system_filter and backscatter

floyd

I have been doing some testing, and it appears that one of the causes of backscatter is using the system_filter to reject emails. Evidently, by the time the system_filter is used, it is too late to reject an email. It tries to bounce the email back to the From address instead.

So the question: Is there any way to get exim to use the system filter so that it rejects the email?

If not then can I use the exim.pl to reject email?
 
Both system_filter and exim.pl are called by exim after the email has been accepted.

Where do you set the system_filter to bounce the email? Isn't the system_filter configured by DirectAdmin at the user level? If so, then it only gives you the ability to drop email, or to send it to the spambox.

Or am I thinking of something else? Or am I missing something?

Jeff
 
DA configures users' individual filters. The /etc/system_filter has to be configured manually if used.

When a filter is manually configured it gives you so many more options. For instance:

Code:
        fail text "Blah blah blah"
        seen finish

I have now learned that the above code bounces the email to the From address. I originally thought it rejected the email. I am trying to figure out how to reject email based on several things, one of them being content.

So I guess the filters are worthless for rejecting spam.

I also use SURBL, whose code is in the exim.pl file. In the log I get this:

Code:
2009-09-18 00:53:52 1MoVTe-0000HO-Ur H=mail.launchedmirr.com [208.53.129.118] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (launchedmirr.com) in [jp] [ob]. See http://www.surbl.org/lists.html.

So I guess it is not really rejecting the email.

And I see I have had a similar discussion over a year ago and forgot about it: http://www.directadmin.com/forum/showthread.php?t=25602

I forgot where I left my memory.

Back to the drawing board.
 
I just did some testing. I was using http://www.surbl.org/exim_surbl.shtml to reject email, I thought, but as it turns out it bounces, and it could indeed bounce to an incorrect address.

So now the question becomes: is there any way to reject a message based on content, much like the above link?

I never want to blindly drop an email and also not filter it to another box since then I would have to check yet another email box. I want to either accept it or reject it.
 
> I have now learned that the above code bounces the email to the From address. I originally thought it rejected the email. I am trying to figure out how to reject email based on several things, one of them being content.

You can reject based on content, in the data acl. It appears you are; see below.

> I also use SURBL, whose code is in the exim.pl file. In the log I get this:
>
> Code:
> 2009-09-18 00:53:52 1MoVTe-0000HO-Ur H=mail.launchedmirr.com [208.53.129.118] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (launchedmirr.com) in [jp] [ob]. See http://www.surbl.org/lists.html.
>
> So I guess it is not really rejecting the email.

That logfile snippet says it is. Rejecting after data is rejecting. It can't reject until after it's read it, and in some cases this rejection gets ignored by the sending server, but it's a valid smtp rejection.

Jeff
 
I was able to get it to bounce mail to the wrong address using the surbl code so something is screwy.

Code:
2009-09-19 17:22:12 1Mp7Nk-0005bX-1L <= [email protected] H=wireless.router.newwebsite.com ([192.168.1.101]) [12.180.200.2] P=esmtp S=704 [email protected] T="Go to this site" from <[email protected]> for [email protected]

2009-09-19 17:22:46 1Mp7Nk-0005bX-1L ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mail.cliborne.com [12.191.44.56]: 550-Blacklisted URL in message. (cheaprxmed.net) in [jp] [ab] [ob] [ws]. See\n550 http://www.surbl.org/lists.html.

2009-09-19 17:22:46 1Mp7Nk-0005bX-1L Completed

I used my local mail client, with a Yahoo mail address in the From header, to send through one of my servers (server1), which does not use SURBL, to another one of my servers (server2), which uses the SURBL code. Server2 rejected the email. Server1 sent a bounce to [email protected] even though [email protected] did not actually send it.


So now another thought came to mind. What will a sending mail server do if mail is rejected by RBL on the receiving server? Will it also possibly send a bounce to the incorrect address? I do not have a blacklisted ip address in order to try that scenario.
 
Server2 rejected the mail using surbl. As it was supposed to. Server1 sent a bounce to you at yahoo, because it couldn't reject it; this was already anywhere between a millisecond and days after it had accepted it. At this point it has no way of knowing what to do with it except return it.

Any fix would be in violation of RFC requirements. This is specifically backscatter, and as I've written before, it's hard to fix. Try with the latest SpamBlocker release candidate; see if it eliminates it.

Jeff
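
The difference discussed above, between a rejection issued during the SMTP session and a bounce generated after the message was accepted, can be read from Exim's main log. This is an added example, not code from the thread: the function name `classify` and the sample log lines (example.* addresses and made-up message IDs) are constructed, and it assumes the standard Exim log forms `<=` (arrival), `**` (delivery failed) and `<= <> R=<id>` (bounce generated for message `<id>`).

```python
import re

# Constructed Exim mainlog lines (not taken from the thread).
SAMPLE_LOG = """\
2009-09-19 17:22:12 1AAAAA-000001-AA <= alice@example.org H=client.example.net [192.0.2.10] P=esmtp S=704
2009-09-19 17:22:46 1AAAAA-000001-AA ** bob@example.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx.example.com [198.51.100.7]: 550 Blacklisted URL in message.
2009-09-19 17:22:46 1BBBBB-000002-BB <= <> R=1AAAAA-000001-AA U=mail P=local S=1650
2009-09-19 17:22:46 1AAAAA-000001-AA Completed
2009-09-19 17:30:01 1CCCCC-000003-CC H=mail.example.invalid [203.0.113.5] F=<spam@example.invalid> rejected after DATA: Blacklisted URL in message.
2009-09-19 17:31:00 1DDDDD-000004-DD <= carol@example.org U=carol P=local S=512
2009-09-19 17:31:05 1DDDDD-000004-DD ** dave@example.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO: 550 No such user
"""

# date, time, message id, remainder of the line
LINE = re.compile(r"^\S+ \S+ (\S+) (.*)$")

def classify(log_text):
    """Separate SMTP-time rejections from post-acceptance failures."""
    accepted = {}        # msg id -> (envelope sender, arrived from a remote host?)
    failed = set()       # msg ids with at least one '**' delivery failure
    bounces = {}         # original msg id -> id of the bounce generated for it
    smtp_rejected = []   # refused during the SMTP session: we create no bounce
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg_id, rest = m.groups()
        if rest.startswith("<= "):
            sender = rest.split()[1]
            ref = re.search(r" R=(\S+)", rest)
            if sender == "<>" and ref:
                bounces[ref.group(1)] = msg_id
            else:
                # H= means the envelope sender was supplied by a remote client
                accepted[msg_id] = (sender, " H=" in rest)
        elif rest.startswith("** "):
            failed.add(msg_id)
        elif "rejected after DATA" in rest:
            smtp_rejected.append(msg_id)
    # Backscatter risk: accepted from a remote host, then failed onward, so the
    # bounce goes to an envelope sender we never verified.
    risk = [(i, accepted[i][0], bounces.get(i))
            for i in sorted(failed) if i in accepted and accepted[i][1]]
    return {"smtp_rejected": smtp_rejected, "backscatter_risk": risk}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

The locally submitted message (`U=carol P=local`) also fails, but it is not flagged, because its bounce returns to a local user rather than to an address chosen by a remote client.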
 
It seems to me that the same could happen with RBLs. Someone uses Server1 to send mail and its IP is blacklisted, and then Server2 rejects it, and then Server1 returns it to the FROM address.

You are right it probably has been discussed before but I think I understand it better now.

I cannot use Spamblocker3 yet since I do not use Dovecot.
 
I know it's the future but I don't have to like it. This subject might be for another thread. I have only tried it once and switched back as soon as I could. I found it more confusing from an admin point of view because there are more email files to deal with.

Maybe I will try it again. I hate learning something new just so that I can keep doing the same thing I have always done. I do not see Dovecot as being better, just different. I hated changing from sendmail to exim but that is what I had to do in order to use DA. Is exim better than sendmail? I don't think so for my needs. It's just different. I have not had any problems using vm-pop3d or imapd. Why should I change?

I know I will change to Dovecot when DA makes me change.
 
Let's start by separating out Dovecot from Maildir, as it's the Maildir directory structure that you're referring to. It's true that there's no reason to change to Dovecot with DirectAdmin unless you're using Maildir, and so no method to switch to Dovecot exists for keeping mbox mailboxes.

So let's first look at the disadvantage of mbox.

There are two problems with using mbox for email storage. One is that it stores all emails in one file. That file can get very big for users who don't delete email, meaning it can take so long to do anything using any of the webmail clients that webmail just doesn't work; it times out. Other issues are that you can run out of space for a user's email if his email quota isn't at least twice the amount of email he's got, because POP and IMAP servers both make a copy of the entire mbox file whenever the user logs in. And that any time an email is deleted from the server, the entire mbox file has to be rewritten.

The second problem is less important; you've probably seen it and ignored it. mbox uses a blank line, followed by a line which begins
Code:
From
(There's a space after the "m") to delimit a new email.

So if an email contains this exact combination of two lines, when it's stored into an mbox mailbox, the transport (in our systems this is done by Exim) adds the > character in front of the F in From.

But the first problem is a real problem now that many clients are keeping email on the server and/or using IMAP.

Now that disadvantage you've mentioned concerning Maildir.

Of course you're right, but you shouldn't often have to look at the mailboxes that way.

Maildir was invented by Dan Bernstein, who wrote it for machine efficiency, not to make it easy for us humans.

Jeff
 