Spamcop blocking GMail?!?

GoranTornqvist

Hello,
A customer contacted me saying he got mail back saying that his e-mail was blocked by spamcop.

Checking the exim log:

2005-12-09 12:13:51 H=wproxy.gmail.com [64.233.184.195] F=<[email protected]> rejected RCPT <[email protected]>: RBL: Email blocked by SPAMCOP - for more info see http://www.our-server.se/spam/info.php?RBL=SPAMCOP

I tried searching for 64.233.184.195 on spamcop but it isn't listed... so why is his mail blocked as spam?

Any ideas?
 
Spamcop tends to add innocent IPs easily, but luckily it only lasts 24 hours, so it's quite possible it was removed again before you did the lookup.
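An added example (not part of the thread and not SpamBlocker code): reproducing by hand the DNSBL lookup behind a reject line like the one quoted above. It parses the log line, builds the reversed-octet query name and re-queries the list; the e-mail addresses in the sample line, the `ZONES` mapping and all function names are assumptions made for this example.

```python
import re
import socket
from ipaddress import IPv4Address

# Constructed sample modelled on the rejectlog entry quoted in the thread;
# the e-mail addresses are placeholders.
SAMPLE = ("2005-12-09 12:13:51 H=wproxy.gmail.com [64.233.184.195] "
          "F=<sender@example.com> rejected RCPT <user@example.org>: "
          "RBL: Email blocked by SPAMCOP")

REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<host>\S+) \[(?P<ip>[0-9.]+)\] .*"
    r"rejected RCPT <(?P<rcpt>[^>]*)>: RBL: Email blocked by (?P<list>\S+)")

# Label used in the reject message -> DNSBL zone named in the thread's config.
ZONES = {"SPAMCOP": "bl.spamcop.net", "CBL": "cbl.abuseat.org"}


def parse_reject(line):
    """Return ts/host/ip/rcpt/list from an RBL reject line, or None."""
    m = REJECT_RE.match(line)
    return m.groupdict() if m else None


def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, as a DNSBL client does."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the list answers with a 127.x.x.x address for this IP right now."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:  # NXDOMAIN or resolver failure: not listed at this moment
        return False
    return answer.startswith("127.")


def recheck(line, resolve=socket.gethostbyname):
    """Re-query the list that caused a logged rejection."""
    hit = parse_reject(line)
    if hit is None or hit["list"] not in ZONES:
        return None
    zone = ZONES[hit["list"]]
    return {"ip": hit["ip"], "query": dnsbl_name(hit["ip"], zone),
            "listed_now": is_listed(hit["ip"], zone, resolve)}


if __name__ == "__main__":
    print(recheck(SAMPLE))  # performs a live DNS lookup
```

The result describes the list only at query time, so a rejection logged earlier can be genuine even when a later lookup comes back unlisted.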
 
GMail wasn't entirely innocent.

Or so says my contact at one of the major blocklists.

You can certainly edit /etc/exim.conf to remove a blocklist check.

Be sure to restart exim afterwards.

Jeff
 
I am getting users blocked from Gmail today. Should I unblock gmail or just wait to see if it gets removed from SpamCop?

Also, what is the best way to unblock people if I get an email from them asking to be unblocked?

Thanks,
Phil
 
Gmail is blocked because it does something with the headers of the email. You can't trace it back.

That's why spamcop is blocking them. I've read some news about it. Check some hardware/software news site and you will find it :)
 
And even more important, whitelist either the individual gmail users or the entire gmail domain.

Presuming you're using SpamBlocker, list individual users in the /etc/virtual/whitelist_senders file (format is [email protected]) or list the entire gmail domain in the /etc/virtual/whitelist_domains file (which is what we recommend; format is gmail.com).

Jeff
 
By whitelisting all of gmail aren't you going to get a lot of spam? I thought some are using gmail to send spam?

Thanks,
Phil
 
Always tradeoffs. Which is why I said you can whitelist individual users or the entire domain.

What you do is up to you. Your server and your rules. The alternative is to stop using SpamCop and get even more spam.

Jeff
 
Well, my point of view is if you block "any" legitimate email then what's blocking it immediately isn't worth it, so if spamcop blocks legit gmail then stop using spamcop.
 
Do you need to restart exim once you add domains to the whitelist? I added gmail.com to the whitelist_domains file but someone is still complaining that they are blocked.

Any ideas?

Phil
 
philmcdonnell said:
Do you need to restart exim once you add domains to the whitelist? I added gmail.com to the whitelist_domains file but someone is still complaining that they are blocked.

Any ideas?

Phil

I'm seeing the same issue.

gmail.com is added to whitelist, but some users are still complaining that it still bounces back with the block. Exim has been restarted as well. Using latest spamblocker and Exim.
 
Check to see which version of the SpamBlocker exim file you're using. Compare your exim.conf file with the one found here.

The one in my link (and also at the DA site here) is the newest one. Whitelisting may not work properly on previous versions.

If you're going to upgrade be sure to read and follow the instructions in the README or your exim won't restart.

Be sure to restart exim after installing the new exim.conf file.

If you have the SpamBlocker Plugin installed you can update through the plugin but you'll still have to manually change the exim.conf file as noted in the README (but you can do it through the plugin).

Note that if you've made custom changes to your exim.conf file you'll have to re-add them to the new file.

Jeff
 
For what it's worth.

You are not supposed to use Spamcop as a basis for REJECTING email in your EXIM Spamblocker... You should let SpamAssassin assign a value to a Spamcop listed domain, along with other possible spam checks.

That said, I in fact block based on Spamcop.

But before the Spamcop check, I do run this simple code in Exim to avoid spoofed gmail addresses.

Trick from http://vamos-wentworth.org/exim-tricks.html


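deny message = FAKE GMAIL address - to unblock see http://www.mataspam.com/notspam
  log_message = Fake GMAIL - to unblock see http://www.mataspam.com/notspam
  senders = *@gmail.com
  # Match whole DNS labels at the end of the host name; the unanchored form
  # "gmail.com|google.com$" also accepts any name that merely contains "gmail.com".
  condition = ${if match {$sender_host_name}{\N(^|\.)(gmail|google)\.com$\N}{no}{yes}}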

THEN do I let mails be accepted from whitelist_senders / hosts, on which GMAIL.COM is listed.

Not one complaint yet. And it is SO much fun to sit in front of my computer watching the output from:

tail -f /var/log/exim/rejectlog

And yes, Jeff Lasman is, as usual, absolutely right. Spamcop lists several Gmail IP blocks and neither Spamcop nor Gmail want to back down.

Gmail says it protects the privacy of its users by not letting us see the IP of the domains where the email originates, while Spamcop says that Gmail should in fact let us see and decide. Therefore, Spamcop lists some gmail servers as the originators of the spam and legitimate mail gets flagged as Unsolicited Email.

So...

Check whether the gmail address is not spoofed.

Let gmail through and let something like SURBL check read the content of the message to see if it contains blacklisted domains.

The latest surbl script (http://www.teuton.org/~erik/docs/exim_surbl.shtml ) has just added URIBL support as well due to a conversation I had with the author, and a suggestion for whitelisting messages is being tested. A conversation about how to apply it is on this thread http://directadmin.com/forum/showthread.php?s=&threadid=10036&perpage=20&pagenumber=3

Also, you might want to beef up your SpamAssassin using additional rules from http://www.rulesemporium.com and the Rules du Jour script which can be put on a cron job to check for updated SA rules every day.

My Spam that used to be borderline now regularly hits low 20s and even higher SA points.
 
panamaspace said:
You are not supposed to use Spamcop as a basis for REJECTING email in your EXIM Spamblocker...
SpamBlocker cannot do anything except reject. If you don't want to reject based on SpamBlocker then it's a good idea to comment out the specific section from the exim.conf file (future products from us will let you choose your own blocklists; future commercial products will let individual users choose their own blocklists).
You should let SpamAssassin assign a value to a Spamcop listed domain, along with other possible spam checks.
Sure, by rewriting exim.conf.
That said, I in fact block based on Spamcop.
As do many of us :) .
But before the Spamcop check, I do run this simple code in Exim to avoid spoofed gmail addresses.

Trick from http://vamos-wentworth.org/exim-tricks.html

THEN do I let mails be accepted from whitelist_senders / hosts, on which GMAIL.COM is listed.
This will block anyone using a gmail return address in email originating from their local system, or in fact anywhere besides gmail.

Which wouldn't work in our environment; perhaps it works in yours.

Jeff
 
Oh, it does work FOR my environment. It is tested. :cool: I receive real gmail on my accounts.

But yes, you are right. If somebody is using a GMAIL pop account, this would block them. Haven't had complaints yet. ;)

It can still be spam though, so it does go through the *other* checks.
 
Well, I am having the same issue with some customers. I find it really not serious of spamcop to block IPs of gmail and yahoo mail.

This will lead many users to remove spamcop checks from their setup, making them useless.
 
But yes, you are right. If somebody is using a GMAIL pop account, this would block them. Haven't had complaints yet. ;)
Not only did we get complaints, it blocked email we needed to get as well.

This would be better off handled with SPF checking, but unfortunately that's not universally implemented, and even if it was, in the case of Gmail and others it would have to allow email from all.
It can still be spam though, so it does go through the *other* checks.
Care to show us your code :) ?

Jeff
 
I posted a reply to you in another forum, explaining how I use SURBL to scan messages for bad URIs (hyperlinks)

http://www.directadmin.com/forum/showthread.php?t=18580

Now let me add some of my personal checks that I use on Exim.conf as of today. You may disagree with some or most of them, but they seem to work for me and my customers. Thankfully, your exim.conf is very easy to manipulate, and you can pick and choose what you are going to use.

My exim.pl has been modified to add the SURBL script referenced on the thread above.

I have both Spamassassin and Clamav enabled on exim.conf as well.

My spamassassin uses Rules Du Jour script croned for daily rules updates. Spammers change tactics, we need to keep up.

Clamav's freshclam runs once per hour and downloads fresh antivirus definitions.

I am using the latest spamblocker 2.1.1, and religiously back it up before doing any changes.

In the ACLs section:

Very first thing:

check_helo:
  deny message = Your server announcement ($sender_helo_name) is a single word rather than a FQDN. This is in breach of RFC2821
    # \N...\N hands the regex to PCRE untouched; outside it Exim's string
    # expansion consumes the backslash and "\." becomes "." (any character).
    condition = ${if match {$sender_helo_name} {\N\.\N} {no}{yes}}
  deny message = Your server announces itself ($sender_helo_name) with a plain IP address which is in breach of RFC2821.
    condition = ${if match {$sender_helo_name} {\N^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\N} {yes}{no}}
  accept

after the whitelist/blacklist code in exim.conf. (Be mindful of the very first check here, it has the IP ADDRESS OF ONE OF MY MAIL SERVERS! set it to yours or it will be useless, and I might not be able to mail YOU).

# Host-name regexes below are anchored on whole DNS labels, (^|\.)name\.tld$,
# with literal dots, so that look-alike names such as "notyahoo.com" or
# "hotmail.com.example.net" do not satisfy the check.

deny message = HELO/EHLO with our address. - You are not us!
  log_message = HELO/EHLO my.ip - Using our IP address impossible - to unblock see http://www.mataspam.com/notspam
  # Replace 12.38.3.11 with your own server's IP address.
  condition = ${if match {$sender_helo_name}{\N12\.38\.3\.11\N} {yes}{no}}

deny message = Invalid EHLO - to unblock see http://www.mataspam.com/notspam
  log_message = HELO/EHLO none - to unblock see http://www.mataspam.com/notspam
  # Anchored so that names which merely contain "none" are not rejected.
  condition = ${if match {$sender_helo_name}{\N^none$\N} {yes}{no}}

deny message = You can't possibly be localhost! - to unblock see http://www.mataspam.com/notspam
  log_message = HELO/EHLO localhost - to unblock see http://www.mataspam.com/notspam
  condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}

deny message = FAKE YAHOO address - to unblock see http://www.mataspam.com/notspam
  log_message = Fake Yahoo - (US) to unblock see http://www.mataspam.com/notspam
  senders = *@yahoo.com
  condition = ${if match {$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}

#deny message = FAKE YAHOO address - to unblock see http://www.mataspam.com/notspam
#  log_message = Fake Yahoo - (ES) to unblock see http://www.mataspam.com/notspam
#  senders = *@yahoo.es
#  condition = ${if match {$sender_host_name}{\N(^|\.)yahoo\.es$\N}{no}{yes}}

deny message = FAKE HOTMAIL address - to unblock see http://www.mataspam.com/notspam
  log_message = Fake HOTMAIL - to unblock see http://www.mataspam.com/notspam
  senders = *@hotmail.com
  condition = ${if match {$sender_host_name}{\N(^|\.)(hotmail|msn)\.com$\N}{no}{yes}}

deny message = FAKE MSN address - to unblock see http://www.mataspam.com/notspam
  log_message = Fake MSN - to unblock see http://www.mataspam.com/notspam
  senders = *@msn.com
  condition = ${if match {$sender_host_name}{\N(^|\.)(hotmail|msn)\.com$\N}{no}{yes}}

deny message = FAKE AOL address - to unblock see http://www.mataspam.com/notspam
  log_message = Fake AOL - to unblock see http://www.mataspam.com/notspam
  senders = *@aol.com
  condition = ${if match {$sender_host_name}{\N(^|\.)aol\.com$\N}{no}{yes}}

deny message = FAKE Lycos address - to unblock see http://www.mataspam.com/notspam
  log_message = Fake Lycos - to unblock see http://www.mataspam.com/notspam
  senders = *@lycos.*
  # "lycos$" could never match a real host name (no name ends in "lycos"), so
  # every *@lycos.* sender was rejected. This accepts lycos.<tld>; extend it
  # if you need two-label suffixes.
  condition = ${if match {$sender_host_name}{\N(^|\.)lycos\.[a-z]+$\N}{no}{yes}}

deny message = FAKE MAIL.COM address - to unblock see http://www.mataspam.com/notspam
  log_message = Fake Mail.com - to unblock see http://www.mataspam.com/notspam
  # Narrowed from *@mail.* so that other mail.<tld> domains are not rejected
  # for failing the mail.com host check.
  senders = *@mail.com
  condition = ${if match {$sender_host_name}{\N(^|\.)mail\.com$\N}{no}{yes}}

The above code is very easy to understand... you can add more email providers to the list, or remove the ones that could result in false positives. In fact I removed GMAIL from this list a year ago because of this thread. In any case, senders are getting a response, and can send us an email to our unblocked address.

OK, right after your sorbs RBL check, I added the following RBLs. I have not cleaned up this code in a year and a half, so there may be some repetitions from your latest spamblocker. Definitely needs culling.

############ BEGIN PERSONAL DNS BLOCKS

#25 mar 06
# deny using all other multihop.dsbl.org blocklist (ip based)
deny message = Email blocked by MULTIHOP DSBL BLOCKLIST - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = multihop.dsbl.org

#25 mar 06
# deny using all other list.dsbl.org blocklist (ip based)
deny message = Email blocked by LIST DSBL BLOCKLIST - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = list.dsbl.org

#25 mar 06
# deny using all other dnsbl.ahbl.org blocklist (ip based)
deny message = Email blocked by DNSBL.AHBL.ORG - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = dnsbl.ahbl.org

deny message = Email blocked by RHSBL.AHBL.ORG - $sender_address_domain is listed - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = rhsbl.ahbl.org/$sender_address_domain

# MAILPOLICE added 25 mar 2006
# deny using MAIL POLICE name based list
deny message = Email blocked by MAIL POLICE (BLOCK) - $sender_address_domain is listed. To unblock see http://www.mataspam.com/notspam
  domains = +use_rbl_domains
  # list is name based
  !authenticated = *
  dnslists = block.rhs.mailpolice.com/$sender_address_domain

# deny using MAIL POLICE name based list
deny message = Email blocked by MAIL POLICE (BULK) - $sender_address_domain is listed. To unblock see http://www.mataspam.com/notspam
  domains = +use_rbl_domains
  # list is name based
  !authenticated = *
  dnslists = bulk.rhs.mailpolice.com/$sender_address_domain

# deny using MAIL POLICE name based list
deny message = Email blocked by MAIL POLICE (PORN) - $sender_address_domain is listed. To unblock see http://www.mataspam.com/notspam
  domains = +use_rbl_domains
  # list is name based
  !authenticated = *
  dnslists = porn.rhs.mailpolice.com/$sender_address_domain

# deny using spamcop
deny message = Email blocked by SPAMCOP - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = bl.spamcop.net

# deny using COMPLETEWHOIS
# (each dnslists zone below now matches its label; the two were swapped)

# deny using COMPLETEWHOIS Combined-HIB
deny message = Email blocked by COMPLETEWHOIS HIB - to unblock see http://www.mataspam.com/notspam
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = combined-HIB.dnsiplists.completewhois.com

# deny using COMPLETEWHOIS BOGONS
deny message = Email blocked by COMPLETEWHOIS BOGONS - to unblock see http://www.mataspam.com/notspam
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = bogons.dnsiplists.completewhois.com

# deny using cbl
deny message = Email blocked by CBL - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = cbl.abuseat.org

# deny using RFC-IGNORANT BogusMX
deny message = Email blocked by RFC_IGNORANT - BOGUS MX - to unblock see http://www.mataspam.com/notspam
  domains = +use_rbl_domains
  # rfc-ignorant list is name based
  !authenticated = *
  dnslists = bogusmx.rfc-ignorant.org/$sender_address_domain

#25 dec 06
# deny using all combined.rbl.msrbl.net blocklist (ip based)
deny message = Email blocked by MSRBL - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = combined.rbl.msrbl.net

#25 dec 06
# deny using all bl.emailbasura.org blocklist (ip based)
deny message = Email blocked by EMAILBASURA.ORG - to unblock see http://www.mataspam.com/notspam
  hosts = !+relay_hosts
  domains = +use_rbl_domains
  !authenticated = *
  dnslists = bl.emailbasura.org
############ END PERSONAL DNS BLOCKS

A word on that last RBL, emailbasura.org... Most of my customers are in Panama, getting mail in Spanish. It works for us, it'll probably be useless to you unless you get Spanish spam.


OK, I cleaned up a couple. I was doing sorbs twice as it is now on your list. I had several commented out that I don't use after less than stellar results: whois.rfc-ignorant.org, abuse.rfc-ignorant.org ... I leave them in my personal copy so I remember that I commented them out for a reason. But I am not copying them here to avoid FUD.

And yes, a year and a half later... I STILL use spamcop block list, but don't recommend it to everybody. It's easy enough to get delisted from spamcop anyway, so it's a good warning system.


That is pretty much my addition to your SpamBlocker, nothing spectacular, but it works for me. The rest of my hard work goes into Spam Assassin.

My Spam Assassin has DCC, PYZOR, and RAZOR enabled, Rules Du Jour to download rules from , and additional rules like top200 and BOTNET downloaded daily with a cronjob, because RDJ doesn't cover them.

Is all this processor intensive... of course... but I don't host too many sites. Da Forums' Regular Floyd from newwebsite.com is my stellar data center provider, and he set up very sweet boxes for me that can handle all this. And I used to use this same config on a machine that was less than half as powerful as the ones I run on today (Dual Core P4, 2 gigs, FC6), with no problems at all.
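An added example (not code from the thread or from SpamBlocker): why the host-name regex in the "FAKE <provider>" checks above has to be anchored on whole DNS labels. It evaluates the same deny logic with an unanchored alternation of the form `gmail.com|google.com$` and with a label-anchored form; the host names, addresses and function names are constructed for this example.

```python
import re

# Unanchored patterns of the kind discussed in the thread.
UNANCHORED = {
    "gmail.com": r"gmail.com|google.com$",
    "yahoo.com": r"yahoo.com$",
}
# Label-anchored equivalents with literal dots.
ANCHORED = {
    "gmail.com": r"(^|\.)(gmail|google)\.com$",
    "yahoo.com": r"(^|\.)yahoo\.com$",
}


def acl_decision(patterns, sender, host_name):
    """Mimic the ACL: deny when the sender's domain has a rule and the
    connecting host's verified reverse-DNS name does not match it."""
    domain = sender.rsplit("@", 1)[-1].lower()
    pattern = patterns.get(domain)
    if pattern is None:
        return "pass"  # no spoof rule for this sender domain
    return "pass" if re.search(pattern, host_name.lower()) else "deny"


# Constructed cases: (envelope sender, connecting host name, what it represents)
CASES = [
    ("alice@gmail.com", "wproxy.gmail.com", "provider's own relay"),
    ("alice@gmail.com", "gmail.com.mail.example.net", "name containing gmail.com"),
    ("bob@yahoo.com", "mx1.notyahoo.com", "suffix look-alike"),
    ("carol@gmail.com", "smtp.isp.example", "real user relaying via own ISP"),
    ("dave@gmail.com", "", "no verified reverse DNS"),
]


def compare():
    """Return (sender, host, unanchored decision, anchored decision) per case."""
    return [(s, h, acl_decision(UNANCHORED, s, h), acl_decision(ANCHORED, s, h))
            for s, h, _ in CASES]


if __name__ == "__main__":
    for row in compare():
        print("%-18s %-28s unanchored=%-5s anchored=%s" % row)
```

Anchoring closes the look-alike cases but does nothing for the fourth one: a genuine user who sends through another provider's relay is rejected either way, which is the false positive raised earlier in the thread.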
 
My Spam Assassin has DCC, PYZOR, and RAZOR enabled, Rules Du Jour to download rules from , and additional rules like top200 and BOTNET downloaded daily with a cronjob, because RDJ doesn't cover them.

I am having a lot of problems with PYZOR (as in it not working) - any tips?
 
Is your PYTHONPATH environment variable set? Type "env" at shell and read that. PYTHONPATH should show up somewhere in there.

Do a debugging session with spamassassin at shell.

spamassassin -D < somespamsource.txt

where somespamsource.txt is the full source of a spam email.

Read the output (long). Do you see any errors referencing pyzor.module?

Paste the pyzor lines here and maybe we can figure it out.
 