Open Relay - Masses of Spam being sent



XYZed
05-08-2004, 09:37 PM
Hi,

I've got 1 user whose username, for some reason, masses of spam are being sent through. The mail account isn't used; I've changed permissions and owners for it in an attempt to stop the spam going through.

I was using the default exim.conf and I've tried a variety of others and to no avail. If I test any DirectAdmin server via http://www.abuse.net/relay.html they all get the email that should not come through.

I've started running out of ideas, here's some info that may help:

2004-05-09 13:24:57 Received from username@host.name.com U=username P=local S=9175
2004-05-09 13:24:58 caprice377@www.customersdomain.com R=lookuphost defer (-1): remote host address is the local host
2004-05-09 13:24:59 otterheim@aol.com R=lookuphost T=remote_smtp: SMTP error from remote mailer after initial connection: host mailin-01.mx.aol.com [64.12.1$
** Then a thousand other lines of AOL users.

------ This is a copy of the message, including all the headers. ------

Return-path: <username@host.name.com>
Received: from username by host.name.com with local (Exim 4.24)
id 1BMYHb-00015v-Lb; Sun, 09 May 2004 06:18:51 +1000
To: michael696@www.customerdomain.com
From:
To: michael696@www.customerdomain.com
From: FriedrichHuntil461@kiwinet.com
Content-Type: multipart/alternative; boundary=E3hCLnHuss0S
Subject: Your chance to get in on the bottom of an amazing company Sy656V
K6R /xiVzC ddG5yE RnJcHb weLJ Message-Id:
<E1BMYHb-00015v-Lb@bne-jazz.web-host.com.au>
Date: Sun, 09 May 2004 06:18:51 +1000

--E3hCLnHuss0S
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

r7W kAJr0 O1 r KVme rE
7dTX3rm E7zofzEu hNrZyesx4BU gq2PQx1J G zCvi ktIUmgPdvyV9
suqhq8NlE6qi YOqlLJu1 6fE4PJ 5 ejCaIUzG dI
c7XP
44yug2Qp7NWFWQSxh2KX 35T
5j p0SuQW Z3
T X j KZLg9 9LWQpC EQjKDRoG4vyQKuE D5H2iO R x JUj1V UyQ5BRjKY co7Z1dR
uHhS QbV
c8C5
Xo
I Th yJDi s
--E3hCLnHuss0S
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

2004-05-09 13:25:00 Received from <> R=1BMevx-0000HC-VN U=mail P=local S=295509
2004-05-09 13:25:00 routing failed for username@host.name.com: Unrouteable address
*** Frozen (delivery error message)


1BMew0-0000HP-Bz-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

ohsiedward@aol.com
SMTP error from remote mailer after initial connection:
host mailin-04.mx.aol.com [205.188.156.57]: 554-(RLY:B1) The information presently available to AOL indicates this
554-server is generating high volumes of member complaints from AOL's
554-member base. Based on AOL's Unsolicited Bulk E-mail policy at
554-http://www.aol.com/info/bulkemail.html AOL may not accept further
554-e-mail transactions from this server or domain. For more information,
554 please visit http://postmaster.info.aol.com.


It goes on and on - Only 1GB worth of spam so far :-(


Changing things in exim.conf did stop them for a while and abuse.net tests did fail (fail - being the good thing), but soon after it was back to doing it again. I've also upgraded to Exim 4.32 - still the same.

It is only 1 account that is sending the spam out.

Any Ideas ????

Thanks.

DirectAdmin Support
05-08-2004, 10:48 PM
Hello,

Could it be possible that the user sending the mail has access to the server? If the mail is being sent from the server itself (script on the machine) then relaying won't have any effect on it.

The /etc/virtual/pophosts file will add all IPs that have accessed their pop accounts within the last 30 minutes. This method is slightly presumptuous because if a user is using a proxy, any other user who uses that proxy will be granted relaying privileges. You can disable the pophosts file by editing /etc/exim.conf and changing

hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

to

hostlist relay_hosts = 127.0.0.1

Note that all users would then be forced to use smtp authentication.

If relaying continues, then either he has a password for the account, or else the mail is being sent from a script on the server itself.

John

XYZed
05-09-2004, 01:12 AM
Hi John,

Yes I have kept my eye on /etc/virtual/pophosts and looked up every IP address and they have always been valid.

As for the internal script, I have been looking but will be looking harder since it is straight from localhost and not coming in from anywhere.

I'll let you know what I find.

Thanks.

resolveit
04-03-2005, 07:46 AM
Do you have AWStats installed?
Check your server /tmp directory for executable files. especially a telnetd file.

Let us know what you find.

Regards,
Onno Vrijburg

filth
11-25-2005, 10:18 AM
Sorry to bump such an old thread, but does making the /etc/exim.conf change stop the server acting as an open relay?

I myself have tried the relay test at abuse.net and received the email (on a fresh install of the server)

Chrysalis
11-25-2005, 01:33 PM
30 minutes seems very generous; I may change this on my servers.

jjma
11-26-2005, 03:57 AM
Where would you change it?

Jon

sky
12-09-2005, 04:03 AM
Hello

I have the same problem.
I am not blacklisted yet at AOL, but soon ^^

I'm receiving this type of email (like 500 a day) :

Spam detection software, running on the system "server.e-aide.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: This is an automatically generated Delivery Status
Notification. Delivery to the following recipients failed.
madlene.dole@cpgmarket.com [...]

Content analysis details: (17.3 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.0 NO_REAL_NAME From: does not include a real name
0.5 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 0.9999]
1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: anpowele.com]
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: anpowele.com]
2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: anpowele.com]
4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: anpowele.com]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.




Subject:
Spam: Delivery Status Notification (Failure)
From:
postmaster@cpgmarket.com
Date:
Fri, 9 Dec 2005 12:50:49 +0100
To:
psg@graphiks.net

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

madlene.dole@cpgmarket.com





Reporting-MTA: dns;mail.cpgmarket.com
Received-From-MTA: dns;cpggw5.dmz.cpgmarket.com
Arrival-Date: Fri, 9 Dec 2005 12:50:49 +0100

Final-Recipient: rfc822;madlene.dole@cpgmarket.com
Action: failed
Status: 5.1.1



Subject:
Spam: The Ultimate Online Pharmaceutical
From:
Doctor <psg@graphiks.net>
Date:
Thu, 08 Dec 2005 19:59:35 -0600
To:
Madlene <madlene.dole@cpgmarket.com>

Vliagra - $3.3
Leovitra - $3.3
Citalis - $3.7
Imimtrex - $16.4
Flovmax - $2.2
Ulttram - $0.78
Vixoxx - $4.75
Amfbien - $2.2
Valieum - $0.97
Xaknax - $1.09
Somka - $3
Mersidia - $2.2


visit our website


Best regards,
Online Pharmaceuticals

gdgsdegnsq XFNXWFBfVx1QWl1Xc1dFVl9SRl5URh1XWlw=

Of course SpamAssassin sees that it is spam ... but was this email first sent by me?
Or is someone just using this domain to spam?

I have set hostlist relay_hosts = 127.0.0.1
... but it is still going on ...

Can I deactivate SMTP? I don't want people using SMTP on this server.
But if I cut SMTP off, will POP still work?

Thx for any help or ideas!
Sky

ps: before, I did receive lots of these emails from Online Pharmaceuticals, but I just filtered that keyword from emails. And now, it seems to be sending them with my server ...

jjma
12-09-2005, 04:19 AM
This thread might interest you. Click Here (http://www.directadmin.com/forum/showthread.php?s=&threadid=8393)

Also, it might be worth checking that you have no forms on the site that can be used by spammers/robots by hacking the header tags. I had a few and have patched my forms. ...

regards

Jon

sky
12-09-2005, 04:27 AM
Hi jjma
The idea of spam via forms is not bad!
I'll check them out.

Thx
Sky

jjma
12-09-2005, 04:48 AM
Believe it! Spammers like form exploits.

Jon

sky
12-09-2005, 07:41 AM
jjma ...
what do you mean by patching?

I have a form that sends me an email when someone contacts me. (No email is in the HTML source.)
I don't understand how someone can hack the headers and send the email to someone else ...

Sky

jjma
12-09-2005, 08:01 AM
It depends how you created the form, to be able to answer your question. However, I can send you a link from another form builder who has written about this exploit.

Click here for web site (http://scripts.dbmasters.net/forum.php?id=79&tid=3773)

Jon

P.S his form is pretty good as well.
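The "hacking the header tags" that jjma refers to is e-mail header injection: a contact form pastes a visitor-supplied field straight into the message headers, so a field containing CR/LF and extra header lines turns the form into a spam relay. The following is an added example, not code from this thread or from the form builder jjma links to; all addresses are constructed, and the vulnerable builder mimics the classic PHP-style mail($to, $subject, $body, "From: $email") pattern in Python.

```python
"""Added example: e-mail header injection through a contact form, and one
way to harden the form. Not code from the thread; addresses are constructed."""
import email
import re
from email.utils import parseaddr

SITE_OWNER = "owner@example.com"      # where the form normally delivers (constructed)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_message_vulnerable(sender, subject, body):
    """Visitor fields concatenated straight into the header block.

    This is the shape of the unpatched forms: whatever the 'email' field
    contains, line breaks included, lands in the headers the MTA reads."""
    headers = (
        f"To: {SITE_OWNER}\r\n"
        f"From: {sender}\r\n"
        f"Subject: {subject}\r\n"
    )
    return headers + "\r\n" + body + "\r\n"


def build_message_hardened(sender, subject, body):
    """Refuse any field that cannot be a single, well-formed header value.

    Two independent checks: no header value may contain a line break, and the
    sender must be one bare address. Either alone stops this injection."""
    for field in (sender, subject):
        if "\r" in field or "\n" in field:
            raise ValueError("line break in header field")
    if not EMAIL_RE.match(sender) or parseaddr(sender)[1] != sender:
        raise ValueError("malformed sender address")
    return build_message_vulnerable(sender, subject, body)


def delivery_recipients(raw):
    """Recipients an MTA invoked sendmail -t style would deliver this to."""
    msg = email.message_from_string(raw)
    rcpts = []
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            rcpts.extend(a.strip() for a in value.split(",") if a.strip())
    return rcpts


# Constructed attacker input: a plausible address followed by injected header lines.
INJECTED_SENDER = (
    "bob@example.net\r\n"
    "Bcc: victim1@example.org, victim2@example.org\r\n"
    "Subject: The Ultimate Online Pharmaceutical"
)


def demo():
    """Returns (recipients the vulnerable form delivers to, whether the hardened form refused)."""
    raw = build_message_vulnerable(INJECTED_SENDER, "Contact form", "hello")
    exploited = delivery_recipients(raw)
    try:
        build_message_hardened(INJECTED_SENDER, "Contact form", "hello")
        blocked = False
    except ValueError:
        blocked = True
    return exploited, blocked


if __name__ == "__main__":
    rcpts, blocked = demo()
    print("vulnerable form delivers to:", rcpts)
    print("hardened form rejected the input:", blocked)
```

The vulnerable builder delivers the visitor's message to the owner and to both injected Bcc recipients, with the spammer's Subject line replacing the form's. Filtering the few characters that can start a new header line (CR and LF) is what the "patching" of a form amounts to; the strict address pattern is a second, cheaper line of defence that also rejects display-name tricks.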

Chrysalis
12-09-2005, 08:07 AM
I have had a couple of bounce emails sent out to me with spam originating from 2 of my domains, one being majordomo@domain.com, and I checked DA and no majordomo is set up, so I think it could possibly be spoofing email addresses.

sky
12-09-2005, 12:14 PM
Ok, I understand more now. I think some are possible to spam ...

For majordomo: I'll turn it off to see.

Thx for your replies ;)

I'm repeating myself, but I really like this DA forum. It's "adult" ... and pro, :cool: but you stay cool, and that's nice :p

Sky

sky
12-11-2005, 05:10 AM
Hello again.

Well, I have found 2 forms on another server that were spammed :)

But for the domain graphiks.net, I can't find a form that has been spammed, and I have now added filtering for all forms when an email is sent.

I'm still receiving a lot of spam. Perhaps a little less, I'm not sure. Always the same type.

I'll try and deactivate mail to see if that stops the spam ...

Spam is a real problem. Damn it.

nobaloney
12-11-2005, 07:25 PM
Originally posted by filth
Sorry to bump such an old thread, but does making the /etc/exim.conf change stop the server acting as an open relay?
Making that change will stop all relaying through the server for anyone who doesn't login to the smtp server.

exim as installed in DA is not an open relay.

I myself have tried the relay test at abuse.net and received the email (on a fresh install of the server)
Where did you find a test on abuse.net?

I just looked and can't find one.

Jeff

nobaloney
12-11-2005, 07:31 PM
Originally posted by sky
I'm receiving this type of email (like 500 a day)
Nothing in your quoted email indicates it was sent by your server. Lots of servers are misconfigured and send you spam reports because your return address was in the spam even if it didn't come from your server.

To see if it was coming from your server you have to have the headers in the email as received by the server sending it to you. If you had that, then you didn't show it to us.

but was this email first sent by me?
Or is someone just using this domain to spam?
Perhaps. Without the headers we can't tell.

I have set hostlist relay_hosts = 127.0.0.1
... but it is still going on ...
Did you restart exim after you made the change? Personally I don't see what this would stop.

And in any event it won't stop spam from originating on the server, perhaps by php injection.

Can I deactivate SMTP? I don't want people using SMTP on this server.
But if I cut SMTP off, will POP still work?
POP will still work. What won't work is any kind of notification to you, for example, by any daemons. And of course forms on your server that rely on SMTP won't work.

And since many forms don't rely on SMTP but rather call exim (through the SMTP alias) directly, they can still send spam.

So similarly to the change you've already made, it will cut your system functionality without blocking any appreciable amount of spam that is coming from your server.

Most likely if you are sending the spam it's coming from compromised PHP scripts.

Jeff

sky
12-12-2005, 01:05 AM
Ok, thx for that.
Ill check all that out and see.

Sky

Atari
01-23-2006, 07:43 PM
Originally posted by jlasman

Where did you find a test on abuse.net?

I just looked and can't find one.

Jeff

I am digging up old posts on "Open Relay" because we just did the dovecot upgrade and tested at abuse.net, which failed the very first test and passed the email through :(

The relay test is here:

http://www.abuse.net/relay.html

hostpc.com
01-24-2006, 03:27 AM
I had the same result with abuse.net - however...

abuse.net is the only one reporting an open relay - either they're right and 4 others are wrong, or they've got a unique test that's right when nobody else is.

Doesn't make any sense.

hostpc.com
01-25-2006, 12:38 PM
Ok, this is directed to Jeff - as you're the last person to modify exim.conf.

This version of the spamblocked exim.conf does INDEED appear to cause an OPEN RELAY - tested at abuse.net and njabl.org

http://article.gmane.org/gmane.mail.exim.user/57603



> mmm, relay_domains is local_domains + localhost? Do you *relay* for
> localhost??

I think we do... The exim.conf file was written specifically for use in
a webhosting environment (DirectAdmin). We don't control how
webhosting clients inject mail from the server. If they inject using
the sendmail alias we're not relaying their email. But if they inject
using smtp, I believe exim sees it as relaying.


Can you elaborate on that more?

The specific relay is:


Received: from rt2.njabl.org ([69.28.95.4])
by www29.hostpc.com with esmtp (Exim 4.52)
id 1F1njG-0000C2-5z
for relaytest@rr.njabl.org; Wed, 25 Jan 2006 11:42:42 -0500
X-RT-Subject: relaytest: 199.237.54.174
X-RT-From: relaytestsend@hostpc.com
X-RT-To: relaytest@rr.njabl.org
From: relaytestsend@rt.njabl.org
To: relaytest@rr.njabl.org


This needs to be addressed as it's a severe security issue

resolveit
01-25-2006, 02:04 PM
Originally posted by Atari
I am digging up old posts on "Open Relay" because we just did the dovecot upgrade and tested at abuse.net, which failed the very first test and passed the email through :(

The relay test is here:

http://www.abuse.net/relay.html

I used this same URL on machines with dovecot installed and machines still using the old mbox format and at test 12 the test is terminated in all cases due to abuse.net sending too many non-mail commands in test 12. All tests 1-11 pass on all machines, no relaying on my machines...

I use the latest exim.conf (2.0) and for dovecot I upgraded to the latest exim.conf before patching the exim.conf file with the dovecot code.

Regards.

hostpc.com
01-25-2006, 02:46 PM
Are you using the spamblocked version - ours is the latest version - that's the only change to it

DirectAdmin Support
01-25-2006, 03:03 PM
Hello,

My favorite method of testing for an open relay.. is to test for an open relay.
[root@server root]# telnet your.host.com 25
Trying 1.2.3.4...
Connected to your.host.com.
Escape character is '^]'.
220 your.host.com ESMTP Exim 4.60 Wed, 25 Jan 2006 17:35:16 -0600
HELO bob
250 your.host.com Hello my.host.com [2.3.4.5]
mail from: no@body.com
250 OK
rcpt to: real@email.com
550 authentication required
QUIT
221 your.host.com closing connection
Where you must be telnetting from a machine that does not check a pop/imap account on your.host.com (such that the IP is not in the pophosts file), and is not from 127.0.0.1 (to make sure it's a total stranger).

Note the 550 error..

If you run a test that shows that it's an open relay, by all means paste us the output (or email it to me); I'd want to see it. I'd also want to try out this manual test on it. I've used the above mentioned testing program, but didn't get an open relay (exim booted the connection on the 12th test).

John

hostpc.com
01-25-2006, 03:06 PM
# telnet mail.hostpc.com 25
Trying 199.237.54.179...
Connected to mail.hostpc.com (199.237.54.179).
Escape character is '^]'.
220 www0.hostpc.com ESMTP Exim 4.54 Wed, 25 Jan 2006 18:01:07 -0500
HELO pete
250 www0.hostpc.com Hello ns4a.8-95.com [216.180.238.239]
mail from: no@body.com
250 OK
rcpt to: joe@hostpc.com
250 Accepted

DirectAdmin Support
01-25-2006, 03:08 PM
Hello,

is hostpc.com ON the www0.hostpc.com ??

(ie hostpc.com in the /etc/virtual/domains file)

If so, that's not a valid test because exim is supposed to accept local email ;)

Make sure you're sending the mail to an outside email address that is not on www0.hostpc.com

John

hostpc.com
01-25-2006, 03:08 PM
Received: from www29.hostpc.com (www29.hostpc.com [199.237.54.174])
by rt.njabl.org (8.11.6/8.11.6) with ESMTP id k0NHXkG28382
for <relaytest@rr.njabl.org>; Mon, 23 Jan 2006 12:33:47 -0500
Date: Mon, 23 Jan 2006 12:33:47 -0500
Received: from before-reporting-as-abuse-please-see-www.njabl.org ([209.208.0.15] helo=rt.njabl.org)
by www29.hostpc.com with esmtp (Exim 4.52)
id 1F15ZW-0006py-Fq
for relaytest@rr.njabl.org; Mon, 23 Jan 2006 12:33:45 -0500
X-RT-Subject: relaytest: 199.237.54.174
X-RT-From: relaytestsend@hostpc.com
X-RT-To: relaytest@rr.njabl.org
From: relaytestsend@rt.njabl.org
To: relaytest@rr.njabl.org
Message-id: <1138037622.27950.0@rt.njabl.org>
Subject: relaytest: 199.237.54.174

Perhaps someone either needs to explain to njabl.org and abuse.net what an open relay is - or there's an issue here someplace...

DirectAdmin Support
01-25-2006, 03:10 PM
eg:
[root@localhost root]# telnet www0.hostpc.com 25
Trying 199.237.54.179...
Connected to www0.hostpc.com.
Escape character is '^]'.
220 www0.hostpc.com ESMTP Exim 4.54 Wed, 25 Jan 2006 18:04:09 -0500
HELO bob
250 www0.hostpc.com Hello bob [199.237.54.170]
mail from: no@body.com
250 OK
rcpt to: support@directadmin.com
550 authentication required
QUIT
221 www0.hostpc.com closing connection
John

hostpc.com
01-25-2006, 03:11 PM
why are you testing www0 - that has nothing to do with this one...

DirectAdmin Support
01-25-2006, 03:13 PM
mail.hostpc.com and www0.hostpc.com both resolve to 199.237.54.179.. shouldn't matter. Am I missing something?

I just tested the 199.237.54.174 IP.. same "auth required" result.

John

hostpc.com
01-25-2006, 03:15 PM
Someone's missing something - and at this point it's customers email.

Abuse.net and NJabl both show open relay and are filtering this servers IP address because of it.

I'm not professing to be a mail expert, but something isn't right. WHY would they think it's open - they showed by example it's open, yet your test shows closed. Who's wrong/correct here, and why?

DirectAdmin Support
01-25-2006, 03:24 PM
Hello,

I tested your machine with their tester script and see what you mean now. I *did* get an email from them, meaning it's open, but only on the 5th test, when the from address was @hostpc.com .... I immediately tested the same method on our systems, but it didn't get through. Might be an issue with the exim.conf you're using.... hard to say for sure.


Relay test 5
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@hostpc.com>
<<< 250 OK
>>> RCPT TO:<support@directadmin.com>
<<< 250 Accepted
>>> DATA
<<< 354 Enter message, ending with "." on a line by itself
>>> (message body)
<<< 250 OK id=1F1tna-0007sD-PJ
Try installing the default to see if it changes anything:
http://help.directadmin.com/item.php?id=51

John

hostpc.com
01-25-2006, 03:25 PM
Are those instructions valid for dovecot?


Thanks John - I was beginning to think I was los... never mind :)

DirectAdmin Support
01-25-2006, 03:27 PM
Hello,

You'd need to re-patch:

cd /usr/local/directadmin/customapache
patch -p0 < exim.conf.dovecot.patch

John

nobaloney
01-25-2006, 03:36 PM
I believe this is the answer; please let me know by immediate telephone or email if I'm wrong.

If I'm right, then this could be why some people are reporting an open relay while some do not.

Originally posted by hostpc.com
Ok, this is directed to Jeff - as you're the last person to modify exim.conf.

This version of spamblocked exim.conf does INDEED appear to cause an OPEN RELAY - tested at abuse.net and njrbl.org

http://article.gmane.org/gmane.mail.exim.user/57603
Is your own domain whitelisted?

If your own domain is whitelisted then some open relay tests will see you as an open relay.

If your domain is whitelisted, then please unwhitelist your own domain and try the relay test again.

And let me know immediately by telephone or email.

And please let me know which version of exim.conf you're using; If you post the second line of the file that will be helpful.

Thanks.

Jeff

hostpc.com
01-25-2006, 05:31 PM
Yes, hostpc.com is whitelisted on all servers

nobaloney
01-25-2006, 06:56 PM
That's the problem.

You're not an open relay. But you are relaying any email with a return address of your domain.

And one of those tests is a test to see if mail from your domain will be relayed. It will, because by whitelisting it you told your server it's okay to relay it.

I recommend not whitelisting your entire domain but instead whitelisting only specific usernames at your domain.

Jeff

Aspegic
01-26-2006, 12:32 AM
Maybe his server isn't an open relay in the traditional sense of the word, but it is still exploitable. I assume there is a reason why abuse.net included it as one of their tests. If they do, so could spammers scanning for mail servers to exploit. Removing the host from whitelist_domains may solve the problem, but I feel that it is a hole that should be plugged, or at the very least a bit more text should be added to the spamblocker readme.

Maybe listings in whitelist_domains should only apply to RCPT TO addresses but not to MAIL FROM addresses? After all, RCPT TO addresses must be real addresses or the mail would not be delivered, but MAIL FROM addresses can be fake.
Or maybe the mail server itself should be excluded (or ignored) if it is listed in whitelist_domains?
Or maybe some combination of the two? (just thinking out loud)

Atari
01-26-2006, 08:15 AM
Originally posted by hostpc.com
Someone's missing something - and at this point it's customers email.

Abuse.net and NJabl both show open relay and are filtering this servers IP address because of it.

I'm not professing to be a mail expert, but something isn't right. WHY would they think it's open - they showed by example it's open, yet your test shows closed. Who's wrong/correct here, and why?


Run the test again using an account not on the system.... like a gmail/hotmail/yahoo account.


If you use an email account that is ON the system... then it will "Relay" the message to any domain _on that server_ but it wont relay (in the true sense of the word) any mail THROUGH the server to another email account on another server.

nobaloney
01-29-2006, 06:27 PM
Originally posted by Aspegic
Maybe his server isn't an open relay in the traditional sence of the word, but it is still expoitable. I assume there is a reason why abuse.net included it as one of their tests. If they do, so could spammers scanning for mail servers to exploit.
And they do. Which is why abuse.net includes the test.

Removing the host from whitelist_domains may solve the problem, but I feel that it is a hole that should be plugged, or at the very least a bit more text should be added to the spamblocker readme.
The hole exists for any domain in whitelist_domains, because if you put a domain in whitelist_domains what you're telling the system is to allow any email from the domain to be relayed. That's not a problem for most domains because spammers generally don't know which domains are whitelisted for which server.

For example, if you whitelist example.com on your server, then I can send email with a from address of example.com to anyone in the world, through your server. But it's doubtful I'd ever know that.

Maybe listings in whitelist_domains should only apply to RCPT TO addresses but not to MAIL FROM addresses?
Sure but that's not the intent. The intent of whitelist_domains isn't to allow mail to domains but with return addresses from domains.

Perhaps whitelist_domains is too insecure for me to include it? The main reason we allow it is because a lot of admins really don't know how to determine which servers a domain uses, so they can't use whitelist_hosts.

Or perhaps you want to get mail from all the users of example.net, but the people all send email from their homes.

Perhaps the best bet is to only allow it to be used for delivery on the server. So do some studying and tell me what the change needs to be, and I'll implement it so it only accepts whitelists for delivery on the server :) .

Or maybe the mail server itself sould be excluded (or ignored) if it is listed in whitelist_domains?
I have no idea what you mean. Can you explain?

Thanks.

Jeff

nobaloney
01-29-2006, 06:29 PM
Originally posted by Atari
If you use an email account that is ON the system... then it will "Relay" the message to any domain _on that server_ but it wont relay (in the true sense of the word) any mail THROUGH the server to another email account on another server.
I believe it will, and I'm looking into fixing that hole.

Jeff

keefe007
03-17-2006, 08:41 AM
Did you ever fix this bug?

nobaloney
03-18-2006, 05:32 PM
We still recommend not putting domain names hosted on the server into the whitelist.

We have a fix as of yesterday which we'll test over the next week before releasing it.

Jeff

gcypher
06-09-2006, 10:04 AM
Hi, am sorry to bump in like this but yesterday i downloaded the fresh exim.conf copy from files.directadmin.com
and exim was configured as an open relay again, so I needed to change the auth_hosts line again.

xemaps
06-09-2006, 12:18 PM
There are bugs in DA with the spamblocker exim.conf.
Example:
- alias spam received as per-user spambox,
could not catch spam mail
(I will try a fix from John this weekend - the first fix had no success)
- DNS RBL seems not to work: does not reject messages.
- IP blocklist doesn't seem to work

nobaloney
06-14-2006, 05:55 PM
gcypher,

The SpamBlocker exim.conf file (Version 2) absolutely does NOT configure exim as an open relay.

But YOU can configure it as an open relay by simply whitelisting domains that exist on your server. I've already written to not do that. I've not been successful in managing a workaround.

I don't know what you mean by changing auth_hosts as there's no other reference to auth_hosts in this thread.

xemaps,

I'm not sure what you mean.

- alias spam received as per-user spambox,
could not catch spam mail
The SpamAssassin code was written by DirectAdmin; John will need to work with you on the fix. SpamAssassin and SpamBlocker code are both in the exim.conf file, because DA by default includes SpamAssassin, but I don't believe in SpamAssassin and generally don't use it.

- dns rbl seems not work : not reject messages.
I'm not sure what you mean. All the blocklists we use are DNS based. Which one isn't rejecting messages?

- ip blocklist doesn't seem to work
Again, I'm not sure what you mean.

The spamblocker exim.conf file works for many of us including for many of our servers.

We block thousands of emails daily. Please give me an example of something that doesn't work, so I can fix it.

Thanks.

Jeff

xemaps
06-15-2006, 10:30 AM
Jeff,

1. Setting up a forwarded mailbox with SpamAssassin on: spam stays in the user_spam directory and grows; in fact it should be added to the forwarded mailbox, or at the user's choice in the DA panel.
SA in the panel is set up to redirect to user_spam.
There is no normal way to unblock/move the spam in the DA panel.

But later I found an alternative solution from John here:
http://www.directadmin.com/forum/showthread.php?s=&threadid=12039&perpage=20&pagenumber=2

2. I use SpamAssassin

exim.conf => this doesn't work:
# deny using spamcop
deny message = Email blocked by SPAMCOP
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net

this works:
# dnslists contains * bl.spamcop.net and other rbl
deny message = $sender_host_address is blacklisted at $dnslist_domain\n$dnslist_text
!authenticated = *
dnslists = ${lookup{${lc:$local_part@$domain}}lsearch*@{/etc/virtual/dnslists}}
delay = 20s

so I can now reject messages before accept
I had 90% spam by volume, now 20% but only 10% volume

3. I added IPs to bad_sender_hosts
these are not rejected. Don't know why

It's not easy for me to understand how to make SA/exim work well. Sorry for my very bad English.

nobaloney
06-15-2006, 02:54 PM
Originally posted by xemaps
exim.conf => this doesn't work :
# deny using spamcop
deny message = Email blocked by SPAMCOP
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net
I don't know why it doesn't work for you. It works with the standard exim.conf SpamBlocker version 2 file provided with DirectAdmin, the one that begins with this line:

SpamBlocker.exim.conf.2.0-release


this work :
# dnslists contains * bl.spamcop.net and other rbl
deny message = $sender_host_address is blacklisted at $dnslist_domain\n$dnslist_text
!authenticated = *
dnslists = ${lookup{${lc:$local_part@$domain}}lsearch*@{/etc/virtual/dnslists}}
delay = 20s
If the above works then you've made some changes to your DA configuration. Which is fine, no one says you have to use the default. But the default definitely works. Checking my rejectlog on one of my servers, it's worked 872 times in the last 3-1/2 days.

so i can now reject message before accept
Which our code does in the standard exim/DirectAdmin configuration.

If it doesn't work for you it's possible you didn't populate the /etc/virtual/use_rbl_domains file.

Jeff

xemaps
06-15-2006, 03:22 PM
Jeff,

I use this file 2.0 from DA but it never worked, I don't know why.
So I added some ACLs and settings from the internet and now spam is very small, even server load.
I also erased some inoperative ACL rules with RBLs after looking at the logs.

Didn't know how to populate the files, found no manuals.

I made a few changes this week again, and with BLs & more ACL rules I receive fewer viruses. These are my results for one domain until now:

--CWEEK--
spam:205
ham:1026
rejected:3385
-virus:92
-rbl blacklist:1092

--LASTW--
spam:523
ham:1014
-rejected:4285
-virus:578

-- W-2 --
spam:522
ham:1024
rejected:4258
-virus:720

-- W-3 --
spam:544
ham:863
rejected:3437
-virus:474

-- W-4 --
spam:477
ham:1269
rejected:4003
-virus:467

notice that I additionally classify spam from hotmail, msn, *mail.*, aol by blacklist (sa=100)

this domain has never had so much spam in its spambox, even filtered by SpamCop itself with all BLs activated (account $30/year)

I will try to understand SA a little more to have better results.

mbaboo
08-23-2006, 11:44 PM
Hello,

This is still an issue and caused massive headaches for me.

My DA server was rejecting all mail from Gmail. Apparently some of Gmail's servers are blacklisted on some of the blacklist services that SpamBlocker uses. So Spamblocker was rejecting valid emails from Gmail accounts.

So I used the "whitelist_domains" file. I added gmail.com, yahoo.com and all other domains that I knew NOT to be spammers.

I wanted all mail from these domains to pass through the Spam Blocker filters and arrive in my Inbox. So far so good. That works fine.

Problem is that someone started to relay spam through my server. They pretended to be mailing from yahoo by sending a spoofed yahoo.com "From" address; DA accepted the email, no questions asked, AND **relayed** it anywhere. That is the problem. Those mails should pass Spamblocker but it should fail the relaying.

In the end my server ran out of inodes due to the million odd message in the exim queue. I eventually had to remove my whitelist_domains file to rectify the problem.

The solution as I see it is for domains listed in whitelist_domains to be allowed ONLY for local delivery. Anything else must fall through to the next test. Which means local users will pass because they are authenticated or are in the pop_hosts file. Other unauthorised users will fail.

Does this make sense? Anyone not agree?


Regards,

Mustapha
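
To make the ordering problem concrete, here is an added Python model of the recipient-time ACL; it is not code from SpamBlocker or DirectAdmin. The domain names, client addresses and the "blocklisted" IP are constructed, and the whitelist is assumed to contain gmail.com and yahoo.com as described in the post. It compares an ACL that accepts whitelisted sender domains before any relay test with one that honours the whitelist only for recipients in local domains, the fix proposed above.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.net"}                 # assumed: domains hosted on this server
WHITELIST_DOMAINS = {"gmail.com", "yahoo.com"}  # assumed contents of whitelist_domains
RELAY_HOSTS = {"192.0.2.50"}                    # constructed: a pop_hosts / relay_hosts entry
RBL_LISTED = {"192.0.2.10"}                     # constructed: a Gmail outbound IP on a blocklist


@dataclass
class Session:
    sender: str          # envelope MAIL FROM
    recipient: str       # the RCPT TO being tested
    host_ip: str         # connecting client address
    authenticated: bool  # SMTP AUTH succeeded


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def common_tail(s: Session) -> str:
    """The checks after the whitelist: relay hosts and authenticated users skip the
    blocklists and may relay; everyone else is accepted only for local domains."""
    if s.host_ip in RELAY_HOSTS or s.authenticated:
        return "accept"
    if s.host_ip in RBL_LISTED:
        return "deny: blocklisted"
    if domain_of(s.recipient) in LOCAL_DOMAINS:
        return "accept"
    return "deny: relay not permitted"


def acl_whitelist_first(s: Session) -> str:
    """'accept senders = *@<whitelisted>' placed before any relay test: a remote
    recipient is accepted as well, which is the relay described in the post."""
    if domain_of(s.sender) in WHITELIST_DOMAINS:
        return "accept"
    return common_tail(s)


def acl_whitelist_local_only(s: Session) -> str:
    """The proposed fix: the whitelist only bypasses the blocklists, and only when
    the recipient is in a domain we host; anything else falls through."""
    if domain_of(s.sender) in WHITELIST_DOMAINS and domain_of(s.recipient) in LOCAL_DOMAINS:
        return "accept"
    return common_tail(s)


SESSIONS = {  # constructed sessions
    "real gmail user, listed IP, local recipient":
        Session("alice@gmail.com", "bob@example.net", "192.0.2.10", False),
    "spoofed gmail sender, remote recipient":
        Session("x@gmail.com", "victim@aol.com", "203.0.113.7", False),
    "authenticated local user, remote recipient":
        Session("bob@example.net", "friend@aol.com", "203.0.113.7", True),
    "stranger, remote recipient":
        Session("x@spam.example", "victim@aol.com", "203.0.113.7", False),
}


def run(acl) -> dict:
    """Evaluate one ACL variant over every constructed session."""
    return {name: acl(s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    first, local = run(acl_whitelist_first), run(acl_whitelist_local_only)
    for name in SESSIONS:
        print(f"{name}: whitelist-first={first[name]}, local-only={local[name]}")
```

The second scenario is the one that filled the queue: the whitelist-first variant accepts a spoofed gmail.com sender for a remote recipient, while the local-only variant falls through to the relay test and denies it. The first scenario shows the whitelist still doing its job in both variants: a real Gmail user on a blocklisted IP is accepted for a local mailbox.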

Aspegic
08-24-2006, 12:16 AM
Originally posted by mbaboo

This is still an issue and caused massive headaches for me.

Problem is that someone started to relay spam through my server. They pretended to be mailing from Yahoo by sending a spoofed yahoo.com "From" address; DA accepted the email no questions asked AND **relayed** it anywhere. That is the problem. Those mails should pass SpamBlocker but they should fail the relaying.


I agree. I have the exact same problem, except it's not with Gmail but with a different provider, one of the largest providers in my country unfortunately, so I cannot have them blacklisted. But if I whitelist them (the way it currently works) it causes problems as well.

Can someone please come up with a clever solution to have the ability to have domains whitelisted for spamblocker, without that automatically meaning it allows full relay for that domain?

xemaps
08-24-2006, 12:22 AM
Those who have Exim 4.6x can use this in the ACL:

#
drop message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#

You don't have to use any whitelist; whitelisting is bad.

Aspegic
08-24-2006, 12:29 AM
Thanks for that tip! Unfortunately I'm still using 4.5 and upgrading is not an option (at least not at this moment).

Although your solution may work, I really would like to see a solution in spamblocker itself if possible.

The way I see it, if a domain is whitelisted, it should only mean that the "from" domain should be accepted, regardless of whether it's blacklisted somewhere or not, but ONLY if the recipient address is an account on my server. (At least I think that's how it should work).

Chrysalis
08-24-2006, 01:53 AM
Originally posted by xemaps
Those who have Exim 4.6x can use this in the ACL:

#
drop message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#

You don't have to use any whitelist; whitelisting is bad.

am I right this will still allow legit yahoo email through?

xemaps
08-25-2006, 04:28 PM
Please try it and help make it better if you find this ACL wrong ;-)
Note the no/yes order.

dan35
10-04-2006, 12:28 PM
Originally posted by mbaboo
Hello,

This is still an issue and caused massive headaches for me.

My DA server was rejecting all mail from Gmail. Apparently some of Gmail's servers are blacklisted on some of the blacklist services that SpamBlocker uses. So SpamBlocker was rejecting valid emails from Gmail accounts.

So I am using the "whitelist_domains" file. I added gmail.com, yahoo.com and all other domains that I knew NOT to be spammers.

I wanted all mail from these domains to pass through the SpamBlocker filters and arrive in my Inbox. So far so good. That works fine.

Problem is that someone started to relay spam through my server. They pretended to be mailing from Yahoo by sending a spoofed yahoo.com "From" address; DA accepted the email no questions asked AND **relayed** it anywhere. That is the problem. Those mails should pass SpamBlocker but they should fail the relaying.

In the end my server ran out of inodes due to the million-odd messages in the Exim queue. I eventually had to remove my whitelist_domains file to rectify the problem.

The solution as I see it is for domains listed in whitelist_domains to be allowed ONLY for local delivery. Anything else must fall through to the next test. Which means local users will pass because they are authenticated or are in the pop_hosts file. Other unauthorised users will fail.

Does this make sense? Anyone not agree?


Regards,

Mustapha

Same spam issue here! Someone please sticky this thread!

gcypher
10-04-2006, 12:48 PM
Did you make sure your server requests authentication for non-local domains?

This should solve your problem

dan35
10-04-2006, 10:00 PM
Warning: Avoid using the whitelist domains file. It allows relays, that's how it was setup for the spamblocker scripts.

SupermanInNY
10-19-2006, 05:22 PM
Originally posted by xemaps
Whose have exim 4.6x can use that in acl

#
drop message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#

You don't have to use any whithelist, whithelisting is bad.


Has this been confirmed to be a working solution?
I'm just trying to verify that this is what I need to do for:

#
drop message = Faked Microsoft
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}
#


#
drop message = Faked Gmail
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
#

etc.. etc..?

I believe there are about 10 or so 'famous' domains that I need to allow to send emails to my users on my server and I don't mind adding as many lines as it takes to exim, if this works.

BTW, is there a preference, or does order matter as to where this bit should be placed in the exim.conf file?

Please let me know.

Thanks,

-Alon.

xemaps
10-20-2006, 04:46 AM
You can try it and adapt it;
this works for me.
Copy this before the following line, to avoid load and DNS checks:

require verify = sender

################
# FORGED MAIL CHECKS#
################

#host name based !

drop message = Forged Yahoo mail, connection denied!
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
delay = 20s

drop message = Forged hotmail mail, connection denied!
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
delay = 20s

drop message = Forged MSN mail, connection denied!
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
delay = 20s

drop message = Forged AOL mail, connection denied!
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Netscape Mail, connection denied!
senders = *@netscape.com
condition = ${if match {$sender_host_name}{\Nnetscape.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Netscape Mail, connection denied!
senders = *@netscape.net
condition = ${if match {$sender_host_name}{\Nnetscape.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Comcast Mail, connection denied!
senders = *@comcast.net
condition = ${if match {$sender_host_name}{\Ncomcast.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Comcast Mail, connection denied!
senders = *@comcast.com
condition = ${if match {$sender_host_name}{\Ncomcast.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Verizon Mail, connection denied!
senders = *@verizon.com
condition = ${if match {$sender_host_name}{\Nverizon.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Verizon Mail, connection denied!
senders = *@verizon.net
condition = ${if match {$sender_host_name}{\Nverizon.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Paypal Mail, connection denied!
senders = *@paypal.com
condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Prodigy Mail, connection denied!
senders = *@prodigy.com
condition = ${if match {$sender_host_name}{\Nprodigy.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Prodigy Mail, connection denied!
senders = *@prodigy.net
condition = ${if match {$sender_host_name}{\Nprodigy.net$\N}{no}{yes}}
delay = 20s

drop message = Forged RoadRunner Mail, connection denied!
senders = *@rr.com
condition = ${if match {$sender_host_name}{\Nrr.com$\N}{no}{yes}}
delay = 20s

drop message = Forged RoadRunner Mail, connection denied!
senders = *@rr.net
condition = ${if match {$sender_host_name}{\Nrr.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
delay = 20s

#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s

SupermanInNY
10-20-2006, 08:57 AM
Originally posted by xemaps
you can try and adapt it
this work for me
copy that before the following line to avoid load and dns check

require verify = sender

################
# FORGED MAIL CHECKS#
################

#host name based !

drop message = Forged Yahoo mail, connection denied!
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
delay = 20s

drop message = Forged hotmail mail, connection denied!
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
delay = 20s

#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s

I hate to be a pain, but I'd like to make sure that I understand what I'm doing. Sometimes explicit examples like the ones you gave are simply the best way for me to follow and append as necessary.


require verify = sender

Currently it is disabled on my server. However, when users want to send mail out, they have to have the "my outgoing server requires authentication" checkbox enabled. Otherwise, they cannot send mail.
Is that the same thing? I'm thinking it is not, but I'm not sure.

Second,

drop message = Forged hotmail mail, connection denied!
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
delay = 20s


That is your bit.
Does the next bit need to match it?

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s

The reason I ask is that I don't understand what a Forged HELO is,
or better put, is this a different check from the former specific host names?
If I add for instance microsoft.com as a new host, do I need to add it both here:

drop message = Forged Microsoft, connection denied!
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}
delay = 20s

AND in here:

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com|microsoft\.com)\$}}
delay = 20s

Last, does order matter?

I mean, does this part of the code need to be placed BEFORE the filters? Or after the filters? Or does it not matter at all?

Thanks for the contribution.

-Alon.

xemaps
10-20-2006, 04:01 PM
I think you have to read the Exim manual; possibly it will be clear after that.

require_verify = sender
just makes a verification that the sender exists, aka a real mailbox...

For the rules, yes it does matter.
Put at the top the ones most targeted at your system;
5 or 20 such 'light' rules will not affect your server.

It is important to make this verification BEFORE DNS checking because that costs time and power for the server.
Better to reject before using DNSRBLs, then SpamAssassin.

Make your own cooking now.

SupermanInNY
10-21-2006, 06:53 AM
Originally posted by xemaps
I think you have to read the Exim manual; possibly it will be clear after that.

require_verify = sender
just makes a verification that the sender exists, aka a real mailbox...

For the rules, yes it does matter.
Put at the top the ones most targeted at your system;
5 or 20 such 'light' rules will not affect your server.

It is important to make this verification BEFORE DNS checking because that costs time and power for the server.
Better to reject before using DNSRBLs, then SpamAssassin.

Make your own cooking now.

Well.... before I try to cook anything (at best I can boil an egg), I checked some feedback on the Exim newsgroup to verify any action I take. Here is a snippet of a response that I got:

The question I asked them was:

Should I enable the require_verify = sender or not.


> 5. If this is such a good feature, why would it be disabled...

- Not all sender's servers can/do respond properly or promptly to the query.

- Some very large / major ISP's do not have usable DNS records for their 'pools'
of servers.

- Many operators do not appreciate being hit with the query.

- A few may even blacklist those who attempt such queries.

Feature is perhaps at its best when used within a known-responsive environment -
say one company's intranet or a 'pool' of MX or relay hosts.

hosts / !hosts and hostlists or lookups can be used to specify which/which-not
to apply it to if you choose to use it.

Bill


Hmm.. getting myself blacklisted.. that doesn't sound good.
But assuming that is not the issue, if legitimate large providers fail to adhere to this requirement, I'll be fighting windmills and I'll have really angry users at my end.

EDIT:

I'm still not clear about one thing:

Does this code bit allow those domains to send mail to the server even if they appear in a blacklist further down?
My question is, if I'm using sbl-xbl.spamhaus.org and they blacklist microsoft.com, will this safely "whitelist" the domain "microsoft.com"?
I'm looking for such a particular solution.

Thanks,

-Alon.

SupermanInNY
10-23-2006, 07:24 AM
Hi All,

With further checks, I've noticed that I have a few mail service providers
that are listed as FREE email providers.
That does not by itself mean that they are spammers.

I'm using:

dnslists = blackholes.five-ten-sg.com

as one of the filters.
It is very effective, but also blocks one of our large free mail providers.
Will the following syntax work to still use the filter, with the exception of
not denying the free servers?


# deny using blackholes.five-ten-sg.com
deny message = Email blocked by FIVETEN - to unblock see
http://www.myserver.com/spamlist.html
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = blackholes.five-ten-sg.com!=127.0.0.12


http://www.five-ten-sg.com/blackhole.php?ip=192.118.71.127&Search=Search

thanks for the input,

- Alon

nobaloney
10-24-2006, 08:34 PM
Originally posted by dan35
Warning: Avoid using the whitelist domains file. It allows relays, that's how it was setup for the spamblocker scripts.
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.


Or use it with the Forged Mail Checks ACL addition found in this thread.

Jeff

nobaloney
10-24-2006, 08:42 PM
Originally posted by SupermanInNY
I'm using:

dnslists = blackholes.five-ten-sg.com

as one of the filters.
It is very effective, but also blocks one of our large free mail providers.
Will the following syntax work to still use the filter with the exception of
deny the free servers?

# deny using blackholes.five-ten-sg.com
deny message = Email blocked by FIVETEN - to unblock see
http://www.myserver.com/spamlist.html
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = blackholes.five-ten-sg.com!=127.0.0.12
That depends on what 127.0.0.12 means in that blocklist.

This code means that every returned server in the blocklist will be checked to see what IP# is listed with it, and if 127.0.0.12 is the IP# listed, it won't be blocked; otherwise it will be.

Why not just find out the servers being blocked by the blocklist and put them into whitelist_hosts?

That should do what you want.

Jeff
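
An added Python model, not Exim code, of how a dnslists item with an address suffix decides whether a client is listed, covering the "=" and "!=" forms in the snippet above and the bare zone form. The zone name is the one from the post; the DNS answers are a constructed stand-in table, and the treatment of several returned records under "!=" (one record outside the excluded set counts as listed) is an assumption to check against the Exim specification for your version. Exim also takes a comma-separated list of addresses after = or !=, which the parser accepts.

```python
import ipaddress
import re

# Constructed stand-in for DNS: query name -> A records the list would return.
# 127.0.0.12 stands for the "free mail provider" code discussed in the post (assumed).
FAKE_DNS = {
    "7.113.0.203.blackholes.five-ten-sg.com": ["127.0.0.4"],
    "20.113.0.203.blackholes.five-ten-sg.com": ["127.0.0.12"],
    "21.113.0.203.blackholes.five-ten-sg.com": ["127.0.0.12", "127.0.0.4"],
}


def query_name(client_ip: str, zone: str) -> str:
    """A DNSBL is queried for the client's octets reversed, under the zone name."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_item(item: str):
    """Split 'zone', 'zone=a,b' or 'zone!=a,b' into (zone, op, {addresses})."""
    m = re.fullmatch(r"([^=!\s]+)(!=|=)?([\d.,]*)", item.strip())
    if not m or (m.group(2) and not m.group(3)):
        raise ValueError(f"bad dnslists item: {item!r}")
    zone, op, addrs = m.groups()
    wanted = {a for a in addrs.split(",") if a} if op else set()
    return zone, op, wanted


def is_listed(item: str, client_ip: str, resolver=FAKE_DNS) -> bool:
    """True when the dnslists condition would be true for this client."""
    zone, op, wanted = parse_item(item)
    answers = resolver.get(query_name(client_ip, zone), [])
    if not answers:
        return False                          # no record at all: not listed
    if op is None:
        return True                           # any record means listed
    if op == "=":
        return any(a in wanted for a in answers)
    # "!=": listed unless the returned code is one of the excluded ones.
    # Assumption for several records: one non-excluded record is enough to deny.
    return any(a not in wanted for a in answers)


if __name__ == "__main__":
    item = "blackholes.five-ten-sg.com!=127.0.0.12"
    for ip in ("203.0.113.7", "203.0.113.20", "203.0.113.21", "203.0.113.99"):
        print(ip, query_name(ip, "blackholes.five-ten-sg.com"), is_listed(item, ip))
```

For the two-code case asked about further up, the Exim form is a comma-separated list, blackholes.five-ten-sg.com!=127.0.0.12,127.0.0.8, not || or &&; parse_item shows how that list is split.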

SupermanInNY
10-24-2006, 10:13 PM
Originally posted by jlasman
That depends on what 127.0.0.12 means in that blocklist.

This code means that every returned server in the blocklist will be checked to see what IP# is listed with it, and if 127.0.0.12 is the IP# listed, it won't be blocked; otherwise it will be.

Why not just find out the servers being blocked by the blocklist and put them into whitelist_hosts?

That should do what you want.

Jeff

Hi Jeff,

Great to get the feedback from you :).

Sorry for the double post (as you probably saw it in the other thread).
My understanding is that you believe that whitelists + the matching forged email check ACL will do the trick to allow for safe APPROVAL of senders.

As xemaps explained, ORDER matters, and as such I want to configure the exim.conf file correctly to make sure it is effective, correct, safe and economic.

Effective - add the needed filters that block the spam; not just adding lists to no end, but using the most used lists. No point in adding BLARS as it seems to block half the world, but sbl-xbl.spamhaus.org seems to be just as effective, and is not blocking "everyone" so aggressively.

Correct - "who's on first":

Which check should precede the other check?

Here are snippets of the exim.conf in the order that I have it. Would you re-arrange it differently? AND,. do you have #require verify = sender enabled on your servers? Or is it too restrictive?

------------------------------------------------------------

#require verify = sender

###################################################################
# FORGED MAIL CHECKS #
###################################################################

# host name based !


drop message = Forged Microsoft, connection denied!
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}
delay = 20s


#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s


###################################################################
# FILTER CHECK - RBL subscriptions #
###################################################################


# deny using .spamhaus
deny message = Email blocked by SPAMHAUS SBL+XBL- to unblock see http://www.shev.com/spamlistschecker.html
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = sbl-xbl.spamhaus.org


# deny using ordb
deny message = Email blocked by ORDB - to unblock see http://www.shev.com/spamlistschecker.html
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = relays.ordb.org

# deny using sorbs smtp list
deny message = Email blocked by SORBS - to unblock see http://www.shev.com/spamlistschecker.html
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = dnsbl.sorbs.net=127.0.0.5


# accept if address is in a local domain as long as recipient can be verified
accept domains = +local_domains
endpass
message = "Unknown User"
verify = recipient

# accept if address is in a domain for which we relay as long as recipient
# can be verified
accept domains = +relay_domains
endpass
verify=recipient

---------------------------------------------------------------

Safe: USING the snippet above, would it be safe to put microsoft.com in the whitelist_domains file? I don't have enough understanding of what the FORGED MAIL check actually does and how it 'verifies' the sender's true identity - can it be 'faked' or spoofed in some way?


Economic: This actually ties back to the Effective construct. If the Forged check fails, does it stop the checks and Reject? Also, going back to the reply you had for the exclusion of IPs, I think you confirmed my understanding, but somehow the wording you chose didn't leave me assured that I actually did understand, so I'll rephrase your answer in layman's words and see if you agree or disagree with it:

# deny using blackholes.five-ten-sg.com
deny message = Email blocked by FIVETEN - to unblock see
http://www.myserver.com/spamlist.html
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = blackholes.five-ten-sg.com!=127.0.0.12

In the above bit, the check will DENY and REJECT any email that has its IP listed in the blackholes.five-ten-sg.com list, excluding those that are labeled/marked with 127.0.0.12. That means that if an IP is found in the RBL and is labeled/marked with 127.0.0.4 it will be REJECTED, but if it is labeled/marked with 127.0.0.12 it will be APPROVED.

AND TWO last things in the Economic:
1. if I whitelist a domain, does it go through the RBL checks still?
2. Assuming I want to exclude 127.0.0.12 and 127.0.0.8 what is the syntax to exclude from both?
is it:
blackholes.five-ten-sg.com!=127.0.0.12 || 127.0.0.8

Or is it:

blackholes.five-ten-sg.com!=127.0.0.12 && 127.0.0.8

Thanks for the input.

-Alon.

mbaboo
10-24-2006, 11:55 PM
Originally posted by jlasman
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.

Jeff


Hi Jeff,

But that is a problem. SpamBlocker regularly blocks mail from Gmail. I'm not sure what problem the various spam databases have with Gmail's mail server.

Nonetheless that means that legitimate Gmail mail is not coming through. So I HAD to add gmail.com to the whitelist_domains. I could not ignore them as you suggest. That is when my server got used as a relay by someone spoofing a Gmail address.

I've since moved to using whitelist_from to allow through specific email addresses but as you can imagine, this is a nightmare to maintain. But it's better than having my server killed by a spammer.

Regards,

Mustapha

dan35
10-25-2006, 12:26 AM
Originally posted by jlasman
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.


Or use it with the Forged Mail Checks ACL addition found in this thread.

Jeff



I disagree, jlasman! Many servers got blocked due to the open relays caused by the whitelist_domains file. One of my servers got into a spam list too, since I put Yahoo in its whitelist_domains file. 2GB-4GB of spam was sent through my server daily.
So I complained to DirectAdmin because DA installed it by default, and I didn't see any warning about the whitelist_domains file in the config files.
Then John told me to avoid using the whitelist_domains file because it allows relays; that's how it was set up for the SpamBlocker scripts.

So I have to warn other people to go to this thread if they don't want their servers in the spam blocklists.

dan35
10-25-2006, 12:34 AM
Originally posted by mbaboo
Hi Jeff,

But that is a problem. SpamBlocker regularly blocks mail from Gmail. I'm not sure what problem the various spam databases have with Gmail's mail server.

Nonetheless that means that legitimate Gmail mail is not coming through. So I HAD to add gmail.com to the whitelist_domains. I could not ignore them as you suggest. That is when my server got used as a relay by someone spoofing a Gmail address.

I've since moved to using whitelist_from to allow through specific email addresses but as you can imagine, this is a nightmare to maintain. But it's better than having my server killed by a spammer.

Regards,

Mustapha

You may comment out the spamcop section in exim.conf. Spamcop blocks some Gmail servers. And spamcop is very aggressive, so many people in here don't like it either.

# deny using spamcop
# deny message = Email blocked by SPAMCOP - to unblock see http://yourdomain.com
# hosts = !+relay_hosts
# domains = +use_rbl_domains
# !authenticated = *
# dnslists = bl.spamcop.net

nobaloney
10-25-2006, 03:10 AM
Originally posted by SupermanInNY
Hi Jeff,

Great to get the feedback from you :).
Alon, I like the order you're using; in fact we're experimenting with the same order now, on one of our testbeds that gets thousands of spams daily.

My understanding is that you belive that whitelists + matching_acl_forged_email_check will do the trick to allow for safe APPROVAL of senders.
It will cause its own set of problems since plenty of people may use their Gmail return address or their Hotmail return address, plus their own server. No easy way to resolve these issues until something like SPF becomes mandatory, and I don't see that happening this year or next.

Effective - add the needed filters that block the spam - no just adding lists to no end,. but to use the most used lists. No point in adding BLARS as it seem to block half the world, but sbl-xbl.spamhause.org seems to be just as effective, and is not blocking "everyone" so aggressively
People differ in their ideas of course :) .

Which check should precede the other check?
Let's leave it this way until we see more information in the logs. I like it this way because, the domain checks don't use any DNS lookups at all, and therefore use less resources.

Here are snippets of the exim.conf in the order that I have it. Would you re-arrange it differently?
I don't think so.

AND,. do you have #require verify = sender enabled on your servers? Or is it too restrictive?
I'd love to enable it but I don't because I think it is too restrictive.

AND TWO last things in the Economic:
1. if I whitelist a domain, does it go through the RBL checks still?
No.
2. Assuming I want to exclude 127.0.0.12 and 127.0.0.8 what is the syntax to exclude from both?
is it:
blackholes.five-ten-sg.com!=127.0.0.12 || 127.0.0.8

Or is it:

blackholes.five-ten-sg.com!=127.0.0.12 && 127.0.0.8
At this hour of the morning, having been up all the preceding day, I'm not sure :) . You can always read the exim docs :) :) .

Thanks for the input.
You're welcome.

Jeff

nobaloney
10-25-2006, 03:13 AM
Originally posted by dan35
I disagree, jlasman! Many servers got blocked due to the open relays caused by the whitelist_domains file. One of my servers got in spam list too since I put yahoo in its whitelist_domains file. 2GB-4GB of spams were sent through my server daily.
And that's somehow my fault? Okay. I fully accept responsibility for your misuse of my tool.

So I complained to DirectAdmin 'cause DA installed it by default, and I didn't see any warning about the whitelist_domains file in the config files.
Then John told me to avoid using the whitelist domains file because it allows relays, that's how it was setup for the spamblocker scripts.
I think that it's simplistic to say it was designed to allow you to be an open relay. It was designed to give you flexibility. We use its flexibility and have never been an open relay. I'm sure others do as well.

So I have to warn other people to go to this thread if they don't want their servers in the spam blocklists.
Or of course you could spend your time creating your own solution.

Jeff

roarkh
10-25-2006, 10:51 AM
I just saw these entries in my Exim rejectlog (after adding the forged mail ACLs mentioned in this thread)...


2006-10-25 09:25:55 H=ug-out-1314.google.com [66.249.92.172] F=<bgclothier@gmail.com> rejected RCPT <***removed***>: Forged Gmail, connection denied!
2006-10-25 09:49:58 H=ug-out-1314.google.com [66.249.92.171] F=<kelly.evan.alleen@gmail.com> rejected RCPT <***removed***>: Forged Gmail, connection denied!

Do you think that changing this...


drop message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
delay = 20s

to this is a good idea? It seems to fix the problem for me.


drop message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}
delay = 20s

nobaloney
10-26-2006, 07:30 AM
I'm beginning to see some problems with this addition to exim.conf:

1) drop is probably not the best solution because any errors are not communicated back to the sender. I prefer to use deny because that way the sender sees a refusal to connect. Spammers ignore it, but legitimate senders get it bounced back from their mail server and know their email didn't go through; kind of like the way the blocklists work now.

Can this happen? Absolutely. How? For example if bill@comcast.net is travelling with his laptop and wants to send an email with his comcast.net address but can't use his comcast.net server because he's not on the network. At least if you use deny he'll get bounced and can apply to be on your whitelist (at least he can if you've set up a whitelist page).

2) the delay = 20s isn't necessary at all; all it does in a drop is make the server wait before testing the next address. And it means the log entries generated will be separated with perhaps a lot of unrelated entries between them, making it hard to trace in the logs. Admittedly some spam servers won't wait that long and will give up, but not enough to make it worthwhile compared to the inconvenience in checking logs.

3) This section:

#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s
doesn't work. In fact in our systems tested it causes email to completely break for incoming and outgoing email with this error:

2006-10-26 11:29:06 H=hermes1.example.net [123.45.67.8] F=<sendername@example.com> temporarily rejected RCPT <info@example.net>: failed to expand ACL string "${if match {$sender_helo_name}\{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}": missing 2nd string in {} after "match"
because it's missing the {no}{yes} section; it should look like this:

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}{no}{yes}}
delay = 20s
Fortunately it causes only a temporary rejection so as long as you fix the problem within four days no email should be lost.

4) But even after the helo based section is fixed as above it still fails ALL email that comes from any other sender except for gmail, msn, yahoogroups, and aol. The condition should only be evaluated on a match {sender_helo_name} that evaluates to one of the same senders. This isn't a hypothetical issue; I tested thoroughly.

I've commented out the helo based section on the servers where I'm beta testing; I hope the original author will do the fix for us.

That said, it's great code and I look forward to using it in the next SpamBlocker exim.conf release.

Jeff
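
As an added example, not the thread's exim.conf, here is a Python model of the forged-mail rules from roarkh's and Jeff's posts. It reproduces Exim's ${if match {subject}{regex}{string1}{string2}} expansion, the 'condition =' truth test and the senders = *@domain pattern, so the effect of the {no}{yes} ordering and of the unescaped dot in the patterns can be checked offline. The host names, HELO strings and addresses are constructed; the google.com outbound name imitates the rejectlog lines posted above.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Session:
    sender: str      # envelope sender, matched by 'senders ='
    host_name: str   # $sender_host_name: verified reverse DNS of the client
    helo: str        # $sender_helo_name: what the client said in HELO/EHLO


@dataclass
class Rule:
    message: str
    variable: str            # "host_name" or "helo"
    regex: str               # the \N...\N pattern
    senders: str = "*"       # address pattern; "*" applies the rule to every sender
    on_match: str = "no"     # ${if match {..}{..}{on_match}{on_nomatch}}
    on_nomatch: str = "yes"


def exim_if_match(subject: str, regex: str, on_match: str, on_nomatch: str) -> str:
    """${if match {subject}{regex}{on_match}{on_nomatch}}: an unanchored regex search."""
    return on_match if re.search(regex, subject) else on_nomatch


def condition_true(value: str) -> bool:
    """'condition =' is true for 'yes', 'true' or a non-zero number."""
    v = value.strip().lower()
    return v in ("yes", "true") or (v.isdigit() and int(v) != 0)


def rule_fires(rule: Rule, s: Session) -> bool:
    if not fnmatchcase(s.sender, rule.senders):
        return False                                  # 'senders =' did not match
    subject = s.host_name if rule.variable == "host_name" else s.helo
    return condition_true(exim_if_match(subject, rule.regex, rule.on_match, rule.on_nomatch))


def first_hit(rules, s: Session) -> str:
    """Like a run of drop/deny verbs: the first rule whose conditions all hold wins."""
    for r in rules:
        if rule_fires(r, s):
            return r.message
    return "passed"


# The Gmail rule as posted: unescaped dot, and google.com outbound hosts fail it.
GMAIL_AS_POSTED = Rule("Forged Gmail", "host_name", r"gmail.com$", "*@gmail.com")
# Escaped dots, a leading dot so "notgmail.com" cannot pass, and google.com accepted.
GMAIL_FIXED = Rule("Forged Gmail", "host_name", r"\.(gmail|google)\.com$", "*@gmail.com")

HELO_RE = r"^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)$"
# With {no}{yes} the condition is true when the HELO does NOT match: everyone else is dropped.
HELO_NO_YES = Rule("Forged HELO", "helo", HELO_RE, on_match="no", on_nomatch="yes")
# With {yes}{no} only a client that HELOs as a bare provider domain is dropped.
HELO_YES_NO = Rule("Forged HELO", "helo", HELO_RE, on_match="yes", on_nomatch="no")

SESSIONS = {  # constructed
    "real gmail":   Session("alice@gmail.com", "ug-out-1314.google.com", "ug-out-1314.google.com"),
    "forged gmail": Session("alice@gmail.com", "dsl-203-0-113-7.example.org", "gmail.com"),
    "unrelated":    Session("bob@example.org", "mx.example.org", "mx.example.org"),
    "look-alike":   Session("alice@gmail.com", "notgmail.com", "gmail.com"),
}


def evaluate(rules) -> dict:
    """Run every constructed session through a rule list."""
    return {name: first_hit(rules, s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", [GMAIL_AS_POSTED, HELO_NO_YES]),
                         ("fixed", [GMAIL_FIXED, HELO_YES_NO])):
        print(label, evaluate(rules))
```

The "as posted" run reproduces both findings from the thread: real Gmail mail from a google.com host is rejected, and the HELO rule with {no}{yes} rejects every client whose HELO is not one of the listed domains. It also shows what the unescaped dot and the missing leading dot cost: a client whose verified reverse DNS is notgmail.com passes the host-name check. The "fixed" run keeps the intent of the rules while accepting the google.com outbound hosts.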

roarkh
10-26-2006, 08:47 AM
Jeff, you make a lot of good points. Thank you for your input. After taking your and others' advice I have come up with the following changes to my exim.conf. I realized that some of the existing ACLs really needed to move above the forged header checks to work. I had never included the forged HELO code in my config as I had not had time to look at it closely enough to be comfortable with it yet.

I am including my exim.conf file from the beginning of the ACL section to the Optional Modification section of the ACL section. These changes seem to be working well for me now.


######################################################################
# ACLs #
######################################################################

begin acl

# ACL that is used after the RCPT command
check_recipient:

# to block certain wellknown exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]

# to restrict port 587 to authenticated users only
# see also daemon_smtp_ports above
accept hosts = +auth_relay_hosts
condition = ${if eq {$interface_port}{587} {yes}{no}}
endpass
message = relay not permitted, authentication required
authenticated = *

# allow local users to send outgoing messages using slashes
# and vertical bars in their local parts.
# Block outgoing local parts that begin with a dot, slash, or vertical
# bar but allows them within the local part.
# The sequence \..\ is barred. The usage of @ % and ! is barred as
# before. The motivation is to prevent your users (or their virii)
# from mounting certain kinds of attacks on remote sites.
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

# local source whitelist
# accept if the source is local SMTP (i.e. not over TCP/IP).
# Test for this by testing for an empty sending host field.
accept hosts = :

### the following checks need to happen before forged header checks

# envelope senders whitelist
# accept if envelope sender is in whitelist
accept senders = +whitelist_senders

# accept mail to postmaster in any local domain, regardless of source
accept local_parts = postmaster
domains = +local_domains

# accept mail to abuse in any local domain, regardless of source
accept local_parts = abuse
domains = +local_domains

# accept mail to hostmaster in any local domain, regardless of source
accept local_parts = hostmaster
domains = +local_domains

### modify for your organization
# accept mail to ***@somewhere.org, regardless of source
accept local_parts = ***
domains = somewhere.org

### Check for forged headers

deny message = Forged Yahoo mail, to unblock send email to ***@somewhere.org
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Forged hotmail mail, to unblock send email to ***@somewhere.org
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

deny message = Forged MSN mail, to unblock send email to ***@somewhere.org
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

deny message = Forged AOL mail, to unblock send email to ***@somewhere.org
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}

deny message = Forged Netscape Mail, to unblock send email to ***@somewhere.org
senders = *@netscape.com
condition = ${if match {$sender_host_name}{\Nnetscape.com$\N}{no}{yes}}

deny message = Forged Netscape Mail, to unblock send email to ***@somewhere.org
senders = *@netscape.net
condition = ${if match {$sender_host_name}{\Nnetscape.net$\N}{no}{yes}}

deny message = Forged Comcast Mail, to unblock send email to ***@somewhere.org
senders = *@comcast.net
condition = ${if match {$sender_host_name}{\Ncomcast.net$\N}{no}{yes}}

deny message = Forged Comcast Mail, to unblock send email to ***@somewhere.org
senders = *@comcast.com
condition = ${if match {$sender_host_name}{\Ncomcast.com$\N}{no}{yes}}

deny message = Forged Verizon Mail, to unblock send email to ***@somewhere.org
senders = *@verizon.com
condition = ${if match {$sender_host_name}{\Nverizon.com$\N}{no}{yes}}

deny message = Forged Verizon Mail, to unblock send email to ***@somewhere.org
senders = *@verizon.net
condition = ${if match {$sender_host_name}{\Nverizon.net$\N}{no}{yes}}

deny message = Forged Paypal Mail, to unblock send email to ***@somewhere.org
senders = *@paypal.com
condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}

deny message = Forged Prodigy Mail, to unblock send email to ***@somewhere.org
senders = *@prodigy.com
condition = ${if match {$sender_host_name}{\Nprodigy.com$\N}{no}{yes}}

deny message = Forged Prodigy Mail, to unblock send email to ***@somewhere.org
senders = *@prodigy.net
condition = ${if match {$sender_host_name}{\Nprodigy.net$\N}{no}{yes}}

deny message = Forged RoadRunner Mail, to unblock send email to ***@somewhere.org
senders = *@rr.com
condition = ${if match {$sender_host_name}{\Nrr.com$\N}{no}{yes}}

deny message = Forged RoadRunner Mail, to unblock send email to ***@somewhere.org
senders = *@rr.net
condition = ${if match {$sender_host_name}{\Nrr.net$\N}{no}{yes}}

deny message = Forged Gmail, to unblock send email to ***@somewhere.org
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}

### the following checks need to happen after forged header checks

# sender domains whitelist
# accept if sender domain is in whitelist
accept sender_domains = +whitelist_domains

# sender hosts whitelist
# accept if sender host is in whitelist
accept hosts = +whitelist_hosts
accept hosts = +whitelist_hosts_ip

# OPTIONAL MODIFICATIONS:

You will of course need to change ***@someplace.org to match something that makes sense for your organization.

I left the gmail test to work for gmail.com and google.com to cover all the bases; it looks as though google.com may be all that is really necessary now though.

Thanks again for all your help.
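To see what the forged-header statements above actually decide, here is an added Python example (not roarkh's or SpamBlocker's code) that pulls the deny/senders/condition triples out of a constructed excerpt of that ACL, compiles each regex, and replays constructed SMTP sessions against them. Python's `re` stands in for Exim's PCRE, which is an assumption that holds for these simple patterns; the envelope senders and reverse-DNS host names are made up. The excerpt also carries one deliberately broken regex (the unmatched-parenthesis form quoted later in the thread) to show that compiling the patterns before deployment catches it. The `hardened_regex` helper shows the anchored, dot-escaped form that a reviewer would ask for, since an unanchored `yahoo.com$` also matches a host ending in `notyahoo.com`:

```python
import re

# Constructed excerpt in the shape of the post's forged-header ACL statements.
# The last statement carries the ")(hotmail|msn).com$" typo quoted later in
# the thread, so that parse_rules() has something to reject.
ACL_EXCERPT = r"""
deny message = Forged Yahoo mail, to unblock send email to ***@somewhere.org
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Forged AOL mail, to unblock send email to ***@somewhere.org
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}

deny message = Forged Gmail, to unblock send email to ***@somewhere.org
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}

deny message = Forged MSN mail, to unblock send email to ***@somewhere.org
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N)(hotmail|msn).com$\N}{no}{yes}}
"""

# One statement: verb+message line, senders line, condition line with \N...\N regex.
STMT_RE = re.compile(
    r"deny message = (?P<message>[^\n]+)\n"
    r"senders = \*@(?P<domain>\S+)\n"
    r"condition = \$\{if match \{\$sender_host_name\}\{\\N(?P<regex>[^\n]*?)\\N\}\{no\}\{yes\}\}"
)


def parse_rules(text):
    """Return (rules, errors): compiled rules and messages for regexes that fail to compile."""
    rules, errors = [], []
    for m in STMT_RE.finditer(text):
        try:
            pattern = re.compile(m.group("regex"))
        except re.error as exc:
            errors.append(f'{m.group("domain")}: bad regex {m.group("regex")!r}: {exc}')
            continue
        rules.append({"message": m.group("message"),
                      "domain": m.group("domain").lower(),
                      "regex": pattern})
    return rules, errors


def forged_check(rules, envelope_sender, sender_host_name):
    """Emulate the ACL: the first 'deny' whose conditions all hold wins.

    'senders = *@domain' restricts the statement to that envelope domain, and
    Exim's ${if match ...} is an unanchored search, so re.search() is used.
    Returns the deny message, or None when the message passes these checks.
    """
    domain = envelope_sender.rpartition("@")[2].lower()
    for rule in rules:
        if domain != rule["domain"]:
            continue                          # senders condition not met
        if rule["regex"].search(sender_host_name.lower()):
            continue                          # host name satisfies the regex: no deny
        return rule["message"]
    return None


def hardened_regex(*domains):
    """Escape dots and anchor on a label boundary so 'notyahoo.com' cannot pass as 'yahoo.com'."""
    alternatives = "|".join(re.escape(d) for d in domains)
    return re.compile(r"(^|\.)(" + alternatives + r")$")


# Constructed sessions: (envelope sender, reverse-DNS host name).
SESSIONS = [
    ("alice@yahoo.com", "web12345.mail.yahoo.com"),   # genuine
    ("alice@yahoo.com", "mail.notyahoo.com"),         # slips past the unanchored regex
    ("bob@aol.com", "mx.forwarder.example.net"),      # real AOL mail forwarded by another site
    ("carol@gmail.com", "mail-wr1-f45.google.com"),   # genuine, arrives from a google.com host
    ("dave@somewhere.org", "unknown.example"),        # no statement applies
]


def run_demo():
    rules, errors = parse_rules(ACL_EXCERPT)
    verdicts = [(s, h, forged_check(rules, s, h)) for s, h in SESSIONS]
    return errors, verdicts


if __name__ == "__main__":
    errors, verdicts = run_demo()
    for err in errors:
        print("regex error:", err)
    for sender, host, verdict in verdicts:
        print(f"{sender:22} {host:28} -> {verdict or 'pass'}")
</test>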

nobaloney
10-30-2006, 03:37 PM
A check of our logs indicates we may be bouncing some legitimate gmail mail. Are you certain you've got the right hostname setup?

Jeff

roarkh
10-30-2006, 04:03 PM
Jeff,

I just went back through my logs, and since the 25th I have not bounced any gmail messages where the sender's host resolved to gmail.com or google.com, so as far as I can tell using gmail|google works for us here.

I just checked through the mainlog and see that some gmail mail has been delivered and it all came from hosts that end in google.com so maybe it would be worth a try changing...


senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}

to...


senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngoogle.com$\N}{no}{yes}}

Has anyone else experienced any problems with these settings? I definitely would not call myself an expert on this so I could be mistaken about something. I used xemaps' previous entry for hotmail.com to determine how to test for the possibility of two different servers. Here's the line from his config...


drop message = Forged MSN mail, connection denied!
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
delay = 20s

mbaboo
11-08-2006, 01:14 PM
Hi,

This is so ironic.

I am now listed on SORBS because of this incident. And SORBS now demands a $50 ransom to get unlisted. I'm not paying it so I stay blocklisted. Those of you with Spamblocker won't even get my mails. It's so funny I could cry.

jlasman might think that myself, dan35 and others used Spamblocker incorrectly. I think we made a very reasonable assumption about what the config did and how Exim was meant to behave.

I suggest that DA put a big disclaimer or warning into the Exim config because I doubt I will be the last person to make this "mistake".

M




Originally posted by mbaboo
Hello,

This is still an issue and caused massive headaches for me.

My DA server was rejecting all mail from Gmail. Apparently some of Gmail's servers are blacklisted on some of the blacklist services that SpamBlocker uses. So Spamblocker was rejecting valid emails from Gmail accounts.

So I used the "whitelist_domains" file. I added gmail.com, yahoo.com and all other domains that I knew NOT to be spammers.

I wanted all mail from these domains to pass through the Spam Blocker filters and arrive in my Inbox. So far so good. That works fine.

Problem is that someone started to relay spam through my server. They pretended to be mailing from yahoo by sending a spoof yahoo.com "From" address, DA accepted the email no questions AND **relayed** it to anywhere. That is the problem. Those mails should pass Spamblocker but it should fail the relaying.

In the end my server ran out of inodes due to the million-odd messages in the exim queue. I eventually had to remove my whitelist_domains file to rectify the problem.

The solution as I see it is for domains listed in whitelist_domains to be allowed ONLY for local delivery. Anything else must fall through to the next test. Which means local users will pass because they are authenticated or are in the pop_hosts file. Other unauthorised users will fail.

Does this make sense? Anyone not agree?


Regards,

Mustapha

nobaloney
11-13-2006, 08:03 PM
It's unlikely (but possible) that one can get on SORBS because of this kind of problem; I had the problem myself until I realized the issue.

And it didn't get me on SORBS.

Please respond to my private message.

Jeff

nobaloney
11-25-2006, 07:16 PM
I found what may be a major problem with this code. I had to comment it out from our servers.

Has anyone ever checked to see if, for example, mail form hotmail.com always comes from hotmail.com servers?

Or if mail from verizon.net always comes from verizon.net servers?

And so forth?

I don't think I can risk this code unless it's been checked.

Anyone?

Jeff

xemaps
11-26-2006, 07:13 AM
I'm surprised some invent rules just by copying another one and think changing the name will be OK, but forget to verify DNS.

It's easy to check smtp servers with http://www.dnsstuff.com/
and verify by sending mail from an account.

link rectified thx

nobaloney
11-26-2006, 04:46 PM
Did you spell that link wrong?

http://www.dnsstuff.org seems to be an advertising site.

Jeff

SupermanInNY
11-26-2006, 11:09 PM
http://www.dnsstuff.com/ is more likely.

nobaloney
11-27-2006, 10:46 AM
Thanks, Supe. I have no idea how I managed to misread that.

However, even looking at www.dnsstuff.com, I don't see any way to get the list of outgoing email servers. I suppose I can do an SPF lookup on all the domains. I'll try that.

Jeff

BigWil
11-28-2006, 10:35 AM
I would like to test these new rules out as well and also go back to using the verify_sender option. We had a lot less spam passing around back when we did and not nearly as many complaints regarding verify_sender as we now do about the ungodly amount of spam.

So could someone please post the latest version of these new rules please? Throughout the thread there have been many revisions and also multiple opinions... any consensus?

Big Wil

xemaps
11-28-2006, 02:26 PM
Originally posted by jlasman
Thanks, Supe. I have no idea how I managed to misread that.

However, even looking at www.dnsstuff.com, I don't see any way to get the list of outgoing email servers. I suppose I can do an SPF lookup on all the domains. I'll try that.

Jeff

Tired, Jeff ;)? First entry: DNS Report.
But please wait while the mail entries are tested; the whole page doesn't appear instantly since it takes time to test some entries.

otherwise http://www.dnsreport.com/ same target

xemaps
11-28-2006, 02:40 PM
Originally posted by BigWil
I would like to test these new rules out as well and also go back to using the verify_sender option. We had a lot less spam passing around back when we did and not nearly as many complaints regarding verify_sender as we now do about the ungodly amount of spam.

So could someone please post the latest version of these new rules please? Throughout the thread there have been many revisions and also multiple opinions... any consensus?

Big Wil

I tried this general sender verify, but it took too many resources and gave bad results; however, we can use callout.
I use it only in few specific rules (aol,msn,yahoo...)

BigWil
11-28-2006, 02:43 PM
Good idea. I would like to go with the mass majority which seems to be aol.com, yahoo.com, gmail.com, msn.net, and hotmail.com. So how do I define it on a per domain basis?

Big Wil

xemaps
11-28-2006, 03:21 PM
Sorry, I wrote a bad idea!

You don't need to verify for aol, msn and yahoo, because they don't allow mail from bad senders!
So if I reject with sender_helo_name and sender_host_name, only valid mail remains.

BigWil
11-28-2006, 03:31 PM
Are you kidding? 80% of the yahoo and aol email addresses floating around in spam are spoofed. Of course we need to verify them.

I think it should check against the sender_helo_name and sender_host_name and then if that passes, double check the sender_verify just to be sure. But I would only do this in the case of the mass free email providers such as those I listed earlier.

Big Wil

xemaps
11-28-2006, 03:51 PM
I have no spam (ZERO) from these domains (msn, yahoo, aol)!!!
I just have the rules I posted in a thread, so no spoof is possible.

Actually I reject 70% of mail at SMTP time and have a few percent spam, 1% to 3%, including special hardening which are not spam. The rest is ham. My mail volume is 2000/day.

nobaloney
11-30-2006, 05:50 PM
Originally posted by xemaps
first entry DNS Report
but please wait mail are tested, the whole page doesn't appears instantanly since it take time to test some entries
Not really. That only lists MX records. Large mail domains don't do incoming and outgoing on the same servers. You cannot trust that MX records point to outgoing servers. Ever. Not even on some of the domains we host.

Jeff

nobaloney
11-30-2006, 05:52 PM
Originally posted by xemaps
I tried this general sender verify, but it took too many resources and gave bad results; however, we can use callout.
Actually a bad idea. Why? Because most spam today originates on zombie servers. And they find email addresses in the local address book and use it. So those addresses at AOL, etc., are often quite good.

Jeff

nobaloney
11-30-2006, 05:54 PM
Originally posted by xemaps
I have no spam (ZERO) from these domains (msn yahoo aol) !!!
i just have the rules i posted on a thread, so no spoof possible.
But how many false positives are you getting? We started losing incoming mail when we implemented the rules. That's why I wrote what I did.

Jeff

BigWil
11-30-2006, 07:47 PM
Jeff,

So what was your end result? Are you not using these new rules at all?

Regardless they didn't do any good for us because we have a gateway machine on the outside also scanning for spam and viruses. So the host lookups were comparing against our gateway hostname and not the original HELO machine. I would still love a way of verifying the aol.com and yahoo.com addresses though. But I guess I am out of luck.

Cheers,

Big Wil

xemaps
12-01-2006, 05:14 AM
Originally posted by jlasman
But how many false positives are you getting? We started losing incoming mail when we implemented the rules. That's why I wrote what I did.

Jeff

Sorry, I didn't see false positives for msn, aol or yahoo; it never happens in my logs!
I allow myself the luxury of rejecting spoofed mail.

Possibly I have more luck than you ;)

xemaps
12-01-2006, 05:23 AM
Originally posted by jlasman
Actually a bad idea. Why? Because most spam today originates on zombie servers. And they find email addresses in the local address book and use it. So those addresses at AOL, etc., are often quite good.

Jeff

It's easy to reject most zombie servers by RFC checks and some tricks!

xemaps
12-01-2006, 05:46 AM
Originally posted by jlasman
Not really. That only lists mx records. Large mail domains don't do incoming and outgoin on the same servers. You cannot trust that mx records point to outgoing servers. Ever. Not even on some of the domains we host.

Jeff

Allowed servers have to be listed in DNS, especially carefully for these big domains, which make themselves a good mail prevention. They are OK with their DNS settings. Notice that you speak of MX; this is not the only entry in DNS! Alias and CNAME records exist, and SPF adds mail sender information.
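Jeff's "spf lookup" idea and the SPF remark above both point at the published sender policy as the data source a reverse-DNS regex cannot replace. The following added Python example (not xemaps' or SpamBlocker's code) is a deliberately reduced SPF evaluator: it handles the `ip4`, `ip6`, `include` and `all` mechanisms of RFC 7208 with the 10-lookup limit, and nothing else (no `a`, `mx`, `exists`, `redirect` or macros). The TXT records live in a constructed dictionary that stands in for DNS, so the domains and address ranges are made up and the code runs offline:

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (made-up domains and
# addresses, not any real provider's policy).
FAKE_DNS_TXT = {
    "bigmail.example": ["v=spf1 include:_spf.bigmail.example -all"],
    "_spf.bigmail.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "softmail.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.example": ["some unrelated txt record"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain, dns=FAKE_DNS_TXT):
    """Return the single v=spf1 record for a domain, or None (no record, or more than one)."""
    records = [r for r in dns.get(domain.lower(), [])
               if r.split() and r.split()[0].lower() == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_spf(ip, domain, dns=FAKE_DNS_TXT, _budget=None):
    """Reduced RFC 7208 check_host(): ip4 / ip6 / include / all only.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    Any mechanism this toy does not implement yields permerror rather than a
    silent no-match, so the reduction is visible instead of hidden.
    """
    if _budget is None:
        _budget = [10]                        # RFC 7208 DNS-lookup limit, shared across includes
    record = get_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        name, _, arg = term.partition(":")    # first ':' only, so ip6:2001:db8::/32 survives
        name = name.lower()
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return result
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            if check_spf(ip, arg, dns, _budget) == "pass":
                return result
        else:
            return "permerror"                # mechanism outside this toy's scope
    return "neutral"                          # record exhausted without an 'all'


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "bigmail.example"),
                    ("203.0.113.9", "bigmail.example"),
                    ("2001:db8:1::1", "bigmail.example"),
                    ("203.0.113.9", "softmail.example"),
                    ("198.51.100.10", "softmail.example"),
                    ("203.0.113.9", "nospf.example")]:
        print(f"{ip:16} {dom:22} -> {check_spf(ip, dom)}")
```

Two things are worth reading off the output. A domain that publishes no record yields `none`, not `fail`, so a deny rule needs an explicit decision for that case rather than treating silence as spoofing. And an SPF `fail` carries the same forwarding problem as the host-name regexes: a message that a third party forwards arrives from the forwarder's address, which the origin domain never authorized, so mail that is genuine but forwarded fails either test.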

Chrysalis
12-01-2006, 11:15 AM
I also lost incoming mail when testing these rules but for a different reason, it simply said the regex format was bad syntax.

failed to expand ACL string "${if match {$sender_host_name}{\N)(gmail|google).com$\N}{no}{yes}}": regular expression error in ")(gmail|google).com$": unmatched parentheses at offset 0

SupermanInNY
12-01-2006, 11:59 AM
How do the other control panels fare in this 'game'?

Well... checking cPanel's forums shows a significant surge in SPAM issues with their boxes as well.

Here is a link to a solution someone came up with.
Has anyone attempted to try some of those:

Exim+Exiscan+Clamav+RBL+Spamassassin+SARE+Razor+DCC

http://www.rvskin.com/index.php?page=public/antispam

nobaloney
12-01-2006, 03:20 PM
Count your ( and ) as well as your { and } characters.

Jeff

Dark_Wizard
12-02-2006, 05:11 AM
Originally posted by SupermanInNY
How do the other control panels fare in this 'game'?

Well... checking cPanel's forums shows a significant surge in SPAM issues with their boxes as well.

Here is a link to a solution someone came up with.
Has anyone attempted to try some of those:

Exim+Exiscan+Clamav+RBL+Spamassassin+SARE+Razor+DCC

http://www.rvskin.com/index.php?page=public/antispam

Nice info...gonna investigate further. BTW, where in NY are you? I am on Long Island...

/Edit: added some of these changes with modifications to work with Jeff's file and will post results to him for inclusion in the next release.

nobaloney
02-14-2007, 02:17 PM
We have found some real problems with xemaps' Forged Mail Checks.

It turns out that if someone with a (for example) aol return address sends mail to an account NOT on an aol server, and then that server forwards the mail to you, the mail isn't going to get to you, and probably isn't going to be sent back to the sender either.

I'm open to discussion on the SpamBlocker forum for SpamBlocker3, but will probably have to drop these checks from the final release of SpamBlocker3.

Jeff


You can try and adapt it.
This works for me.
Copy that before the following line to avoid the load of the DNS check:

require verify = sender

################
# FORGED MAIL CHECKS#
################

#host name based !