empty mails, empty headers



Duboux
05-08-2011, 11:09 PM
Hi Jeff,

What can we do against those (most probably) spam email harvesters / checkers that send out empty emails with empty headers?


Return-path: <>
Envelope-to: my_email@bar.com
Delivery-date: Mon, 09 May 2011 06:25:50 +0200
Received: from [89.33.85.26] (helo=vizlaptop1.pro.protv.ro)
    by my.server.com with smtp (Exim 4.75)
    id 1QJI2Y-0007r4-BN
    for my_email@bar.com; Mon, 09 May 2011 06:25:50 +0200
Received: (qmail 8620 by uid 620); Mon, 9 May 2011 07:34:54 -0200
From: "" <>
To: <my_email@bar.com>
Subject:
Date: Mon, 9 May 2011 06:41:40 -0200
Message-ID: <000801c5a896$d5d4a1d0$817de570$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0007_01C5A896.D5D4A1D0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcjhBm5DvtrroJXrkDQFu5EiYxBgzw==
Content-Language: en-us
X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner



I'd very much like to block them.
And preferably in a way that makes them think our email addresses don't exist. :)

chronic
05-09-2011, 07:40 AM
I have also had the same problem for a few days; can anyone help, please?

silentx
05-09-2011, 08:05 AM
I have also been receiving a lot of 'empty' emails for a week now.

scsi
05-09-2011, 10:40 AM
I have had the same problem... over the past week I have been getting blasted with emails from an empty sender.

czotos
05-09-2011, 11:33 AM
Me too, same problem!! :(

Dennis
05-09-2011, 12:18 PM
Same problem here, but not with all customers.


Return-path: <>
Envelope-to: email@domain.nl
Delivery-date: Mon, 09 May 2011 18:50:11 +0200
Received: from 89-105-235-94.static.vega-ua.net ([89.105.235.94] helo=pc3)
    by server.domain.nl with smtp (Exim 4.75)
    id 1QJTet-0007m5-87
    for email@domain.nl; Mon, 09 May 2011 18:50:11 +0200
Received: (qmail 4607 by uid 607); Mon, 9 May 2011 19:49:01 -0200
From: "" <>
To: <email@domain.nl>
Subject:
Date: Mon, 9 May 2011 19:29:12 -0200
Message-ID: <002c01cc0e82$51cf01c0$f56d0540$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_002B_01CC0E82.51CF01C0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcjsZayg29vxvNOPOOHNJlRTv4NZlA==
Content-Language: en-us
X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner | X-Antivirus-Scanner: Lijkt ongevaarlijk. Gebruik toch nog een eigen virusscanner voor dit bericht.
X-EsetId: F14B54215D4C3C32A10B

(email and server name are changed)

Because the first post was from Romania and this one is from Ukraine... are there bad servers in eastern European countries? And they are not placed on the spamlists yet?

Still the "From"-address should be filled in and not blank, is there a config part we missed?

- Edit -

It is Exim doing... or rather NOT doing a check: 45.5 Header verification (http://www.exim.org/exim-html-3.20/doc/html/spec_45.html#SEC807)

sebatwork
05-09-2011, 12:22 PM
Funny! I also have the same problem.

All emails come from different IPs.

sky
05-10-2011, 06:13 AM
Dennis => have you changed the settings, is it working?
Thx for any feedback :)

Dennis
05-10-2011, 06:30 AM
Hi sky,

I was hoping Jeff would post a message :rolleyes:. I did not have enough time yet to look into it myself.
Also I do not know if the spamblocker config is set up to do this already... and if we have missed a configuration or something.

Found some info tho:

http://www.mail-archive.com/exim-users@exim.org/msg28733.html

sky
05-10-2011, 06:38 AM
Thx for the reply, I see the problem.
Well, I only have fewer than 50 a day, so I'm not sure I want to block "possibly" correct emails for that.
After tweaking spamd for my email account, I don't even get any more now, but it would be nice to block them with exim :)

Dennis
05-10-2011, 06:54 AM
Still searching and found the reason in another thread: http://www.directadmin.com/forum/showthread.php?t=37704


That said, the latest version of my SpamBlocker-powered exim.conf file doesn't accept messages from blank senders unless the recipient address is located on your server.

Still the rule is to accept the message. And if the IP is not on a spamlist, the message will be delivered. Hard problem to tackle in this case...

sky
05-10-2011, 07:09 AM
So, if the server receives an email for a "local email", it accepts an empty sender?

About the IP blacklisting: last week, the sender IP was whitelisted in list.dnswl.org...

Edit: after checking that IP, it was ebay.com, I suppose it's fake.

Dennis
05-10-2011, 07:17 AM
Yes, but was the "Envelope-to:" a valid emailbox on your server?
(And if the IP is on a whitelist then the email is delivered)

YMTan
05-10-2011, 10:00 AM
I noticed that many of the empty emails are generated by an email to the domain with a few CC. In the header, it looks like this:

From: "" <>
To: <shami@abc.com>,
    <sohri@abc.com>,
    <nasir@abc.com>

Inspired by the exim4 configuration at http://marc.merlins.org/linux/exim/exim4-conf/exim4.conf, I added

# Null Sender with more than one recipient is not allowed
deny message = Only one recipient accepted for NULL sender
     senders = :
     condition = ${if >{$rcpt_count}{1} {1}}

before

# Remaining Mailer-Daemon messages must be for us
accept senders = :
       domains = +relay_domains

It does help to reject those empty junk messages with this pattern.

nobaloney
05-10-2011, 11:09 AM
Spammers continue to figure out how to spam us. Pretending to be a mailer-daemon is one way. Why would these messages be blank? One guess would be to see if an email address exists. I don't know, though.

I think adding the code for null-senders sending to more than one recipient is a good idea, and I will add it the next time I work on my SpamBlocker powered exim.conf file for DirectAdmin; possibly today.

If someone figures out a way to check body length, and tests it, I can add that also.

Otherwise my file will continue to accept email from null-senders addressed to valid users as it's the only way to get notified of a bounce.

Jeff

Dennis
05-10-2011, 11:49 AM
After a closer look at the emails my customer gave me I found out that the emails with the blank headers are not blocked by the spamblocker. I got 3 emails with the mark ****SPAM**** from his spamassassin configuration and it reads the lines:


[200.93.133.10 listed in zen.spamhaus.org]
[178.37.94.211 listed in dnsbl.sorbs.net]
[90.188.97.190 listed in dnsbl.sorbs.net]

I searched a few more and found more IPs listed, but when they send a blank "From" header the email is accepted.

Does the exim config first need to test the IP before it gets to the headers? Or is that not possible?

(Tested the IPs on this site: MX Toolbox Blacklists test (http://www.mxtoolbox.com/blacklists.aspx))

nobaloney
05-10-2011, 11:59 AM
Is your spamblocker configuration set up to use either of those two blocklists?

Jeff

Dennis
05-10-2011, 12:07 PM
Hi Jeff,

It's pretty standard there:


#EDIT#41:
deny message = Email blocked by $dnslist_domain | E-mail geblokkeerd door $dnslist_domain
     hosts = !+relay_hosts
     domains = +use_rbl_domains
     domains = !+skip_rbl_domains
     !authenticated = *
     dnslists = \
       cbl.abuseat.org : \
       dnsbl.njabl.org : \
       bl.spamcop.net : \
       dnsbl.ahbl.org : \
       combined.rbl.msrbl.net : \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       hostkarma.junkemailfilter.com=127.0.0.2

#EDIT#42:
deny message = Email blocked by $dnslist_domain | E-mail geblokkeerd door $dnslist_domain
     hosts = !+relay_hosts
     domains = +use_rbl_domains
     domains = !+skip_rbl_domains
     !authenticated = *
     dnslists = \
       rhsbl.ahbl.org/$sender_address_domain


I see zen.spamhaus.org but the other one is not there :o... sorry

- Edit -
But it is still after the:


#EDIT#38:
require verify = sender

So is my theory still valid? :)

- Edit 2 -
I want to find the solution so much that I do not read enough in your readme file... this only has to do with the domain, if it exists.

nobaloney
05-10-2011, 12:14 PM
I see zen.spamhaus.org but the other one is not there :o... sorry
You can add sorbs blocklists if you want to, after doing some research on them, but I don't recommend or support them.

But it is still after the:


#EDIT#38:
require verify = sender

So is my theory still valid? :)
What theory? Null senders are accepted before require verify = sender is tested.

Jeff

nobaloney
05-10-2011, 12:16 PM
I'm working on a new policy to limit versions of SpamBlocker to no more than one per month, unless there's some sort of emergency issue which needs to be addressed. So it probably won't be until the end of this month at the earliest before I create a new revision.

Jeff

Duboux
05-10-2011, 01:33 PM
I understand we can't reject on null senders, since bounced emails that were sent by your clients will also have a null sender. So if your client sends an email to a wrong address, he/she would never receive the error message.

So we should probably only reject the combination:
null sender + too short message contents

Although I doubt those bounce messages have <> as sender, as I think they have no headers at all... not even those <>

nieuwhier
05-10-2011, 11:55 PM
Does the exim config first need to test the IP before it gets to the headers?
Exactly my thoughts. Why accept a mail if it is listed at zen.spamhaus.org? If it is listed there I do not want to accept anything from that IP. That normally works, but not in this case?

Could you perhaps say something about this, Jeff?

Dennis
05-11-2011, 12:10 AM
Hi,

I found some info on another site:

http://skullboxx.net/kb/node/499

Can anyone test and verify this? (Have no testserver anymore :o)

And maybe a way to check if the message is empty:



# Enforce a message-size limit
#
deny
  message = Message size $message_size is larger than limit of MESSAGE_SIZE_LIMIT
  condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{true}{false}}

# Deny unless the address list header is syntactically correct.
#
deny
  message = Your message does not conform to RFC2822 standard
  log_message = message header fail syntax check
  !verify = header_syntax

# Warn unless there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
#
warn
  message = X-Sender-Verify-Failed: No valid sender in message header
  log_message = No valid sender in message header
  !verify = header_sender


Source: http://skullboxx.net/kb/node/503

Also another customer came up with this:



1.5 FROM_NO_USER Van: heeft geen lokaal deel voor het @-tje
2.7 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
1.0 BAYES_60 BODY: Bayesiaanse kans op spam is 60 tot 80% [score: 0.6830]
2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: verzender is een misbruikbare webserver
    [196.40.10.142 listed in dnsbl.sorbs.net]
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Recieved via a relay found in bl.spamcop.net
    [Blocked - see <http://www.spamcop.net/bl.shtml?196.40.10.142>]
3.0 RCVD_IN_XBL RBL: Recieved via a relay found in Spamhaus XBL
    [196.40.10.142 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
1.8 MISSING_SUBJECT Missing Subject: header
1.4 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text


SpamCop is one of the standard lists, so why is it not rejected? (Sorry for the Dutch.)

AndriesLouw
05-11-2011, 12:29 AM
I have the same problem here since a few days, getting 5 empty-message, empty-header e-mails/day/account.

Jeff, any ETA on a fix for this? Quickfix is fine too.

nieuwhier
05-11-2011, 01:11 AM
I am not an exim.conf professional, but I try :-)

One example is this one:
2011-05-10 14:45:25 1QJmJX-0007WD-0H <= <> H=(ff27480a42304c7) [188.114.14.249] P=smtp S=1042 id=001c01cc0bd4$3d16f9f0$b744edd0$@com T="" from <> for customer@example.com

This mail comes through.

A few things are wrong in this log.

The Hostname is invalid.
When I look at the spamblocker config I see check #EDIT#27:
Perhaps put that check a few lines higher, before '# Remaining Mailer-Daemon messages must be for us' ?

The IP is on a blacklist.
The blacklist check is #EDIT#41, but the message is already accepted before that as a mailer-daemon message? Would the trick be to do an extra blacklist check if we think it is a mailer-daemon message?

Dennis
05-11-2011, 03:08 AM
# Remaining Mailer-Daemon messages must be for us
accept senders = :
       domains = +relay_domains


Or can this part be placed after the spamlist checks?

nieuwhier
05-11-2011, 06:19 AM
# Remaining Mailer-Daemon messages must be for us
accept senders = :
       domains = +relay_domains
Or can this part be placed after the spamlist checks?
I am testing this on one server for a few hours now. Looks good so far.

Duboux
05-11-2011, 07:08 AM
I am testing this on one server for a few hours now. Looks good so far.
Did you send out a mail to a non-existing address, and receive the error mail back?

nieuwhier
05-11-2011, 07:17 AM
Did you send out a mail to a non-existing address, and receive the error mail back?
Yes, was the first thing I tested and that still works. So far so good.

Dennis
05-11-2011, 07:57 AM
I think it works: put the code after #EDIT42 and comment it out above.

Got in log:

2011-05-11 16:42:55 H=(head) [95.143.208.12] F=<> rejected RCPT <email@domain.nl>: Email blocked by cbl.abuseat.org | E-mail geblokkeerd door cbl.abuseat.org

And I still get all the messages if those are undeliverable....
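As an added example (not from this thread or from the SpamBlocker exim.conf), a Python script that pulls the two kinds of mainlog lines quoted in this thread (the `<= <>` arrival that slipped through and the later `rejected RCPT` by a DNSBL) out of an Exim log, so a server's log can be checked before and after moving the Mailer-Daemon accept. The sample lines are constructed after the thread's excerpts; treating an empty Subject on a null-sender message as the probe signature is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two Exim mainlog excerpts quoted in
# this thread, plus an ordinary message and a genuine bounce for contrast.
SAMPLE_LOG = """\
2011-05-10 14:45:25 1QJmJX-0007WD-0H <= <> H=(ff27480a42304c7) [188.114.14.249] P=smtp S=1042 id=001c01cc0bd4$3d16f9f0$b744edd0$@com T="" from <> for customer@example.com
2011-05-10 15:02:11 1QJmZf-0001Ab-Cd <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2310 id=abc@example.org T="Invoice" from <alice@example.org> for customer@example.com
2011-05-10 15:10:00 1QJmhK-0002Xy-Ef <= <> H=mx.example.net [192.0.2.20] P=esmtp S=3802 id=bounce@example.net T="Undelivered Mail Returned to Sender" from <> for customer@example.com
2011-05-11 16:42:55 H=(head) [95.143.208.12] F=<> rejected RCPT <email@domain.nl>: Email blocked by cbl.abuseat.org | E-mail geblokkeerd door cbl.abuseat.org
"""

# "<=" arrival lines: envelope sender, H=host [ip], S=size and T="subject".
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) '
    r'H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] .*?S=(?P<size>\d+) .*?T="(?P<subject>[^"]*)"'
)
# ACL rejections at RCPT time: F=<sender> carries the envelope sender.
REJECT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] F=(?P<sender>\S+) '
    r'rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$'
)


def analyse(log_text):
    """Split null-sender traffic into the empty-probe pattern from this thread,
    other accepted null-sender mail (real bounces) and null-sender rejections."""
    report = {"suspect_empty": [], "accepted_null_other": [],
              "null_rejected": [], "per_ip": Counter()}
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            # Exim logs H=(helo) [ip] when the peer has no reverse DNS name.
            rec["no_rdns"] = rec["host"].startswith("(")
            if rec["sender"] != "<>":
                continue
            # Assumption: an empty Subject on a null-sender message is the
            # probe signature; a genuine DSN carries a subject and a body.
            if rec["subject"] == "":
                report["suspect_empty"].append(rec)
                report["per_ip"][rec["ip"]] += 1
            else:
                report["accepted_null_other"].append(rec)
            continue
        m = REJECT_RE.match(line)
        if m and m.group("sender") == "<>":
            report["null_rejected"].append(m.groupdict())
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for rec in r["suspect_empty"]:
        print(f"ACCEPTED empty null-sender mail from [{rec['ip']}] "
              f"S={rec['size']} no_rdns={rec['no_rdns']}")
    for rec in r["null_rejected"]:
        print(f"REJECTED null-sender mail from [{rec['ip']}]: {rec['reason']}")
```

Run it against /var/log/exim/mainlog: after the accept is moved behind the dnslists checks, the suspect_empty list should empty out while accepted_null_other (real bounces) keeps flowing.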

nobaloney
05-11-2011, 12:59 PM
Exactly my thoughts. Why accept a mail if it is listed at zen.spamhaus.org? If it is listed there I do not want to accept anything from that IP. That normally works, but not in this case?
If you've got zen.spamhaus enabled in your copy of exim.conf, mail from IP#s listed therein will be blocked. While we still include zen.spamhaus.org in the latest version of our Spamblocker Powered exim.conf file, we recommend in our ReadMe that you make sure you meet their requirements for use, as it's not always free.

Jeff

nobaloney
05-11-2011, 01:12 PM
http://skullboxx.net/kb/node/499
Looks interesting; may make it into a future version. Anyone want to test it first?
And maybe a way to check if the message is empty:



# Enforce a message-size limit
#
deny
  message = Message size $message_size is larger than limit of MESSAGE_SIZE_LIMIT
  condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{true}{false}}
The above doesn't check for an empty message, but only for a message overlimit.


# Deny unless the address list header is syntactically correct.
#
deny
  message = Your message does not conform to RFC2822 standard
  log_message = message header fail syntax check
  !verify = header_syntax
The problem with the above is that it will refuse certain emails from Microsoft clients. You can add it and test it if you wish.


# Warn unless there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
#
warn
  message = X-Sender-Verify-Failed: No valid sender in message header
  log_message = No valid sender in message header
  !verify = header_sender
That's only going to put a message into the log; it's not going to do anything with the email. If you want to do that, go ahead, but it seems a bit counterproductive to just fill the log files with more stuff we're not sure what to do with. If you're suggesting we run warn for a while to see what it does, then do it for us, and post further later.

Source: http://skullboxx.net/kb/node/503
Also another customer came up with this:



1.5 FROM_NO_USER Van: heeft geen lokaal deel voor het @-tje
2.7 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
1.0 BAYES_60 BODY: Bayesiaanse kans op spam is 60 tot 80% [score: 0.6830]
2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: verzender is een misbruikbare webserver
    [196.40.10.142 listed in dnsbl.sorbs.net]
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Recieved via a relay found in bl.spamcop.net
    [Blocked - see <http://www.spamcop.net/bl.shtml?196.40.10.142>]
3.0 RCVD_IN_XBL RBL: Recieved via a relay found in Spamhaus XBL
    [196.40.10.142 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
1.8 MISSING_SUBJECT Missing Subject: header
1.4 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text


SpamCop is one of the standard lists, so why is it not rejected? (Sorry for the Dutch.)
My best guess is that we only block based on the server we're getting the mail from; SpamAssassin is catching it based on an earlier server sending it to the server that sent it to you.

Jeff

nobaloney
05-11-2011, 01:13 PM
I have the same problem here since a few days, getting 5 empty-message, empty-header e-mails/day/account.

Jeff, any ETA on a fix for this? Quickfix is fine too.
I don't do quick fixes; they tend to bite back when I make the inevitable mistake. You can try something yourself, and then let us know how it works.

Jeff

nobaloney
05-11-2011, 01:18 PM
The Hostname is invalid.
When I look at the spamblocker config I see check #EDIT#27:
Perhaps put that check a few lines higher, before '# Remaining Mailer-Daemon messages must be for us' ?
I suppose you don't need to accept messages that appear to be from Mailer-Daemons if you're sure they're not.

The IP is on a blacklist.
The blacklist check is #EDIT#41, but the message is already accepted before that as a mailer-daemon message? Would the trick be to do an extra blacklist check if we think it is a mailer-daemon message?
I think we should still accept Mailer-Daemon messages if they may be legit. See my next reply.

Jeff

nobaloney
05-11-2011, 01:20 PM
# Remaining Mailer-Daemon messages must be for us
accept senders = :
       domains = +relay_domains


Or can this part be placed after the spamlist checks?
Perhaps I should rethink the entire set of checks; perhaps we should check for a few more problems before accepting remaining Mailer-Daemon messages.

Input requested on this.

Jeff

scsi
05-11-2011, 01:26 PM
I just hope someone can come up with something that works soon. I get at least 7 returns an hour and now my customers are starting to complain as well.

Dennis
05-11-2011, 01:38 PM
@scsi: I have implemented the code after #EDIT42 and the empty emails are no more. They are blocked now by the right spamlists. So I think we have a workaround. Still, as Jeff says, maybe it is good to take a look at the check sequence.

@Jeff: going to take a look at the checks and coming back with my vision soon.
Thanks for the answers on my post earlier.

nobaloney
05-11-2011, 01:44 PM
@scsi: I have implemented the code after #EDIT42 and the empty emails are no more. They are blocked now by the right spamlists. So I think we have a workaround. Still, as Jeff says, maybe it is good to take a look at the check sequence.
Exactly what code did you put after #EDIT#42? Which code from which post above?

@Jeff: going to take a look at the checks and coming back with my vision soon.
Thanks for the answers on my post earlier.
I really appreciate your help and look forward to your vision. I've been working on this for a long time and I can certainly use the help.

Jeff

Dennis
05-11-2011, 01:55 PM
I have commented out the code:



# Remaining Mailer-Daemon messages must be for us
accept senders = :
       domains = +relay_domains


at #EDIT26 and placed it after the spamlists check #EDIT42, before the verification of the recipient.

So it is the last check in the line before acceptance of the email. If the communication, ClamAV and local / external whitelists / blacklists are ok, then it is going to check if it is a "Remaining Mailer-Daemon message".

nieuwhier
05-11-2011, 11:32 PM
I did exactly the same as Dennis did, moving the code for Mailer-Daemon messages. It has been active now on 2 servers and there are no more empty mails.

In my opinion we do not need to accept mailer-daemon messages if they are on a blacklist or if the mail server has a wrong HELO name. I think that is what we are talking about?

Thrillseekah
05-12-2011, 04:56 AM
Is it possible to add this workaround in a normal exim.conf?

scsi
05-12-2011, 07:15 AM
This fix definitely works.

scsi
05-12-2011, 07:16 AM
Is it possible to add this workaround in a normal exim.conf?

What do you mean by "normal"? If you are not using directadmin then you are on the wrong site.

Thrillseekah
05-12-2011, 07:24 AM
We are using DA, I just can't find the #edit46 lines in my conf.

scsi
05-12-2011, 08:06 AM
You might have a different exim.conf

Most of us are using:

http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker4.1/