View Full Version : SpamBlocker3 exim.conf file now ready for Beta testing
jlasman
12-26-2006, 09:04 PM
Edited 20-may-2008 to clear up confusion about multiple beta versions of Spamblocker3
SpamBlocker3 exim.conf file is now ready for Beta testing. Please feel free to give it your best shot, to try it, or just to look at it.
Note the following information was correct for SpamBlocker version 3-beta:
There are four versions, one each for:
DA with original style mailboxes.
DA with original style mailboxes and ClamAV support.
DA with Dovecot Maildir mailboxes.
DA with Dovecot Maildir mailboxes and ClamAV support.
Note that SpamBlocker version 3.1-beta works only on DirectAdmin servers running Maildir. For more information see the Important Note at the top of this page (http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker3/), and also the MUST-READ-FIRST.txt file, the ReadMe-SpamBlocker.3.1.txt file, and line three of the download file itself: exim.conf.3.1-beta, all linkable from that page.
SpamBlocker3 exim.conf with ClamAV support has been tested with the ClamAV installation described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=10478), but with the latest version of ClamAV as described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=16258).
I simply followed the instructions in the first post, but used version number 88.7 wherever the instructions showed version 87.1.
Don't forget to use the latest version of exim.pl, with the new beta versions, and also to save your old exim.conf and your old exim.pl before updating.
The beta versions can be found here:
http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker3/
Jeff
skruf
12-27-2006, 07:30 AM
Hey,
If you used Wael's HOW TO: All in 1 (located here (http://www.directadmin.com/forum/showthread.php?threadid=12099)) to install/update ClamAV, then the "av_scanner" line is a bit different.
It would be like this:
av_scanner = clamd:/tmp/clamd
Thought this was worth mentioning.
David
xemaps
12-27-2006, 08:13 AM
If it's spamblocker 3.0 version, this means I use myblockerversion 10.0 ! ;)
even sa spamcheck_director is not modified :/
Hope beta not including lot of tests you will include in final.
You don't need system_filter but can include these tests in exim.conf mime
Please correct clamd socket to av_scanner = clamd:/tmp/clamd to be compliant with all Wael's scripts, like David said.
rocketcity
12-27-2006, 10:14 AM
Jeff,
I understand that you no longer have dealings with the "SpamBlocker Plugin" however, do you know if it will work with Version 3 of exim.conf? I currently have one server using the plugin. I'm curious if the plugin will continue to work if I upgrade that system to Version 3 of exim.conf.
btw, I have upgraded a couple other servers (not running the plugin) to the exim.conf V3 beta and they are working great.
skruf
12-27-2006, 11:36 AM
Hey,
I don't think it will without modifications...
I say that because we're making some modifications to our Exim Editor Plugin in order for it to be fully compatible with Version 3.
Among other things, there's a new file that comes in to play for ClamAV and four variations on the exim.conf file as well.
However, I could be wrong!
David
xemaps
12-27-2006, 12:31 PM
by the way, the best way is to make your own exim.conf
actual spamblocker is just a few block containing files some rules and external files.
Possibly this can be rewritten and activated with MACRO language in exim.conf
jlasman
12-27-2006, 12:40 PM
Originally posted by xemaps
If it's spamblocker 3.0 version, this means I use myblockerversion 10.0 ! ;)
You can use whatever you want. You've been complaining about SpamBlocker for some time now, but you've never been willing to share anything with the rest of us; you just keep telling us you're better.
I'm glad you're better than the rest of us. Will you share your methods with us? Or just keep complaining?
Remember that while you can certainly do whatever you want for your systems; SpamBlocker doesn't have that luxury; SpamBlocker has to work for all of us, and still be maintainable.
We write SpamBlocker to work as part of DA for all DA users, not just those who use the All-in-1 script, or who don't, or who use Dovecot, or who use mbox, or who use ClamAV, or who don't use ClamAV.
If you have something to share, please do. You can create a thread either in DirectAdmin-related Products and Services [Advertising Forum] or in 3rd Party Software, as I did when I first started the SpamBlocker project, before John and Mark decided to include it in DA.
Thanks.
Jeff
jlasman
12-27-2006, 12:45 PM
Originally posted by skruf
If you used Wael's HOW TO: All in 1 (located here (http://www.directadmin.com/forum/showthread.php?threadid=12099)) to install/update ClamAV, then the "av_scanner" line is a bit different.
It would be like this:
av_scanner = clamd:/tmp/clamd
Thanks, David. I don't use the All-in-1 script (though I may decide to do so at some time in the future); I searched these forums and picked a standalone ClamAV to install when I first started experimenting with ClamAV, and that's what I use.
If Wael or someone else is willing to write a stand-alone script to install ClamAV then we can consider using that in SpamBlocker, but there will always be a default option set, and instructions for changing it as necessary.
Jeff
jlasman
12-27-2006, 12:46 PM
Originally posted by rocketcity
I understand that you no longer have dealings with the "SpamBlocker Plugin" however, do you know if it will work with Version 3 of exim.conf? I currently have one server using the plugin. I'm curious if the plugin will continue to work if I upgrade that system to Version 3 of exim.conf.
I don't know and I recommend you contact Onno for that information. He has the same access to the SpamBlocker3 beta code as everyone else :) .
btw, I have upgraded a couple other servers (not running the plugin) to the exim.conf V3 beta and they are working great.
Thanks.
Jeff
jlasman
12-27-2006, 12:58 PM
Originally posted by xemaps
by the way, the best way is to make your own exim.conf
For you. Have you considered that many DA users may have neither the expertise nor the time to do that?
actual spamblocker is just a few block containing files some rules and external files.
Oh. The original SpamBlocker took months of figuring out what to do; we started it just after Exim4 came out (if I recall correctly, DA first came with exim3), even before anyone had experiences with writing an exim.conf file for exim4.
We started by changing what gets logged so we could see how it does or doesn't work.
We made a fundamental change to the original exim.conf file, which accepted email even for non-existent users, and then tried to bounce it back if it wasn't deliverable.
Possibly this can be rewritten and activated with MACRO language in exim.conf
Macros aren't a cure-all for everything, since they're simple text replacements (there really isn't a macro language, such as M4 for sendmail.cf, for exim). So macros may not work anywhere; for example a macro that requires text expansion will only work where text expansion works.
In my opinion, exim macros save time at the expense of flexibility, and sometimes of full understanding.
That said, you certainly may write a version of exim.conf that uses macros, and offer it to the community.
However this thread is for discussing SpamBlocker3, not other ways to do what it does. Please post in the proper location to avoid having your posts deleted.
Thanks.
Jeff
xemaps
12-27-2006, 01:59 PM
Jeff,
just my 1 cent post,
I'm not complaining, i'd like to see you'll work on a real new true version, rather than replacing your outdated 'new' spamblocker 3
The spam from today has nothing to do with old way spamming.
I have no time, and be not paid to work for this, and play with your conf.
MODERATOR'S NOTE: balance snipped
jlasman
12-27-2006, 02:41 PM
Interesting ... you don't do it unless you get paid but you criticize those of us who attempt to do it freely.
Please write your own.
Leave us alone until/unless you have something positive to offer us.
This is a thread for positive discussion about SpamBlocker3. Not for continuing to say you can do it better but you won't.
Jeff
xemaps
12-27-2006, 02:50 PM
Also please don't post your old spamblocker again since it is obsolete before you post it.
I was offering to participate, but you just deleted the chapter from my post !
( called MODERATOR'S NOTE: balance snipped )
So stay with your obsolete file.
matrixx
12-27-2006, 03:29 PM
Originally posted by xemaps
Also please don't post your old spamblocker again since it is obsolete before you post it.
I was offering to participate, but you just deleted the chapter from my post !
( called MODERATOR'S NOTE: balance snipped )
So stay with your obsolete file.
Got a pet 'Troll' Jeff ?
DirectAdmin Sales
12-27-2006, 03:42 PM
Let's keep comments positive please, and criticism only if something of value can be offered with such comments. One post is sufficient, no need to go back and forth.
Mark
BigWil
12-29-2006, 11:34 AM
Yes. I agree with Mark completely. Let's keep things professional. I have enough of these romper-room threads on other lists. Maybe we need a forum titled:
Romper Room - A place for users to work out their differences where others need not be privy to them unless they want to be.
And of course the first topic.... Maps vs Boloney
I was going to do a ring announcer segment but that might illustrate my opinions of the contenders which would definitely be biased and certainly counterproductive. ;-)
Now I am off to check out V3 and to fuse my SA into it.
Big Wil
Remco00
01-01-2007, 03:33 AM
Jeff, perhaps better to use:
dnslists = sbl-xbl.spamhaus.org
dnslists = combined.njabl.org
jlasman
01-01-2007, 10:36 AM
Instead of? In addition to?
Please be very specific and give reasons... I'm open to discussion.
Thanks.
Jeff
Remco00
01-01-2007, 01:21 PM
dnslists = sbl-xbl.spamhaus.org instead of dnslists = sbl.spamhaus.org
dnslists = combined.njabl.org instead of dnslists = dnsbl.njabl.org
There is lots of info about these issues on this forum. Just query on it and you will find the answers. Making the suggested changes a few months ago in your much appreciated SpamBlocker, saved us from a lot of spam.
jlasman
01-01-2007, 02:03 PM
Originally posted by Remco00
dnslists = sbl-xbl.spamhaus.org instead of dnslists = sbl.spamhaus.org
Here's what spamhaus says on their site:
Mail servers already using cbl.abuseat.org should NOT also use xbl.spamhaus.org or you will be making 'double' queries to basically the same data source and only one DNSBL will appear to work (the other(s) will appear to not catch anything). Mail servers already using dnsbl.njabl.org are advised to continue doing so, as dnsbl.njabl.org is itself a composite list and contains more than the open proxy IPs list part now incorporated in XBL.
See: http://www.spamhaus.org/xbl/
We include both dnsbl.njabl.org and spamhaus themselves tell us that we should continue to do what we do. They say we'd lose a lot of blocks if we stopped using cbl and started using xbl.
dnslists = combined.njabl.org instead of dnslists = dnsbl.njabl.org
Maybe. It's passed my preliminary testing.
There is lots of info about these issues on this forum. Just query on it and you will find the answers.
Query on what? blocklist names? I found no useful hits for xbl.spamhaus.org or for njabl.org.
Making the suggested changes a few months ago in your much appreciated SpamBlocker, saved us from a lot of spam.
Real spam? Or perceived spam? If you left the order of the blocklists alone in your exim.conf, but merely edited the names, then you're seeing more blocks from spamhaus at the expense of catching them in blocklists further down in exim.conf.
If you're going to do tests on blocklist efficiency you should do at least one week each with the different lists at the top of the heap.
Jeff
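The ordering effect described in the post above, as an added example that is not part of the original thread: each rejected IP is credited to the first blocklist that lists it, so per-list counts change with the order while the total blocked does not. The IP addresses and their listings are constructed sample data, and the model of one deny rule per list, evaluated top to bottom, is an assumption.

```python
"""Added example: how blocklist order skews per-list hit counts."""

# Constructed sample: which zones would list each connecting IP.
# IPs are documentation ranges; the listings are invented for illustration.
LISTINGS = {
    "192.0.2.10": {"sbl-xbl.spamhaus.org", "cbl.abuseat.org"},
    "192.0.2.11": {"sbl-xbl.spamhaus.org", "cbl.abuseat.org",
                   "combined.njabl.org"},
    "192.0.2.12": {"cbl.abuseat.org"},
    "198.51.100.7": {"combined.njabl.org"},
    "198.51.100.8": {"sbl-xbl.spamhaus.org"},
    "203.0.113.5": set(),  # listed nowhere, so never blocked
}

ORDER_A = ["sbl-xbl.spamhaus.org", "cbl.abuseat.org", "combined.njabl.org"]
ORDER_B = ["cbl.abuseat.org", "combined.njabl.org", "sbl-xbl.spamhaus.org"]


def dnsbl_query_name(ip, zone):
    """DNS name queried for an IPv4 address: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def first_match_counts(order, listings=LISTINGS):
    """Credit each blocked IP to the first zone in `order` that lists it.

    Assumed model: one deny rule per zone, evaluated top to bottom, so a
    zone further down never sees an IP that an earlier zone already rejected.
    """
    counts = {zone: 0 for zone in order}
    for zones in listings.values():
        for zone in order:
            if zone in zones:
                counts[zone] += 1
                break
    return counts


def total_blocked(order, listings=LISTINGS):
    """Number of IPs rejected by at least one zone; independent of order."""
    return sum(1 for zones in listings.values() if zones & set(order))


def unique_hits(order, listings=LISTINGS):
    """IPs caught by exactly one zone: a measure that ignores ordering."""
    counts = {zone: 0 for zone in order}
    for zones in listings.values():
        active = zones & set(order)
        if len(active) == 1:
            counts[next(iter(active))] += 1
    return counts


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", ORDER_A[0]))
    for name, order in (("A", ORDER_A), ("B", ORDER_B)):
        print(name, first_match_counts(order), "total:", total_blocked(order))
    print("unique:", unique_hits(ORDER_A))
```

With this sample the zone placed first is credited with three of the five blocks in either order, which is why a comparison needs each list to spend time at the top, or a count of unique hits.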
ak17_hk
01-03-2007, 11:29 AM
Hi Jeff,
Do I have to uncomment the following lines in exim.conf as instructed by DA guideline? Thanks.
# Spam Assassin
#spamcheck_director:
# driver = accept
# condition = "${if and { \
# {!def:h_X-Spam-Flag:} \
# {!eq {$received_protocol}{spam-scanned}} \
# {!eq {$received_protocol}{local}} \
# {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
# } {1}{0}}"
# retry_use_local_part
# transport = spamcheck
# no_verify
skruf
01-03-2007, 11:45 AM
Hey,
If you are referring to these instructions:
http://help.directadmin.com/item.php?id=36
Then, yes.
David
Remco00
01-03-2007, 12:54 PM
Jeff, thanks for your comments. Please take a look at this thread (http://www.directadmin.com/forum/showthread.php?s=&threadid=15391&highlight=combined.njabl.org) for info about njabl.org. Also info on their own site:
* Though dnsbl.njabl.org still contains lots of dialup/dynamic listings, no more are being added. All dialup/dynamic additions are being put into the dynablock.njabl.org zone, also available as part of combined.njabl.org.
About your question if it's real spam or just perceived spam: I know we did some monitoring before we implemented the dnslist changes and we did lose some spam coming through with it. The exact numbers however are lost somewhere.
jlasman
01-03-2007, 09:08 PM
Originally posted by ak17_hk
Do I have to uncomment the following lines in exim.conf as instructed by DA guideline? Thanks.
# Spam Assassin
Yes for all the lines except the one directly above, if and only if you have SpamAssassin installed on your server and want to use it.
skruf's response is good, but I wanted a specific answer in the thread for anyone searching through the archives.
Jeff
jlasman
01-03-2007, 09:09 PM
Originally posted by Remco00
Jeff, thanks for your comments. Please take a look at this thread (http://www.directadmin.com/forum/showthread.php?s=&threadid=15391&highlight=combined.njabl.org) for info about njabl.org. Also info on their own site
My gut feeling today is I'll use both the combined list and the old lists as well, in the final release.
Still testing.
Jeff
ak17_hk
01-04-2007, 10:41 AM
I found the following lines in the mail log.. not sure what went wrong... anyone got an idea for that? Thanks!
Jan 4 03:00:21 ns3 spamd[2220]: logger: removing stderr method
Jan 4 03:00:22 ns3 spamd[2222]: config: pyzor_path "/usr/bin/pyzor" isn't an executable
Jan 4 03:00:22 ns3 spamd[2222]: config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
Jan 4 03:00:22 ns3 spamd[2222]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server started on port 783/tcp (running version 3.1.7)
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server pid: 2222
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server successfully spawned child process, pid 2223
Jan 4 03:00:22 ns3 spamd[2222]: spamd: server successfully spawned child process, pid 2224
Jan 4 03:00:22 ns3 spamd[2222]: prefork: child states: II
jlasman
01-09-2007, 06:34 PM
You'd be better off asking SpamAssassin questions in a SpamAssassin thread. I neither use nor believe in using SpamAssassin, so I don't keep track of how it does/doesn't work.
I used SpamAssassin for years, but found I had two issues with it:
1) SpamAssassin takes spam and puts it into another mailbox, where you have to read it anyway to see if it's really spam. It uses a lot of resources on my server, and doesn't do a thing to the spammer, who is able to tell his client the spam was delivered, and get paid for delivering it.
2) Serious spammers run everything through the latest SpamAssassin rules before they send it, and they don't send it until it passes. SpamAssassin is always playing a game of catchup.
My opinion, of course.
Jeff
ak17_hk
01-10-2007, 08:20 AM
Hi Jeff,
So any good suggestions?! Thanks!
Anthony.
vandal
01-10-2007, 09:48 AM
How could we change the subject of the bounced message to the "spammer"? saying something like "** Message blocked by our junk mail filter**" or something along those lines
vandal
01-10-2007, 10:01 AM
Jeff,
I found this:
http://www.exim.org/exim-html-4.66/doc/html/spec_html/ch46.html
But of course I have no clue how to implement it.
jlasman
01-10-2007, 04:58 PM
That page is how to completely change the default message and its format when your exim notifies a server after the fact that it couldn't deliver a message it had already accepted. Which is behavior we try to avoid by blocking in realtime. You don't have to do that for messages sent by SpamBlocker, the message is included in your exim.conf file right after deny message =.
For example, if the message is blocked because you've got the sending domain in a blocklist, the error message returned in the log, and to the sending server is:
Email blocked by LBL - to unblock see http://www.example.com
You can find that line in your exim.conf file.
You have changed all occurrences of www.example.com to a page of your own where people can get unblocked, haven't you :) ?
You can change any of the messages to say whatever you want. You can even create multi-line messages, although i don't use them because many mailservers don't handle multi-line error messages properly.
Jeff
vandal
01-10-2007, 05:16 PM
OK sorry It does work. Here is a copy of what a bounceback looks like and to an average user it is pretty damn confusing, however this isn't the sorbs or other list blocking message, as this would be an on purpose ban but I remember the other messages were near as confusing as well.
Subject: Delivery Status Notification (Failure)
From: Mail Delivery Subsystem
Message:
his is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently:
justin@xxxxxxxx.com
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 9): 550 Administrative prohibition
----- Original message -----
Received: by 10.82.167.5 with SMTP id p5mr204690bue.1168475042128;
Wed, 10 Jan 2007 16:24:02 -0800 (PST)
Received: by 10.82.182.16 with HTTP; Wed, 10 Jan 2007 16:24:02 -0800 (PST)
Message-ID: <8d0ffdb70701101624h3086de12oa453a47ec2af38e3@mail.gmail.com>
Date: Wed, 10 Jan 2007 17:24:02 -0700
From: "Justin" <jxxxxxx@gmail.com>
To: justin@xxxxxxxxx.com
Subject: testing spam
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_22473_28118588.1168475042110"
------=_Part_22473_28118588.1168475042110
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
test
------=_Part_22473_28118588.1168475042110
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
----- Message truncated -----
vandal
01-10-2007, 05:39 PM
My Entire point is the message to a false positive is not user friendly for the average email user. It includes a lot of extra cryptic information that will just confuse them.
A great example is the barracuda spam filter that responds with something like this which alters the subject and displays a clear message before introducing extra information. Just my 2 cents on improving Spamblocker!
Subject: **Message you sent blocked by our bulk email filter**
From: MAILER-DAEMON
Your message to: xxxxxx@gmail.com
was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:
Subject: Hey bro, you really should check this out zagez
-------------- next part --------------
Skipped content of type message/delivery-status
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/rfc822-headers
Size: 755 bytes
Desc: Undelivered-message headers
Url : http://lists.osdl.org/pipermail/opendoc/attachments/20060411/00c23323/attachment.bin
jlasman
01-10-2007, 07:34 PM
I'm beginning to understand the problem.
Customizing Bounce Messages will only work for senders who send through your server. It won't affect senders who use (for example) hotmail or earthlink, and have their email refused by your server. That's up to the configuration of the bounce messages on their server.
However, there are NO changes you can make to this setting, anyway, which would resolve the problem.
The problem is that exim is NOT passing the error message it should, back to the sending server, or even to the logfile.
It does send it back properly for blocks based on blocklists, in those cases the error message defined in your exim.conf file should show up immediately following:
PERM_FAILURE: SMTP Error (state 9): 550 Administrative prohibition
I don't know why the problem exists; I've posted it on the exim-users list and I'm awaiting a reply.
Jeff
vandal
01-10-2007, 10:28 PM
All I know is spammers were using one of my email addresses and of course I would get the bounce back to my email account like:
Spammer forges my email to some other server. That server is running barracuda and sends the spam trap error back to me.
That's how I found out that they have much cleaner and nicer messages :) A lot easier for the average computer user to understand and really helps it adjusts the subject of the message.
miked
01-19-2007, 07:33 AM
Just wondering how far off this is from moving from Beta to Production? I am considering testing it but I do have a large qty of users and only want to install once.
Thanks,
Mike
interfasys
11-16-2007, 07:44 AM
Hello Jeff,
How far are we from a rc release now? ;)
Cheers,
jlasman
11-16-2007, 03:31 PM
I've got a bunch of stuff ready to do but I'm going on vacation next week and the week after. I should be able to get it out in December.
Jeff
interfasys
11-19-2007, 02:50 AM
Cheers Jeff!
@how@
03-17-2008, 08:54 AM
Nice work Jeff.
Wael
jlasman
03-27-2008, 04:36 PM
Months have passed, but I am getting closer to a release.
Jeff
icepick
04-07-2008, 02:25 AM
SpamBlocker3 exim.conf with ClamAV support has been tested with the ClamAV installation described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=10478), but with the latest version of ClamAV as described here (http://www.directadmin.com/forum/showthread.php?s=&threadid=16258).
I followed the instructions and things appear to be working semi, I downloaded the latest exim.pl and exim.conf and modified them using kdiff to see what had changed from my previous version.
It would appear that exim doesn't like the demime stuff, I had to hash it all out, what will this do and will it be a problem, see one of the errors:
2008-04-07 20:16:12 Exim configuration error in line 688 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
icepick
04-07-2008, 02:46 AM
Hi,
I just read post at http://www.directadmin.com/forum/showthread.php?s=&postid=50202#post50202 and it would appear demime is deprecated, is there a replacement for it?
I'm running freebsd and have just done a fresh install ( yesterday) of a brand new directadmin with the latest exim that came with it for freebsd 7. Do I need to download exim and compile it myself?
icepick
04-07-2008, 09:25 PM
All fixed, I managed to recompile exim with the correct option.
wallacetan
04-19-2008, 12:24 PM
$sender_helo_name should be checked at SMTP RCPT stage.
See url: http://www.exim-users.org/forums/archive/index.php/t-272.html
"Attempting a deny at the HELO stage in my experience has not worked... you
normally can get a good result at the RCPT ACL stage though."
rejecting based on HELO
http://www.gossamer-threads.com/lists/exim/users/20870?search_string=deny%20helo%20rcpt;#20870
HELO syntax check at RCPT
http://www.gossamer-threads.com/lists/exim/users/31266?search_string=deny%20helo%20rcpt;#31266
acl_check_helo:
#accept email originating on this server unconditionally
accept hosts = @[] : @
endpass
# DO NOT UNCOMMENT SECTION BELOW; IT IS IN WORK AND DOESN'T YET WORK PROPERLY
# deny condition = ${if and{\
# {isip{$smtp_command_argument}}\
# {match_ip{$smtp_command_argument}{@[]}}\
# } {yes}{no}}
# message = How can you possibly have my IP address?
# delay = 30s
# IF YOU CHECK FOR VALID HELO:
# UNCOMMENT THIS SECTION
# WARNING THIS IS UNTESTED AND MAY BREAK ABILITY FOR USERS TO SEND EMAIL THROUGH YOUR SERVER
# deny message = Single word server helo name ($sender_helo_name) rather than a FQDN.
# condition = ${if ! match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}}
# deny message = IP# server helo name ($sender_helo_name) rather than a FQDN.
# condition = ${if match {$sender_helo_name} {^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$|^\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\$} {yes}{no}}
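A way to try the two commented-out HELO patterns from the post above against sample names before enabling them, as an added example that is not part of the original post or of SpamBlocker. The patterns are transcribed as they read on the page, with `\$` taken as the end anchor; how Exim's own string expansion treats the other backslashes outside `\N...\N` is not modelled, and the sample HELO names and the `helo_verdict` helper are constructed for illustration.

```python
"""Added example: exercise the HELO patterns from the config excerpt."""
import re

# First rule: deny when the name does NOT match this pattern.
FQDN_RE = re.compile(r"^[^.].*\.[^.]+$")

# Second rule: deny when the name DOES match (bare or bracketed IPv4).
IP_RE = re.compile(
    r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"
    r"|^\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]$"
)


def helo_verdict(helo_name):
    """Return which rule would deny this HELO name, or 'accept'.

    The rules are tried in the order they appear in the excerpt.
    """
    if not FQDN_RE.search(helo_name):
        return "deny: single word"
    if IP_RE.search(helo_name):
        return "deny: IP as helo"
    return "accept"


# Constructed sample HELO names covering the edge cases of both patterns.
SAMPLES = [
    "mail.example.com",     # ordinary FQDN
    "localhost",            # no dot at all
    "192.0.2.25",           # bare IPv4: passes the first rule, fails the second
    "[192.0.2.25]",         # IPv4 address literal, valid HELO syntax in RFC 5321
    "[IPv6:2001:db8::1]",   # IPv6 literal: no dots, so reported as single word
    "example.com.",         # trailing dot: rejected by the first pattern
    ".example.com",         # leading dot
    "x.y",                  # syntactically fine, says nothing about DNS
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22} {helo_verdict(name)}")
```

The bracketed address literals are the case the excerpt's own warning applies to: clients that legitimately announce themselves that way would be refused once the section is uncommented.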
Months have passed, but I am getting closer to a release.
Jeff
Hello Jeff,
Any idea of when a final release will be available?
Jon
jlasman
09-19-2008, 12:55 PM
I'm working with John this month on some recent changes. Soon? Soon.
Jeff