
(I suppose I could automate this as well, but let's see how often it will be used)
 
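The server-side checks Duboux describes for his whitelist-request form (line breaks in header fields, malformed addresses, and a gethostbyname()-style lookup of the sender's domain against the submitting client's address), written up here as an added example in Python; it is not his PHP form and not part of SpamBlocker. The DNS lookup is passed in as a callable so the block runs offline against a constructed table; a real deployment would pass socket.gethostbyname. The "/24" reading of "the domain matches the ip-range we have" is an assumption, as is the field layout (email, subject). The captcha step is out of scope here.

```python
import re
import ipaddress

# Loose local-part@domain shape, enough to reject obvious junk before the
# address reaches a mailer or a whitelist file. Used with fullmatch() so a
# trailing newline cannot slip past an end-of-string anchor.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

# Raw or URL-encoded line breaks in a field that lands in a mail header let a
# bot append its own headers (the classic "Bcc:" injection through web forms).
_CRLF_RE = re.compile(r"\r|\n|%0a|%0d", re.IGNORECASE)


def has_header_injection(value):
    return bool(_CRLF_RE.search(value))


def domain_near_client(domain, client_ip, resolve, prefix_len=24):
    """True if the sender's domain resolves into the same /prefix_len block as
    the address the form was submitted from (assumed reading of "the domain
    matches the ip-range we have"). None if the domain does not resolve."""
    try:
        addr = resolve(domain)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None
    network = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr) in network


def validate_request(fields, client_ip, resolve):
    """Return a list of problems; an empty list means the request may be
    forwarded. `fields` is the submitted form data (assumed keys: email,
    subject); `resolve(name)` returns one IPv4 string or raises OSError."""
    problems = []
    for name in ("email", "subject"):
        if has_header_injection(fields.get(name, "")):
            problems.append(f"{name}: line break in header field")
    email = fields.get("email", "")
    if not _ADDR_RE.fullmatch(email):
        problems.append("email: malformed address")
        return problems  # nothing sensible left to resolve
    domain = email.rsplit("@", 1)[1]
    near = domain_near_client(domain, client_ip, resolve)
    if near is None:
        problems.append(f"email: domain {domain} does not resolve")
    elif not near:
        problems.append(f"email: {domain} resolves outside the client's /24")
    return problems


# Constructed lookup table standing in for DNS (RFC 5737 documentation
# addresses) so the example runs offline; pass socket.gethostbyname instead.
_FAKE_DNS = {"example.com": "203.0.113.10", "example.net": "198.51.100.40"}


def fake_resolve(name):
    try:
        return _FAKE_DNS[name]
    except KeyError:
        raise OSError(f"constructed resolver: no A record for {name}")


if __name__ == "__main__":
    for form in ({"email": "bob@example.com", "subject": "please whitelist"},
                 {"email": "bob@example.com", "subject": "hi\nBcc: x@y.example"},
                 {"email": "bob@nosuch.invalid", "subject": "hi"}):
        print(form["email"], "->", validate_request(form, "203.0.113.77", fake_resolve) or "OK")
```

The injection check runs on every field that ends up in a header, not only on the address, because a subject line is the usual place a bot hides an appended `Bcc:`; the address check short-circuits so an unparseable address is never handed to the resolver.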

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Yes, Duboux; please keep us posted. I never automated because on average I get less than one whitelist request a week.

Jeff
 

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
Okay, since the update, I've seen Exim log lines like these:

Exim Mainlog said:
2007-08-01 21:52:42 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <lincomputerfotomet@computerfoto.de>
2007-08-01 21:52:42 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 21:52:47 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <linallendorfmet@allendorf.de>
2007-08-01 21:52:47 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 21:52:51 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <lincollinmet@collin.de>
2007-08-01 21:52:51 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 21:52:56 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <linaiesecmet@aiesec.de>
2007-08-01 21:52:56 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 22:17:52 H=(yahoo.com) [12.32.39.254] F=<aazlan_cauaqzj@yahoo.com> rejected RCPT <****@****>: Email blocked by SPAMHAUS - to unblock see http://****
2007-08-01 22:17:52 H=(yahoo.com) [12.32.39.254] incomplete transaction (connection lost) from <aazlan_cauaqzj@yahoo.com>
2007-08-01 22:17:52 unexpected disconnection while reading SMTP command from (yahoo.com) [12.32.39.254]
Exim Paniclog said:
2007-08-01 02:14:14 1IG0i0-0006l6-JD User 0 set for local_delivery transport is on the never_users list
2007-08-01 02:14:14 1IG1qw-0007rw-N8 User 0 set for local_delivery transport is on the never_users list
2007-08-01 04:02:44 1IG3Xw-0000XJ-IH User 0 set for local_delivery transport is on the never_users list
2007-08-01 04:02:45 1IG3Xx-0000Xd-Da User 0 set for local_delivery transport is on the never_users list
Exim Reject Log said:
2007-08-01 21:49:26 H=cpc3-stkn8-0-0-cust696.midd.cable.ntl.com (GRAHAM-EFNU14F3) [81.96.158.185] F=<palmerq0a8@hotmail.com> rejected RCPT <****@****.com>: Email blocked by SPAMHAUS - to unblock see http://*****
2007-08-01 21:49:28 H=cpc3-stkn8-0-0-cust696.midd.cable.ntl.com (GRAHAM-EFNU14F3.2euu91.org) [81.96.158.185] F=<trickeroge0@hotmail.com> rejected RCPT <****@****.com>: Email blocked by SPAMHAUS - to unblock see http://*****
2007-08-01 21:49:31 H=cpc3-stkn8-0-0-cust696.midd.cable.ntl.com (rr1a4.e9aai.ameritech.net) [81.96.158.185] F=<hirdz4012@hotmail.com> rejected RCPT <****@****.com>: Email blocked by SPAMHAUS - to unblock see http://*****
2007-08-01 22:17:52 H=(yahoo.com) [12.32.39.254] F=<aazlan_cauaqzj@yahoo.com> rejected RCPT <****@****>: Email blocked by SPAMHAUS - to unblock see http://****@****
Seems all spammers, but are the "unexpected disconnection while reading SMTP command" lines in the Main log errors or rejection lines from spamblocker ?

And I see double lines in both EximMain and EximReject on the same actions. Are the rejections supposed to show in the main log as well ? or can they only show in the rejectlog ?

Also I used to receive emails from US NMA, who use different email addresses and domains with every message. But I don't know if they are blocked yet (hard to see in the logs as the email address varies constantly). Is there a way to filter on contents too?
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Seems all spammers, but are the "unexpected disconnection while reading SMTP command" lines in the Main log errors or rejection lines from spamblocker ?
The sender is closing the connection.
And I see double lines in both EximMain and EximReject on the same actions. Are the rejections supposed to show in the main log as well ? or can they only show in the rejectlog ?
I never heard of EximMain or EximReject; do you mean the exim mainlog and the rejectlog? Yes, they'll both show the same information; the purpose of the mainlog is to give you one log where you see everything; the purpose of the rejectlog is to help you focus on just rejected email, for example if you get a whitelist request and you want to look instead of just whitelist.
Also I used to receive emails from US NMA, who use different email addresses and domains with every message. But I don't know if they are blocked yet (hard to see in the logs as the email address varies constantly). Is there a way to filter on contents too?
Yes, but not in SpamBlocker. You can use the mail filter settings from the control panel. I hate those emails too :0 .

Jeff
 

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
Bugger, Spam Cannibal blocks smtp servers o_0

And whose IPs are in the mail logs... indeed the SMTP servers'.

Spam Cannibal blocked an IP that wasn't blocked on its own, but 2 IPs that looked alike were blocked, so this one got blocked as well:
http://spamcannibal.org/cannibal.cgi search on: 213.75.38.85
hpsmtp-eml20.kpnxchange.com
spam source
see
213.75.38.115
213.75.38.116
Another thing.
A client has 2 client-accounts on that block.
He sends an email from one account to the other.
But gets rejected by SpamCannibal, because his ISP's SMTP server (he obviously doesn't use mail.hisdomain.com for SMTP) is marked as spam.
And with SpamCannibal the whole IP gets blocked after someone used it to send a spam message :eek:



Some global data:
# grep -c 2007-08-02.*"Email blocked by SPAMCANNIBAL" /var/log/exim/mainlog
31
# grep -c 2007-08-02.*"Email blocked by SPAMHAUS" /var/log/exim/mainlog
2072
# grep -c 2007-08-02.*"Email blocked by LBL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by BSHL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by BSAL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by NJABL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by CBL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by DSBL" /var/log/exim/mainlog
3
# grep -c 2007-08-02.*"Email blocked by SORBS" /var/log/exim/mainlog
0
 
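The per-blocklist grep counts above, and the earlier question about whether "unexpected disconnection" lines are rejections, both come down to classifying Exim mainlog lines. Here is an added example (not SpamBlocker or DirectAdmin code) that does that in one pass over the mainlog: rejections are tallied per blocklist and per source IP, while "incomplete transaction" and "unexpected disconnection" lines are counted as connection-lost events rather than rejections, which matches Jeff's reading that the sender simply closed the connection. Feed it only the mainlog, not the mainlog plus rejectlog, since the same rejection appears in both. The log lines are constructed in the page's format with RFC 5737 documentation addresses; the blocklist names are the ones that appear in this thread.

```python
import re
from collections import Counter

# Constructed mainlog excerpt (documentation addresses, invented message id).
SAMPLE_MAINLOG = """\
2007-08-02 21:52:42 H=([198.51.100.7]) [198.51.100.7] incomplete transaction (connection lost) from <promo@example.net>
2007-08-02 21:52:42 unexpected disconnection while reading SMTP command from ([198.51.100.7]) [198.51.100.7]
2007-08-02 22:17:52 H=(example.com) [203.0.113.5] F=<x@example.org> rejected RCPT <user@example.com>: Email blocked by SPAMHAUS - to unblock see http://example.com/whitelist
2007-08-02 22:17:52 H=(example.com) [203.0.113.5] incomplete transaction (connection lost) from <x@example.org>
2007-08-02 22:17:52 unexpected disconnection while reading SMTP command from (example.com) [203.0.113.5]
2007-08-02 22:30:01 H=mail.example.net (mail.example.net) [203.0.113.9] F=<y@example.net> rejected RCPT <user@example.com>: Email blocked by SPAMCANNIBAL - to unblock see http://example.com/whitelist
2007-08-02 22:31:15 H=relay.example.org [203.0.113.20] F=<z@example.org> rejected RCPT <user@example.com>: Email blocked by DSBL - to unblock see http://example.com/whitelist
2007-08-02 23:00:00 1ABCDE-000001-AA => user <user@example.com> R=localuser T=local_delivery
2007-08-03 01:00:00 H=(example.com) [203.0.113.5] F=<x@example.org> rejected RCPT <user@example.com>: Email blocked by SPAMHAUS - to unblock see http://example.com/whitelist
"""

_STAMP_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<rest>.*)$")
# H= is followed by the HELO name and/or reverse DNS; the non-greedy .*? skips a
# bracketed literal inside the HELO and stops at the [ip] that precedes F=<.
_REJECT_RE = re.compile(
    r"H=.*?\[(?P<ip>[\d.]+)\] F=<(?P<sender>[^>]*)> rejected RCPT <[^>]*>: "
    r"Email blocked by (?P<list>[A-Z0-9]+)")
_INCOMPLETE_RE = re.compile(
    r"H=.*?\[(?P<ip>[\d.]+)\] incomplete transaction \(connection lost\)")
_DISCONNECT_RE = re.compile(
    r"unexpected disconnection while reading SMTP command from .*\[(?P<ip>[\d.]+)\]$")


def parse_line(line):
    """Return a dict describing the event, or None for lines this parser does
    not classify (deliveries, queue runs, and so on)."""
    m = _STAMP_RE.match(line)
    if not m:
        return None
    day, rest = m.group("day"), m.group("rest")
    r = _REJECT_RE.search(rest)
    if r:
        return {"day": day, "event": "reject", "ip": r.group("ip"),
                "sender": r.group("sender"), "list": r.group("list")}
    r = _INCOMPLETE_RE.search(rest)
    if r:
        return {"day": day, "event": "incomplete", "ip": r.group("ip")}
    r = _DISCONNECT_RE.search(rest)
    if r:
        return {"day": day, "event": "disconnect", "ip": r.group("ip")}
    return None


def summarize(lines, day=None):
    """Event counts for one day (YYYY-MM-DD) or, with day=None, for all lines.
    'unparsed' counts unclassified lines regardless of day."""
    events, by_list, rejected_ips = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if day and ev["day"] != day:
            continue
        events[ev["event"]] += 1
        if ev["event"] == "reject":
            by_list[ev["list"]] += 1
            rejected_ips[ev["ip"]] += 1
    return {"events": dict(events), "by_list": dict(by_list),
            "rejected_ips": dict(rejected_ips), "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_MAINLOG.splitlines(), day="2007-08-02")
    for name, count in sorted(report["by_list"].items()):
        print(f"Email blocked by {name}: {count}")
    print("connection lost (not rejections):",
          report["events"].get("incomplete", 0) + report["events"].get("disconnect", 0))
```

Point it at a real file with `summarize(open("/var/log/exim/mainlog"), day="2007-08-02")`; the `rejected_ips` counter is the quick way to spot a single source being refused repeatedly, which is what the unblock-page whitelist requests are usually about.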

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
I've removed the SpamCannibal blocklist on my own system and will block it on final releases and next updates.

Jeff
 

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
Is it possible to use more than 1 line in the reply message when an email is blocked ?

Like that line "blocked by SPAMHAUS, see http... for details"
Could it be multiple lines ?
 

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
oi.. when installing this on another box, I got this line in the Exim paniclog:
2007-08-16 03:01:29 non-existent configuration file(s): /config/file.new
What does this mean ?
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Is it possible to use more than 1 line in the reply message when an email is blocked ?

Like that line "blocked by SPAMHAUS, see http... for details"
Could it be multiple lines ?
It's been many years since I visited this issue.

I think you can do it (my guess is you'd add something which would be understood by mail programs as a newline character; you can find that on the 'net). However my understanding is that most error handling systems will only return the first line.

Jeff
 
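For the multi-line reply question, here is an added example (not SpamBlocker configuration) of the wire format involved, RFC 5321 section 4.2.1: every line of a multi-line SMTP reply repeats the three-digit code, followed by a hyphen on all lines but the last and a space on the last. This is the form an MTA produces when an ACL rejection message contains newlines. The formatter builds such a reply, the parser shows what a client that reads the whole reply receives, and `first_line` shows what ends up in a bounce or log that keeps only the first line, which is the case Jeff describes and the reason to keep the unblock URL on the first line. The sample text is constructed.

```python
def format_reply(code, text):
    """Build an RFC 5321 reply: 'CODE-line' for every line but the last,
    'CODE line' for the last, each terminated by CRLF."""
    lines = text.splitlines() or [""]
    out = []
    for i, line in enumerate(lines):
        sep = " " if i == len(lines) - 1 else "-"
        out.append(f"{code}{sep}{line}")
    return "\r\n".join(out) + "\r\n"


def parse_reply(raw):
    """Return (code, [text lines]) for one complete reply. Raises ValueError
    on a malformed line, a code that changes mid-reply, or a reply whose
    last line never arrives (no 'CODE<space>' terminator)."""
    code = None
    lines = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        digits, sep, rest = line[:3], line[3:4] or " ", line[4:]
        if not digits.isdigit() or sep not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(digits)
        elif int(digits) != code:
            raise ValueError(f"reply code changed from {code} to {digits}")
        lines.append(rest)
        if sep == " ":
            return code, lines
    raise ValueError("reply never terminated")


def first_line(raw):
    """Only the first text line, as a one-line bounce or log entry shows it."""
    return parse_reply(raw)[1][0]


if __name__ == "__main__":
    # Constructed rejection text in the style of the thread's log lines.
    reply = format_reply(550, "Email blocked by SPAMHAUS - to unblock see http://example.com/whitelist\n"
                              "Your mail server's IP address is listed; the page explains how to request removal.")
    print(reply, end="")
    print("first line only:", first_line(reply))
```

Parsing the reply back is what a well-behaved client does; a system that reports only the first line is not malformed, just less informative, so the test below checks both views of the same reply.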

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
oi.. when installing this on another box, I got this line in the Exim paniclog:


What does this mean ?
I actually get this too on the first box I installed it on..

# exim -C /config/file.new -bV
Exim version 4.67 #1 built 31-Jul-2007 22:10:38
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (September 21, 2004)
Support for: crypteq iconv() Perl OpenSSL move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Size of off_t: 8
2007-08-17 00:18:05 non-existent configuration file(s): /config/file.new
:(
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
What were you installing when you got this? Exim? DirectAdmin?

On what OS Distribution?

Were you installing from a DirectAdmin supplied RPM, or some other kind of package? Or from source?

Why were you running this line:
Code:
# exim -C /config/filenew -bV
Where did you get the instructions to run that?

Jeff
 

Duboux

Verified User
Joined
Apr 20, 2007
Messages
264
What were you installing when you got this? Exim? DirectAdmin?

On what OS Distribution?

Were you installing from a DirectAdmin supplied RPM, or some other kind of package? Or from source?

Why were you running this line:
Code:
# exim -C /config/filenew -bV
Where did you get the instructions to run that?

Jeff
I was updating exim and installing SpamBlocker.
OS = FC3

I started from the rpm:
# wget http://files.directadmin.com/services/da_exim-4.67-2.src.rpm

That # exim -C /config/filenew -bV line, I ran to check, as was advised by your SpamBlocker txt file.
 