
SpamBlocker3 exim.conf file now ready for Beta testing



nobaloney
12-26-2006, 09:04 PM
Edited 20-may-2008 to clear up confusion about multiple beta versions of Spamblocker3

SpamBlocker3 exim.conf file is now ready for Beta testing. Please feel free to give it your best shot, to try it, or just to look at it.

Note the following information was correct for SpamBlocker version 3-beta:

There are four versions, one each for:

DA with original style mailboxes.

DA with original style mailboxes and ClamAV support.

DA with Dovecot Maildir mailboxes.

DA with Dovecot Maildir mailboxes and ClamAV support.

Note that SpamBlocker version 3.1-beta works only on DirectAdmin servers running Maildir. For more information see the Important Note at the top of this page (http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker3/), and also the MUST-READ-FIRST.txt file, the ReadMe-SpamBlocker.3.1.txt file, and line three of the download file itself: exim.conf.3.1-beta, all linkable from that page.

SpamBlocker3 exim.conf with ClamAV support has been tested with the ClamAV installation described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=10478), but with the latest version of ClamAV as described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=16258).

I simply followed the instructions in the first post, but used version number 88.7 wherever the instructions showed version 87.1.

Don't forget to use the latest version of exim.pl, with the new beta versions, and also to save your old exim.conf and your old exim.pl before updating.

The beta versions can be found here:

http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker3/

Jeff

skruf
12-27-2006, 07:30 AM
Hey,

If you used Wael's HOW TO: All in 1 (located here (http://www.directadmin.com/forum/showthread.php?threadid=12099)) to install/update ClamAV, then the "av_scanner" line is a bit different.

It would be like this:


av_scanner = clamd:/tmp/clamd

Thought this was worth mentioning.

David

xemaps
12-27-2006, 08:13 AM
If this is SpamBlocker version 3.0, that means I'm using my blocker version 10.0! ;)

Even the SA spamcheck_director is not modified :/

I hope the beta does not include a lot of the tests you will include in the final.

You don't need system_filter; you can include these tests in the exim.conf MIME section.

Please correct the clamd socket to av_scanner = clamd:/tmp/clamd to be compliant with all Wael's scripts, like David said.

rocketcity
12-27-2006, 10:14 AM
Jeff,

I understand that you no longer have dealings with the "SpamBlocker Plugin" however, do you know if it will work with Version 3 of exim.conf? I currently have one server using the plugin. I'm curious if the plugin will continue to work if I upgrade that system to Version 3 of exim.conf.

btw, I have upgraded a couple of other servers (not running the plugin) to the exim.conf V3 beta and they are working great.

skruf
12-27-2006, 11:36 AM
Hey,

I don't think it will without modifications...

I say that because we're making some modifications to our Exim Editor Plugin in order for it to be fully compatible with Version 3.

Among other things, there's a new file that comes in to play for ClamAV and four variations on the exim.conf file as well.

However, I could be wrong!

David

xemaps
12-27-2006, 12:31 PM
By the way, the best way is to make your own exim.conf.

The actual SpamBlocker is just a few blocks containing some rules and external files.

Possibly this can be rewritten and activated with the macro language in exim.conf.

nobaloney
12-27-2006, 12:40 PM
Originally posted by xemaps
If it's spamblocker 3.0 version, this mean i use myblockerversion 10.0 ! ;)
You can use whatever you want. You've been complaining about SpamBlocker for some time now, but you've never been willing to share anything with the rest of us; you just keep telling us you're better.

I'm glad you're better than the rest of us. Will you share your methods with us? Or just keep complaining?

Remember that while you can certainly do whatever you want for your systems; SpamBlocker doesn't have that luxury; SpamBlocker has to work for all of us, and still be maintainable.


We write SpamBlocker to work as part of DA for all DA users, not just those who use the All-in-1 script, or who don't, or who use Dovecot, or who use mbox, or who use ClamAV, or who don't use ClamAV.

If you have something to share, please do. You can create a thread either in DirectAdmin-related Products and Services [Advertising Forum] or in 3rd Party Software, as I did when I first started the SpamBlocker project, before John and Mark decided to include it in DA.

Thanks.

Jeff

nobaloney
12-27-2006, 12:45 PM
Originally posted by skruf
If you used Wael's HOW TO: All in 1 (located here (http://www.directadmin.com/forum/showthread.php?threadid=12099)) to install/update ClamAV, then the "av_scanner" line is a bit different.

It would be like this:


av_scanner = clamd:/tmp/clamd
Thanks, David. I don't use the All-in-1 script (though I may decide to do so at some time in the future); I searched these forums and picked a standalone ClamAV to install when I first started experimenting with ClamAV, and that's what I use.

If Wael or someone else is willing to write a stand-alone script to install ClamAV then we can consider using that in SpamBlocker, but there will always be a default option set, and instructions for changing it as necessary.

Jeff

nobaloney
12-27-2006, 12:46 PM
Originally posted by rocketcity
I understand that you no longer have dealings with the "SpamBlocker Plugin" however, do you know if it will work with Version 3 of exim.conf? I currently have one server using the plugin. I'm curious if the plugin will continue to work if I upgrade that system to Version 3 of exim.conf.
I don't know and I recommend you contact Onno for that information. He has the same access to the SpamBlocker3 beta code as everyone else :) .

btw, I have upgraded a couple of other servers (not running the plugin) to the exim.conf V3 beta and they are working great.
Thanks.

Jeff

nobaloney
12-27-2006, 12:58 PM
Originally posted by xemaps
By the way, the best way is to make your own exim.conf.
For you. Have you considered that many DA users may have neither the expertise nor the time to do that?

The actual SpamBlocker is just a few blocks containing some rules and external files.
Oh. The original SpamBlocker took months of figuring out what to do; we started it just after Exim4 came out (if I recall correctly, DA first came with exim3), even before anyone had experiences with writing an exim.conf file for exim4.

We started by changing what gets logged so we could see how it does or doesn't work.

We made a fundamental change to the original exim.conf file, which accepted email even for non-existent users, and then tried to bounce it back if it wasn't deliverable.

Possibly this can be rewritten and activated with the macro language in exim.conf.
Macros aren't a cure-all for everything, since they're simple text replacements (there really isn't a macro language, such as M4 for sendmail.cf, for exim). So macros may not work everywhere; for example a macro that requires text expansion will only work where text expansion works.

In my opinion, exim macros save time at the expense of flexibility, and sometimes of full understanding.

That said, you certainly may write a version of exim.conf that uses macros, and offer it to the community.

However this thread is for discussing SpamBlocker3, not other ways to do what it does. Please post in the proper location to avoid having your posts deleted.

Thanks.

Jeff

xemaps
12-27-2006, 01:59 PM
Jeff,

just my 1 cent post,

I'm not complaining; I'd like to see you work on a real, new version, rather than replacing your outdated 'new' SpamBlocker 3.
Today's spam has nothing to do with the old way of spamming.

I have no time, and I'm not paid to work on this and play with your conf.

MODERATOR'S NOTE: balance snipped

nobaloney
12-27-2006, 02:41 PM
Interesting ... you don't do it unless you get paid, but you criticize those of us who attempt to do it freely.

Please write your own.

Leave us alone until/unless you have something positive to offer us.

This is a thread for positive discussion about SpamBlocker3. Not for continuing to say you can do it better but you won't.

Jeff

xemaps
12-27-2006, 02:50 PM
Also please don't post your old spamblocker again since it is obsolete before you post it.

I was offering to participate, but you just deleted the chapter from my post!
( called MODERATOR'S NOTE: balance snipped )

So stay with your obsolete file.

matrixx
12-27-2006, 03:29 PM
Originally posted by xemaps
Also please don't post your old spamblocker again since it is obsolete before you post it.

I was offering to participate, but you just deleted the chapter from my post !
( called MODERATOR'S NOTE: balance snipped )

So stay with your obsolete file.

Got a pet 'Troll' Jeff ?

DirectAdmin Sales
12-27-2006, 03:42 PM
Let's keep comments positive please, and criticism only if something of value can be offered with such comments. One post is sufficient, no need to go back and forth.

Mark

BigWil
12-29-2006, 11:34 AM
Yes. I agree with Mark completely. Let's keep things professional. I have enough of these romper-room threads on other lists. Maybe we need a forum titled:

Romper Room - A place for users to work out their differences where others need not be privy to them unless they want to be.

And of course the first topic.... Maps vs Boloney

I was going to do a ring announcer segment, but that might illustrate my opinions of the contenders, which would definitely be biased and certainly counterproductive. ;-)

Now I am off to check out V3 and to fuse my SA into it.

Big Wil

Remco00
01-01-2007, 03:33 AM
Jeff, perhaps better to use:

dnslists = sbl-xbl.spamhaus.org
dnslists = combined.njabl.org

nobaloney
01-01-2007, 10:36 AM
Instead of? In addition to?

Please be very specific and give reasons... I'm open to discussion.

Thanks.

Jeff

Remco00
01-01-2007, 01:21 PM
dnslists = sbl-xbl.spamhaus.org instead of dnslists = sbl.spamhaus.org

dnslists = combined.njabl.org instead of dnslists = dnsbl.njabl.org

There is lots of info about these issues on this forum. Just query on it and you will find the answers. Making the suggested changes a few months ago in your much appreciated SpamBlocker, saved us from a lot of spam.

nobaloney
01-01-2007, 02:03 PM
Originally posted by Remco00
dnslists = sbl-xbl.spamhaus.org instead of dnslists = sbl.spamhaus.org
Here's what spamhaus says on their site:

Mail servers already using cbl.abuseat.org should NOT also use xbl.spamhaus.org or you will be making 'double' queries to basically the same data source and only one DNSBL will appear to work (the other(s) will appear to not catch anything). Mail servers already using dnsbl.njabl.org are advised to continue doing so, as dnsbl.njabl.org is itself a composite list and contains more than the open proxy IPs list part now incorporated in XBL.

See: http://www.spamhaus.org/xbl/

We include both dnsbl.njabl.org and cbl.abuseat.org, and spamhaus themselves tell us that we should continue to do what we do. They say we'd lose a lot of blocks if we stopped using cbl and started using xbl.

dnslists = combined.njabl.org instead of dnslists = dnsbl.njabl.org
Maybe. It's passed my preliminary testing.

There is lots of info about these issues on this forum. Just query on it and you will find the answers.
Query on what? blocklist names? I found no useful hits for xbl.spamhaus.org or for njabl.org.

Making the suggested changes a few months ago in your much appreciated SpamBlocker, saved us from a lot of spam.
Real spam? Or perceived spam? If you left the order of the blocklists alone in your exim.conf, but merely edited the names, then you're seeing more blocks from spamhaus at the expense of catching them in blocklists further down in exim.conf.

If you're going to do tests on blocklist efficiency you should do at least one week each with the different lists at the top of the heap.

Jeff
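Jeff's point about list order, as an added Python model (editor-written; not code from this thread or from SpamBlocker): Exim stops at the first deny that matches, so whichever list sits highest gets the credit for every IP that is on more than one list, and swapping names without re-ordering tells you nothing about which list is actually better. The DNS answers below are constructed sample data, the three IPs are made up, and dead.example is a hypothetical shut-down zone; the real thing would ask the system resolver. It also carries the RFC 5782 self-check a practitioner wants before trusting any zone: 127.0.0.2 must be listed and 127.0.0.1 must not be, which catches a zone that has been shut down or taken over and now answers positively for every query.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample answers standing in for real A-record lookups.  A listed
# address answers with something in 127.0.0.0/8; an unlisted one gets NXDOMAIN
# (None here).  The IPs and zones are assumptions for the example only.
_FAKE_ANSWERS: Dict[str, str] = {
    "4.3.2.1.sbl-xbl.spamhaus.org": "127.0.0.2",   # 1.2.3.4 on both lists
    "4.3.2.1.combined.njabl.org": "127.0.0.2",
    "8.7.6.5.combined.njabl.org": "127.0.0.3",     # 5.6.7.8 only on NJABL
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2", # RFC 5782 test points
    "2.0.0.127.combined.njabl.org": "127.0.0.2",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver.  dead.example imitates a defunct list whose zone
    now answers for every name, which is why the sanity check below exists."""
    if name.endswith(".dead.example"):
        return "127.0.0.2"
    return _FAKE_ANSWERS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name the way Exim's dnslists does: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str, resolve: Resolver = fake_resolve) -> bool:
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    # Only trust answers inside 127.0.0.0/8; anything else is a broken or
    # hijacked zone (a wildcarded parked domain, for instance), not a listing.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def zone_is_sane(zone: str, resolve: Resolver = fake_resolve) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def first_matching_zone(ip: str, zones: List[str],
                        resolve: Resolver = fake_resolve) -> Optional[str]:
    """Exim ACL semantics: the first deny whose dnslists condition matches wins."""
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return zone
    return None


def credit_per_zone(ips: List[str], zones: List[str],
                    resolve: Resolver = fake_resolve) -> Dict[str, int]:
    """How many blocks each zone would be credited with, given this ordering."""
    counts = {zone: 0 for zone in zones}
    for ip in ips:
        zone = first_matching_zone(ip, zones, resolve)
        if zone is not None:
            counts[zone] += 1
    return counts


if __name__ == "__main__":
    sample = ["1.2.3.4", "5.6.7.8", "9.9.9.9"]
    for order in (["sbl-xbl.spamhaus.org", "combined.njabl.org"],
                  ["combined.njabl.org", "sbl-xbl.spamhaus.org"]):
        print(order, "->", credit_per_zone(sample, order))
    print("dead.example sane?", zone_is_sane("dead.example"))
```

Run it and the same three addresses give spamhaus one block and NJABL one block in one order, and NJABL two and spamhaus none in the other; only the order changed. Dropping a zone that fails zone_is_sane from the list, rather than leaving it to block everything, is the check to run when a list is reported defunct.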

ak17_hk
01-03-2007, 11:29 AM
Hi Jeff,

Do I have to uncomment the following lines in exim.conf as instructed by DA guideline? Thanks.


# Spam Assassin
#spamcheck_director:
#  driver = accept
#  condition = "${if and { \
#    {!def:h_X-Spam-Flag:} \
#    {!eq {$received_protocol}{spam-scanned}} \
#    {!eq {$received_protocol}{local}} \
#    {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
#  } {1}{0}}"
#  retry_use_local_part
#  transport = spamcheck
#  no_verify

skruf
01-03-2007, 11:45 AM
Hey,

If you are referring to these instructions:

http://help.directadmin.com/item.php?id=36

Then, yes.

David

Remco00
01-03-2007, 12:54 PM
Jeff, thanks for your comments. Please take a look at this thread (http://www.directadmin.com/forum/showthread.php?s=&threadid=15391&highlight=combined.njabl.org) for info about njabl.org. Also info on their own site:

* Though dnsbl.njabl.org still contains lots of dialup/dynamic listings, no more are being added. All dialup/dynamic additions are being put into the dynablock.njabl.org zone, also available as part of combined.njabl.org.

About your question if it's real spam or just perceived spam: I know we did some monitoring before we implemented the dnslist changes and we did lose some spam coming through with it. The exact numbers however are lost somewhere.

nobaloney
01-03-2007, 09:08 PM
Originally posted by ak17_hk
Do I have to uncomment the following lines in exim.conf as instructed by DA guideline? Thanks.


# Spam Assassin

Yes for all the lines except the one directly above, if and only if you have SpamAssassin installed on your server and want to use it.

skruf's response is good, but I wanted a specific answer in the thread for anyone searching through the archives.

Jeff

nobaloney
01-03-2007, 09:09 PM
Originally posted by Remco00
Jeff, thanks for your coments. Please take a look at this thread (http://www.directadmin.com/forum/showthread.php?s=&threadid=15391&highlight=combined.njabl.org) for info about njabl.org. Also info on their own site
My gut feeling today is I'll use both the combined list and the old lists as well, in the final release.

Still testing.

Jeff

ak17_hk
01-04-2007, 10:41 AM
I found the following lines in the mail log.. not sure what went wrong... anyone got an idea for that? Thanks!


Jan 4 03:00:21 ns3 spamd[2220]: logger: removing stderr method
Jan 4 03:00:22 ns3 spamd[2222]: config: pyzor_path "/usr/bin/pyzor" isn't an executable
Jan 4 03:00:22 ns3 spamd[2222]: config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
Jan 4 03:00:22 ns3 spamd[2222]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server started on port 783/tcp (running version 3.1.7)
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server pid: 2222
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server successfully spawned child process, pid 2223
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server successfully spawned child process, pid 2224
Jan 4 03:00:22 ns3 spamd[2222]: prefork: child states: II

nobaloney
01-09-2007, 06:34 PM
You'd be better off asking SpamAssassin questions in a SpamAssassin thread. I neither use nor believe in using SpamAssassin, so I don't keep track of how it does/doesn't work.

I used SpamAssassin for years, but found I had two issues with it:

1) SpamAssassin takes spam and puts it into another mailbox, where you have to read it anyway to see if it's really spam. It uses a lot of resources on my server, and doesn't do a thing to the spammer, who is able to tell his client the spam was delivered, and get paid for delivering it.

2) Serious spammers run everything through the latest SpamAssassin rules before they send it, and they don't send it until it passes. SpamAssassin is always playing a game of catchup.

My opinion, of course.

Jeff

ak17_hk
01-10-2007, 08:20 AM
Hi Jeff,

So any good suggestions?! Thanks!

Anthony.

vandal
01-10-2007, 09:48 AM
How could we change the subject of the bounced message to the "spammer"? saying something like "** Message blocked by our junk mail filter**" or something along those lines

vandal
01-10-2007, 10:01 AM
Jeff,

I found this:

http://www.exim.org/exim-html-4.66/doc/html/spec_html/ch46.html

But of course I have no clue how to implement it.

nobaloney
01-10-2007, 04:58 PM
That page is how to completely change the default message and its format when your exim notifies a server after the fact that it couldn't deliver a message it had already accepted. Which is behavior we try to avoid by blocking in realtime. You don't have to do that for messages sent by SpamBlocker, the message is included in your exim.conf file right after deny message =.

For example, if the message is blocked because you've got the sending domain in a blocklist, the error message returned in the log, and to the sending server is:

Email blocked by LBL - to unblock see http://www.example.com

You can find that line in your exim.conf file.

You have changed all occurrences of www.example.com to a page of your own where people can get unblocked, haven't you :) ?

You can change any of the messages to say whatever you want. You can even create multi-line messages, although I don't use them because many mailservers don't handle multi-line error messages properly.

Jeff

vandal
01-10-2007, 05:16 PM
OK, sorry, it does work. Here is a copy of what a bounceback looks like, and to an average user it is pretty damn confusing. However, this isn't the SORBS or other list blocking message, as this would be an on-purpose ban, but I remember the other messages were nearly as confusing as well.

Subject: Delivery Status Notification (Failure)

From: Mail Delivery Subsystem

Message:

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

justin@xxxxxxxx.com

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 9): 550 Administrative prohibition

----- Original message -----

Received: by 10.82.167.5 with SMTP id p5mr204690bue.1168475042128;
Wed, 10 Jan 2007 16:24:02 -0800 (PST)
Received: by 10.82.182.16 with HTTP; Wed, 10 Jan 2007 16:24:02 -0800 (PST)
Message-ID: <8d0ffdb70701101624h3086de12oa453a47ec2af38e3@mail.gmail.com>
Date: Wed, 10 Jan 2007 17:24:02 -0700
From: "Justin" <jxxxxxx@gmail.com>
To: justin@xxxxxxxxx.com
Subject: testing spam
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_22473_28118588.1168475042110"

------=_Part_22473_28118588.1168475042110
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

test

------=_Part_22473_28118588.1168475042110
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

----- Message truncated -----

vandal
01-10-2007, 05:39 PM
My entire point is that the message for a false positive is not user-friendly for the average email user. It includes a lot of extra cryptic information that will just confuse them.

A great example is the Barracuda spam filter, which responds with something like this: it alters the subject and displays a clear message before introducing extra information. Just my 2 cents on improving SpamBlocker!

Subject: **Message you sent blocked by our bulk email filter**

From: MAILER-DAEMON

Your message to: xxxxxx@gmail.com
was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

Subject: Hey bro, you really should check this out zagez


nobaloney
01-10-2007, 07:34 PM
I'm beginning to understand the problem.

Customizing Bounce Messages will only work for senders who send through your server. It won't affect senders who use (for example) hotmail or earthlink, and have their email refused by your server. That's up to the configuration of the bounce messages on their server.

However, there are NO changes you can make to this setting, anyway, which would resolve the problem.

The problem is that exim is NOT passing the error message it should, back to the sending server, or even to the logfile.

It does send it back properly for blocks based on blocklists, in those cases the error message defined in your exim.conf file should show up immediately following:

PERM_FAILURE: SMTP Error (state 9): 550 Administrative prohibition
I don't know why the problem exists; I've posted it on the exim-users list and I'm awaiting a reply.

Jeff

vandal
01-10-2007, 10:28 PM
All I know is spammers were using one of my email addresses and of course I would get the bounce back to my email account like:

Spammer forges my email to some other server. That server is running barracuda and sends the spam trap error back to me.

That's how I found out that they have much cleaner and nicer messages :) A lot easier for the average computer user to understand, and it really helps that it adjusts the subject of the message.

miked
01-19-2007, 07:33 AM
Just wondering how far off this is from moving from Beta to Production? I am considering testing it but I do have a large qty of users and only want to install once.

Thanks,

Mike

interfasys
11-16-2007, 07:44 AM
Hello Jeff,
How far are we from a rc release now? ;)
Cheers,

nobaloney
11-16-2007, 03:31 PM
I've got a bunch of stuff ready to do but I'm going on vacation next week and the week after. I should be able to get it out in December.

Jeff

interfasys
11-19-2007, 02:50 AM
Cheers Jeff!

@how@
03-17-2008, 08:54 AM
Nice work Jeff.

Wael

nobaloney
03-27-2008, 04:36 PM
Months have passed, but I am getting closer to a release.

Jeff

icepick
04-07-2008, 02:25 AM
SpamBlocker3 eixm.conf with ClamAV support has been tested with the ClamAV installation described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=10478), but with the latest version of ClamAV as described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=16258).


I followed the instructions and things appear to be semi-working. I downloaded the latest exim.pl and exim.conf and modified them using kdiff to see what had changed from my previous version.

It would appear that exim doesn't like the demime stuff; I had to hash it all out. What will this do, and will it be a problem? See one of the errors:


2008-04-07 20:16:12 Exim configuration error in line 688 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

icepick
04-07-2008, 02:46 AM
Hi,

I just read the post at http://www.directadmin.com/forum/showthread.php?s=&postid=50202#post50202 and it would appear demime is deprecated; is there a replacement for it?

I'm running freebsd and have just done a fresh install ( yesterday) of a brand new directadmin with the latest exim that came with it for freebsd 7. Do I need to download exim and compile it myself?

icepick
04-07-2008, 09:25 PM
All fixed, I managed to recompile exim with the correct option.

wallacetan
04-19-2008, 12:24 PM
$sender_helo_name should be checked at SMTP RCPT stage.

See url: http://www.exim-users.org/forums/archive/index.php/t-272.html
"Attempting a deny at the HELO stage in my experience has not worked... you
normally can get a good result at the RCPT ACL stage though."

rejecting based on HELO
http://www.gossamer-threads.com/lists/exim/users/20870?search_string=deny%20helo%20rcpt;#20870

HELO syntax check at RCPT
http://www.gossamer-threads.com/lists/exim/users/31266?search_string=deny%20helo%20rcpt;#31266



acl_check_helo:
  # accept email originating on this server unconditionally
  accept hosts = @[] : @
         endpass

  # DO NOT UNCOMMENT SECTION BELOW; IT IS IN WORK AND DOESN'T YET WORK PROPERLY
  # deny condition = ${if and{\
  #                    {isip{$smtp_command_argument}}\
  #                    {match_ip{$smtp_command_argument}{@[]}}\
  #                  } {yes}{no}}
  #      message = How can you possibly have my IP address?
  #      delay = 30s

  # IF YOU CHECK FOR VALID HELO:
  # UNCOMMENT THIS SECTION
  # WARNING THIS IS UNTESTED AND MAY BREAK ABILITY FOR USERS TO SEND EMAIL THROUGH YOUR SERVER
  # deny message = Single word server helo name ($sender_helo_name) rather than a FQDN.
  #      condition = ${if ! match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}}
  # deny message = IP# server helo name ($sender_helo_name) rather than a FQDN.
  #      condition = ${if match {$sender_helo_name} {^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$|^\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\$} {yes}{no}}
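What the three checks in that fragment accept and reject, as an added Python model (editor-written; not Exim configuration from the post, from wallacetan, or from SpamBlocker). The two regular expressions are carried over from the fragment; Exim's @[] is modelled by a hard-coded set of the server's own addresses, which is an assumption, and so is the sample address 192.0.2.10. The authenticated-session exemption is also an addition: it is the usual way to honour the fragment's own warning about breaking users who relay through the server, since a laptop on a home connection will often greet with a single word or a bare address. Note that a bracketed address literal such as [203.0.113.5] is permitted by RFC 5321 for a client that has no FQDN, so the third check knowingly rejects some compliant clients; the model flags it so you can see that trade-off.

```python
import ipaddress
import re
from typing import List, Set

# The two patterns from the posted acl_check_helo fragment.  Exim evaluates
# them with PCRE; they are plain enough to behave identically under re.
FQDN_SHAPE = re.compile(r"^[^.].*\.[^.]+$")
DOTTED_QUAD = re.compile(
    r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$|^\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]$"
)

# Assumption: the addresses this server listens on, i.e. what @[] expands to.
MY_ADDRESSES: Set[str] = {"192.0.2.10"}


def helo_problems(helo: str, my_addresses: Set[str] = MY_ADDRESSES) -> List[str]:
    """Return the names of the rules a HELO/EHLO argument trips, in the order
    the fragment lists them.  An empty list means all three checks pass."""
    problems: List[str] = []

    # Rule 1 (the in-work section): the client greets us with one of our own
    # addresses.  Accept both the bare form and the bracketed address literal.
    literal = helo[1:-1] if helo.startswith("[") and helo.endswith("]") else helo
    try:
        if str(ipaddress.IPv4Address(literal)) in my_addresses:
            problems.append("claims-my-ip")
    except ValueError:
        pass  # not an IPv4 address at all, so rule 1 cannot apply

    # Rule 2: no "label.label" structure, e.g. "localhost" or "PC-1".
    if not FQDN_SHAPE.search(helo):
        problems.append("single-word")

    # Rule 3: a bare or bracketed dotted quad instead of a hostname.
    if DOTTED_QUAD.search(helo):
        problems.append("ip-literal")

    return problems


def should_reject(helo: str, authenticated: bool = False,
                  my_addresses: Set[str] = MY_ADDRESSES) -> bool:
    """Decision for the RCPT ACL.  Authenticated submissions are exempted
    (an addition, not part of the fragment) so your own users can still relay."""
    if authenticated:
        return False
    return bool(helo_problems(helo, my_addresses))


if __name__ == "__main__":
    for sample in ("mail.example.com", "localhost", "[203.0.113.5]",
                   "192.0.2.10", "[192.0.2.10]"):
        print(f"{sample:20} -> {helo_problems(sample) or 'ok'}")
```

Running it shows that a bare 192.0.2.10 passes the FQDN-shape regex (it does contain dots), so the single-word rule alone would never catch an IP-shaped HELO; the dotted-quad rule is what does that work.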

jjma
09-16-2008, 02:15 AM
Originally posted by nobaloney
Months have passed, but I am getting closer to a release.

Jeff

Hello Jeff,

Any idea of when a final release will be available?

Jon

nobaloney
09-19-2008, 12:55 PM
I'm working with John this month on some recent changes. Soon? Soon.

Jeff

jjbakker
11-29-2008, 06:15 AM
Hi Jeff,

Any status updates available?

nobaloney
11-29-2008, 01:54 PM
Still busy. It's on my todo list to get another candidate up as soon as possible.

Jeff

Auraka
12-12-2008, 11:08 AM
You may want to remove dsbl from your rbl checks since it is now defunct.

nobaloney
12-12-2008, 08:59 PM
I'm making changes quite often now, but will try to take the time to post my own copy of the file (which I change often) after it's been up a few days with the latest changes.

I suppose it's time to do a feature lock and a release candidate.

Jeff

Willis
12-17-2008, 03:25 PM
I'm using the latest script for dovecot.

I've made two modifications:
1) opened an extra smtp port
2) Enabled (uncommented) the entire spamassassin section.

Everything works; however, when a message is marked as spam, SpamAssassin repeatedly delivers the same message to the spam box multiple times, and the number of times is always random: sometimes twice, sometimes as many as 8 times, sometimes just once. At first I thought it was just spammers being stupidly persistent, but today a valid email got caught by it, which I know was only sent once, and it multiplied into 8 separate messages. Any idea what could cause this?

I just updated everything via custombuild 1.1 and re-updated spamassassin, and the problem still persists.

OS is CentOS 5.2 x64, Dovecot 1.1.7, Exim 4.67, SpamAssassin 3.2.5, Perl 5.8.8

Any input would be appreciated.

evil_smurf
01-15-2009, 10:44 PM
Jeff,

I have modified my copy of SpamBlocker 2 to allow for multiple IPs to be the remote SMTP address, depending on what domain on the box is being used to send the email.

If you are interested in how I did this, feel free to message me and we can talk :)

nobaloney
01-16-2009, 05:08 PM
Done. Replied by PM.

floyd
01-17-2009, 07:16 AM
Originally posted by evil_smurf
I have modified my copy of SpamBlocker 2 to allow for multiple IPs to be the remote SMTP address, depending on what domain on the box is being used to send the email.



Care to share with the rest of us or is this going to be closed source?

floyd
01-17-2009, 07:32 AM
Originally posted by evil_smurf
I have modified my copy of SpamBlocker 2 to allow for multiple IPs to be the remote SMTP address, depending on what domain on the box is being used to send the email.



Are you using a static file with a list of domain to ip mappings or are you doing a live dns lookup?

nobaloney
01-17-2009, 11:33 AM
Neither. It's good clean code and it works. Evil_Smurf has sent it to me but didn't give me permission to share it, so hopefully he'll be back here to respond, or he'll contact me with permission to share it here.

Jeff

floyd
01-17-2009, 11:49 AM
OK, well, here is code that I found, and it does work.

exim.conf:

remote_smtp:
  driver = smtp
  interface = ${lookup{$sender_address_domain}lsearch{/etc/virtual/interfaces}{$value}{xxx.xxx.xxx.xxx}}

/etc/virtual/interfaces has the domains and IP addresses listed in this format:

domain1.com: xxx.xxx.xxx.xxx
domain2.com: xxx.xxx.xxx.xxx

The xxx.xxx.xxx.xxx in the exim.conf is the default IP in case the domain being used is not listed in the interfaces file.

More info here http://www.mail-archive.com/exim-users@exim.org/msg25906.html

I would like to have a better way of reading the domains but this works for me. I can have a script that sets up the interfaces file in a few seconds.

nobaloney
01-18-2009, 06:49 AM
At some point after the new file comes out, and is hopefully accepted by John and Mark to become part of DirectAdmin, I'd expect at least one commercial or free plugin to be made available.

Jeff

evil_smurf
01-18-2009, 11:09 AM
Yep, that's what I found myself and shared with Jeff.

I'd like to see DA keep a file like this on its own. That would be kind of nice.

jca
01-20-2009, 09:22 PM
Thanks for everything Jeff, what I wonder (looked around with no real posts found) is what's new in SpamBlocker3 over SpamBlocker2?

I really appreciate the effort and time you put in this project and hope to see a final version soon.

Jose

nobaloney
01-21-2009, 07:23 AM
Lots...

But my release candidate is a moving target. The beta download on my site is mostly just a redesign, reordering, and a change in blocklists and whitelists; kind of a frame I build on.

But it's still a good idea to use it; it replaces blocklists that no longer exist with some that do :).

Jeff

keefe007
03-11-2009, 08:29 PM
Any update on the Spamblocker3 release?

nobaloney
03-12-2009, 12:18 PM
I'm still updating mine from time to time; I think I'll freeze it and issue it as an RC; then if people seem to think it's good, I'll issue it and move forward from there. Give me about a week or so; I'm rebuilding two office desktop systems.

EDIT: I've set myself a deadline of the end of March 2009 to have this done.

Jeff

@how@
03-23-2009, 07:18 AM
Good news and keep good work Jeff :)

Wael

jjma
03-23-2009, 07:47 AM
Thanks Jeff for the update.

regards,

Jon

jw00dy
03-27-2009, 12:35 AM
Yes, thank you for your hard (and free) work on this. It is appreciated.

I'm looking forward to testing your new release as soon as it's available.

nobaloney
03-27-2009, 01:45 PM
Unfortunately I've been impacted hard by taking over some new accounts this week, so while I'm still trying to make the first of the month, it may not make it :(.

Jeff

jca
03-27-2009, 05:16 PM
Don't worry Jeff, you do this for free and you get paid for the other stuff, so that gets priority. Let us know when you can finish the RC and we will gladly help you out testing it!

Thanks!

interfasys
06-20-2009, 12:52 PM
The latest version seems to be missing the domain_filter patch that was posted by DA admins a while ago.

nobaloney
06-21-2009, 02:22 PM
Are you writing about my SpamBlocker3 version? I presume so because of the forum in which you're posting.

Please show me a link to the patch, and a link to the explanation for the patch. I'll install it if it makes sense.

Thanks.

Jeff

interfasys
06-21-2009, 02:34 PM
Yep, it's about version 3, but maybe I'm missing something...
http://www.directadmin.com/features.php?id=903

Cheers,

nobaloney
06-21-2009, 03:30 PM
Do you mean that you're using SpamBlocker version 3 and that it doesn't contain the patch in your link?

If so, just post here to let me know, and I'll integrate it into the next version of SpamBlocker3, which is coming out very soon.

Jeff

interfasys
06-21-2009, 04:04 PM
Hello Jeff,

Yes, I reviewed the latest features and fixes implemented by the DA team recently and stumbled upon that modification which I didn't see in your current Spamblocker 3 file, so I thought I would let you know, just to see if it was an oversight or if you had left it out intentionally.

Cheers,

nobaloney
06-22-2009, 01:05 PM
It wasn't intentional. I have to do a new version soon anyway; sorbs is closing their lists as of July 20th, 2009. More later; I'll make an official announcement as soon as there's a new version of SB2 and of SB3 out.

Jeff

interfasys
06-22-2009, 01:09 PM
Cool, thx Jeff.

nobaloney
02-20-2010, 01:47 PM
Note that the next version of SpamBlocker is due out very shortly. Hopefully by the end of this weekend or early next week.

Because it has a lot of Edit points and because it may take a while for DirectAdmin to be able to support it as their standard, we'll be offering an installation service for those who want its advantages and don't feel up to installing it themselves.

Jeff

nobaloney
02-20-2010, 02:33 PM
I've figured out how the code gets the default IP#. So that part of the puzzle is solved IF and only IF the user edits his exim.conf file upon install. For the lazy ones among us (most of us), the default will show a nonroutable IP#, and of course most mail won't get delivered. So that's a negative.


I've found this (http://old.nabble.com/more-than-one-smtp-transport-bounded-to-several-ip-adresses-td15117824.html):

Note that $sender_address_domain contains the domain in the envelope from. If you want something else (e.g., the from header rather than the envelope from), then you'd need to use some other expansion variable.
Please see the exim manual for a full list, under "Expansion variables".
Exim's envelope from appears to be reasonable, depending on what it says.

Someone please test the exim envelope from to see what it says when a user sends email from (for example) his home ISP connection, through your server.

I don't send email through my ISP so I'm not sure.

Thanks.

Jeff

floyd
02-22-2010, 06:27 AM
I was just wondering, is this release going to address the backscatter problem?

nobaloney
02-22-2010, 10:49 AM
Hopefully, I'm trying to find all the notes on backscatter. You can help me by emailing me with important thread links.

Jeff

floyd
02-22-2010, 11:16 AM
Here is one that I had started http://www.directadmin.com/forum/showthread.php?t=32813&highlight=backscatter

It started out talking about using system_filter.

But upon further meditation I found that using RBLs could probably cause backscatter as well.

I was not able to test it at the time because I did not have any blocklisted ip's.

nobaloney
02-22-2010, 11:17 AM
Not sure what you mean by

I did not have any blocklisted ip's.
Jeff

floyd
02-22-2010, 11:21 AM
I could not test if using RBL's would actually send backscatter.

My theory is that if email gets forwarded from server1 to server2 and server2 rejects it because server1 is blocklisted what does server1 do? Will it send it back to the possibly faked from address?

tlchost
02-23-2010, 05:11 AM
But upon further meditation I found that using RBLs could probably cause backscatter as well.

I was not able to test it at the time because I did not have any blocklisted ip's.

As soon as I removed the RBL function I stopped being labeled as a backscatterer....but of course the amount of spam coming in has increased dramatically.

maybe we need a user option

Engage anti-spam measures and not be able to send emails to many systems
or
Insure that mail can be sent to many systems and accept spam
or
Send money to backscatter scam headquarters to be unlisted because
both options above are unacceptable.

Thom

nobaloney
02-23-2010, 06:24 PM
It doesn't have to be that way, Thom. If I'm on any backscatter lists, I don't know it; how would I find out? And I use RBLs very aggressively.

How can I find out if I'm on backscatter lists?

If someone would be kind enough to write out either just pseudocode, or an actual old-fashioned flow-chart of how anti-backscatter should work, please do so (fast :)) and I'll get to work on it.

Jeff

gerrybakker
02-24-2010, 12:28 AM
Perhaps setting up "Safe Mode" as per this page http://www.backscatterer.org/?target=usage would help. They seem to have Exim specific instructions to implement it.

tlchost
02-24-2010, 03:45 AM
How can I find out if I'm on backscatter lists?

http://www.backscatterer.org/index.php?target=test

And if you do get on their list, here's the bad news:

The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP.
Expedited manual expressdelisting is available as an option, in case you do not want to wait for the automatic and free expiration.
You will be charged 50 Euros using one of the following payment services.
WARNING: Before requesting expressdelisting make sure the problem which caused the listing is fixed, otherwise you are at risk to get listed again if new abuse becomes known.

So it would appear that every server they list is a potential source of income.

tlchost
02-24-2010, 03:49 AM
Perhaps setting up "Safe Mode" as per this page http://www.backscatterer.org/?target=usage would help. They seem to have Exim specific instructions to implement it.

But isn't that safe mode for people who use their database...rather than those who are sending mail?

It seems that the major sin in their eyes is bouncing mail, if the bounce messages are in response to messages that have MAIL FROM: <> or are from postmaster only.

Thom

floyd
02-24-2010, 06:11 AM
I am using Spamblocker2 and started using 2 ip addresses for the first time yesterday and they got listed this morning at http://www.backscatterer.org/

floyd
02-24-2010, 06:27 AM
Jeff maybe this will help. http://www.backscatterer.org/index.php?target=backscatter

floyd
02-24-2010, 06:38 AM
Here is an example of backscatter:


2010-02-24 08:12:23 1NkH2N-0006N2-O0 <= newwebsite0@yahoo.com H=pool-74-110-232-248.rcmdva.east.verizon.net ([192.168.0.98]) [74.110.232.248] P=esmtp S=651 id=4B8525B3.8030307@yahoo.com T="test" from <newwebsite0@yahoo.com> for floyd@biblefinder.com
2010-02-24 08:12:24 1NkH2N-0006N2-O0 ** floyd@biblefinder.com F=<newwebsite0@yahoo.com> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<floyd@biblefinder.com>: host mail.biblefinder.com [74.117.232.12]: 550 "Unknown User"
2010-02-24 08:12:24 1NkH2N-0006N2-O0 Completed

2010-02-24 08:12:24 1NkH2O-0006N5-S4 <= <> R=1NkH2N-0006N2-O0 U=mail P=local S=1604 T="Mail delivery failed: returning message to sender" from <> for newwebsite0@yahoo.com
2010-02-24 08:12:26 1NkH2O-0006N5-S4 => newwebsite0@yahoo.com F=<> R=lookuphost T=remote_smtp S=1647 H=f.mx.mail.yahoo.com [98.137.54.237] C="250 ok dirdel"
2010-02-24 08:12:26 1NkH2O-0006N5-S4 Completed


The recipient server rejected the email because of unknown user. The sending server delivered the bounce to the faked sender address.

The sending server should only be allowed to deliver bounces to email that it sent to a local user.

The concept is simple. How to implement it I have no idea. Sorry.

Maybe if it is "from <>" it can only be delivered to local domains. But then how do legitimate senders get bounces on another server?
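
The following is an added example for this thread, not code from any post here or from SpamBlocker. It answers the "how would I find out?" question from the logs themselves: it reads Exim mainlog lines and flags exactly the pattern floyd's excerpt shows, a message accepted from an unauthenticated remote host (P=esmtp), a hard remote failure (**) on onward delivery, a locally generated bounce (<= <> with R= pointing at the original id) and that bounce being handed to a remote host (=> ... F=<> T=remote_smtp). The six log lines from floyd's post are embedded as sample input; the second pair of messages (alice@biblefinder.com, mx.example.net) is constructed to show a legitimate bounce that must not be flagged, because the original was submitted with authentication and the bounce went to a local mailbox.

```python
"""Flag backscatter in Exim mainlog lines.

Added example; not SpamBlocker code. A bounce is counted as backscatter only
when the message it answers arrived over unauthenticated SMTP, failed hard at
a remote host, and the bounce itself was delivered off-box.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "<date> <time> <message id> <flag> <rest>": <= arrival, => delivery,
# -> extra delivery, == deferral, ** hard failure. Other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<flag><=|=>|->|==|\*\*) (?P<rest>.*)$"
)
# Exim "K=value" fields: <angle-bracketed>, "quoted" or a bare token.
FIELD_RE = re.compile(r'(?<!\S)([A-Z]{1,2})=(<[^>]*>|"[^"]*"|\S+)')


@dataclass
class Message:
    msgid: str
    sender: str = ""
    proto: str = ""                       # P= on the "<=" line: esmtp, esmtpa, local, ...
    bounce_for: Optional[str] = None      # R= on a "<= <>" line: id of the message bounced
    remote_failure: Optional[str] = None  # error text from a "**" line via remote_smtp
    bounce_sent_to: List[str] = field(default_factory=list)  # off-box recipients of our bounce


def parse_fields(rest: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for key, val in FIELD_RE.findall(rest):
        out.setdefault(key, val.rstrip(":").strip('"'))  # first occurrence wins
    return out


def find_backscatter(lines) -> List[dict]:
    msgs: Dict[str, Message] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Completed", ACL rejects, etc.
        msg = msgs.setdefault(m["id"], Message(m["id"]))
        flag, rest = m["flag"], m["rest"]
        fld = parse_fields(rest)
        head = rest.split(" ", 1)[0]  # envelope sender on "<=", recipient otherwise
        if flag == "<=":
            msg.sender, msg.proto = head, fld.get("P", "")
            if head == "<>" and msg.proto == "local":
                msg.bounce_for = fld.get("R")  # bounce Exim generated itself
        elif flag == "**" and fld.get("T") == "remote_smtp":
            msg.remote_failure = rest.split(": ", 1)[-1]
        elif flag == "=>" and fld.get("F") == "<>" and fld.get("T") == "remote_smtp":
            msg.bounce_sent_to.append(head)

    findings = []
    for bounce in msgs.values():
        if not bounce.bounce_for or not bounce.bounce_sent_to:
            continue
        orig = msgs.get(bounce.bounce_for)
        if orig is None or orig.remote_failure is None:
            continue
        # Unauthenticated SMTP: the envelope sender was never verified, so the
        # bounce goes to whoever the remote client chose to name.
        if orig.proto in ("smtp", "esmtp", "esmtps"):
            findings.append({
                "bounce_id": bounce.msgid,
                "original_id": orig.msgid,
                "claimed_sender": orig.sender,
                "bounced_to": bounce.bounce_sent_to,
                "reason": orig.remote_failure,
            })
    return findings


# Lines 1-6 are floyd's log excerpt; the alice/example.net lines are constructed.
SAMPLE_LOG = """
2010-02-24 08:12:23 1NkH2N-0006N2-O0 <= newwebsite0@yahoo.com H=pool-74-110-232-248.rcmdva.east.verizon.net ([192.168.0.98]) [74.110.232.248] P=esmtp S=651 id=4B8525B3.8030307@yahoo.com T="test" from <newwebsite0@yahoo.com> for floyd@biblefinder.com
2010-02-24 08:12:24 1NkH2N-0006N2-O0 ** floyd@biblefinder.com F=<newwebsite0@yahoo.com> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<floyd@biblefinder.com>: host mail.biblefinder.com [74.117.232.12]: 550 "Unknown User"
2010-02-24 08:12:24 1NkH2N-0006N2-O0 Completed
2010-02-24 08:12:24 1NkH2O-0006N5-S4 <= <> R=1NkH2N-0006N2-O0 U=mail P=local S=1604 T="Mail delivery failed: returning message to sender" from <> for newwebsite0@yahoo.com
2010-02-24 08:12:26 1NkH2O-0006N5-S4 => newwebsite0@yahoo.com F=<> R=lookuphost T=remote_smtp S=1647 H=f.mx.mail.yahoo.com [98.137.54.237] C="250 ok dirdel"
2010-02-24 08:12:26 1NkH2O-0006N5-S4 Completed
2010-02-24 09:00:00 1NkHnn-0006Q1-AB <= alice@biblefinder.com H=(client) [74.110.232.250] P=esmtpa A=login:alice S=700 id=abc@biblefinder.com T="hi" from <alice@biblefinder.com> for bob@example.net
2010-02-24 09:00:01 1NkHnn-0006Q1-AB ** bob@example.net F=<alice@biblefinder.com> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<bob@example.net>: host mx.example.net [192.0.2.25]: 550 No such user
2010-02-24 09:00:01 1NkHnn-0006Q1-AB Completed
2010-02-24 09:00:01 1NkHnn-0006Q2-CD <= <> R=1NkHnn-0006Q1-AB U=mail P=local S=1500 T="Mail delivery failed: returning message to sender" from <> for alice@biblefinder.com
2010-02-24 09:00:01 1NkHnn-0006Q2-CD => alice <alice@biblefinder.com> R=localuser T=local_delivery
2010-02-24 09:00:01 1NkHnn-0006Q2-CD Completed
"""

if __name__ == "__main__":
    # Pipe a real mainlog in, or run without input to use the sample above.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for f in find_backscatter(source):
        print(f"{f['bounce_id']}: bounce for {f['original_id']} sent to "
              f"{', '.join(f['bounced_to'])} (claimed sender {f['claimed_sender']}); "
              f"cause: {f['reason']}")
```

Run as `python3 backscatter_check.py < /var/log/exim/mainlog` (the log path is the usual DirectAdmin location and is an assumption). A non-empty result means the server has already sent bounces to addresses it had no reason to trust; every hit also names the downstream host and 5xx text that caused it, which is the information needed to decide whether the fix is recipient verification, a forwarder change or an alias.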

nobaloney
02-24-2010, 11:31 AM
Good points, everyone. Still looking for a solution.

Jeff

floyd
02-25-2010, 09:28 AM
I think what needs to be done is first determine policies or logic and let each admin determine what he wants his policy to be.

Policy 1: Prevent backscatter. This would mean that if an email is sent from server1 to server2 and then server2 forwards it to server3 and server3 rejects the email, then server2 must at that point simply drop the email, since it cannot possibly return it to the sender because the sender From address cannot be trusted. Nobody gets the rejection notices.

Policy 2: The From address gets rejection notices. This is how it is set up now and potentially creates backscatter. But legit senders get the notices

Backscatter is aka unsolicited bounces.

I do not know of any way for the server in the middle to return the rejection to the original ip, server1, since it is past the initial stage of accepting the email from server1.

floyd
02-25-2010, 12:01 PM
Here is another thread on the issue http://www.directadmin.com/forum/showthread.php?t=28680

floyd
02-25-2010, 12:44 PM
I also see that by default exim accepts email for postmaster@ and then later tries to return it to the forged email address.

This might be technically correct for the RFC; however, if the mail is being returned then it is obviously not getting to the intended recipient and being read. So what is the point of accepting it and then bouncing it?

Don't accept mail for anybody unless it is possible to be delivered.

tlchost
02-25-2010, 01:05 PM
I also see that by default exim accepts email for postmaster@ and then later tries to return it to the forged email address.

Don't accept mail for anybody unless it is possible to be delivered.

But that doesn't solve the problem of mail coming in to a real address on the server that's "from" a fictional address.....if we detect it and bounce it, we're contributing to the pollution.

Methinks the RFC needs to be rethought.

Thom

floyd
02-25-2010, 01:22 PM
But that doesn't solve the problem of mail coming in to a real address on the server that's "from" a fictional address.....if we detect it and bounce it, we're contributing to the pollution.


If its sending to a real local address it should not bounce.

The problem with bounces is when email is forwarded on to another server and that server rejects the email and then the server in the middle then bounces the email to the forged From address. I have not figured out a way to disable bounces yet.

Remember a bounce is different than a rejection.


if we detect it and bounce it, we're contributing to the pollution.

Detect what?

nobaloney
02-26-2010, 11:51 AM
Policy 1: Prevent backscatter. This would mean that if an email sent from server1 to server2 and then server2 forwards it to server3 and server3 rejects the email then server2 must at that point simply drop the email since it cannot possibly return it to the sender since the sender From address cannot be trusted. Nobody gets the rejection notices.
Okay. How do I do it? Anyone?

Policy 2: The From address gets rejection notices. This is how it is set up now and potentially creates backscatter. But legit senders get the notices
There is a way to do this, and still avoid backscatter: simply don't accept mail unless the sender can receive email; check first. The problem is that this breaks the ability to accept a lot of automated email. So it'll never be a standard for anything I produce.

My bottom line is if someone will do the analysis on exactly how to do it I can convert it into exim.conf code.

Jeff

floyd
02-26-2010, 12:52 PM
I will state it here too. We need to handle the addresses postmaster, hostmaster, and abuse differently now. We cannot allow exim to accept them and then not be able to deliver to them. I now believe this is how most of the backscatter is generated. Exim accepts the email but finds it cannot deliver it and then has no choice but to issue a bounce to the probably forged From address.
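
The following is an added illustration, not SpamBlocker code and not from any post in this thread, of how Jeff's "How do I do it?" and floyd's point about undeliverable RFC addresses translate into Exim 4 ACL terms. It assumes Exim's default ACL name (acl_check_rcpt) and the default +local_domains list; match both to whatever acl_smtp_rcpt and the domainlist are called in your exim.conf. The idea is to make the decision during the SMTP dialogue, when the remote client still owns the message and a 550 costs nothing, instead of accepting the message and later having to generate a bounce to an envelope sender nobody verified.

```exim
# Added example: recipient-ACL fragment for Exim 4 (illustrative, not SpamBlocker's).
acl_check_rcpt:

  # A genuine DSN has exactly one recipient. A null sender that asks for
  # a second recipient is not delivering a bounce; refuse it.
  deny    message   = bounce messages may have only one recipient
          senders   = :
          condition = ${if >{$recipients_count}{0}}

  # Refuse recipients that cannot be delivered while the client is still
  # connected, so Exim never accepts-then-bounces. An alias of :fail:
  # is rejected right here with a 550; :blackhole: accepts and discards
  # silently, so it never bounces either. For recipients whose alias
  # forwards off-box, the callout asks the next hop before we take
  # responsibility; defer_ok lets temporary failures at the next hop
  # through rather than turning them into our own rejections.
  accept  domains   = +local_domains
          endpass
          message   = unknown user
          verify    = recipient/callout=20s,defer_ok

  # Your existing relay statements (relay_from_hosts, authenticated
  # clients) and the final deny follow here unchanged.
```

Two caveats. First, to the next hop a recipient callout is indistinguishable from a sender-verification callout (an empty MAIL FROM, one RCPT TO, QUIT), and backscatterer.org lists sender callouts as abuse alongside misdirected bounces, so only keep the callout option toward forward targets you control; without it, the verify still catches every unknown local user and every :fail: alias, which is the bulk of what the thread describes. Second, the single-recipient rule for null senders breaks nothing legitimate, but it is only a partial measure: it stops the server being used as a bounce relay, not bounces the server generates itself, which is what the verify line is for.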

nobaloney
02-27-2010, 07:53 PM
I think you're right; I've been considering this for the last few days. It's time to look at changes to the RFC-mandated email addresses.

I've been setting up the addresses for all my clients as part of setting them up on the server. Should they instead be forwards to the admin account?

Jeff

gerrybakker
02-27-2010, 09:20 PM
How can we set up DA so that it automatically creates those forwarder addresses for each new account? At the moment I send them to :blackhole: if I am conscious of a problem for an account but perhaps it should always be set that way for everyone's account.

floyd
02-28-2010, 04:39 AM
Use the custom post scripts.

gerrybakker
02-28-2010, 10:31 AM
Which custom post scripts specifically?

czotos
03-14-2010, 08:21 AM
Create domain_create_post.sh in the /usr/local/directadmin/scripts/custom/ directory...

The domain_create_post.sh file should be owned by diradmin and have 755 permissions:


chown diradmin:diradmin /usr/local/directadmin/scripts/custom/domain_create_post.sh
chmod 755 /usr/local/directadmin/scripts/custom/domain_create_post.sh

In the /usr/local/directadmin/scripts/custom/domain_create_post.sh file, add this:


#!/bin/sh
# DirectAdmin runs this after creating a domain and passes its name in $domain.
[ -n "$domain" ] || exit 1
FILE="/etc/virtual/$domain/aliases"
# Drop the existing catch-all line so it can be re-added after the new aliases.
grep -v '^\*:' "$FILE" > "$FILE.tmp"
echo "abuse: :blackhole:" >> "$FILE.tmp"
echo "postmaster: :blackhole:" >> "$FILE.tmp"
echo "hostmaster: :blackhole:" >> "$FILE.tmp"
echo "*: :fail:" >> "$FILE.tmp"
mv -f "$FILE.tmp" "$FILE"
chmod 600 "$FILE"
chown mail:mail "$FILE"
exit 0

Now that will automatically create the forwarders for abuse, postmaster and hostmaster for newly-created domains. The forwarders are pointing to :blackhole: which will essentially accept and discard the incoming messages.