SPAMHAUS - Senders IP's being listed in SPAMHAUS

Digital Essence

Hi,

I'm using CSF MailScanner to manage my incoming spam and I've noticed some of my customers' sending IPs are being flagged as spam because they are on the SPAMHAUS RBL.

Config Server MailScanner Front End Report
SpamAssassin RBLs: spam, SPAMHAUS

So, armed with the info I read on this forum (initially... later I checked exim.strings.conf.custom) about spamhaus digging down too deep into ISPs' dynamic IPs and them being listed in the RBL, I decided to remove the spamhaus RBL. I edited /etc/exim/conf and in the RBL_DNS_LIST I removed the line containing zen.spamhaus.org

/etc/exim.conf

Code:
RBL_DNS_LIST=\
       cbl.abuseat.org!&0.255.0.0 : \
       b.barracudacentral.org : \
       zen.spamhaus.org!&0.255.0.0

And restarted Exim with:

systemctl restart exim.service

This has made no difference and client IPs are still being flagged.

I then read that the RBL list should go into a custom file, otherwise it will be stomped over the next time we do a custom build of Exim. So thinking that this was overwriting my edits, I checked exim.strings.conf.custom but there are no RBL lists present and the exim.conf file still only shows abuseat & barracuda so it hasn't been overwritten.

So thinking that the list must be within Spam Assassin itself, I checked /etc/mail/spamassassin/local.cf but this just contains:

Code:
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

And there, I've come screeching to a halt in my knowledge.

Sorry for the beginner's questions but I have done some reading on the subject and have tried my best.

Thanks.
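How a DNSBL lookup is formed and what the `!&0.255.0.0` suffix in the RBL_DNS_LIST above does to the answers, as an added example that is not part of the original post. The resolver data is constructed so it runs offline, the ZEN return-code meanings come from Spamhaus's published documentation rather than this thread, and `passes_mask` is a simplified per-answer model of Exim's behaviour.

```python
import ipaddress
import socket

# Spamhaus ZEN answers are 127.0.0.x; the last octet names the component list.
# PBL covers end-user/dynamic ranges not expected to send mail directly.
ZEN_COMPONENTS = {2: "SBL", 3: "SBL CSS", 4: "XBL", 10: "PBL", 11: "PBL"}

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def passes_mask(answer, mask="0.255.0.0"):
    """Per-answer model of Exim's `zone!&0.255.0.0`: count the answer only if
    (answer AND mask) is all zeroes, so 127.255.255.x error codes are ignored."""
    return int(ipaddress.IPv4Address(answer)) & int(ipaddress.IPv4Address(mask)) == 0

def listings(ip, zone, resolve=socket.gethostbyname_ex):
    """Answers that count as a listing; an empty list means not listed."""
    try:
        answers = resolve(dnsbl_name(ip, zone))[2]
    except OSError:  # resolution failed (NXDOMAIN): the address is not listed
        return []
    return [a for a in answers if passes_mask(a)]

def zen_components(answers):
    """Translate ZEN answers into component list names."""
    return sorted({ZEN_COMPONENTS.get(int(a.rsplit(".", 1)[1]), "other") for a in answers})

# Constructed resolver data (192.0.2.0/24 is the TEST-NET-1 documentation range).
FAKE_DNS = {
    "15.2.0.192.zen.spamhaus.org": ["127.0.0.11"],       # dynamic range on the PBL
    "16.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # error: query via public resolver
}

def fake_resolve(name):
    """Stand-in for socket.gethostbyname_ex, backed by FAKE_DNS."""
    if name not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN")
    return (name, [], FAKE_DNS[name])

if __name__ == "__main__":
    for ip in ("192.0.2.15", "192.0.2.16", "192.0.2.17"):
        hits = listings(ip, "zen.spamhaus.org", resolve=fake_resolve)
        print(ip, hits, zen_components(hits))
```

Calling `listings()` without the `resolve` argument performs a real DNS query through the system resolver.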
 
I edited /etc/exim/conf
Check this again if it's gone, because normally on any update, it will be overwritten and it will be present again.
As you discovered, you need to use the exim.strings.conf.custom for that.

I can tell you that it's not spamassassin as I've got that running too and I only created the custom file and recompiled exim.conf and then the issue was over.

However, since a newer version of DA, it might be one of these custom files needs to be placed somewhere else in a custom directory.
I'm trying to find out the post where it said this a few days ago.
 
Ah, found it.
Check this thread:

Seems you can put it where it was before, but just to be sure remove the spaces before and after the = character.

If restarting exim service does not help, try recompiling exim and exim.conf.
 
Thanks Richard,

I've added the following to exim.settings.conf

Code:
RBL_DNS_LIST==\
       cbl.abuseat.org!&0.255.0.0 : \
       b.barracudacentral.org : \

and a systemctl restart exim.service doesn't appear to do anything. I don't get anything written to the screen. I would have expected an exim stop, exim start or similar.

I then tried a build of the conf file:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build exim_conf

And this gives me the following:

You cannot update Exim configuration files, because you do not have it set in options.conf file.
 
I've added the following to exim.settings.conf
Wrong file. You stated the correct file yourself. :)
Remove those lines from exim.settings.conf again.

Try it like this. Create an /etc/exim.strings.conf.custom file.
Edit the content like this, which is maybe easier:
Code:
RBL_DNS_LIST==cbl.abuseat.org : bl.spamcop.net : b.barracudacentral.org

Then take care that the exim.conf file can be built, so like this:
Code:
cd /usr/local/directadmin/custombuild
./build set eximconf yes
./build update

After that:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build exim_conf
 
I've added the following to exim.settings.conf
Wrong file. You stated the correct file yourself. :)

Oh my. What a complete buffoon.

So the .custom didn't actually exist so I created one and added the RBL line.

Then take care that the exim.conf file can be built, so like this:
Code:
./build set eximconf yes

That did it!

Code:
Changed eximconf option from no to yes

And I get a Restarting exim.

EDIT: My MailScanner is now disabled and I can't restart it

Fabulous, you are a star Richard and thank you for sticking with me.
 
Unfortunately my MailScanner has stopped and is showing as disabled and I can't restart it.
All sorted now. Don't know why but it has now enabled.
 
The exim.conf file is newly created. If you made changes for Mailscanner before, they need to be done again. I don't know what mailscanner exactly changes on DA.
However, with the new DA files it's better not to edit the exim.conf file but use the custom folder for this.

That is described here:
 
Sadly this hasn't resolved the issue.

MailScanner has just marked an email as spam, SPAMHAUS despite me removing the spamhaus RBL from /etc/exim.strings.conf.custom and then rebuilding exim.

There's nothing that helps in /var/log/exim/mainlog
 
Hmmz... that is odd. However, could it be some Mailscanner rules? I'm not using Mailscanner and I'm not getting a single entry in my mainlog or rejectlog from Exim.

It might be that Mailscanner is checking exim.conf directly which also might cause it. In that case the exim.conf has to be changed indeed.

Also be aware that abuseat will be replaced by spamhaus, not sure when. I also use abuseat and have no spamhaus notices in any logs, so it seems so far they did not replace it yet.

I think you might best ask over at CSF for support. Especially since that is payware, they should be able to shed some light on why this is happening.

You can refer to this thread if you want, because I can confirm without MailScanner and the configuration with the exim.strings.conf.custom things are working as designed, so no spamhaus blocks.
 
Hi Richard,

I asked CSF and they pointed me to the MailScanner GUI Config option called Spam List. I have changed this to only contain SPAMCOP which edits the file:

/usr/mailscanner/etc/MailScanner.conf

And the lookup file within /usr/mailscanner/etc/ is spam.lists.conf which has the format:

Code:
# http://barracudacentral.org/rbl
BARRACUDA                       b.barracudacentral.org

# aggregate list - http://www.sorbs.net/using.shtml
SORBS                           dnsbl.sorbs.net

# aggregate list - http://www.spamhaus.org/zen/
SPAMHAUS                        zen.spamhaus.org

# aggregate list - https://www.spamcop.net/bl.shtml
SPAMCOP                         bl.spamcop.net

Just in case this helps anyone else.
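An added example (not part of the original post, and not DirectAdmin or MailScanner code) that reads both layers discussed in this thread, Exim's RBL_DNS_LIST and MailScanner's Spam List resolved through spam.lists.conf, and reports which of them would still query a given zone. The three file contents are constructed samples in the formats shown above; on a server they would be read from /etc/exim.strings.conf.custom, /usr/mailscanner/etc/MailScanner.conf and /usr/mailscanner/etc/spam.lists.conf.

```python
import re

def exim_zones(text):
    """Zones in RBL_DNS_LIST, joining backslash continuations and
    dropping any Exim match suffix such as !&0.255.0.0."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    m = re.search(r"^RBL_DNS_LIST[ \t]*==?[ \t]*(.*)$", joined, re.M)
    if not m:
        return []
    items = [i.strip() for i in m.group(1).split(":")]
    return [re.split(r"[!=&]", i, maxsplit=1)[0] for i in items if i]

def mailscanner_zones(conf_text, lists_text):
    """Map each name on the 'Spam List =' line to its zone in spam.lists.conf."""
    lookup = {}
    for line in lists_text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, split columns
        if len(fields) >= 2:
            lookup[fields[0]] = fields[1].rstrip(".")
    m = re.search(r"^Spam List[ \t]*=[ \t]*(.*)$", conf_text, re.M)
    names = m.group(1).split() if m else []
    return {n: lookup.get(n, "<not in spam.lists.conf>") for n in names}

def still_queried(zone, exim_text, ms_conf, ms_lists):
    """Name every layer that would still look up `zone`."""
    layers = []
    if zone in exim_zones(exim_text):
        layers.append("exim")
    if zone in mailscanner_zones(ms_conf, ms_lists).values():
        layers.append("mailscanner")
    return layers

# Constructed samples: Exim already cleaned up, MailScanner not yet.
EXIM_CUSTOM = "RBL_DNS_LIST==cbl.abuseat.org : bl.spamcop.net : b.barracudacentral.org\n"
MS_CONF = "Spam List Skip If Authenticated = no\nSpam List = SPAMHAUS SPAMCOP\nSpam Lists To Be Spam = 1\n"
MS_LISTS = """# aggregate list - http://www.spamhaus.org/zen/
SPAMHAUS                        zen.spamhaus.org
# aggregate list - https://www.spamcop.net/bl.shtml
SPAMCOP                         bl.spamcop.net
"""

if __name__ == "__main__":
    print(still_queried("zen.spamhaus.org", EXIM_CUSTOM, MS_CONF, MS_LISTS))
```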
 
Ha so I was right, it was the Mailscanner still using the spamhaus list. Good to know.

Seems both MailScanner and Exim are then using the same RBLs, you have a double check. :)
 
Well, I'm not sure if MailScanner was overriding the Exim list or not. Would have to test to check and ain't nobody got time for that!

Next job is to system wide block some TLDs.
I used to use an antivirus/empty file when I used cPanel which would match TLDs and send any emails to an account for me to check but this isn't working in DA so I need to have a bit of a dig about.
 
HI Digital Essence ;
I'm using CFS MailScanner to manage my incoming spam and I've noticed some of my customers' sending IP's are being flagged as spam because they are on the SPAMHAUS RBL.
You should add your customers' email, domain name or (IP/CIDR) to the whitelist

login -->directadmin as admin-->>Extra Features-->> ConfigServerMSFE -->
Front-End Setting--> scroll down on the left side "Windows " Server Spam Whitelist:

if your customer has the email address [email protected]
add this [email protected] only one entry per line
if you want all email addresses from @domain.tld

add *@domain.tld

you can also add your customer's
IP 1.1.1.1 or
CIDR like this 1.1.1.0/24 ( 1.1.1.0 -- 1.1.1.255 all ips )

--->> Save Changes


if you want to remove SPAMHAUS RBL from MailScanner

pls remove from this /usr/mailscanner/etc/spam.list.conf

if you edit the file spam.list.conf restart MailScanner


hope this helps
 
Hi Hostmavi,
thanks for that. Currently adding a couple of *@domain.tld's to the whitelist.
Re spam.list.conf, I was under the impression that this was more of a lookup file that mapped the RBL friendly name to the URL, and that adding or removing the RBLs from MailScanner is done through the GUI or by editing MailScanner.conf and editing the Spam List = line.
 
Hi ;
Code:
 GUi or editing MailScanner.conf and editing the Spam List = line.
yes you can add or remove the RBL there.
but if you add an RBL in Spam List =

the name and URL of the RBL should exist in /usr/mailscanner/etc/spam.list.conf
like this

# http://barracudacentral.org/rbl
BARRACUDA b.barracudacentral.org

# aggregate list - http://www.sorbs.net/using.shtml
SORBS dnsbl.sorbs.net

# aggregate list - http://www.spamhaus.org/zen/
SPAMHAUS zen.spamhaus.org

# aggregate list - https://www.spamcop.net/bl.shtml
SPAMCOP bl.spamcop.net
 
Hi,

Just opening this thread back up as I would really appreciate some further advice.

Because of the high number of false positives I was getting with the RBLs I was using in MailScanner:

b.barracudacentral.org
dnsbl.sorbs.net
zen.spamhaus.org
bl.spamcop.net

I have disabled all RBLs. My issue was as before. Customers' home or office DHCP IPs were added to the lists and being blocked and this caused a lot of complaints.

Obviously now everyone is getting a lot of spam and complaining so I'm now testing bl.mxrbl.com and will see how I go with this.

My questions after this long winded intro are:
1) Am I able to give emails that are on an RBL a +ve score to bump up the total score rather than them being given a score of 0.00, instantly being marked as High scoring spam and bypassing all other checks? I'm struggling to find anything in the MailScanner rules.

2) Has anyone enabled the "Spam List Skip If Authenticated" option in MailScanner?
"If an user sends a mails after authenticating to the local mta this option disables the rbl checks if set to "yes". If set to "no" or not defined the rbl check will be executed even when the user is authenticated."

This appears that it would disable the RBL check if the email is sent after authenticating and it would perhaps resolve the issue of my customers being blocked if they are on an RBL.

EDIT: I enabled this by changing the value from no to yes and it stopped all incoming email and just sat adding more and more emails to the batch to be scanned but didn't scan them. Disabled this feature and I've put a post up at CSF to see if they can help.

3) I've currently got "Spam Lists To Be Spam =" set to 1. Which means that a message only needs to appear on one RBL to be flagged. What setting do you use for this and which RBLs are you using?

EDIT: I've kept this at 1 but noticed that there was also a "Spam Lists To Reach High Score" option which was also set to 1. Since changing this to 2, emails that are on one RBL are being marked as spam with a score of 0.00 and emails on two or more lists are being flagged as High scoring spam which seems to be working well.

I would still like to see the option of emails in an RBL being given a score and also continuing to be tested for other rules.



Thanks again.
 
Wrong file. You stated the correct file yourself. :)
Remove those lines from exim.settings.conf again.

Try like this. Create an /etc/exim.strings.conf.custom file.
Edit the content and do like this, is maybe easier:
Code:
RBL_DNS_LIST==cbl.abuseat.org : bl.spamcop.net : b.barracudacentral.org

Then take care that the exim.conf file can be built, so like this:
Code:
cd /usr/local/directadmin/custombuild
./build set eximconf yes
./build update

After that:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build exim_conf
Hi Richard G, do you still use this configuration?
The problem with blocking IPs is that spammers are using the same domain and changing IPs frequently. There is no way to download a list of domains to block, so every time they change IPs, the domain will be blocked in the same way!
I got a free account at Spamhaus for Content Data [DBL + ZRD] but I don't know how to configure it in DA. If there was a configuration like CSF's /etc/csf/csf.blocklists that automatically updates the domains, it would be great.
 