Full Version: Exim RBL or DNSBL HowTo... INCLUDES: RBL Bypass, RBL Whitelist, eMail Blacklist
The Planet Forums > Control Panels > cPanel/WHM > Cpanel/WHM HOWTOs
eMtnMan
This is my micro-howto for how I set up RBL using the Exim Configuration Editor...

With many thanks to cPanel.Net Forum's:
Richard (Noldar), for his invaluable suggestions...
"jcsolutions" for router section blacklist in "Server Setup Tips" thread...
and "Cyberspirit" for his thread "rejecting mail instead of failing it"


SUGGESTIONS? Please email me and I will edit this howto to reflect your suggestions...

UPDATES:
Added Postmaster and Abuse bypass to ACL Section (thanks Noldar)
Normalized file names to start with RBL
02/13/04 UPDATE:
Added local hosts bypass to RBL List section - fixes 503 rcpt errors (thanks Noldar)
Added Reject Email to Invalid Recipient (thanks Cyberspirit)

TESTED WITH VERSIONS
-------------------------------------------
WHM 8.5.1 cPanel 8.5.3-S3 Exim 4.24
WHM 8.8.0 cPanel 8.8.0-S74
RedHat 7.3 - WHM X v2.1.1 / WHM X v2.1.2
-------------------------------------------

----------------------
Creating lsearch files
*****************

Create three text files in the /etc directory:
/etc/rblblacklist
/etc/rblbypass
/etc/rblwhitelist


SAMPLE DATA
/etc/rblblacklist is a manual blacklist; it rejects specific spammer hosts BEFORE they can send more email to your server:
domain1.com
domain2.com
domain3.com


/etc/rblbypass bypasses RBL email testing for specific destination (local) domains that don't want RBL filtering or prefer SpamAssassin tagging:
domain1.com
domain2.com
domain3.com


/etc/rblwhitelist blocks RBL email testing for listed incoming hosts (wildcards allowed), in case an important client's mailserver is listed on an RBL you use; it also automatically excludes relayhosts:
mail.domain1.com
*.domain2.com
*.domain3.com



-------------------------------
EXIM CONFIGURATION EDITOR
-------------------------------


If you use the WHM-based Exim Configuration Editor, all of your modifications will be reproduced after each update. If you edit exim.conf directly, cPanel updates MAY overwrite your changes! Because of this, the following changes should be entered using the Exim Configuration Editor.

------------------------
Setting up lsearch files
*******************

At the top of the editor, in the window below:
#!!# cPanel Exim 4 Config

Enter these lines:
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist


----------------------------
RBL entries in ACL Section
*********************

RBL selection depends on many factors; be sure to edit the list below to reflect your priorities... The postmaster and abuse bypass allows blocked users to contact the admin.

In the center window of the ACL section, directly below the line:
accept hosts = :

Enter these lines:
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept  domains = +local_domains
        local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny    message = Message rejected because $sender_fullhost \
                  is blacklisted at $dnslist_domain see $dnslist_text
        !hosts = +relay_hosts
        !authenticated = *
        dnslists = dnsbl.njabl.org : \
                   bl.spamcop.net : \
                   sbl.spamhaus.org : \
                   list.dsbl.org : \
                   cbl.abuseat.org : \
                   relays.ordb.org
        # RBL Bypass Local Domain List
        !domains = +rbl_bypass
        # RBL Whitelist incoming hosts
        !hosts = +rbl_whitelist
#**#
#**# RBL List End
#**#


Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains
Enter these lines:
#**#
#**# Reject Email to Invalid Recipient
#**#
        endpass
        message = unknown user
        verify = recipient
#**#



--------------------------------
RBL entries in ROUTERS Section
**************************

In the ROUTERS section window, directly below the line:
# in the "local_domains" setting above.

Enter these lines:
# Deny and send notice to list of rejected domains.
reject_domains:
  driver = redirect
  # RBL Blacklist incoming hosts
  domains = +rbl_blacklist
  allow_fail
  data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.



-----------------------------
RBL Testing and Verification
***********************

Once your file changes are in place, be sure to keep an eye out for errors... missing files and other errors will be listed here:
tail -50 /var/log/exim_paniclog

You can view your spam filtering by reviewing the reject log:
tail -50 /var/log/exim_rejectlog

If your RBL tests include sbl.spamhaus.org, you can test the blacklist and whitelist functions by sending an email, USING THE MAILSERVER YOU WISH TESTED, to:
nelson-sbl-test@crynwr.com

It will attempt to send an email from mailserver sbl.crynwr.com, which is blacklisted in sbl.spamhaus.org

If the blacklist works, you'll get an email that looks something like this:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:23:23 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:
550-Message rejected because sbl.crynwr.com [192.203.178.107] is blacklisted at
550 sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBLTEST
Terminating conversation


If the RBL block fails, you'll receive TWO emails:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:19:44 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: nelson-SBL-test@crynwr.com
To: eMtnMan@yourdomain.com
Date: Thu, 16 Oct 2003 15:19:46 -0000
Message-Id: <1066317586@sbl.crynwr.com>

Test message
.
250 OK id=1AA9uj-0005xq-2l
quit
Successful termination. As far as I can tell, the email was delivered.
That might not be what you want.

Subj: (BLANK)
Uh-oh, your SBL block is not working!



----------------
RBL Log Counts
*************

I use this script to count the log hits for various RBLs; you should change it to reflect your RBLs and error syntax. Mine relies on the unique word "blacklisted" in every RBL bounce entry.

Assuming the script is called spam, after you:
chmod 755 spam
... it can be executed with: ./spam

SAMPLE SCRIPT:
#!/bin/sh
# Pull every RBL or manual-blacklist rejection out of the main log once,
# then count per list from that scratch file. Options are given before
# the file operands so the script also runs on non-GNU grep.
grep -i "blacklisted" /var/log/exim_mainlog > kilme
tail -100 kilme
tail /var/log/exim_paniclog
printf "\n"
printf "Spam Count = "
grep -ci "blacklisted" kilme
printf "njabl.org = "
grep -c "njabl.org" kilme
printf "spamcop = "
grep -c "bl.spamcop" kilme
printf "spamhaus = "
grep -c "sbl.spamhaus" kilme
printf "dsbl.org = "
grep -c "dsbl" kilme
printf "abuseat = "
grep -c "abuseat.org" kilme
printf "ordb.org = "
grep -c "ordb" kilme
printf "Manual = "
grep -c "manual" kilme
printf "verify fail= "
grep -c "verify fail" /var/log/exim_mainlog
printf "No Relay = "
grep -c "not permitted" /var/log/exim_mainlog
printf "\n"
printf "All Spam: \n"
# Rotated logs are gzipped; zgrep reads both plain and .gz files.
zgrep -ci "blacklisted" /var/log/exim_mainlog*
printf "\n"


HOPE THIS HELPS!
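The same tally computed by parsing the main log once instead of grepping it several times, as an added example that is not the script from the post. The log lines are constructed from the reject-message format the ACL above emits; the "is manually blacklisted" and "not permitted" lines are constructed stand-ins for the router :fail: text and the cPanel relay denial, and all hosts and addresses are made up.

```python
"""Tally RBL rejections from Exim main-log lines (added example)."""
import re
import sys
from collections import Counter

# The ACL in this thread logs a rejection as
#   "... H=<name or (helo)> [<ip>] ... is blacklisted at <dnslist> see <text>"
RBL_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] .*?"
    r"is blacklisted at (?P<rbl>[\w.-]+)"
)
# The other strings the thread's spam script counts with grep.
MANUAL_RE = re.compile(r"is manually blacklisted")
VERIFY_FAIL_RE = re.compile(r"verify fail")
NO_RELAY_RE = re.compile(r"not permitted")

# Constructed sample log (not real traffic): two njabl hits from different
# hosts, one spamcop hit, one line without a rejection, a sender-verify
# failure, a relay refusal and a manual-blacklist :fail: from reject_domains.
SAMPLE_LOG = """\
2004-09-22 15:47:10 H=200-161-1-158.dsl.telesp.net.br [200.161.1.158] F=<> rejected RCPT <user@example.com>: Message rejected because 200-161-1-158.dsl.telesp.net.br [200.161.1.158] is blacklisted at dnsbl.njabl.org see open proxy -- 1094923203
2004-09-22 15:47:16 no host name found for IP address 218.18.19.138
2004-09-22 15:47:16 H=(67.19.235.100) [218.18.19.138] F=<> rejected RCPT <user@example.com>: Message rejected because (67.19.235.100) [218.18.19.138] is blacklisted at dnsbl.njabl.org see open proxy -- 1095880966
2004-09-22 15:48:02 H=mx2.heartbeatfade.com (heartbeatfade.com) [66.63.165.7] F=<spam@example.net> rejected RCPT <user@example.com>: Message rejected because mx2.heartbeatfade.com (heartbeatfade.com) [66.63.165.7] is blacklisted at bl.spamcop.net see Blocked - see http://www.spamcop.net/bl.shtml?66.63.165.7
2004-09-22 15:49:30 H=(friend) [203.0.113.9] F=<nobody@example.org> rejected RCPT <user@example.com>: Sender verify failed
2004-09-22 15:50:11 H=(pc) [198.51.100.4] F=<joe@example.com> rejected RCPT <someone@elsewhere.test>: (pc) [198.51.100.4] is currently not permitted to relay through this server.
2004-09-22 15:51:00 H=(spammer) [203.0.113.9] F=<x@domain1.com> rejected RCPT <user@example.com>: Connection rejected: SPAM source domain1.com is manually blacklisted.
"""


def tally(lines):
    """Return per-RBL hit counts, distinct sender IPs per RBL, and the
    other counters the thread's script prints."""
    stats = {
        "rbl_hits": Counter(),   # dnslist domain -> rejections
        "rbl_ips": {},           # dnslist domain -> set of sender IPs
        "manual": 0,
        "verify_fail": 0,
        "no_relay": 0,
    }
    for raw in lines:
        line = raw.rstrip("\r\n")  # tolerate CRLF-pasted or copied logs
        m = RBL_RE.search(line)
        if m:
            rbl = m.group("rbl").lower()
            stats["rbl_hits"][rbl] += 1
            stats["rbl_ips"].setdefault(rbl, set()).add(m.group("ip"))
        elif MANUAL_RE.search(line):
            stats["manual"] += 1
        elif VERIFY_FAIL_RE.search(line):
            stats["verify_fail"] += 1
        elif NO_RELAY_RE.search(line):
            stats["no_relay"] += 1
    return stats


def spam_count(stats):
    """The script's 'Spam Count': every 'blacklisted' line, RBL and manual alike."""
    return sum(stats["rbl_hits"].values()) + stats["manual"]


def format_report(stats):
    """Render the same report lines the shell script prints, plus distinct IPs."""
    out = [f"Spam Count = {spam_count(stats)}"]
    for rbl, hits in sorted(stats["rbl_hits"].items()):
        out.append(f"{rbl} = {hits} ({len(stats['rbl_ips'][rbl])} distinct IPs)")
    out.append(f"Manual = {stats['manual']}")
    out.append(f"verify fail = {stats['verify_fail']}")
    out.append(f"No Relay = {stats['no_relay']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pass log files as arguments (e.g. /var/log/exim_mainlog); with none,
    # the constructed sample above is used.
    if len(sys.argv) > 1:
        lines = []
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                lines.extend(fh)
    else:
        lines = SAMPLE_LOG.splitlines(True)
    print(format_report(tally(lines)))
```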
Got-Hosting
Very impressive!
dynaweb
Very well instructed eMtnMan!

One problem though in testing for me. I did not make anything different from how you posted. I sent the email to nelson-sbl-test@crynwr.com and got the 2 returns which means the autoreply or whatever made it through. Upon researching further, I noticed that the domain crynwr.com is associated to IP 192.203.178.8 which is not listed at http://spamhaus.org/sbl/index.lasso Do you think that is the problem or is there something I am missing? Is there another way to test?

I also noticed that EV1.NET was listed at http://spamhaus.org/sbl/isp.lasso :(

Thanks again for the great how-to !

Danno

=========================
Affordable Web Hosting Done Right
HostNed - http://www.hostned.com
eMtnMan
QUOTE
dynaweb wrote...  One problem though in testing for me.  I did not make anything different from how you posted.  I sent the email to nelson-sbl-test@crynwr.com and got the 2 returns which means the autoreply or whatever made it through.  Upon researching further, I noticed that the domain crynwr.com is associated to IP 192.203.178.8 which is not listed at http://spamhaus.org/sbl/index.lasso  Do you think that is the problem or is there something I am missing?  Is there another way to test?
Make sure you're sending through the blocked mailserver... if so, your dnsbl isn't working or perhaps the list had a glitch... The test email comes FROM sbl.crynwr.com [192.203.178.107], as that is the name of the blocked test server, NOT crynwr.com [192.203.178.8]... The test results come from ns1.crynwr.com [192.203.178.14] See:
http://www.abuse.net/sbl.phtml?IP=192.203.178.107 ...


Ref: SBLTEST
192.203.178.107/32 is listed on the Spamhaus Block List (SBL)
22-Oct-2003 00:00 GMT
SBL TEST ADDRESS - sbl.crynwr.com
sbl.crynwr.com (192.203.178.107) is the SBL testing address. This service is provided to Spamhaus courtesy of Russell Nelson at crynwr.com
192.203.178.107 IS NOT A SPAM IP. Don't be a silly bean and block any other addresses in the 192.203.178 subnet, otherwise you will not be able to receive the test results.


QUOTE
I also noticed that EV1.NET was listed at http://spamhaus.org/sbl/isp.lasso   :(
Note how recent the entries are... all in October... With over 19,000 servers and a half-million domains, it isn't surprising that a few Spammers would slip through. They are pretty quick to act against them, once they know!

QUOTE
Thanks again for the great how-to!  Danno
Glad I could help! Good Luck...
coralbridge
Outstanding, thank you.

Do you know, please, if this can be tweaked to bounce emails with a blank subject?

Regards
famehost
Fantastic addition, works like a charm.

Where is the best place to put the spam script? Would it be fine to add a cron job to run the spam script when specified and output the information to the admin email address on the server?

Seems I would have to chmod exim_mainlog and exim_paniclog to 644 so the cron job script can tail and grep the files - is that OK to do, and is there another cron job someone can advise that automatically checks the permissions and changes them back to 644, for example if an update occurs on the server for exim....

TIA

Mike
adstreamer
Has anyone tested that fantastic how-to on a RH Enterprise with WHM X v2.1.2 with cPanel 9.1.0 or comparable?

Anything one has to think of in this context?

Any help / suggestion would be highly appreciated.

TIA

Karen
carpman
How does this work with this thread:

http://forum.rackshack.net/showthread.php?...light=exim+spam


cheers
carpman
QUOTE
Originally posted by famehost
Fantastic addition, works like a charm.

Where is the best place to put the spam script? Would it be fine to add a cron job to run the spam script when specified and output the information to the admin email address on the server?

Seems would have to chmod exim_mainlog and exim_paniclog to 644 so cron job script can tail and grep the files - is that ok to do and is there another cron job someone can advise that automatically checks the permissions and changes them back to 644 for example if an update occurs on the server for exim....

TIA

Mike


Did you get a solution to this?
silversurfer
Is there any way to make sure that the RBL only applies to incoming and not outgoing?

Obviously our dialup customers are not going to be pleased to be unable to send email.
coralbridge
Hi

I am getting the following error:

2004-08-13 21:40:49 1Bvir2-0000ed-P0 unknown named domain list "+rbl_blacklist"
siteThing
QUOTE
Originally posted by silversurfer
Is there any way to make sure that the RBL only applies to incoming and not outgoing?  

Obviously our dialup customers are not going to be pleased to be unable to send email.

Try adding the following just after your dnslists

# Don't scan outgoing
!hosts = +relay_hosts
coralbridge
I removed the following and everything works fine

Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains
Enter these lines:
#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#
ramprage
I also removed this, otherwise all email was getting rejected:

Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains
Enter these lines:
#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#
ramprage
All I can say is that this is one of the most helpful tutorials to date:


2004-09-22 15:47:10 H=200-161-1-158.dsl.telesp.net.br [200.161.1.158] F= rejected RCPT : Message rejected because 200-161-1-158.dsl.telesp.net.br [200.161.1.158] is blacklisted at dnsbl.njabl.org see open proxy -- 1094923203
2004-09-22 15:47:16 no host name found for IP address 218.18.19.138
2004-09-22 15:47:16 H=(67.19.235.100) [218.18.19.138] F= rejected RCPT : Message rejected because (67.19.235.100) [218.18.19.138] is blacklisted at dnsbl.njabl.org see open proxy -- 1095880966

I just set this up 2 minutes ago and already look at this:

njabl.org = 6
spamcop = 13
spamhaus = 4

OH HAPPY DAYS FOR THE ADMINS
WebandNet
Hi

This is great thanks

One thing that i need help on is the script ./spam

I have used just as posted and get after a very long list of blocked email then this:

mx2.heartbeatfade.com (heartbeatfade.com) [66.63.165.7] is blacklisted at bl.spamcop.net see Blocked - see http://www.spamcop.net/bl.shtml?66.63.165.7
: No such file or directoryg

grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
grep: invalid option --
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.

All Spam:
.gz: No such file or directory
0



Any thoughts?

Thanks
WebandNet
ahfai
Thanks for the detailed description of how to use RBL

But now I am annoyed about the configuration of exim.

Instead of simply rejecting or warning for a suspected spam mail ...

deny message =....
dnslists = ... : ...:...

or,

warn message =....
dnslists = ... : ...:

can I forward the blacklisted domain to a specified email, by using exim?

say,

forward / redirect target = spam@domain
dnslists= ...:...:...

the purpose of doing so is to check whether any message is accidentally identified as a spam email.

I've searched the web, pages over pages, and still cannot find a solution. Could you please shed light on it.

Thanks in advance.
Fai
CreationNation
I knew my server got a lot of spam attempts but...sheesh! Check this out...installed the Exim edits about 40-45 minutes ago:

Spam Count = 1007
njabl.org = 115
spamcop = 731
spamhaus = 4
dsbl.org = 78
abuseat = 79
ordb.org = 0
Manual = 0
verify fail= 2429
No Relay = 351

One day spammers will be tracked, hunted, and make me rich in lawsuit money......s i g h
CreationNation
So it is morning time now (about 14 hours since installing) and here are my latest numbers (does anyone else ride this high on spam counts? I host a lot of band sites so maybe that's why I get a lot of junk...):

Spam Count = 30445
njabl.org = 7141
spamcop = 17854
spamhaus = 1551
dsbl.org = 2087
abuseat = 1806
ordb.org = 8
Manual = 0
verify fail= 2825
No Relay = 442
CreationNation
I'm having one issue since installing these settings and can't figure out why. I have put the offending domain in my rbl_bypass and whitelist and it still comes back. Here's the message:

QUOTE
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

 person@bouncingdomain.com
   SMTP error from remote mailer after RCPT TO::
   host mx4.netwood.net [209.247.184.2]: 554 :
   Client host rejected: ACL mta_clients_dict_ip


I looked up "ACL mta_clients_dict_ip" on google but it didn't really bring up anything to help me (one result!)

I added both mx4. and *.netwood.net as well as bouncingdomain.com and still it's bouncing. Any ideas?
Michael
I had originally used one of the cpanel threads that you credited at the beginning of your post. However, it lacked the ability for easy customizations, so I started from scratch with your instructions and everything looks great so far. Thanks!

Michael
benito
Hi !

Some of my clients' ISPs have several IPs listed in some RBL blacklists and can't SEND emails. Where do I need to put their domains to bypass the RBL?

/etc/rblbypass

or

/etc/rblwhitelist

?
Michael
QUOTE
Originally posted by benito
Hi !

Some of my clients' ISPs have several IPs listed in some RBL blacklists and can't SEND emails. Where do I need to put their domains to bypass the RBL?


/etc/rblwhitelist
graziano
Are these guidelines still valid for cpanel 9.9.x?

Could anyone please copy and paste here the contents of
the 1st, 2nd, 3rd and 4th webform boxes of the WHM ACL exim configuration editor (after the modification described above)?

(or could anyone copy and paste here the full ACL exim.conf lines?)

Thank you!
siteThing
It's still valid. I've had the same config since somewhere in version 8.x.x and now running 9.9.8

My only modification is to include !hosts = +relay_hosts just below !hosts = rbl_whitelist in the third text box like so.

...
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist
# Don't scan outgoing
!hosts = +relay_hosts
...

If you're leery, just cp /etc/exim.conf /etc/exim.conf.bkup, then make the edits and copy it back if it's a no-go.
graziano
Could anyone please verify/compare my exim.conf with yours?

At the start I have

CODE

#!!# cPanel Exim 4 Config

domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

RELAY_WHITELIST=/etc/relayhosts
hostlist whitelisted_hosts = lsearch;RELAY_WHITELIST

on ACL section I have

CODE

#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3      #!!#
#!!# policy control options.                             #!!#
#!!#######################################################!!#

#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl

#!!# ACL that is used after the RCPT command
check_recipient:
 # Exim 3 had no checking on -bs messages, so for compatibility
 # we accept if the source is local SMTP (i.e. not over TCP/IP).
 # We do this by testing for an empty sending host field.
 accept  hosts = :

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny message = Message rejected because $sender_fullhost \
is blacklisted at $dnslist_domain see $dnslist_text
!hosts = +relay_hosts
!authenticated = *

dnslists = bl.spamcop.net : \
#dnsbl.njabl.org : \
sbl-xbl.spamhaus.org : \
bl.spamcop.net : \
list.dsbl.org : \
cbl.abuseat.org : \
relays.ordb.org
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist
#**#
#**# RBL List End
#**#

# Accept bounces to lists even if callbacks or other checks would fail
 warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
               {yes}{no}}

 accept   condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
               {yes}{no}}

 # Accept bounces to lists even if callbacks or other checks would fail
 warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
               {yes}{no}}

 accept   condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
               {yes}{no}}

 #if it gets here it isn't mailman

 #sender verifications are required for all messages that are not sent to lists

 require verify = sender
 accept  domains = +local_domains

#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#

 endpass

 #recipient verifications are required for all messages that are not sent to the local machine
 #this was done at multiple users requests

 message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid."
 verify = recipient

 accept  domains = +relay_domains

 warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
       hosts = +relay_hosts
 accept  hosts = +relay_hosts

 warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
       condition = ${perl{checkrelayhost}{$sender_host_address}}
 accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

 accept  hosts = +auth_relay_hosts
         endpass
         message = $sender_fullhost is currently not permitted to \
                       relay through this server. Perhaps you \
                       have not logged into the pop/imap server in the \
                       last 30 minutes or do not have SMTP Authentication turned on in your email client.
         authenticated = *

 deny    message = $sender_fullhost is currently not permitted to \
                       relay through this server. Perhaps you \
                       have not logged into the pop/imap server in the \
                       last 30 minutes or do not have SMTP Authentication turned on in your email client.

#!!# ACL that is used after the DATA command
check_message:
 require verify = header_sender
 accept

begin authenticators

fixed_plain:
driver = plaintext
public_name = PLAIN
server_condition = "${perl{checkuserpass}{$1}{$2}{$3}}"
server_set_id = $2

fixed_login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${perl{checkuserpass}{$1}{$2}}"
server_set_id = $1

######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

Then I have this on router conf

CODE

######################################################################
#                      ROUTERS CONFIGURATION                         #
#            Specifies how remote addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#  A remote address is passed to each in turn until it is accepted.  #
######################################################################

# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.

# Deny and send notice to list of rejected domains.
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +rbl_blacklist
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.

Is it all correct?
The problem I have is that /etc/rblbypass doesn't seem to work.
For example, I have a client who is not able to send email because he has a blacklisted IP.

I inserted his blacklisted IP and his domain in /etc/rblbypass,
but his emails are still denied. Why?

Another problem is that I still have to understand the usage
of /etc/relayhosts. What do I have to insert there?

Thank you!
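A simplified model of the howto's deny statement, as an added example that is neither Exim code nor part of the thread. It mirrors the conditions on the deny verb so the effect of each file can be traced: per the howto, /etc/rblbypass is a domainlist (`!domains`) matched against the recipient's domain, while /etc/relayhosts and /etc/rblwhitelist form the hostlist (`!hosts`) matched against the sending host, so an entry only takes effect in the list whose key it is. All domains, hosts, addresses and the DNSBL answers are constructed; nothing is looked up in DNS.

```python
"""Model of the RBL deny statement from this thread (added example)."""
from fnmatch import fnmatchcase

# Constructed file contents (not a real deployment).
LOCAL_DOMAINS = {"domain1.com", "domain2.com", "domain3.com"}
RELAY_HOSTS = {"192.0.2.10"}                             # /etc/relayhosts: IPs
RBL_BYPASS = {"domain2.com"}                             # /etc/rblbypass: recipient domains
RBL_WHITELIST = {"mail.domain1.com", "*.trusted.test"}   # /etc/rblwhitelist: sending hosts

# Stand-in for the dnslists answers: sender IP -> list that would return a hit.
DNSBL_LISTED = {"203.0.113.7": "bl.spamcop.net", "198.51.100.5": "sbl.spamhaus.org"}


def host_matches(sender_host, sender_ip, hostlist):
    """hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
    An item matches the sender's IP literally, or its host name with the
    '*.domain' wildcards the howto allows in /etc/rblwhitelist."""
    return any(item == sender_ip or fnmatchcase(sender_host, item) for item in hostlist)


def rcpt_decision(sender_host, sender_ip, rcpt, authenticated=False,
                  rbl_bypass=RBL_BYPASS, rbl_whitelist=RBL_WHITELIST):
    """Return (verdict, reason) for one RCPT TO, in the howto's statement order:
    the postmaster/abuse accept first, then the RBL deny."""
    local_part, _, domain = rcpt.lower().partition("@")

    # accept domains = +local_domains / local_parts = postmaster:abuse
    if domain in LOCAL_DOMAINS and local_part in ("postmaster", "abuse"):
        return "accept", "postmaster/abuse for a local domain is always accepted"

    # The deny fires only when every one of its conditions is true.
    listed_at = DNSBL_LISTED.get(sender_ip)
    conditions = [
        sender_ip not in RELAY_HOSTS,        # !hosts = +relay_hosts
        not authenticated,                   # !authenticated = *
        listed_at is not None,               # dnslists = ...
        domain not in rbl_bypass,            # !domains = +rbl_bypass (recipient domain)
        not host_matches(sender_host, sender_ip,
                         RELAY_HOSTS | rbl_whitelist),  # !hosts = +rbl_whitelist (sending host)
    ]
    if all(conditions):
        return "deny", (f"Message rejected because {sender_host} [{sender_ip}] "
                        f"is blacklisted at {listed_at}")
    return "continue", "RBL statement did not match; later ACL statements decide"


def scenarios():
    """The cases the thread discusses, as (label, verdict) pairs."""
    listed = ("dsl-7.isp.test", "203.0.113.7")
    return [
        ("listed host -> user@domain1.com",
         rcpt_decision(*listed, "user@domain1.com")[0]),
        ("listed host -> postmaster@domain1.com",
         rcpt_decision(*listed, "postmaster@domain1.com")[0]),
        ("listed host -> domain2.com (in rblbypass)",
         rcpt_decision(*listed, "user@domain2.com")[0]),
        ("listed host, SMTP AUTH used",
         rcpt_decision(*listed, "user@domain1.com", authenticated=True)[0]),
        ("listed IP written into rblbypass (a domain list)",
         rcpt_decision(*listed, "user@domain1.com", rbl_bypass={"203.0.113.7"})[0]),
        ("listed IP written into rblwhitelist (a host list)",
         rcpt_decision(*listed, "user@domain1.com", rbl_whitelist={"203.0.113.7"})[0]),
        ("listed IP but whitelisted by *.trusted.test",
         rcpt_decision("mx.trusted.test", "198.51.100.5", "user@domain3.com")[0]),
    ]


if __name__ == "__main__":
    for label, verdict in scenarios():
        print(f"{verdict:8s} {label}")
```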
benito
How can I add some dictionary spam blocking to these rules?
CreationNation
Can someone copy/paste me their entire section from the Exim windows? I had Aussie's old rules in there and I think I may have not deleted something that needed to be. I'm having some people report email issues lately, so I want to replace my current tweak with a proper one. I would appreciate it, thanks!
chism
This is from Aussie with the additions from eMtnMan. This is for the middle box only of the WHM Exim configurator.
RH 7.3
WHM 9.9.9
Cpan 9.9.9 S15

My question is, can IPs be added to the rblblacklist file?
Thanks All,


CODE

########################################################################
 #   REPLACEMENT ACL CONFIGURATION RULES FOR CPANEL/EXIM 4-24         #
 #   With RBL Lookup and Blacklist. Specifies access  control         #
 #   lists for incoming SMTP mail. Original Written by AuSSie 10/23/03#
 #   Edited on 12/21/04 with RBL inserted from eMtnMan                #
 ######################################################################

 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.

 check_recipient:

 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
 # testing for an empty sending host field.

 accept  hosts = :

 # Accept anything from localhost, and especially mailman which
 # chokes badly if you refuse its mail

 accept  hosts    = 127.0.0.1/8

 # Deny if the local part contains . or @ or % or / or | or !. These are rarely
 # found in genuine local parts, but are often tried by people looking to
 # circumvent relaying restrictions.
 #
 # Also deny if the local part starts with a dot. Empty components aren't
 # strictly legal in RFC 2822, but Exim allows them because this is common.
 # However, actually starting with a dot may cause trouble if the local part
 # is used as a file name (e.g. for a mailing list).
 #
 # NOTE denying the dot is a new addition. Now i will be able tell when these
 # code thiefs will continue to steal my modifications and claim it their own.
 # Check the CPANEL FORUMS sometime for these people. I see all kinds of variations of what i have written.
 # If i see this modification in anyone elses code I will be able to tell that it's been stolen from here.

 deny   local_parts = ^.*[@%!/|] : ^\\.
        message = I've never seen ., @, %, !, /, or | in any e-mail address. Neither should you!

 # Accept mail to POSTMASTER in any local domain, regardless of the source. If you dont want this option comment
 # out the next two lines, below.

accept domains = +local_domains
local_parts = postmaster:abuse

 #######################################################################
 # Now that we have all the overrides, we can start the deny rules     #
 #######################################################################

 deny     message      = "HELO/EHLO required by SMTP RFC"
          condition    = ${if eq{$sender_helo_name}{}{yes}{no}}

 deny     message      = Only one recipient accepted for NULL sender
          senders      = :
          condition    = ${if >{$rcpt_count}{1} {1}}

############################################################################
 #
 # There are no checks on DNS "black" lists because the domains that contain
 # these lists are changing all the time. However, here are two examples of
 # how you could get Exim to perform a DNS black list lookup at this point.
 # The first one denies, while the second just warns. Uncomment any of the ##'s
 # below if you want to use RBL Lookups. Modify the RBL's to suit your needs.
 # If you don't want to use DENY rules and only want to use Warn, then uncomment
 # only the warning rules and visa versa. If you want to use Deny and Warn rules
 # then uncomment both. Uncomment only the double #'s.
 #
 # Reject message if address listed in blacklist.
   deny message = Message rejected because $sender_fullhost \
   is blacklisted at $dnslist_domain see $dnslist_text
   !hosts = +relay_hosts
   !authenticated = *
   dnslists = dnsbl.njabl.org : \
   bl.spamcop.net : \
   sbl.spamhaus.org : \
   list.dsbl.org : \
   cbl.abuseat.org : \
   relays.ordb.org

 # RBL Bypass Local Domain List
 !domains = +rbl_bypass
 # RBL Whitelist incoming hosts
 !hosts = +rbl_whitelist
 #**#
 #**# RBL List End
#**#
############################################################################

 # Accept bounces to lists even if callbacks or other checks would fail
 warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
               {yes}{no}}

 accept   condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
               {yes}{no}}

 # Accept bounces to lists even if callbacks or other checks would fail
 warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
               {yes}{no}}

 accept   condition    = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
               {yes}{no}}

 require verify = sender

 # Accept if the address is in a local domain, but only if the recipient can
 # be verified. Otherwise deny. The "endpass" line is the border between
 # passing on to the next ACL statement (if tests above it fail) or denying
 # access (if tests below it fail).

 # This section fixes the annoying problem of spammers sending mail to users and domains that don't exist on the box.
 # Why can't Cpanel learn that this fixes their issues. In order for this to happen successful, users who want to use
 # :FAIL: should enter, :fail: no such address here! in their default control panel setting for undeliverable mail. To
 # find this section, log into the contral panel for x or x2, click on Mail setting, Default Address, Set Default
 # address and in the space provided enter, :fail: no such address here!

 accept   domains      = +local_domains
          endpass
          message      = unknown user
          verify       = recipient

               

 # Accept if the address is in a domain for which we are relaying, but again,

 # only if the recipient can be verified.

                     

 accept   domains      = +relay_domains

          endpass

          message      = unrouteable address

          verify       = recipient



 accept  hosts = +relay_hosts

 accept  condition = ${perl{checkrelayhost}{$sender_host_address}}



 accept  hosts = +auth_relay_hosts

         endpass

         message = $sender_fullhost is currently not permitted to \

                       have not logged into the pop/imap server in the \

                       last 30 minutes or do not have SMTP Authentication turned on in your email client.

         authenticated = *



 deny    message = $sender_fullhost is currently not permitted to \

                       relay through this server. Perhaps you \

                       have not logged into the pop/imap server in the \

                       last 30 minutes or do not have SMTP Authentication turned on in your email client.



###############################

   accept hosts = :



   drop hosts = /etc/exim_deny

       message = Connection denied after dictionary attack

       log_message = Connection denied from $sender_host_address after dictionary attack





   drop message = Appears to be a dictionary attack

       log_message = Dictionary attack (after $rcpt_fail_count failures)

       condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}

       condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}

       !verify = recipient

##################################

#!!# ACL that is used after the DATA command

check_message:

 require verify = header_sender

 accept
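
As an added illustration (not code from this thread, from cPanel's exim.conf or from Exim itself), here is a small offline Python model of the DNSBL deny statement in the ACL above: how Exim forms the query name from the connecting IP, what a listing answer looks like, and which of the posted exemptions (+relay_hosts, authenticated, +rbl_bypass, +rbl_whitelist) keep the statement from applying. The resolver is a stub dictionary, and every IP, hostname and listing in it is constructed for the example; the six zones and the sample whitelist/bypass entries are the ones the how-to uses.

```python
"""Offline model of the DNSBL deny statement (added example, not thread code)."""
import fnmatch
import ipaddress

# Constructed stand-in for DNS.  A DNSBL answers an A record in 127.0.0.0/8
# for a listed address and NXDOMAIN (no entry here) for everything else.
STUB_DNS = {
    "4.113.0.203.bl.spamcop.net": ["127.0.0.2"],    # constructed listing
    "4.113.0.203.sbl.spamhaus.org": ["127.0.0.2"],  # constructed listing
    "8.100.51.198.list.dsbl.org": ["127.0.0.2"],    # constructed listing
}

# The six zones from the posted dnslists line, in the same order.
DNSLISTS = ["dnsbl.njabl.org", "bl.spamcop.net", "sbl.spamhaus.org",
            "list.dsbl.org", "cbl.abuseat.org", "relays.ordb.org"]

RELAY_HOSTS = ["192.0.2.10"]                           # +relay_hosts (constructed)
RBL_WHITELIST = ["mail.domain1.com", "*.domain2.com"]  # /etc/rblwhitelist sample entries
RBL_BYPASS = ["domain3.com"]                           # /etc/rblbypass sample entry


def dnsbl_query_name(ip, zone):
    """Exim reverses the IPv4 octets and appends the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, zones, resolve=STUB_DNS.get):
    """First zone that lists the IP, as (zone, answer), or None.
    In Exim the hit fills $dnslist_domain and $dnslist_value."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer:
            return zone, answer[0]
    return None


def host_matches(hostname, patterns):
    """Host-list style match: exact names or wildcards such as *.domain2.com."""
    return any(fnmatch.fnmatchcase(hostname, pat) for pat in patterns)


def rbl_verdict(ip, hostname, rcpt_domain, authenticated=False, resolve=STUB_DNS.get):
    """Mirror the deny statement: it applies only if every condition holds.
    A negated condition that fails makes the statement not apply, which is
    reported as 'accept' here (meaning: fall through to the next statement)."""
    if ip in RELAY_HOSTS:
        return "accept", "!hosts = +relay_hosts"
    if authenticated:
        return "accept", "!authenticated = *"
    if rcpt_domain in RBL_BYPASS:
        return "accept", "!domains = +rbl_bypass"
    if host_matches(hostname, RBL_WHITELIST):
        return "accept", "!hosts = +rbl_whitelist"
    hit = lookup(ip, DNSLISTS, resolve)
    if hit:
        zone, value = hit
        return "deny", f"listed at {zone} ({value})"
    return "accept", "not listed"


if __name__ == "__main__":
    # Constructed connections: (ip, reverse-DNS name, recipient domain, authenticated)
    for conn in [("203.0.113.4", "smtp.example.net", "domain1.com", False),
                 ("203.0.113.4", "mx1.domain2.com", "domain1.com", False),
                 ("203.0.113.4", "smtp.example.net", "domain3.com", False),
                 ("198.51.100.7", "smtp.example.net", "domain1.com", False)]:
        print(conn[0], conn[1], "->", rbl_verdict(*conn))
```

One difference from the posted statement is deliberate: Exim tests an ACL statement's conditions in the order written and stops at the first one that fails, so with `!domains` and `!hosts` placed after `dnslists` the DNS lookups run even for whitelisted and bypassed traffic. The model checks the local lists first; moving those two lines above `dnslists` in the config gives the same cheaper ordering.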

CreationNation
Heya Chism,

The code you posted looks like it may have gotten whacked out? Can you edit your post and just in case try again? I recall Aussie was very adamant about the code being pasted in exactly and no wrap etc. so I want to make sure. Thanks man!

EDIT: Hm maybe I am wrong I see it right now, strange.
AdCs
After following the original instructions, in the paniclog I'm getting the following messages:

CODE
2005-01-03 13:20:28 1ClWod-0004c2-VJ failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 513 is not permitted to relay mail at /etc/exim.pl line 365.
2005-01-03 13:20:28 1ClWod-0004c2-VJ failed to expand condition "${perl{checkspam}}" for literal router: Gid 513 is not permitted to relay mail at /etc/exim.pl line 365.
2005-01-03 14:08:05 1ClXYj-0005HX-Hs failed to expand condition "${perl{checkspam}}" for literal router: Gid 505 is not permitted to relay mail at /etc/exim.pl line 365.

Anybody here got any idea? I do know it's got something to do with when scripts are sending email to non-local domains.

------------------
Ah, no matter. Using /scripts/reseteximtodefaults and /scripts/exim4, local scripts started being able to send email; I redid the above changes and now the changes are performing wonderfully...

CODE
./spamcheck

Spam Count = 1220
njabl.org = 308
spamcop = 622
spamhaus = 23
dsbl.org = 230
abuseat = 36
ordb.org = 1
Manual = 0
verify fail= 2237
No Relay = 105

All Spam:
/var/log/exim_mainlog:1220
/var/log/exim_mainlog.1.gz:0

DigitalN
QUOTE
Originally posted by AdCs
After following the original instructions, in the paniclog I'm getting the following messages:

CODE
2005-01-03 13:20:28 1ClWod-0004c2-VJ failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 513 is not permitted to relay mail at /etc/exim.pl line 365.
2005-01-03 13:20:28 1ClWod-0004c2-VJ failed to expand condition "${perl{checkspam}}" for literal router: Gid 513 is not permitted to relay mail at /etc/exim.pl line 365.
2005-01-03 14:08:05 1ClXYj-0005HX-Hs failed to expand condition "${perl{checkspam}}" for literal router: Gid 505 is not permitted to relay mail at /etc/exim.pl line 365.

Anybody here got any idea? I do know it's got something to do with when scripts are sending email to non-local domains.

------------------
Ah, no matter. Using /scripts/reseteximtodefaults and /scripts/exim4, local scripts started being able to send email; I redid the above changes and now the changes are performing wonderfully...

CODE
./spamcheck

Spam Count = 1220
njabl.org = 308
spamcop = 622
spamhaus = 23
dsbl.org = 230
abuseat = 36
ordb.org = 1
Manual = 0
verify fail= 2237
No Relay = 105

All Spam:
/var/log/exim_mainlog:1220
/var/log/exim_mainlog.1.gz:0


You fixed it by reinstalling exim etc., so just a note for next time in case it crops up again.

Check the ownership of /usr/sbin/sendmail

The error you described usually happens when /usr/sbin/sendmail isn't owned root:mailtrap

chown root:mailtrap /usr/sbin/sendmail

Should fix that error.
JRKy
Does anyone have any ideas on how to go about trying to make the SPAMCHECK script calculate totals for user accounts?
mahesh
Hello Team,
I did all these settings and with that my spam mail is getting blocked. But I still have one problem with dictionary attacks. Also, I am getting mail in an unknown language. I want to block these kinds of mail from the server. Will you please update me on how to block all these mails from the server?
Thank you
Waiting for your reply on this.
kamihacker
QUOTE
Originally posted by mahesh
Hello Team,
I did all these settings and with that my spam mail is getting blocked. But I still have one problem with dictionary attacks. Also, I am getting mail in an unknown language. I want to block these kinds of mail from the server. Will you please update me on how to block all these mails from the server?
Thank you
Waiting for your reply on this.


depending on your customer needs you could block some IP classes assigned to China and Korea, there are some threads stating such IP classes here in the forums

I'm sorry I don't have a bookmark on that but you could find it here with keywords like block ip classes or something like that

just an insight, not a silver bullet though

regards
aussie
RBL lookups are so yesterday. Any advanced hosting company no longer does RBL lookups on customer mail. There are far richer features and tools available to combat spam, and RBL lookups are not one of them.
kamihacker
QUOTE
Originally posted by aussie
RBL lookups are so yesterday. Any advanced hosting company no longer does RBL lookups on customer mail. There are far richer features and tools available to combat spam, and RBL lookups are not one of them.


OK, this just hit me in the head

I don't trust Bayes filters that much, unless trained by myself with what I consider spam

what insights you might have regarding to alternatives to RBL?

regards
dogslife
I think what aussie is trying to say, in his own way, is have a look at SURBL.

:)
TMX
QUOTE
Originally posted by aussie
RBL lookups are so yesterday. Any advanced hosting company no longer does RBL lookups on customer mail. There are far richer features and tools available to combat spam, and RBL lookups are not one of them.


In another thread in which you were touting SURBL, you said that your false positive rate was "less than 4%". Don't you think that's a bit high? I personally find anything above 1% to be unacceptable, which is why I leave content-based filtering, however smart it may be, to the end user.

I use DNSBL-based filtering exclusively, and generally experience a 1% or less (usually much less) false positive rate. For example, here are yesterday's stats from a domain I manage:

Total Incoming mail - 161
Total rejected as spam - 128
Total spam delivered - 6
Total false positives - 0

That's 97% of spam caught with zero false positives.

Obviously, this is just one day for one user, but it is a fairly accurate representation of the general effectiveness I've experienced by using carefully selected and properly managed DNSBLs. Not bad for something so 'yesterday'... ;)

I'm sure content-based filtering has its place, but I'm not sure recommending that people dump their DNSBLs in favor of it is the way to go.

-Bob
coralbridge
QUOTE
Originally posted by aussie
RBL lookups are so yesterday. Any advanced hosting company no longer does RBL lookups on customer mail. There are far richer features and tools available to combat spam, and RBL lookups are not one of them.


Bollocks.

I use DNSBL's and IP Hardware firewalls and I've nuked 90% of my spam in six months.
Bashar
Why not stick to SpamAssassin? It reduced my spam by 99% recently :)
Aleister
Bashar - Because SpamAssassin is not known for its low memory usage :)

eMtnMan - Great tutorial! I got it installed and working with no problems. Thanks!

Just one note though, I think it might clear up some of the confusion in a couple of posts. You wrote this:

QUOTE
Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains


You may want to mention that this line will be there two times. The first instance is from the code that was just added, and the second instance (further down) is where it should go. Unless this was already mentioned and I did not see it ;)

I blocked one of my other mail servers to run some tests. I noticed that the "if you feel this message to be in error" message had the postmaster email for the ISP I sent the mail from, and not the postmaster address for the destination (my VPS - which has this code on it). Is that correct? And if I change it, would it be safe to put that address in there?
eMtnMan
Since I wrote this How-To over eighteen months ago, the anti-spam landscape has changed significantly. Spammers have gotten more creative and aggressive, and cPanel has now added SpamAssassin and Clam Anti-Virus, plus the excellent exim switch "Verify the existance of email senders". In addition, other tools like Vipul's Razor, DCC and SARE have made spam filtering even better. The APF (advanced policy firewall) with brute force detection adds yet another layer to your anti-spam arsenal.

Pairote Manunphol of RvSkin has recently written an excellent How-To on installing all of the above products in one integrated whole for RvSkin users. It includes domain-level control for each feature so you can tailor the features to each customer's needs. If you can't make the How-To work, he will even INSTALL IT FOR YOU for just $30... what a deal!

The How-To and ordering info is located here:
http://www.rvskin.com/index.php?page=public/antispam

I had a problem with my install, so I used Pairote's services and he had everything humming within a couple of days. I elected to do a double Spamassassin check so I could also take advantage of Cpanel's built-in spam quarantine folders. If your server is heavily loaded, you may want to stick with Pairote's default one-pass method and give your server a break.

Over the last month, my spam rejection rate has doubled (over 14,000 killed per week on one web server alone) and the spam that gets through is quite rare, perhaps one or two a day for a long-existing account that serves as the abuse, webmaster and postmaster mailbox for over 50 domains and used to get about 40 a day using the old system (above).

Clam takes care of the viruses (and allows you to scan entire domain directories) and APF w/BFD not only stops brute force attacks, it terminates spammers who send more than ten emails to unknown accounts! Best of all, we've had zero problems with false positives and the good email is still getting through. Life is good... and I'm as happy as a Clam! :)

Have fun,

Paul
----------------

Here's how I explained the new system to my customers:

ANTI-SPAM TESTS...

The following is a summary of SPAM tests currently used by our servers:

1) Is it real? Each message is tested for authenticity in numerous ways; we even ask the sending server whether the "from" address belongs to a valid sender. Messages with falsified server info, faked server addresses, unknown senders or forged (spoofed) headers are immediately rejected.

2) Is it safe? Our virus scanner scans the message for viruses and worms. Any message with unsafe or infected attachments is immediately rejected.

3) From a known spammer? Every message source is checked against several spam detecting services to see if it is from a known spam source. We currently check each message's source with: spamcop.net, spamhaus.org, abuseat.org, njabl.org, Razor and the Distributed Checksum Clearinghouse anti-spam databases. Any message coming from a server that is listed on one of these databases is immediately rejected.

4) High Spamassassin score? Spamassassin checks all the internal links for known spammers and scores the message. If it scores higher than 15 it is almost certainly SPAM, so we automatically reject it.

5) Final Spamassassin check... messages that have made it through the above gauntlet get one final run through Spamassassin. Those that score higher than 5 are marked as SPAM with the score (i.e. *SPAM*12.5:) in the subject and the original message is included as an attachment that you can safely preview. You can also use an Outlook filter to move these messages to a special folder for later review.

We also have a number of options available to make your SPAM blocking even stronger and more transparent, including a SPAM box on the server that quarantines SPAM for your later review and a "box trapper" that automatically requires all people not on your white-list to reply to a verification email before they can send email to you.

Just let us know and we will be happy to implement a customized anti-SPAM solution for your domain that best suits your needs.

HOPE THIS HELPS! Paul
RBohm
DCC seems like a nice option, but pretty heavy handed. It seems mail from all of EV1 is blocked by default.

http://www.rhyolite.com/anti-spam/ipaddrs.html

It also blocks sedo.com (and most, if not all, domain parking services), hostdime, hostway, jaguar, servepath, SAVVIS, and on and on.

Check and see if YOUR IPs are on here, and use the whitelist feature to unblock them if necessary, if you use this.
eMtnMan
QUOTE(RBohm)
DCC seems like a nice option, but pretty heavy handed. It seems mail from all of EV1 is blocked by default.
http://www.rhyolite.com/anti-spam/ipaddrs.html...
I don't think so... As I understand it (and the page above clearly states), the above list is NOT the DCC, but Rhyolite's personal blacklist...

The DCC is not a blacklist, it is: "more than 250 servers collecting and counting checksums ... The counts can be used by SMTP servers and mail user agents to detect and reject or filter spam ... checksums include values that are constant across common variations in bulk messages, including 'personalizations.'" http://www.rhyolite.com/anti-spam/dcc/

A review of my logs shows that the DCC positives are (without exception) bulk email ads, but they also include "legitimate" ads from Costco, American Airlines, gmail, etc. So you would never want to use the DCC like a DNSRBL, unless you also don't mind blocking many legitimate bulk commercial messages.

In Pairote's solution, DCC-positive messages only add to the Spamassassin score and they are not rejected outright. The current default is to add 2.169 to the score for a DCC positive message. Of course, this score can be modified in /usr/share/spamassassin/50_scores.cf, or DCC can be disabled completely in /var/dcc/dcc_conf.

The beauty of Pairote's system is that a tremendous number of messages are rejected as fakes well before the server wastes any resources checking DNSRBL's or Spamassassin. Because so many spammers commonly use fake return addresses or forged headers, rejecting these non-RFC compliant messages "at the gate" is a very effective solution. When you combine the cPanel exim switch "Verify the existance of email senders" with Pairote's other fake email tests (see HELO tests in Section 3), you end up with a simple front-end solution that is clearly more effective than either DNSRBL or Spamassassin. http://www.rvskin.com/index.php?page=public/antispam

If you do nothing else, you will be amazed at the powerful effect rejecting faked email messages has on reducing your total SPAM load.

Pairote told me: "I wrote the instruction as I got very effective Spam filtering and just want to share it to everybody." I couldn't agree more... After spending the last month sorting through my logs, I am amazed that the SPAM has stopped without causing false positives. Pairote's anti-SPAM system is a wonderful gift to the cPanel world.

Have fun,

Paul
RBohm
Thanks for that, it seems I missed the fact that this was his personal blacklist... guess I won't try to email him then with my questions :)
eMtnMan
Here's a tweak of my original script, it will produce a SPAM tracking report like this for all your active log files:

From: 2005-03-27
Thru: 2005-04-03

------------------
Deleted SPAM:
------------------
dsbl.org = 3510
spamcop = 1486
abuseat = 741
spamhaus = 389
njabl.org = 71
SPAM Assn. = 234
------
SPAM Kills = 6431

------------------
Fake or Unsafe:
------------------
Virus/Atch = 6
Forged HELO= 1492
No Host = 3022
No IP = 379
No Relay = 31
Bad Sender = 1004
Bad Recpt = 1650
------
Fake Kills = 7584

------------------
TOTAL DELETE 14015
------------------


If your server is under a heavy load, you'll probably want to run this offline or late at night... It's crude, but it helps you select which tests should be placed in your SPAM filter structure first. By placing the most effective ones first, you minimize your server's load for SPAM filtering.

As you can see, about 55% of my SPAM gets rejected as fake before it's accepted by the server, so the majority never even sees a DNSRBL. My first two DNSRBL's (dsbl.org & spamcop) whack another 35%... and the vast majority (over 98%) of my spam is history before SpamAssassin ever gets a whack at it. Killing fakes early and using strong DNSRBL's will save you major CPU...

Hope this helps!

Paul (eMtnMan)
---------------

Here's the script:

#!/bin/sh
echo .......
echo
echo REJECTS:
tail -20 /var/log/exim_rejectlog
echo .......
echo
echo PANIC:
tail /var/log/exim_paniclog
printf "\n"
echo ------------------
echo ANTI-SPAM MONITOR
echo ------------------

# The same report block runs once for the current mainlog and once for each
# of the four rotated .gz logs; "kilme" is the temporary file it works from.
report () {
  case "$1" in
    *.gz) zgrep -i "reject\|sender\|attachm\|virus\|no host\|no ip" "$1" > kilme ;;
    *)    grep  -i "reject\|sender\|attachm\|virus\|no host\|no ip" "$1" > kilme ;;
  esac
  echo
  printf " From: "
  grep -m1 "" kilme | cut -d' ' -f1
  printf " Thru: "
  tail -1 kilme | cut -d' ' -f1
  echo
  echo ------------------
  echo Deleted SPAM:
  echo ------------------
  printf "dsbl.org = "
  grep -ci "dsbl.org" kilme
  printf "spamcop = "
  grep -ci "spamcop.net" kilme
  printf "abuseat = "
  grep -ci "abuseat.org" kilme
  printf "spamhaus = "
  grep -ci "spamhaus.org" kilme
  printf "njabl.org = "
  grep -ci "njabl.org" kilme
  printf "SPAM Assn. = "
  grep -ci "spam score" kilme
  echo " ------"
  printf "SPAM Kills = "
  grep -ci "blackl\|spam score" kilme
  echo
  echo ------------------
  echo Fake or Unsafe:
  echo ------------------
  printf "Virus/Atch = "
  grep -ci "virus\|attachm" kilme
  printf "Forged HELO= "
  grep -ci "Forged HELO" kilme
  printf "No Host = "
  grep -ci "no host" kilme
  printf "No IP = "
  grep -ci "no ip" kilme
  printf "No Relay = "
  grep -ci "not permitted" kilme
  printf "Bad Sender = "
  grep -ci "sender" kilme
  printf "Bad Recpt = "
  grep -icv "Forged HELO\|no host\|no ip\|not permitted\|sender\|spam score\|blackl\|virus\|attachm" kilme
  echo " ------"
  printf "Fake Kills = "
  grep -civ "spam score\|blackl" kilme
  printf "\n"
  echo ------------------
  printf "TOTAL DELETE "
  grep -c "" kilme
  echo ------------------
  echo
  echo
  echo
}

for log in /var/log/exim_mainlog /var/log/exim_mainlog.1.gz \
           /var/log/exim_mainlog.2.gz /var/log/exim_mainlog.3.gz \
           /var/log/exim_mainlog.4.gz
do
  report "$log"
done
Aleister
Nice work! Does it require modification of any other files?

I have been using this method for a few weeks or so, and it has definitely helped. One thing I wished for, though, was a bit more info from the logs, and this does it :)
eMtnMan
QUOTE(Aleister)
Does it require modification of any other files?

I used the default file names & locations for cPanel/RH Enterprise. If yours are different, the changes should be minor.

SOME NOTES:

1) It creates a temporary file called "kilme" to process the exim mainlog and all four old .gz logs.

2) You may have to customize it if your DNSRBL's or error messages are different from mine.

3) This command will show you what isn't selected by my filters so you can create your own filters (I disregard the "unexpected disconnection" errors since they are a result of us dropping them):
grep -iv "reject\|sender\|attachm\|virus\|no host\|no ip" /var/log/exim_mainlog | more

4) The first two items (before the report) take a peek at the latest entries in the panic and rejects logs, just in case we're having a problem. They are optional.

Pairote just recommended the following:

For the software update:

DCC: /var/dcc/libexec/updatedcc

SARE signature: /etc/mail/rulesdujour/my_rules_du_jour

Spamassassin, and Clam: updated by cPanel if you check the checkbox to keep clamavconnector module up-to-date.

Razor: this needs a manual update, but it is very rare to update.

You can also boost up the SPAM rate by adding the following lines to /etc/mail/spamassassin/local.cf
score BAYES_99 0 3.00 3.00 3.00
score URIBL_AB_SURBL 0 6.50 6.50 6.50
score URIBL_OB_SURBL 0 4.50 4.50 4.50
score URIBL_SBL 0 2.50 2.50 2.50
score URIBL_SC_SURBL 0 6.00 6.00 6.00
score URIBL_WS_SURBL 0 4.50 4.50 4.50


Hope this helps!

Paul
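
As an added example (not code from this thread or from SpamAssassin), the following Python shows how the four-column score lines above are read, and how a message's total maps onto the two thresholds Paul's summary describes (rejected above 15, tagged above 5). The local.cf text embedded below is the one posted; the rule hits in the demo are constructed.

```python
"""Added example: reading four-column SpamAssassin score overrides and applying
the two thresholds from the summary above.  Not code from the thread or from
SpamAssassin itself."""
import re

# The posted /etc/mail/spamassassin/local.cf additions, embedded so this runs offline.
LOCAL_CF = """\
score BAYES_99 0 3.00 3.00 3.00
score URIBL_AB_SURBL 0 6.50 6.50 6.50
score URIBL_OB_SURBL 0 4.50 4.50 4.50
score URIBL_SBL 0 2.50 2.50 2.50
score URIBL_SC_SURBL 0 6.00 6.00 6.00
score URIBL_WS_SURBL 0 4.50 4.50 4.50
"""


def score_set(network_tests, bayes):
    """SpamAssassin's score-set numbering for a four-value score line:
    0 = no network tests and no Bayes, 1 = network only, 2 = Bayes only, 3 = both."""
    return (1 if network_tests else 0) + (2 if bayes else 0)


SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")


def parse_scores(text, network_tests=True, bayes=True):
    """Map rule name -> score for the active score set.  A single value applies
    to every set; four values are selected by set; comments and other lines are skipped."""
    idx = score_set(network_tests, bayes)
    scores = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = SCORE_RE.match(line)
        if not m:
            continue
        values = [float(v) for v in m.group(2).split()]
        if len(values) == 1:
            scores[m.group(1)] = values[0]
        elif len(values) == 4:
            scores[m.group(1)] = values[idx]
        else:
            raise ValueError("score line needs 1 or 4 values: " + line)
    return scores


REJECT_AT = 15.0  # step 4 in the summary: rejected outright
TAG_AT = 5.0      # step 5: delivered with *SPAM*<score>: in the subject


def classify(hit_rules, scores):
    """Sum the rules a message hit and apply the two thresholds.
    Returns (total, action)."""
    total = round(sum(scores.get(r, 0.0) for r in hit_rules), 1)
    if total > REJECT_AT:
        return total, "reject"
    if total > TAG_AT:
        return total, f"tag *SPAM*{total}:"
    return total, "deliver"


if __name__ == "__main__":
    active = parse_scores(LOCAL_CF)  # network tests and Bayes both on (score set 3)
    # Constructed rule hits for three hypothetical messages.
    for hits in (["URIBL_AB_SURBL", "URIBL_SC_SURBL", "BAYES_99"],
                 ["URIBL_OB_SURBL", "URIBL_SBL"],
                 ["URIBL_SBL"]):
        print(hits, "->", classify(hits, active))
```

The first column being 0 on every posted line is what you would expect: with network tests and Bayes both off, neither the URIBL lookups nor BAYES_99 can fire, so the override only matters for the score set your server actually runs.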
DCUA
Could you please tell me why the local RBL described here does not work with IPs but only with domain names?

When I put domain.com in /etc/rblblacklist and send a test message from test@domain.com, it blocks the email.
When I put the IP of domain.com in /etc/rblblacklist and send a test message from test@domain.com, it does not block the email.


Is there any way to block by sending IPs?
It is not useful to block by sending domains at all.
Invision Power Board © 2001-2009 Invision Power Services, Inc.