View Full Version : [RELEASE] SpamBlocker Version 2 released
jlasman
10-08-2005, 06:04 PM
SpamBlocker Version 2 for DirectAdmin has just been released.
SpamBlocker Version 2 is a highly recommended upgrade, as it fixes some bugs that were causing certain whitelists to be ineffective under some circumstances.
SpamBlocker implements the availability of port 587 for authenticated SMTP; a feature required so that your clients whose ISPs block port 25 may still use your server for outgoing email.
SpamBlocker Version 2 uses the following public blocklists:
SPAMHAUS
ORDB
SORBS SMTP LIST
SORBS IP LISTS
SORBS NAME-BASED LIST
SPAMCOP
NJABL
CBL
SpamBlocker Version 2 uses the following locally maintained blocklists:
Blocking by Hosts
Blocking by Domains
Blocking by Senders
SpamBlocker Version 2 uses the following locally maintained whitelists:
Whitelist Domains
Whitelist Hosts
Whitelist Senders
SpamBlocker will not block emails from domains, hosts and senders listed in the whitelists even if they are listed in one of the local or public blocklists.
When SpamBlocker Version 2 blocks emails it replies to the sending server with a complete error message specifying which blocklist, local or public, was used. RFC compliant servers will notify the original message senders so senders will know their email wasn't received, will know why it wasn't received, and will know how to get it unblocked so it will be received.
SpamBlocker Version 2 is fully functional on its own, but is also compatible with a soon-to-be-available commercially-distributed plugin to allow simplified management. Look for an announcement soon.
SpamBlocker Version 2 will be included in future releases of DirectAdmin and will be available from the DirectAdmin website as soon as it becomes an official part of DirectAdmin. Beginning immediately it may also be downloaded from the official SpamBlocker site here (http://www.nobaloney.net/downloads/spamblocker/DirectAdmin/).
Note: If you do not make the mandatory changes noted in the README file, then SpamBlocker may not work for you, and may in fact completely stop your server from either receiving or sending email.
If you wish to upgrade to the latest SpamBlocker Version 2 file but do not feel comfortable making changes yourself please contact NoBaloney Internet Services (see my siglines below) to request our help.
It's my honest hope that SpamBlocker helps you in the fight against spam.
Jeff
interfasys
10-09-2005, 06:08 AM
Added Exiscan and turned on spamassassin on FreeBSD. Works well.
GranTW
10-10-2005, 04:45 PM
Works very well :)
Only thing I noticed are dead links in the readme/comments of exim.conf.
http://www.nobaloney.net/exim/gnu-gpl-v2.txt
and
http://www.nobaloney.net/exim/exim.conf.spamblocker
Thanks,
Grant
jlasman
10-10-2005, 05:40 PM
Thanks for the heads up, Grant. They work now.
Jeff
tdldp
11-03-2005, 02:53 AM
Right, now i have a little time, i'm on the point to install Spamblocker2, and on your website, i see the tar.gz, current and archive, and
exim.conf.spamblocked
exim.conf.spamblocker
Which of the two do i take ??? (or should i use archive rather .???)
tdldp
@how@
11-03-2005, 03:14 AM
new DA install need to upgrade
install or not (install date 1/11/2005) ?
jlasman
11-04-2005, 06:52 PM
Originally posted by tdldp
Which of the two do i take ??? (or should i use archive rather .???)
Use the current file, either spamblocked or spamblocker; they're pointers to the same file.
And be sure to download and read the instructions in the README as well.
The tarball is just for those who want to download only one file.
The archives contain all old versions since SpamBlocker was released.
Jeff
jlasman
11-04-2005, 06:53 PM
Originally posted by @how@
new DA install need to upgrade
install or not (install date 1/11/2005) ?
The latest version of SpamBlocker is not yet included in DirectAdmin and the older versions have some whitelisting bugs, so you should probably update.
You can update manually, or if you're going to purchase the SpamBlocker plugin, it can manage the update for you.
Jeff
hostpc.com
11-04-2005, 09:37 PM
SpamBlocker Version 2 uses the following public blocklists:
* SPAMHAUS
* ORDB
* SORBS SMTP LIST
* SORBS IP LISTS
* SORBS NAME-BASED LIST
* SPAMCOP
* NJABL
* CBL
Since it's going to be in the default DA install, will these blacklists be able to be edited? For instance, if we choose we don't want NJABL filtering, can that be removed?
jlasman
11-05-2005, 02:20 PM
Sure.
Each blocklist is in its own set of lines in exim.conf.
You can simply comment out the lines in exim.conf for the blocklists you don't want to use, and restart exim.
In fact, with a bit of skill you can add other blocklists easily as well.
Perhaps the ability to select blocklists should be added to SpamBlocker Plugin.
Jeff
hostpc.com
11-05-2005, 04:05 PM
Originally posted by jlasman
Sure.
Perhaps the ability to select blocklists should be added to SpamBlocker Plugin.
Jeff
That'd be fantastic! Thanks for working on this!
jlasman
11-07-2005, 04:30 PM
SpamBlocker Plugin version 1.7.0 is available.
New features:
View exim.conf inside the plugin
Enable/Disable any of the pre-defined external blocklists
BugFixes:
Gets the full version number for the exim.conf file
Jeff
sander815
11-08-2005, 12:31 AM
any news from your antivirus solution?
jlasman
11-08-2005, 06:00 PM
Not yet; catching up this week on client work.
I will post when it's ready. :D
Jeff
tdldp
11-10-2005, 08:11 AM
Originally posted by jlasman
Use the current file, either spamblocked or spamblocker; they're pointers to the same file.
And be sure to download and read the instructions in the README as well.
The tarball is just for those who want to download only one file.
The archives contain all old versions since SpamBlocker was released.
Jeff
Hey jeff, i didn't return on install...
Well in fact worked great for me, and I managed to personalise it to all my needs. btw great job, it works incredibly well for us. We have no more spamming problems (new rules work better on our accounts), and in result we have now less than 0,1 % spam passing it against around 2 % on version 1....
Great Great job... and thanks so much....
Tdldp
MQ-James
11-13-2005, 02:07 AM
I don't know if I did something wrong, but 100% of the spam is passing through the server, nothing is being stopped.
Any ideas?
resolveit
11-13-2005, 03:08 AM
Do you actually have any domains listed in the /etc/virtual/use_rbl_domains ?
If you need a simple way to manage SpamBlocker you might consider the SpamBlocker Plugin (http://www.directadmin.com/forum/showthread.php?s=&threadid=10049) .
sethp
11-21-2005, 06:40 PM
I just upgraded to SpamBlocker.exim.conf.2.0-release and everything appears to be working correctly with the Spam Blocker.
However, it looks like my SpamAssassin is no longer running on mail that gets through. Is there a setting I could have missed in exim.conf? Do I have to change something in DA?
My domains still have SpamAssassin enabled, it appears. Is there an easy way to test that it's working? I've tried sending a SpamAssassin GTube email, but spamassassin doesn't kick in on it. Thanks for your help.
resolveit
11-22-2005, 03:19 PM
Sethp,
Have you enabled SpamAssassin in the exim.conf file? The default is disabled.
sethp
11-22-2005, 07:18 PM
Onno,
I did not change any lines related to SpamAssassin in exim.conf. It was not intuitive or clear. I can see two sections in the exim.conf file that appear to be related to Spam Assassin, but I don't really understand what they are doing and whether they are enabled or disabled. And if I want to enable Spam Assassin, I don't know which lines to change or uncomment.
# Spam Assassin
#spamcheck_director:
# driver = accept
# condition = "${if and { \
# {!def:h_X-Spam-Flag:} \
# {!eq {$received_protocol}{spam-scanned}} \
# {!eq {$received_protocol}{local}} \
# {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
# } {1}{0}}"
# retry_use_local_part
# transport = spamcheck
# no_verify
....
# Spam Assassin
begin transports
spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
current_directory = "/tmp"
group = mail
home_directory = "/tmp"
log_output
message_prefix =
message_suffix =
return_fail_output
no_return_path_add
transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}
use_bsmtp
user = mail
# must use a privileged user to set $received_protocol on the way back in!
Thanks for your help. I'm guessing just to uncomment that first section, but that's just a guess. Let me make another guess: I should buy the plugin :)
tdldp
11-23-2005, 01:16 AM
Uncomment spamassassin as following
# Spam Assassin
spamcheck_director:
driver = accept
condition = "${if and { \
{!def:h_X-Spam-Flag:} \
{!eq {$received_protocol}{spam-scanned}} \
{!eq {$received_protocol}{local}} \
{exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
} {1}{0}}"
retry_use_local_part
transport = spamcheck
no_verify
....
# Spam Assassin
begin transports
spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
current_directory = "/tmp"
group = mail
home_directory = "/tmp"
log_output
message_prefix =
message_suffix =
return_fail_output
no_return_path_add
transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}
use_bsmtp
user = mail
# must use a privileged user to set $received_protocol on the way back in!
sethp
11-23-2005, 12:11 PM
Thanks tdldp!
Spam Blocker 2 is working just great now, and my Spam Assassin is running on stuff that gets through Spam Blocker 2.
Jeff
Can you blanket whole ranges? i.e 207.6.6.0/24
regards
Jon
philmcdonnell
12-07-2005, 10:27 AM
Do I need to restart exim after adding a new domain to the server? It seems like SpamBlocker is not working for a new domain I added to the server. I check the file use_rbl.... and the domain is in there but all SPAM is still getting through just for this domain.
Thanks,
Phil
jlasman
12-11-2005, 10:46 PM
Originally posted by jjma
Can you blanket whole ranges? i.e 207.6.6.0/24
I believe I responded to this question for someone else but I'm just trying to catch up now, and I really don't remember :( ; can you search for a response?
Thanks.
Jeff
jlasman
12-11-2005, 10:48 PM
Originally posted by philmcdonnell
Do I need to restart exim after adding a new domain to the server?
Neither SpamBlocker nor exim should require a server restart when adding a new domain.
It seems like SpamBlocker is not working for a new domain I added to the server. I check the file use_rbl.... and the domain is in there but all SPAM is still getting through just for this domain.
How did you set up use_rbl_domains so that it automatically gets new domains? That's not how it works by default.
Are you using the plugin? Or did you set up a link?
I don't know why spam should be getting through if the domain is in use_rbl_domains.
Jeff
kawing05
12-18-2005, 03:26 AM
Did this Spamblocker v2 include ClamAV? or we need to install ourselves? Do you have any guide on Spamblocker v2 with ClamAV?
Sorry for my stupid question, as I'm newbie on Linux and DA. :(
Lawrence
jlasman
12-18-2005, 06:36 PM
SpamBlocker doesn't use ClamAV and isn't designed for use with ClamAV. Some users might have made it work.
Note that ClamAV will NOT work with SpamBlocker Plugin.
We're working now (finally) on VirusBlocker, and when that's complete, on VirusBlocker Pro.
VirusBlocker will include SpamBlocker, and as usual, you'll be able to decide to block against blocklists, virus definitions, either or both.
And VirusBlocker Pro will be a commercial package similar to SpamBlocker Plugin, which will offer per domain functionality for both SpamBlocker and VirusBlocker.
No dates, though.
Jeff
sullise
01-03-2006, 02:47 PM
Is this included in 1.26.1? If so where are the install instructions?
edit: NM, found the install, but still need to know if it's in 1.26.1 or I have to dl and install it.
jlasman
01-03-2006, 04:10 PM
A new install of 1.26.1 should include the SpamBlocker Version 2 exim.conf file. An upgrade may not.
If it's not installed you should install it either by downloading the exim.conf file from the DA files page or my download page. Be sure to read the README file at my download page and make sure the required files are properly set up in /etc/virtual/.
Jeff
hackerpitbull
01-04-2006, 06:56 AM
I don't really understand how the files:
/etc/virtual/bad_sender_hosts
/etc/virtual/blacklist_domains
(all of the /etc/virtual/* files that are used for SpamBlocker)
work.. do I need to update them manually?
where can I get a bad sender hosts list?
I updated my exim.conf to spamblocker.exim.conf, made all the files, gave them chmod 644 mail:mail, installed Spam Assassin but the files are empty, and I keep getting spammed.
jlasman
01-04-2006, 04:27 PM
Your bad_sender_hosts list should be maintained by you; it's designed to be a local blocklist. If you're not comfortable with maintaining local blocklists and whitelists manually you can buy the SpamBlocker Plugin; you can find it elsewhere on these forums.
What you need to do is put the list of domains for which you want SpamBlocker to work into the /etc/virtual/use_rbl_domains file. You can either copy them from the /etc/virtual/domains file or you can delete the use_rbl_domains file and create a link from it to the domains file (to automatically enable SpamBlocker for all domains on the server).
Again, this can all be automated by the SpamBlocker Plugin.
Jeff
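Added example (not part of the original posts and not SpamBlocker's own code): a shell check for the setup described in the post above, reporting whether use_rbl_domains is missing, a regular file or a link, and which domains in the domains file it leaves out. It assumes one domain per line in both files; the function names and the sample domains are made up for illustration.

```shell
#!/bin/sh
# Audit which hosted domains SpamBlocker's blocklist checks cover.
# Assumption: DIR/domains and DIR/use_rbl_domains hold one domain per line
# (DIR is /etc/virtual on a live server). Function names are illustrative.

# Print a list file lower-cased and sorted, without whitespace, blank lines
# or comment lines. A missing or unreadable file yields an empty list.
sb_norm() {
    [ -r "$1" ] || return 0
    tr -d ' \t\r' < "$1" | tr 'A-Z' 'a-z' | grep -v -e '^$' -e '^#' | sort -u
}

# Print the entries of list file $2 that do not appear in list file $1.
sb_missing_from() {
    sb_have=$(mktemp) || return 1
    sb_norm "$1" > "$sb_have"
    sb_norm "$2" | awk -v have="$sb_have" '
        BEGIN { while ((getline line < have) > 0) seen[line] = 1 }
        !($0 in seen)'
    rm -f "$sb_have"
}

# Print how DIR/use_rbl_domains is set up: symlink, file or missing.
sb_mode() {
    if [ -L "$1/use_rbl_domains" ]; then
        echo symlink
    elif [ -f "$1/use_rbl_domains" ]; then
        echo file
    else
        echo missing
    fi
}

# Hosted domains that get no blocklist checks.
sb_unprotected() { sb_missing_from "$1/use_rbl_domains" "$1/domains"; }

# Entries in use_rbl_domains that match no hosted domain (typos, removed domains).
sb_stale() { sb_missing_from "$1/domains" "$1/use_rbl_domains"; }

# Human-readable summary for one directory.
sb_report() {
    echo "use_rbl_domains: $(sb_mode "$1")"
    sb_unprotected "$1" | sed 's/^/not checked against blocklists: /'
    sb_stale "$1" | sed 's/^/listed but not hosted: /'
}

# Demo on a constructed directory; point sb_report at /etc/virtual on a server.
demo=$(mktemp -d)
printf '%s\n' example.com example.net Example.ORG > "$demo/domains"
printf '%s\n' example.com exmaple.net > "$demo/use_rbl_domains"
sb_report "$demo"
rm -rf "$demo"
```

An empty or missing use_rbl_domains makes every hosted domain show up as not checked, which is the situation several posters in this thread ran into.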
sullise
01-04-2006, 06:52 PM
Well, can't get it to work for me.
I followed the instructions to the letter.
According to my logs, the mail is not showing up. I put back my old exim.conf (dovecot version) and mail is showing up again normally.
I think the messages from the spamblocker setup eventually show up later when exim reattempts deliver under the old exim.conf.
Any thoughts? Is there something with dovecot that may be causing this?
resolveit
01-04-2006, 06:57 PM
When you "update" the dovecot version of exim.conf to exim.conf version 2.0 you need to re-apply the dovecot patch...
# cd /usr/local/directadmin/customapache
# patch -p0 < exim.conf.dovecot.patch
If the exim.conf.dovecot.patch does not exist you need to...
# wget http://files.directadmin.com/services/exim.conf.dovecot.patch
sullise
01-04-2006, 08:21 PM
Woot! Working now.
Thanks...probably should be in the instructions as a caveat. :)
Sean
tdldp
02-15-2006, 04:26 AM
Sorry jeff to bother, but unfortunately, when up to now we knew nearly no spam since Spamblocker V2 was released and modified to our needs, we start getting spam from a system that has probably found a measure to bypass exim / spamblocker ACL...
It doesn't manage to pass SA, for one and only reason : SURBL..
I've posted a subject on this in exim user list, about url checking and tried to apply the documentation given at : http://www.teuton.org/~erik/docs/exim_surbl.shtml but with no success when applying the patch... I added the pl subscript in exim.pl and I added the acl given :
deny set acl_m1 = ${perl{surblspamcheck}}
message = Message contains blacklisted domain $acl_m1. See http://www.surbl.org/lists.html. (Rule 21)
log_message = Message contains blacklisted domain $acl_m1. See http://www.surbl.org/lists.html. R=$recipients (Rule 21)
condition = ${if eq {$acl_m1}{false} {no}{yes} }
just after the acl :
# deny using .spamhaus
This is maybe the wrong position to place the acl in, as it is under require verify = sender, and should maybe be under check_message.....
As you have more knowledge than me in scripting i wish to submit to you also the problem ... It could be indeed useful in spamblocker to use this system of url checking in spam...
as mentioned above, sender manages to spam us, as he has unknown sender ip in all BL's used in spamblocker...
Mail contains an url listed in surbl as SA reports it :
3.3 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: logower.info]
3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: logower.info]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: logower.info]
2.6 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: logower.info]
3.6 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: logower.info]
How can spamblocker be modified to check url in surbl ??? This would be an ultimate weapon against spam for spamblocker...
Thks for your help and for your precious time spent on this...
Tdldp
EDITED....
Don't be as foolish as ME.... In fact script works from outside.... but localhost sending, between whitelist members, ignores the check... which falsed result for spam detection...
This script works, and works even pretty well... The spammer is finally blocked on this afternoon's test..
Please give a try at :
http://www.teuton.org/~erik/docs/exim_surbl.shtml
Tdldp
interfasys
02-15-2006, 04:45 AM
My only concern would be that this would slow down email filtering a lot.
tdldp
02-15-2006, 06:17 AM
EDITED ....
I'll tell you after a few logs if it is really a worry on charge...
Yet we don't use for moment a dedicated mail server, as it is still a multipurpose box for moment... when we will have enough members, we will pass on dedicated mail server, but for me it doesn't seem to be a problem and resource consuming at this time... A longer test on massive mailing machine would be interesting......
But there again i'm still a noob on this...
I'm mostly happy to stop having url spams... ;)
Tdldp
jlasman
02-16-2006, 07:35 PM
interfasys,
Any time you use an acl to check during data time instead of during rcpt time the entire message must be scanned before the acl can be applied.
So what we recommend is continuing to use the data acls as we've written, and then add additional rcpt acls as you require.
Our next version of SpamBlocker will include data acls for virus checking, spamassassin, and similar.
Jeff
jlasman
02-16-2006, 07:36 PM
tdldp,
Can you tell us more about what you mean by modifying to your needs? Perhaps you can give us some ideas.
Thanks.
Jeff
interfasys
02-17-2006, 01:31 AM
My concern is not really about parsing the whole message, but more about having to wait for an answer from a website.
tdldp
02-17-2006, 02:16 AM
Hi jeff...
For remembering, we have a strange config on our box...
Catchall on our main domain, towards my email address... We work with persons who don't understand internet rules and who calls us when they get an email error because they mistyped the email address...
Moreover, our isp has a bunch of blocked ip's, because of a f***** IT group who is on the same ADSL DSLAM, that sends dozens on mails on mailing lists, and therefore blacklists Local IP's allocated to that dslam every now and then...
In result we have to whitelist our domain to be able to send mail out to our clients and to ourselves... In V1 this was even getting problematic as we received in permanence spam... (Whitelisting ignored totally exim's acl's...).... We managed to reduce a bit by using a "refused destination" list... In clear, if a mail is sent to an address that is in that list... refuse processing...
Since V2, things have gone much better... with less hassle on exim rules... We had nearly managed to get less than 0.001 % of spam.... Indeed the new acl's seem to work now on our box, blocking all "positive" mails that were not filtered up to now in V1.. (if spam was sent to valid whitelisted emails, it managed to pass exim, but got tagged by Spamassassin)
Recently a zombie has managed to bypass the system...
I don't explain myself yet how he manages to do this... but apparently he masks the mail by using whitelisted senders email, (there is a problem here, because I thought that relaying was forbidden up to now... and I still get several messages refusing relaying... He relays this message having no valid login / password on our server, we had made the test by changing incriminated whitelisted users passwords)... Probably the whitelisting that bypasses relaying check... Moreover we get spam containing Links that are largely detected in SURBL lists...
So the idea was to check message to see if urls are detected in messages that passes exim sender checks...
And here is where it gets interesting...
I applied the method described upwards (follow link for all method)... Furthermore we already have an exim rule analysing every message received and sent via exim, for potential refused extensions... So why not use the SURBL check... Important is to place in DATA ACL not in SENDER check acl's.. Like I did..
Since then... No more spam received... we are for the moment at 0% false positives and 100 % spam blocking... Our resources have not changed (we are still on a 75 % mysql resource usage having a database linked to softwares everywhere in france, which checks for data every second...)
If you wish i can post here our exim config...
Tdldp
jlasman
02-17-2006, 03:21 PM
I'm most interested in how you get 100% blocking of spam with 0% false positives. Did you change the blocklists you use? Or do you use some additional method?
If you don't mind, post it as an attachment, but not as a post.
Thanks.
Jeff
Hello,
I'm using Exim 4.60 and dovecot 1.0beta3.
After applying exim.conf.spam.blocker I didn't receive mails but there are no errors in logs, just complete deliveries.
Anyone has it running with dovecot?
Thanks in advance,
The exim.conf.spam.blocker does not have the changes required for delivering to Maildir. You would still need to run the patch script on that exim.conf file. You can see the exact command needed by looking at how DA does it in the /usr/local/directadmin/customapache/build script in the todovcot section.
jlasman
03-02-2006, 05:28 PM
When dovecot is officially out of beta then SpamBlocker and SpamBlocker Plugin will fully support it.
Until then, the above poster has the right idea :) .
Jeff
sullise
03-03-2006, 01:57 PM
Been running under dovecot now for a while...works fine. Course the patch has to be applied...
panamaspace
03-16-2006, 02:54 AM
This modification works great on my server, already cut out 500+ surbl spams in a couple of hours. And Spamblocker had already halted the delivery of some 3,000 others using SORBS since I moved all my domains to a new server.
I know I am making a trade-off between the amazing efficiency of Spamblocker at RCPT time, but I was getting still too much spam into user inboxes. I needed to cut it down. I had noticed that spamassassin was marking most of them, thanks to surbl checks.
I even have a spamtrap address at one of the domains, getting dozens of emails a day. Since introducing SURBL into the exim.conf, perhaps 3 emails made it in in a 5 hour period.
BUT... this mod ignores the domains that DO NOT want their email filtered. Yes, there are always a couple. Can anybody suggest how to get this exim mod to only work on email for those on the use_rbl_domains file?
Tried to do it, but got: "temporarily rejected after DATA: cannot test domains condition in DATA ACL" when I tried to put in "domains = +use_rbldomains" after deny set.
so now I have to check everybody's email for that condition or none at all.
This is my breakdown of rejects. I ran a simple script provided in another thread that generated it, after some tweaks to get a little more info and see how exactly exim using sorbs was rejecting the spam.
authentication required= 3860 <-- my new server is still getting stuff meant for the previous owner of the IP.
BAD MIME = 0
Email blocked by BSAL = 0
Email blocked by BSHL = 0
Email blocked by CBL = 0
Email blocked by LBL = 0
Email blocked by NJABL = 0
Email blocked by ORDB = 0
Email blocked by SORBS = 2042 <-- this is before I made a breakdown of new rejects. I didn't know exactly how sorbs was being used to reject. I suspect most were from the IP Blocklist anyway.
Email blocked by SORBS IP BLOCKLIST = 169
Email blocked by SORBS NAME BASED LIST = 0
Email blocked by SORBS SMTP List = 0
Email blocked by SPAMCOP = 0
Email blocked by SPAMHAUS = 0
Email blocked by SURBL = 295
SURBL blacklisted domain= 193
UNACCEPTABLE ATTACHMENT = 0
VIRUS = 77
Related to this: SORBS seems to get them all, and in the 4 or so days this new server has been up, the other RBLs have caught nothing. I suspect it would be more efficient if I moved the SORBS checks to be the first on the list, and put the others afterwards?
Originally posted by tdldp
Sorry jeff to bother, but unfortunately, when up to now we knew nearly no spam since Spamblocker V2 was released and modified to our needs, we start getting spam from a system that has probably found a measure to bypass exim / spamblocker ACL...
It doesn't manage to pass SA, for one and only reason : SURBL..
I've posted a subject on this in exim user list, about url checking and tried to apply the documentation given at : http://www.teuton.org/~erik/docs/exim_surbl.shtml but with no success when applying the patch... I added the pl subscript in exim.pl and I added the acl given :
deny set acl_m1 = ${perl{surblspamcheck}}
message = Message contains blacklisted domain $acl_m1. See http://www.surbl.org/lists.html. (Rule 21)
log_message = Message contains blacklisted domain $acl_m1. See http://www.surbl.org/lists.html. R=$recipients (Rule 21)
condition = ${if eq {$acl_m1}{false} {no}{yes} }
just after the acl :
# deny using .spamhaus
Edited April 02, 2006
The author of the mod has been very helpful and has added URIBL support as well after an e-mail exchange with me.
Now you can use SURBL, URIBL or toggle them.
This mod does support a whitelisting feature. I have made the link to /etc/virtual/whitelist_domains and it now works fine.
He also suggested the following to avoid checking certain domains altogether:
Well, not quite as easy as I thought and not entirely perfect. But if you add the following condition to the SURBL data ACL it should only apply the check to recipients in your list.
condition=${lookup{${lc:$recipients}}lsearch{/etc/exim/chkdoms}{yes}{no}}
/etc/exim/chkdoms should be set to the path of your file. This is the part that makes it difficult. There can be multiple recipients to a message and the DATA ACL only knows about all of them. So it is hard to apply a check to just one domain and not another.
So the above condition works if the domain is the ONLY domain being processed. In other words if domain1.com is in your list and that is the only domain in the TO, CC, or BCC field then it will work.
If the message is being sent to domain1.com and CCd to domain2.com then the condition will not work because $recipients is no longer just a single address but something like user@domain1.com,user2@domain2.com. It is much easier to make a condition based on the sender host name, IP, sender address, or domain.
Erik
Notice that /etc/exim/chkdoms corresponds to SpamBlocker's /etc/virtual/use_rbl_domains, so make that change.
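Added example (not the script the poster mentions, which is not shown in this thread): one way to produce a reject breakdown like the one above from Exim's log, counting "rejected RCPT" lines by reason and listing the sending IPs behind one reason. The sample log is constructed in the layout of the "rejected RCPT" lines quoted in this thread, it assumes the blocklist label from the breakdown appears as the rejection text, and the function names are illustrative.

```shell
#!/bin/sh
# Tally Exim "rejected RCPT" log lines by reason, and by sending IP for one reason.
# Only RCPT-time rejects are counted; other log lines are ignored.

TAB=$(printf '\t')

# Constructed sample log (not real traffic). Hosts and addresses use reserved
# example names; IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG='2006-04-20 13:33:38 H=(helo.example) [192.0.2.10] F=<a@sender.example> rejected RCPT <u1@elsewhere.example>: authentication required
2006-04-20 13:33:56 H=dyn.isp.example (helo2.example) [198.51.100.7] F=<b@sender.example> rejected RCPT <u2@elsewhere.example>: authentication required
2006-04-20 13:33:56 H=dyn.isp.example (helo2.example) [198.51.100.7] F=<b@sender.example> rejected RCPT <u3@elsewhere.example>: authentication required
2006-04-20 13:33:57 H=dyn.isp.example (helo2.example) [198.51.100.7] F=<b@sender.example> rejected RCPT <u4@elsewhere.example>: authentication required
2006-04-20 13:34:02 H=(h3.example) [203.0.113.5] F=<c@sender.example> rejected RCPT <user@hosted.example>: Email blocked by SORBS IP BLOCKLIST
2006-04-20 13:34:05 H=(h4.example) [203.0.113.9] F=<d@sender.example> rejected RCPT <user@hosted.example>: Email blocked by SORBS IP BLOCKLIST
2006-04-20 13:34:10 1FWabc-0001de-Fg <= e@sender.example H=(ok.example) [192.0.2.20] P=esmtp S=1834'

# Read a log on stdin; print "count<TAB>reason", most frequent first.
reject_reasons() {
    awk '
        match($0, / rejected RCPT <[^>]*>: /) {
            n[substr($0, RSTART + RLENGTH)]++
        }
        END { for (r in n) printf "%d\t%s\n", n[r], r }
    ' | sort -t "$TAB" -k1,1nr -k2,2
}

# Read a log on stdin; print "count<TAB>ip" for rejects whose reason equals $1.
# Optional $2 is a minimum count, to keep only the hosts that retry a lot.
reject_sources() {
    awk -v want="$1" -v min="${2:-1}" '
        match($0, / rejected RCPT <[^>]*>: /) && substr($0, RSTART + RLENGTH) == want {
            # The sending IP is the first bracketed token on the line.
            if (match($0, /\[[0-9A-Fa-f.:]+\]/))
                ip[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (i in ip) if (ip[i] >= min) printf "%d\t%s\n", ip[i], i }
    ' | sort -t "$TAB" -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server, feed the Exim log file instead.
printf '%s\n' "$SAMPLE_LOG" | reject_reasons
printf '%s\n' "$SAMPLE_LOG" | reject_sources "authentication required"
```

A high "authentication required" count from a handful of IPs is relay probing that the server is already refusing, which is a different signal from blocklist hits on mail addressed to hosted domains.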
jlasman
03-18-2006, 07:35 PM
The error is very descriptive. The variable domains isn't available at data time.
I'd suggest reading the exim online documentation to see if there's something else you can test on during data time.
Our fix, when released, will run SpamAssassin for all domains, but ignore the SA headers for domains that don't want it.
Jeff
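Added example (not from the thread and not SpamBlocker's code): a DATA-time verdict applies to the whole message, so a per-domain opt-in has to be decided over the full recipient list, which is the difficulty the two posts above describe. These shell functions classify a recipient list against an opt-in file as all, none or mixed and apply a policy to the mixed case. The function names and the two policies are assumptions; domain1.com and domain2.com are the placeholder domains from the quoted reply.

```shell
#!/bin/sh
# Decide whether a DATA-time check should run for a message, given all of its
# recipients and a file of opted-in domains (one per line, as use_rbl_domains).

# rcpt_coverage RECIPIENTS LISTFILE
# RECIPIENTS is a comma-separated address list (spaces optional).
# Prints: all   - every recipient domain is in LISTFILE
#         none  - no recipient domain is in LISTFILE
#         mixed - some are and some are not
rcpt_coverage() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v list="$2" '
        BEGIN {
            while ((getline d < list) > 0) {
                gsub(/[ \t\r]/, "", d)
                if (d != "" && d !~ /^#/) optin[tolower(d)] = 1
            }
        }
        {
            gsub(/[ \t\r]/, "")
            if ($0 == "") next
            dom = tolower($0)
            sub(/^.*@/, "", dom)          # keep only the domain part
            if (dom in optin) yes++; else no++
        }
        END {
            if (yes && !no) print "all"
            else if (yes && no) print "mixed"
            else print "none"
        }'
}

# data_check_applies RECIPIENTS LISTFILE POLICY
# POLICY (hypothetical names) settles the mixed case:
#   strict - run the check only when every recipient domain opted in
#   any    - run the check when at least one recipient domain opted in
# Returns 0 when the check should run, 1 otherwise.
data_check_applies() {
    case "$(rcpt_coverage "$1" "$2"):$3" in
        all:*|mixed:any) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with a constructed opt-in file containing only domain1.com.
optin=$(mktemp)
printf '%s\n' domain1.com > "$optin"
for rcpts in 'user@domain1.com' 'user@domain1.com, user2@domain2.com' 'user2@domain2.com'; do
    for policy in strict any; do
        if data_check_applies "$rcpts" "$optin" "$policy"; then
            verdict=scan
        else
            verdict=skip
        fi
        printf '%-38s %-6s %s\n' "$rcpts" "$policy" "$verdict"
    done
done
rm -f "$optin"
```

With "strict", a message copied to one opted-out domain skips the check for everyone; with "any", the opted-out recipient can lose mail to a reject, so the choice is a policy decision rather than a technical one.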
panamaspace
03-18-2006, 10:49 PM
Thank you! I could have gone for hours looking in the wrong place.
I now have homework to do.
Playing around with Exim's ACLs over the last two days has been a great experience. I am now blocking more spam than ever. I am carefully looking over the logs every few minutes to make sure I am not getting false positives, but SO LITTLE spam is now making it in.
The main reason my customer wants his email unfiltered is that he is subscribed to Yahoo Groups, and it only takes a couple of bounces for them to drop you.
The surbl block rejects yahoo groups and he gets dropped...
I GUESS I could do the whitelist file from the example above (not Spamblocker/Exim's, but the surbl script)... worth a try.
tdldp
03-20-2006, 07:10 AM
Hi jeff, sorry for the delay in responding,
I'll get you on your email my exact exim configuration for you to see...
Up to now have not received any spam since using surbl.
All mails that had to be blocked were blocked with no problem...
We have had no false positives, and don't think after one month test, that we will get one...
In last 10 000 mails that were treated, we have had 2 spams that manage to bypass exim and SA... (apparently a new ip not listed up to now), We had 8 spams that managed to pass exim but not SA (these mails pass spamblocker, because apparently it's a relay only that is listed in RBL's...)... and the rest were effectively blocked...
My only question in this case is ??? Why are relays not treated in spamblocker ??? (Those 8 spams were with relays listed in XBL-SBL , etc...). Is there something particular to check or to use ???
tdldp
jlasman
03-23-2006, 08:16 PM
Well now I know why I got that email :) .
I'm very far behind in everything, as you can see.
I have no idea why those open-relays weren't caught.
You can test the same relays spamblocker does, manually, to see if things are getting through or why.
Note that we don't use xbl-sbl, but rather we use separate lists selectively.
Perhaps we're not aggressive enough?
Jeff
sullise
03-31-2006, 07:43 AM
Jeff, we are running into a problem with SB where users are getting email from Yahoo Groups bounced. And because they bounce back to Yahoo, they can't really supply us with proper headers. And since Yahoo uses a large array of mail servers, trying to find the IP's to add to whitelist_hosts is almost impossible.
Any suggestions?
Originally posted by sullise
Jeff, we are running into a problem with SB where users are getting email from Yahoo Groups bounced. And because they bounce back to Yahoo, they can't really supply us with proper headers. And since Yahoo uses a large array of mail servers, trying to find the IP's to add to whitelist_hosts is almost impossible.
Any suggestions?
I'm seeing the same issue. I've even added yahoogroups.com in the whitelist, still doesn't seem to let the emails come through.
panamaspace
03-31-2006, 09:39 AM
You want to unblock/whitelist:
returns.groups.yahoo.com
to allow mail from the yahoo groups to come in.
This has worked for me.
OTH, if you have a SURBL check enabled, like a few messages, they might get bounced anyway.
rogerdavis
04-01-2006, 03:01 PM
Originally posted by jlasman
When dovecot is officially out of beta then SpamBlocker and SpamBlocker Plugin will fully support it.
Until then, the above poster has the right idea :) .
Jeff
OK fixed it but had to go all the way around as had 24 hours worth of mail in the wrong place LOL
Just be careful with dovecot as it will kill your mail off if you don't patch it quickly !!
Regards
Les
philmcdonnell
04-04-2006, 10:27 AM
Jeff,
Is there any way to have a domain excluded from spamblocker?
I have a client that wants all his spam :(
I have use_rbl... setup as a Link to the domains list so that when I add a domain it automatically adds to spamblocker.
Is there a place where I can add the domains that don't want filtering without breaking the auto add system?
Thanks,
Phil
chatwizrd
04-04-2006, 12:21 PM
When I put a domain on blacklist like gmail for example mail still comes through. I am using the spamassassin setup on directadmin for the user.
jlasman
04-04-2006, 03:49 PM
Originally posted by philmcdonnell
Is there anyway to have a domain excluded from spamblocker?
I have a client that wants all his spam :(
I have use_rbl... setup as a Link to the domains list so that when I add a domain it automatically adds to spamblocker.
Is there a place where I can add the domains that don't want filtering without breaking the auto add system?
No. You probably should remove the link linking the two files, and create /etc/virtual/use_rbl_domains as a separate file, and maintain both files separately.
The SpamBlocker plugin makes the management a lot easier.
Note if you're going to install the SpamBlocker plugin you should delete the link first, and then manage the files through SpamBlocker.
Jeff
jlasman
04-04-2006, 03:51 PM
Originally posted by chatwizrd
When I put a domain on blacklist like gmail for example mail still comes through. I am using the spamassassin setup on directadmin for the user.
SpamBlocker has nothing to do with SpamAssassin.
SpamBlocker works for the domains listed in /etc/virtual/use_rbl_domains, so the first step is to make sure the receiving domain (the one you host) is listed in /etc/virtual/use_rbl_domains.
If it is and you're sure you've got the gmail.com domain listed in the right place, you should try an emulated email dialogue from the command line, and see how the check is failing.
Jeff
tdldp
04-20-2006, 07:02 AM
Probably not in the correct thread or forum (this could also be in the email forum); I have a problem with spamblocker, though it still functions normally...
For the last 48h I have been receiving tons of spam attempts on our server, which get blocked by spamblocker (normal up to there, it functions):
here is a log of last 50 lines :
As you can see there are tons of queries like this, (just for this week and it's not finished, my reject log files went up from 4 Mo to 10 Mo)
I'm wondering to what extent this may affect the server's response and performance ???
There is not too much you can do about those, they are trying to find an open relay. Your smtp server is doing the right thing and rejecting them, because they don't have the right username and password to send email.
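Added example (not part of the original thread): a short Python script that groups reject-log entries of the kind discussed above, RCPT rejections with "authentication required", by source IP, so relay probing stands out from ordinary rejections. The sample lines, the hosted.example domain and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Exim reject-log format; hosts, addresses and IPs
# are documentation values, not taken from any real log.
SAMPLE_LOG = """\
2006-04-20 13:33:38 H=(helo-a.example) [192.0.2.10] F=<x1@sender.example> rejected RCPT <u1@remote.example>: authentication required
2006-04-20 13:33:56 H=dyn-17.isp.example (helo-b.example) [198.51.100.17] F=<x2@sender.example> rejected RCPT <u2@remote.example>: authentication required
2006-04-20 13:33:56 H=dyn-17.isp.example (helo-b.example) [198.51.100.17] F=<x2@sender.example> rejected RCPT <u3@remote.example>: authentication required
2006-04-20 13:33:56 H=dyn-17.isp.example (helo-b.example) [198.51.100.17] F=<x2@sender.example> rejected RCPT <u4@remote.example>: authentication required
2006-04-20 13:34:39 H=dyn-17.isp.example (helo-c.example) [198.51.100.17] F=<x3@sender.example> rejected RCPT <u5@remote.example>: authentication required
2006-04-20 13:35:09 H=mx.partner.example [203.0.113.5] F=<bob@partner.example> rejected RCPT <alice@hosted.example>: Email blocked by SPAMCOP - to unblock see http://www.example.com/
this line is not a reject-log entry
"""

# H= appears as "(helo) [ip]", "rdns (helo) [ip]" or "rdns [ip]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:(?P<rdns>[^\s()\[\]]+) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[^\]]+)\](?::\d+)? "
    r"F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


def parse_line(line):
    """Return the fields of one RCPT rejection, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def max_burst(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def relay_probes(log_text, local_domains=(), min_rejects=3,
                 window=timedelta(seconds=60), reason="authentication required"):
    """Source IPs with at least `min_rejects` unauthenticated relay attempts inside `window`."""
    local = {d.lower() for d in local_domains}
    per_ip = defaultdict(lambda: {"times": [], "rcpts": set(), "helos": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["reason"] != reason:
            continue  # not a rejection of the kind we are counting
        if rec["rcpt"].rpartition("@")[2].lower() in local:
            continue  # recipient is a hosted domain, so this is not a relay attempt
        entry = per_ip[rec["ip"]]
        entry["times"].append(rec["ts"])
        entry["rcpts"].add(rec["rcpt"].lower())
        if rec["helo"]:
            entry["helos"].add(rec["helo"])
    report = []
    for ip, e in per_ip.items():
        burst = max_burst(e["times"], window)
        if burst >= min_rejects:
            report.append({
                "ip": ip,
                "rejects": len(e["times"]),
                "burst": burst,
                "recipients": len(e["rcpts"]),
                "helo_names": sorted(e["helos"]),  # changing HELO names are typical of bots
            })
    return sorted(report, key=lambda r: r["rejects"], reverse=True)


if __name__ == "__main__":
    for row in relay_probes(SAMPLE_LOG, local_domains={"hosted.example"}):
        print(row)
```

The resulting per-IP list can feed a firewall or rate-limit rule if the log growth becomes a concern; the rejections themselves show the server refusing to relay.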
philmcdonnell
05-03-2006, 05:04 PM
Is there a way to allow all domains to use the use_rbls... file but omit any domains that don't want to use the spamblocker.
I currently have a sym-link for the use-rbl... but I have a client that doesn't want to filter spam.
Now I don't want to have to manually adjust the use_rbl file when I add new domains/clients to the server.
If there is a way to add an omit file that will skip over any domains that don't want spamblocker protection?
Thanks,
Phil
interfasys
05-03-2006, 08:23 PM
The plugin stopped working and the helpdesk is unusable, so here is a description of the problem I had today:
I haven't really used Spamblocker for the last couple of months, but today when launching the page I got this:
Warning: explode(): Empty delimiter. in /usr/local/directadmin/plugins/spamblocker/shared/functions.inc.php on line 178
License Error: Cannot communicate with the license server, please notify the helpdesk at http://spamblocker.virtualhelpdesk.info.
So...Problem with PHP 5.1.3?
jlasman
05-04-2006, 02:10 PM
It may very well be a problem with PHP 5.
Please tell me in what way the helpdesk is unusable; I'd like to get it fixed.
I'll see Onno tonight, so an email to me with specific problems will be helpful.
Thanks for bringing this to our attention.
Jeff
interfasys
05-05-2006, 03:56 AM
On the helpdesk, create a new ticket and try to send it. It won't work because you haven't selected a priority. You can't select one because none are defined ;).
And the other problem wasn't related to PHP at all, it was just your license server that was apparently unreachable since everything is working fine now.
jlasman
05-08-2006, 08:08 PM
I believe Onno has addressed this thread now that he's back at his office, but I'll bring it to his attention.
Jeff
BigWil
08-16-2006, 05:45 PM
Jeff,
Long time no chat. Hope you are doing well.
With your new spamblocker what is the best way to use only authentication. We want to do away with all popb4smtp. I had the change for this before but I upgraded everything even my darn notes and can't find a reference. Something about the pophosts line but I can't recall the syntax exactly.
Oh and one more thing. I used to pass a list of IPs of servers allowed to relay with no interference from rbl with a my_whitelist file full of the IPs. Can this now be done with your whitelists_hosts file instead?
Big Wil
jlasman
08-16-2006, 06:48 PM
Originally posted by BigWil
Long time no chat. Hope you are doing well.
Aside from being exhausted all the time, quite well, thanks.
With your new spamblocker what is the best way to use only authentication. We want to do away with all popb4smtp. I had the change for this before but I upgraded everything even my darn notes and can't find a reference. Something about the pophosts line but I can't recall the syntax exactly.
I don't know either; perhaps someone else will respond. Have you searched these forums?
Oh and one more thing. I used to pass a list of IPs of servers allowed to relay with no interference from rbl with a my_whitelist file full of the IPs. Can this now be done with your whitelists_hosts file instead?
Yes. That's its raison pour est (reason for being).
We've got a script we're testing internally that will parse a whole mailbox file of spams, and extract all the IP#s and hostnames just to use in the whielists_hosts file.
Jeff
BigWil
08-16-2006, 08:05 PM
Well get some rest! I definitely know where you are coming from though.
I did find an old copy of the exim.conf that was working with the required authentication and my_whitelist. Using the same basic syntax it isn't working with the new one though.
domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains
domainlist whitelist_from = lsearch;/etc/virtual/whitelist_from
domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
hostlist relay_hosts = net-lsearch;/etc/virtual/my_whitelist : 127.0.0.1
hostlist auth_relay_hosts = *
If anybody has any idea of how to get that relay_hosts line to work with this new version it would be greatly appreciated. We just don't feel safe around here unless they authenticate for all SMTP traffic.
Thanks,
Big Wil
eroloz
08-18-2006, 09:24 AM
Hi,
I have installed version 2.
I have made a test:
I have added my gmail address to blacklist_senders.
- When I send email from this address in blacklist_sender, a delivery failure message arrives stating that it is a permanent error (PERM_FAILURE: SMTP Error (state 9): 550 Administrative prohibition). Instead of getting a message stating my address is blocked.
Is not gmail servers RFC compliant?
- Secondly, emails from that blacklisted address to any of domains in my server has been treated same. Though these domains are not in use_rbl_domains.
Is this normal?
I have also noticed something in exim.conf.spamblocked, but I am not sure it is a bug because I am not an expert on exim conf file:
#deny using email address in blacklist_senders
block is different than others.
For example:
# deny so-called "legal" spammers"
deny message = Email blocked by LBL - to unblock see http://www.example.com/
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
sender_domains = +blacklist_domains
# deny using email address in blacklist_senders
deny message = Email blocked by BSAL - to unblock see http://www.example.com/
domains = use_rbl_domains
deny senders = +blacklist_senders
Probably due to my ignorance, I could not understand why the lines in bold are different. P.S. I don't need to understand it, it is enough to know if it is ok, or not.
Thanks,
xemaps
08-18-2006, 09:47 AM
rbl never worked on my server, i don't know why
BUT THIS WORK on my DA/FC3 :
# place in exim.conf
drop message = $sender_host_address is blacklisted at
!authenticated = *
dnslists = ${lookup{${lc:$local_part@$domain}}lsearch*@{/etc/virtual/dnslists}}
delay = 20s
#
be careful: dnslists is one line
#create file /etc/virtual/dnslists
* bl.spamcop.net : sbl-xbl.spamhaus.org : list.dsbl.org
#
add what rbl you want.
Originally posted by eroloz
Probably due to my ignorance, I could not understand why the lines in bold are different. P.S. I don't need to understand it, it is enough to know if it is ok, or not.
Thanks,
From what I know about exim, the first entry is the correct one with the '+'. The '+' in this case says that this is a reference to a named list, and the name is use_rbl_domains. I'm sure it was just something that Jeff missed.
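Added example (not from the thread or from SpamBlocker itself): a small Python check for the problem discussed above, where an ACL condition names a list without the leading '+' and Exim therefore treats the word as a literal pattern instead of a named-list reference. The sample configuration is assembled from the lines quoted in the thread; the blacklist_senders definition and its file path are assumptions.

```python
import re

# Constructed sample built from the lines quoted in the thread. The addresslist
# definition on line 3 (name and path) is an assumption, not shown on the page.
SAMPLE_CONFIG = """\
domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
addresslist blacklist_senders = lsearch;/etc/virtual/blacklist_senders
# deny so-called "legal" spammers
deny message = Email blocked by LBL - to unblock see http://www.example.com/
  domains = +use_rbl_domains
  sender_domains = +blacklist_domains
# deny using email address in blacklist_senders
deny message = Email blocked by BSAL - to unblock see http://www.example.com/
  domains = use_rbl_domains
  senders = +blacklist_senders
"""

# Named-list definitions: "domainlist NAME = ...", optionally with a _cache suffix.
LIST_DEF_RE = re.compile(
    r"^\s*(domainlist|hostlist|addresslist|localpartlist)(?:_cache)?\s+(\w+)\s*="
)
# ACL conditions whose value is a list, optionally preceded by the ACL verb.
COND_RE = re.compile(
    r"^\s*(?:(?:accept|deny|drop|defer|discard|require|warn)\s+)?"
    r"!?(domains|sender_domains|hosts|senders|local_parts)\s*=\s*(.*)$"
)
# Which kind of named list each condition may reference.
EXPECTED_TYPE = {
    "domains": "domainlist",
    "sender_domains": "domainlist",
    "hosts": "hostlist",
    "senders": "addresslist",
    "local_parts": "localpartlist",
}


def lint(config_text):
    """Return (line number, problem, condition, item) tuples for named-list misuse."""
    lines = config_text.splitlines()
    defined = {}
    for line in lines:
        m = LIST_DEF_RE.match(line)
        if m:
            defined[m.group(2)] = m.group(1)

    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND_RE.match(line)
        if not m:
            continue
        cond, value = m.group(1), m.group(2)
        for raw in value.split(":"):  # list items are colon-separated by default
            item = raw.strip().lstrip("!").strip()
            if not item:
                continue
            if item.startswith("+"):
                name = item[1:]
                if name not in defined:
                    findings.append((lineno, "undefined_list", cond, item))
                elif defined[name] != EXPECTED_TYPE[cond]:
                    findings.append((lineno, "wrong_type", cond, item))
            elif item in defined:
                # Bare word equal to a list name: matched literally, the list is never consulted.
                findings.append((lineno, "missing_plus", cond, item))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

With `domains = use_rbl_domains` the condition only matches a recipient domain literally called use_rbl_domains, so that deny statement never applies to real mail.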
eroloz
08-18-2006, 10:48 AM
Originally posted by eroloz
Hi,
I have installed version 2.
I have made a test:
I have added my gmail address to blacklist_senders.
- When I send email from this address in blacklist_sender, a delivery failure message arrives stating that it is a permanent error (PERM_FAILURE: SMTP Error (state 9): 550 Administrative prohibition). Instead of getting a message stating my address is blocked.
Is not gmail servers RFC compliant?
- Secondly, emails from that blacklisted address to any of domains in my server has been treated same. Though these domains are not in use_rbl_domains.
Is this normal?
I have also noticed something in exim.conf.spamblocked, but I am not sure it is a bug because I am not an expert on exim conf file:
#deny using email address in blacklist_senders
block is different than others.
For example:
# deny so-called "legal" spammers"
deny message = Email blocked by LBL - to unblock see http://www.example.com/
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
sender_domains = +blacklist_domains
# deny using email address in blacklist_senders
deny message = Email blocked by BSAL - to unblock see http://www.example.com/
domains = use_rbl_domains
deny senders = +blacklist_senders
Probably due to my ignorance, I could not understand why the lines in bold are different. P.S. I don't need to understand it, it is enough to know if it is ok, or not.
Thanks,
I have searched forum more, and I have found that Jeff said somewhere that if exim.conf file mangled, it can make similar things. And he warned about copy/paste. I have comment out the lines that I have pasted into exim.conf file, and the problem has been solved.
Sorry for the inconvenience.
rszkutak
08-21-2006, 07:56 PM
Hopefully this hasn't been asked and I just passed over it... Jeff, I purchased the SpamBlocker from you all, and I was wondering: do I have the most current version? And if not, how do I upgrade?
thanks,
Rob
Version Installed Available
SpamBlocker Plugin 1.7.1
SpamBlocker exim.conf 2.0
Chrysalis
08-23-2006, 11:17 PM
I enabled this for my personal domain on my server and am seeing it block emails. I was getting approximately 200-300 spam a day to my email address with spamassassin retagging about 90% of them and outlook filtering via the subject tag to junk folder; however, I got sick of wasting traffic on them, so following praises from people who I installed spamblocker for I tried it.
I disabled spamcop checks but left all the others on but am finding still about 30-50 spam a day in my inbox. What's unusual is spamassassin is still managing to tag these as spam with many done via blocklists, which is how I thought spamblocker worked. Is it maybe the case some blocklists used by spamassassin are not used by spamblocker?
Some examples below.
1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: onlinekmr.info]
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: onlinekmr.info]
and
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: tsswyks.com]
3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: tsswyks.com]
and
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: paulamwest.com]
3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: paulamwest.com]
4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: paulamwest.com]
there is a few as well that are tagged via non network checks which I guess are not on any blacklists.
Chrysalis
08-24-2006, 02:55 AM
some more all these were in 1 email.
1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: bumsert.com]
3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: bumsert.com]
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: bumsert.com]
2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: bumsert.com]
3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: bumsert.com]
4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: bumsert.com]
it altogether got 35 pts on spamassassin but got through spamblocker. :(
xemaps
08-24-2006, 12:36 PM
why don't you reject if too much points ?
i don't use spamblocker only my dnslist and sa and exim and clamav
Chrysalis
08-25-2006, 06:12 AM
I have them going to junk folder automatically but was just showing that there are many other block lists spamblocker isn't using. I plan to add these other lists to exim.conf so spamblocker blocks these emails as well.
pucky
09-21-2006, 12:16 AM
I'm sorry, but anyone who knows anything about mail and keeping their users from bitching due to blocked emails from recipients would never include the list:
SPAMHAUS
ORDB
SORBS SMTP LIST
SORBS IP LISTS
SORBS NAME-BASED LIST
SPAMCOP
NJABL
CBL
RBL's are so yesterday. There are better ways to kill spam that will lower the false positives dramatically. There are only one or two RBLS that actually work to the point of not triggering false positives and neither of those two are listed above. The combination of MS + SURBL lookups at SMTP TIME, SA + PYZOR + DCC + TOP 200 SPAMCOP DOWNLOADS, RULES DU JOUR, would kill 94% - 96% of all your spam while keeping your users happy and bitch free. We have been using this combo for over 2yrs. In the past 2 yrs we have had less than 10 clients who have complained about blocked mail. Using the above list exclusively would be a huge mistake.
.... I find it amusing that so many are installing SA at the user level, including SPAMD/C. First of all, SPAMD/C are huge system resource hogs. If you have installed SPAMD/C on your server and it's running high in resources you'd better check SPAMD. Not to mention what would happen if all of a sudden the box was spam bombed, brute force attacked or dictionary style attacked, SPAMD would be whirling out of control at about 99% cpu cycles which would surely bring your box to a grinding halt. Second, why would anyone want to scan mail twice? If you are implementing a decent combo, like we are using above, SA at the user level becomes a useless installation. Why? Because mail would be scanned, not only at the server level, but then once again at the user level. What for? Why push your server's resources to the absolute limit? I mean, if you can't catch your spam the first time, without relying on SPAMD to score it, you shouldn't be running spam filters.
I just don't get this thinking. It's very possible that most people just don't get it or don't know any better, thinking that offering their users just one more feature called SpamAssassin, controllable from the user control panel, is just another great feature to include. I beg to differ, trust me, I should know. I am the author of countless documents, howtos and other articles on the subject posted in various forums. Good luck with this.
philmcdonnell
09-21-2006, 12:22 AM
Originally posted by pucky
RBL's are so yesterday. Granted, a very select few, one or two would yield results. The combination of MS + SURBL lookups at SMTP TIME, SA + PYZOR + DCC would kill 94% of your spam while keeping your users happy and bitch free. We have been using this combo for over 2yrs. In the past 2 yrs we have had less than 10 clients who have complained about blocked mail. Using the above list exclusively would be a huge mistake.
Could you explain how to set this up? I am currently using SpamBlocker and have been getting a lot of spam and also users complaining about being blocked.
Thanks,
Phil
pucky
09-21-2006, 12:56 AM
Originally posted by philmcdonnell
Could you explain how to set this up? I am currently using SpamBlocker and have been getting a lot of spam and also users complaining about being blocked.
Thanks,
Phil
That's because of the RBL list being used. Writing a complete howto for this would be impossible. There is just so much that goes into setting this up but it can be done, full implementation in about 3hrs then comes the testing and tweaking. Once it's down and set it's magic. There are a few people doing this type of installation who I will not mention here for the sake of advertising.
Chrysalis
09-21-2006, 01:46 PM
I agree on the RBL lists, I am seeing the ones picked aren't the best choice and spamcop is a big no no, so many false positives.
philmcdonnell
09-21-2006, 02:26 PM
Originally posted by Chrysalis
I agree on the RBL lists, I am seeing the ones picked aren't the best choice and spamcop is a big no no, so many false positives.
So what is everyone doing? Can you give me a list of what RBL's you recommend? If no RBL's than what do you recommend?
Regards,
Phil
clintox
09-22-2006, 04:47 PM
Originally posted by pucky
I'm sorry, but anyone who knows anything about mail and keeping their users from bitching due to blocked emails from recipients would never include the list:
SPAMHAUS
ORDB
SORBS SMTP LIST
SORBS IP LISTS
SORBS NAME-BASED LIST
SPAMCOP
NJABL
CBL
RBL's are so yesterday. There are better ways to kill spam that will lower the false positives dramatically. There are only one or two RBLS that actually work to the point of not triggering false positives and neither of those two are listed above. The combination of MS + SURBL lookups at SMTP TIME, SA + PYZOR + DCC + TOP 200 SPAMCOP DOWNLOADS, RULES DU JOUR, would kill 94% - 96% of all your spam while keeping your users happy and bitch free. We have been using this combo for over 2yrs. In the past 2 yrs we have had less than 10 clients who have complained about blocked mail. Using the above list exclusively would be a huge mistake.
.... I find it amusing that so many are installing SA at the user level, including SPAMD/C. First of all, SPAMD/C are huge system resource hogs. If you have installed SPAMD/C on your server and it's running high in resources you'd better check SPAMD. Not to mention what would happen if all of a sudden the box was spam bombed, brute force attacked or dictionary style attacked, SPAMD would be whirling out of control at about 99% cpu cycles which would surely bring your box to a grinding halt. Second, why would anyone want to scan mail twice? If you are implementing a decent combo, like we are using above, SA at the user level becomes a useless installation. Why? Because mail would be scanned, not only at the server level, but then once again at the user level. What for? Why push your server's resources to the absolute limit? I mean, if you can't catch your spam the first time, without relying on SPAMD to score it, you shouldn't be running spam filters.
I just don't get this thinking. It's very possible that most people just don't get it or don't know any better, thinking that offering their users just one more feature called SpamAssassin, controllable from the user control panel, is just another great feature to include. I beg to differ, trust me, I should know. I am the author of countless documents, howtos and other articles on the subject posted in various forums. Good luck with this.
For someone who is so knowledgeable in the field of spam blocking and an author of countless documents and howtos it would be very helpful to at least link to one instead of just bagging on RBL's.
You're right, most people don't "get it", but your post doesn't seem to do much to change this.
Hi Guys,
I've installed the spamblocker config a while ago. For a long time things went fine , but I'm pretty sure that online spamlists are not used.
How can I check if the config uses them actively? I don't see anything in the log and tcpdumping the ip's from the blacklists does not show any traffic at all.
Thanks,
tail /var/log/exim/rejectlog ?
sullise
09-27-2006, 12:31 PM
or you can do a 'tail -f' and watch it as it updates live. :)
sullise
12-28-2006, 11:47 AM
Lasman, you have an updated exim.conf yet to remove ORDB? Since they are defunct, be nice to get them out of it. :)
I'd do it myself, but rather have the master do it to be sure I don't screw it up..lol.
Or is there anything other than removing this that needs to be done?
# deny using ordb
deny message = Email blocked by ORDB - to unblock see http://www.capitalwebhost.net/blocked.html
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = relays.ordb.org
BigWil
12-28-2006, 12:00 PM
The quick and easy is to just comment out the ordb lines. Search for ordb and comment like so.
# deny using ordb
# deny message = Email blocked by ORDB - some message
# #only for domains that do want to be tested against RBLs
# domains = +use_rbl_domains
# dnslists = relays.ordb.org
And if you have another section for fuzzy lists do the same to that one. Then restart Exim.
Big Wil
jlasman
12-28-2006, 04:55 PM
Or of course move to SpamBlocker3 :) .
Jeff
hostpc.com
12-28-2006, 05:13 PM
We just removed the ORDB ACL and it worked fine... thanks Jeff.
BigWil
12-28-2006, 06:10 PM
Jeff,
Well that is a good option too. I guess I missed a few posts. Do you have a changelog for 2->3?
Big Wil
jlasman
12-28-2006, 10:22 PM
Nope.
But ...
I cleaned up some code.
Added (optional) ClamAV support.
Added (optional) Dovecot support.
Removed references to the ORDB blocklist.
Added a new blocklist: dsbl.org.
Modified how I use the SORBS blocklist; we removed individual blocklists and replaced them with safe.dnsbl.sorbs.net.
Added the DA fix for multiple emails through pipes.
We'll probably add optional greylisting before the end of the weekend. I'm still not sure about adding anti-dictionary-attack code, so be sure to vote in the poll :) .
Note that by the end of New Years day SpamBlocker3 shall most likely come out of beta, and at that time DA staff may very well decide to include it as their exim.conf file. So you may eventually get it on all new servers :) .
Jeff
Chrysalis
12-29-2006, 03:40 AM
Great work Jeff, will try out the new spamblocker on my new server.