++ ACL Rule Replacement for Exim 4-24.x w/Dictionary Attack Rules ++
aussie
- Added anti dictionary attack rules - Have you ever seen spammers attempting to send huge amounts of messages to jane@domain.com, peter@domain.com, ashley@domain.com etc., when in fact none of these users exists? And if they do exist, these users are being dictionary-style spam bombed? These rules will drop the connection and attempt to ban the spammer from connecting for a period of time; even when they try to reconnect they will be immediately dropped. God they will be annoyed!!! In your /var/log/exim_mainlog you will see an entry like Dictionnary attack (x failed probes). Dropping connection!:

Anti dictionary attacks stop pests like this, http://forum.ev1servers.net/showthread.php...ghlight=john%40

- Added whitelisting of entire domains - Some of our users get upset when we do RBL lookups on their e-mail. These rules will allow you to whitelist an entire domain so that no RBL lookups are performed on their e-mail. If your users are complaining, simply place their domain name in the whitelist and no further RBL checks will be performed on their e-mail. Let them be spammed till kingdom come. Sooner or later they will ask you to place them back on the list of RBL lookups because they will be bombed so heavily with spam they won't know what to do with themselves.

If you are using MailScanner I recommend that you do your RBL lookups before MailScanner can get to them, in Exim. Why? Because it saves bandwidth. Since RBL lookups via Exim are performed before MailScanner gets to them, the blacklisted IP is blocked up front and there is no reason to do another lookup via MailScanner. Then the above whitelisting will work!

- Blacklisting of hosts - Allows you to blacklist any host by IP address.

- Blacklist of envelope senders - Allows you to blacklist envelope senders.

For a list of additional features, please view the changelog in the ACL Ruleset.

Get it here!

-Enjoy!
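Added example (not part of aussie's post or ruleset): a Python scan of exim_mainlog text that flags hosts producing a burst of unknown-recipient rejections, the pattern the dictionary attack rules react to, and notes whether the ruleset's "Dictionnary attack" drop was logged for them. The log lines are constructed in Exim's usual `rejected RCPT` shape; the threshold, window and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges). The last line has its
# addresses stripped, which the parser tolerates.
SAMPLE_LOG = """\
2004-02-09 12:59:11 H=(mail.example.net) [192.0.2.10] F=<x@example.net> rejected RCPT <jane@domain.com>: user unknown
2004-02-09 12:59:14 H=(mail.example.net) [192.0.2.10] F=<x@example.net> rejected RCPT <peter@domain.com>: user unknown
2004-02-09 12:59:18 H=(mail.example.net) [192.0.2.10] F=<x@example.net> rejected RCPT <ashley@domain.com>: user unknown
2004-02-09 12:59:19 H=(mail.example.net) [192.0.2.10] F=<x@example.net> rejected RCPT <john@domain.com>: Dictionnary attack (4 failed probes). Dropping connection
2004-02-09 13:10:02 H=(relay.example.org) [198.51.100.7] F=<bob@example.org> rejected RCPT <typo@domain.com>: user unknown
2004-02-09 16:45:30 H=(relay.example.org) [198.51.100.7] F=<bob@example.org> rejected RCPT <typo2@domain.com>: no such address here
2004-02-09 13:11:00 H=(other.example.com) [203.0.113.5] F= rejected RCPT : user unknown
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'H=.*?\[(?P<ip>[0-9a-fA-F.:]+)\]'
    r'.*? rejected RCPT ?(?:<(?P<rcpt>[^>]*)>)?: (?P<reason>.*)$'
)

# Rejection texts produced by a ":fail:" default address, as given in the thread.
UNKNOWN_REASONS = ("user unknown", "no such address here")
# Start of the ruleset's log_message, spelled as it is logged.
DROP_MARKER = "Dictionnary attack"


def parse_rejections(log_text):
    """Yield (timestamp, ip, recipient, reason) for each rejected-RCPT line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt") or "", m.group("reason")


def find_probers(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: summary} for hosts with at least `threshold`
    unknown-recipient rejections inside any single `window`."""
    hits = defaultdict(list)
    dropped = set()
    for ts, ip, rcpt, reason in parse_rejections(log_text):
        if reason.startswith(DROP_MARKER):
            dropped.add(ip)
        elif any(r in reason.lower() for r in UNKNOWN_REASONS):
            hits[ip].append((ts, rcpt))

    report = {}
    for ip, events in hits.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            report[ip] = {
                "burst": best,
                "total": len(events),
                "distinct_rcpts": len({r for _, r in events if r}),
                "dropped_by_acl": ip in dropped,
            }
    return report


if __name__ == "__main__":
    for ip, info in find_probers(SAMPLE_LOG).items():
        print(ip, info)
```

A host that shows a burst but never `dropped_by_acl` suggests the drop rule is commented out or its failure limit is set higher than the burst.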
Exero
Something happened like that to vbulletin.com....
aussie
QUOTE
Originally posted by Exero
Something happened like that to vbulletin.com....


What do you mean?
faldran
How about an option to whitelist a single incoming domain?

There are sometimes one or two domains out there that get blacklisted for something (for a while, because of something someone else did near them) and I would like to still receive mail from that domain.

So if you can let me know how to whitelist an incoming domain name, it would be quite helpful.

Thanks, for the great exim setup changes so far.... keep up the good work..
aussie
QUOTE
Originally posted by faldran
How about an option to whitelist a single incoming domain?

There are sometimes one or two domains out there that get blacklisted for something (for a while, because of something someone else did near them) and I would like to still receive mail from that domain.

So if you can let me know how to whitelist an incoming domain name, it would be quite helpful.

Thanks, for the great exim setup changes so far.... keep up the good work..


Maybe you misunderstood what destwhitelist is for. If you want to whitelist a domain, just add it to the destwhitelist file;

eg

mydomain.com

Will whitelist the entire domain.
faldran
I tried that and it did not work.

ie.
maindomain.ext ( the account receiving the mail )

sendingdomain.ext ( the account that is blocked from sending mail to the server )


I put the sendingdomain.ext in the whitelist, but it still does not go through.
If I add maindomain.ext then all of them come through just fine. ( but do not want this, only want mail from the one domain to be allowed... )

So did I miss something, or is this now how this is supposed to work? Should I use their IP instead of their domain name?

Or is there another way?
aussie
QUOTE
Originally posted by faldran
tried that and it did not work.

ie.
maindomain.ext ( the account receiving the mail )

sendingdomain.ext ( the account that is blocked from sending mail to the server )


I put the sendingdomain.ext in the whitelist, but it still does not go through.



What doesn't go through? If you place sendingdomain.ext into a whitelist it means it's excluded from RBL checking inbound/outbound and that's all it's designed to do. It does not control whether mail arrives or doesn't arrive to a domain. It strictly controls whether mail is checked by Spamcop, sbl-xbl.spamhaus etc.

QUOTE

If I add maindomain.ext then all of them come through just fine. ( but do not want this, only want mail from the one domain to be allowed... )

So did I miss something, or is this now how this is supposed to work? Should I use their IP instead of their domain name?

Or is there another way?


This is another issue unrelated to my modification.
faldran
QUOTE
Originally posted by aussie
What doesn't go through? If you place sendingdomain.ext into a whitelist it means it's excluded from RBL checking inbound/outbound and that's all it's designed to do. It does not control whether mail arrives or doesn't arrive to a domain. It strictly controls whether mail is checked by Spamcop, sbl-xbl.spamhaus etc.

 

This is another issue unrelated to my modification.


The blocked domain is blocked by sbl-xbl.spamhaus, no matter if it is in the whitelist or it is not in the whitelist.
Only if we put the domain it is going to into the whitelist does it pass it through..

Must be something not quite right somewhere. Time to go and tinker on it some.
aussie
QUOTE
Originally posted by faldran
The blocked domain is blocked by sbl-xbl.spamhaus, no matter if it is in the whitelist or it is not in the whitelist.
Only if we put the domain it is going to into the whitelist does it pass it through..

Must be something not quite right somewhere. Time to go and tinker on it some.


Restart Exim. If you place a domain in the whitelist you must restart Exim. That's specified on my web site.
aussie
UPDATE:

One of the most annoying issues dealing with Cpanel is that it creates a CATCH-ALL e-mail address by default at account creation time.

This opens the door to spammers ambushing a user's email address by spamming them with e-mail addresses that don't exist in the user's account.

Here is a simple modification that you can make to Cpanel's wwwacct that will create a :fail: instead of a catch-all. The :fail: will NOT bounce the message back to the spammer, but rather DENY the message from being delivered, if you have made my modification to the rules, as stated above. The default :fail: by Cpanel would attempt to return the message, where it would get stuck in the queue, but if you make my modification that no longer happens. It denies the msg being delivered outright!!!

2004-02-09 12:59:11 H=(hsdbpa142-165-225-114.sasknet.sk.ca) [142.165.225.114] F= rejected RCPT : user unknown

The airplanehomes.com website only has a couple of e-mail addresses set up and bmastgr does not exist on the account, and because we have applied my modification and used the :fail: user unknown statement in the catch-all, it's rejected!

pico /scripts/www*

cntrl-w and type *:
remove the $user
replace with :fail: user unknown or if you want to keep the standard wording use :fail: no such address here
cntrl-x to save

All new accounts created will now contain :fail: user unknown in the default catch-all field. Test, you're done.

You may also wish to ask your users who don't wish to use a catch-all email address to add :fail: user unknown in the default catch-all field to prevent spammers from spamming non-existent e-mail addresses.
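Added example (not from aussie's post or cPanel's code): since the wwwacct change only affects new accounts, this Python check lists existing domains whose default address still accepts every local part. It assumes cPanel's per-domain alias files (commonly under /etc/valiases) use the same `*:` line the wwwacct edit changes; the sample file contents, domain names and function names are constructed.

```python
import os


def classify_default(alias_text):
    """Return (kind, target) for the '*:' default-address line of one
    alias file, or ('none', '') when no default address is set."""
    for raw in alias_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, target = line.partition(":")
        if not sep or key.strip() != "*":
            continue
        target = target.strip()
        if not target:
            return "none", ""
        low = target.lower()
        if low.startswith(":fail:"):
            return "reject", target       # refused at RCPT when recipients are verified
        if low.startswith(":blackhole:"):
            return "discard", target      # accepted, then silently dropped
        if low.startswith(":defer:"):
            return "defer", target
        if target.startswith("|"):
            return "pipe", target         # every local part is fed to a program
        return "catch-all", target        # every local part lands in a mailbox
    return "none", ""


def audit(alias_files):
    """alias_files maps domain -> alias file text. Return the sorted domains
    whose default address still accepts mail for any local part."""
    accepting = {"catch-all", "pipe", "discard"}
    return sorted(domain for domain, text in alias_files.items()
                  if classify_default(text)[0] in accepting)


def load_alias_dir(path):
    """Read every regular file in an alias directory into {domain: text}."""
    files = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[name] = fh.read()
    return files


# Constructed sample alias files keyed by domain.
SAMPLE = {
    "fixed.example": "info@fixed.example: bob\n*: :fail: user unknown\n",
    "legacy.example": "# default from account creation\n*: legacyuser\n",
    "quiet.example": "*: :blackhole:\n",
    "nodefault.example": "sales@nodefault.example: alice\n",
}

if __name__ == "__main__":
    for domain in audit(SAMPLE):
        print(domain, classify_default(SAMPLE[domain]))
```

Domains reported here never produce a failed recipient, so probes against them do not count toward the dictionary attack limit in the ruleset.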
anand
QUOTE
Originally posted by aussie

pico /etc/www*

cntrl-w and type *:

remove the $user
replace with :fail: user unknown
cntrl-x to save

All new accounts created will now contain :fail: user unknown in the default catch-all field. Test, you're done.


Here is the contents of my /etc/wwwacct.conf. I don't see the "*:" inside it.

ADDR x.x.x.X
AIMPASS
AIMUSER
BINDVER 8
CONTACTAIM
CONTACTEMAIL admin@server.com
CONTACTPAGER
CONTACTUIN
DEFMOD x
ETHDEV
FTPTYPE proftpd
HOMEDIR /home
HOMEMATCH home
HOST name.server.com
ICQPASS
ICQUSER
LOGSTYLE combined
MINUID
NS dns1.server.com
NS2 dns2.server.com
NS3
SCRIPTALIAS y
ns4


WHM 8.8.0 cPanel 8.8.0-R73
RedHat 7.3 - WHM X v2.1.2

Let me know if I missed something.
aussie
It's in /scripts/wwwacct
anand
QUOTE
Originally posted by aussie
It's in /scripts/wwwacct


sorry for being a fool here.

But won't the /scripts/wwwacct be overwritten by next cpanel update ?
aussie
QUOTE
Originally posted by anand
sorry for being a fool here.

But won't the /scripts/wwwacct be overwritten by next cpanel update ?


Here is how I do it;

Firstly, I always run my updates manually. Since I'm running Edge I only update when I'm kind of certain the next Edge release won't screw up my installation.

Before running the update I always run;

/scripts/updatenow

When I see an update to wwwacct I will see something along the lines that it could be updated because I have it protected, so I run

chattr -i /scripts/wwwacct then run /scripts/updatenow a second time to get the new wwwacct.

After I finish running upcp, I re-add the modification, which should take about 1 second to do, and chattr +i /scripts/wwwacct again so it cannot be changed again.

-OR-

You don't even need to make the modification until you see wwwacct updated when you run /scripts/updatenow. The change takes about 2 secs so you could just mod the file real quick if it's updated. This may be easier.
Wako
At default, there is a dictionary check. If I wish NOT to check domain.com's email, I have to put domain.com into white list. Correct?

Great scripts.
serverdummy
Aussie,

This is just awesome! This has been stopping tons of spam on my personal account. Thank you!!!
aussie
QUOTE
Originally posted by Wako
At default, there is a dictionary check.  If I wish NOT to check domain.com's email, I have to put domain.com into white list.  Correct?  

Great scripts.


If you wish to exclude domains on your server from being checked by RBLs, just place the domain name into the destwhitelist file and restart Exim. Provided you have not commented out all the RBLs in the script, those domains will be excluded from RBL checking.
aussie
QUOTE
Originally posted by serverdummy
Aussie,

This is just awesome!  This has been stopping tons of spam on my personal account.  Thank you!!!


Great!
anand
While going through the Exim mailing list I found this:

deny hosts = +rbl_hosts
     !verify = recipient/defer_ok/callout=10s/callout_defer_ok
     message = sender_host_address is listed in $dnslist_domain\n\
               $dnslist_text
     log_message = said $dnslist_domain; really
     dnslists = my.favourite.rbl : ...

What is the meaning of the !verify? Any ideas?
anand
I just installed a mail parser program which parses incoming mails. After setting up the forwarder I am getting this error:

pipe to |/home/user/parser/parser.sh
generated by user@domain.com
local delivery failed

The parser is accepting the mail without any error. Could it be any ACL we used in the howto causing this? Have no clue so just wanted to be sure.
aussie
Nope, don't see why it would be related. We run Kayako which uses piping without issues.
anand
QUOTE
Originally posted by aussie
Nope, don't see why it would be related. We run Kayako which uses piping without issues.


k thx. Any ideas on the !verify thing ?
Clark
I'm rather confused by all this.

First, Aussie, you do great work! Thanks!

Second, you may want to check the title on that page. Something tells me you copied the template from the chkrootkit tutorial.

Third. Your suggested update for that wwwaccount, is that in your tutorial? Is it something you need this ACL set up to do? Or will it work separately as well? Bleh, I can't coherently. What I mean is, are the two instructions related, or are they two completely different things and one does not depend on the other?

Fourth. All this talk of whitelists and dictionary confused me. If you remove the catchall account (what WERE CPANEL devs thinking????), then won't that catch a dictionary attack anyways? Isn't a dictionary attack when they do something like spam
a@a.com
b@a.com
c@a.com etc?

Fifth. Let's work together on a thread at cpanel.net to change the default so this change doesn't have to be applied every night.

Does anyone here have special "credit" with them? They are so busy building cpanel pro while making major mistakes that allow spam in on the regular cpanel, who knows if they'll have the brain to fix something in their bread and butter product now. (Can you tell I'm not a fan of cpanel pro?)
COOLIO
Do you people know if there are some pre-made rules similar to these for sendmail so that I can use them in Ensim 3.1.x?

Thanks
ohvhost
How can I verify that Exim is doing the RBL check before MailScanner is?

Does this ACL update include the previous one you did? Basically do I append or replace?

Your how-to's and other support here are great aussie, thanks a bunch!
serverdummy
If someone wanted to add the following RBLs to your settings, how would it be done?

QUOTE
korea.services.net  
china.blackholes.us  
russia.blackholes.us
aussie
See the examples and replace what I have with what you want to use for RBLs!
anand
Is it possible to do a mirror of an RBL list? I basically want to edit the list and take out certain IP ranges from which I still want to allow mails.

Any help would be appreciated.
aussie
What do you mean? Please elaborate on your question.
aussie
I want to hear from those who have implemented this modification and have found it useful. So far many have visited but nobody but 1 person has mentioned that it helped. :confused:
anand
QUOTE
Originally posted by aussie
What do you mean? Please elaborate on your question.


Let's say there is an RBL list rbl.mail-abuse.org. Now I know certain IP ranges in this RBL list which I still want to allow, and use the rest of it. And hence my question, can I mirror an RBL database and modify it as per my needs?
serverdummy
QUOTE
Originally posted by aussie
I want to hear from those who have implemented this modification and have found it useful. So far many have visited but nobody but 1 person has mentioned that it helped. :confused:


It's the most useful post in the entire forums!!
serverdummy
QUOTE
Originally posted by aussie
See the examples and replace what I have with what you want to use for RBLs!


As far as I can tell there are no lookups. The ones I showed are just lists of IPs. Nevermind.
faldran
Just wondering if anyone else noticed problems, after using this?

Mail ( typically large ones from like mail-man ) will sit and eat up the CPU usage and cause a very high load for 15 to 30 minutes sometimes.

( If I revert back to your code from back in Oct, the problem stops )

Anyone got any ideas what is causing it? Or any kind of fix for it?

Otherwise, I love the changes you made.... Hope the next version is even better.
aussie
QUOTE
Originally posted by faldran
Just wondering if anyone else noticed problems, after using this?

Mail ( typically large ones from like mail-man ) will sit and eat up the CPU usage and cause a very high load for 15 to 30 minutes sometimes.

( If I revert back to your code from back in Oct, the problem stops )

Anyone got any ideas what is causing it? Or any kind of fix for it?

Otherwise, I love the changes you made.... Hope the next version is even better.


I'm not aware of any issues with MailMan since none of the MailMan code was even touched. If you do a comparison between the original code supplied by Cpanel for Mailman and what is included in this modification you will note they are identical, therefore the Mailman code should function as before. Mailman has issues anyway and always has, thanks Cpanel for still not fixing it, but that is a different issue. I'm using the identical modification on all my boxes. I admit Mailman is a major pain at times but it's a pain with or without my latest modification. Your loads could also be people sending hundreds, even thousands, of msgs from their own mailing lists, which would cause load issues.
faldran
QUOTE
Originally posted by aussie
I'm not aware of any issues with MailMan since none of the MailMan code was even touched. If you do a comparison between the original code supplied by Cpanel for Mailman and what is included in this modification you will note they are identical, therefore the Mailman code should function as before. Mailman has issues anyway and always has, thanks Cpanel for still not fixing it, but that is a different issue. I'm using the identical modification on all my boxes. I admit Mailman is a major pain at times but it's a pain with or without my latest modification. Your loads could also be people sending hundreds, even thousands, of msgs from their own mailing lists, which would cause load issues.


It is not Mailman itself that the problem comes from, but the mail it creates.. let's say one with many people on the list will sit there and attempt to send for 15 minutes... it is like the mail is not timing out on the email addresses it has problems contacting...


Hehe, I have tried a few times to change the code, but when I do, I always manage to break exim... Guess I will just have to go and start commenting out things, till I find what is causing it to do that. I was really hoping someone else had already run into a similar problem.


Also, people sending from their own mailing lists will not affect it much, because after 250 per hour it kills and returns all as "Unroutable". Must say, I do love that feature...

If I can figure out what it is, I will be sure to post here and let you know. keeps fingers crossed.
aussie
QUOTE
Originally posted by faldran
It is not Mailman itself that the problem comes from, but the mail it creates.. let's say one with many people on the list will sit there and attempt to send for 15 minutes... it is like the mail is not timing out on the email addresses it has problems contacting...


That's a Mailman issue, sorry.

QUOTE

Hehe, I have tried a few times to change the code, but when I do, I always manage to break exim... Guess I will just have to go and start commenting out things, till I find what is causing it to do that. I was really hoping someone else had already run into a similar problem.


Yep, go ahead, comment out what you see fit. Since nobody else has reported issues and there are no issues on my own box, and I have tested it for almost 3 months, all I can say is that this modification is unrelated.

QUOTE

Also, people sending from their own mailing lists will not affect it much, because after 250 per hour it kills and returns all as "Unroutable". Must say, I do love that feature...


Unroutable means possibly the sender is sending some fake domain that is not registered, no MX record, no PTR. You can check this very easily by looking up the domain sending mail where it's reported as unroutable. Now if yahoo.com or hotmail is unroutable then you better check your own DNS.

QUOTE

If I can figure out what it is, I will be sure to post here and let you know. keeps fingers crossed.


NO issues on my side. Suggestion: if you modified your code prior to installing it into the Exim editor, make sure you did not make an error in your changes, as explained in the docs. Possibly you removed or commented out something you shouldn't have. You could always send me a copy of what you applied.
faldran
QUOTE
Originally posted by aussie
That's a Mailman issue, sorry.


Actually it seems it is not their problem... but one with email addresses/domains that are not active, that cause Exim to stall.

QUOTE

Yep, go ahead, comment out what you see fit. Since nobody else has reported issues and there are no issues on my own box, and I have tested it for almost 3 months, all I can say is that this modification is unrelated.


No modifications on my part.

QUOTE

Unroutable means possibly the sender is sending some fake domain that is not registered, no MX record, no PTR. You can check this very easily by looking up the domain sending mail where it's reported as unroutable. Now if yahoo.com or hotmail is unroutable then you better check your own DNS.


No, this is exactly how this is supposed to function, in order to turn down service to all those over the 250 per hour limit. ( there is no mail server problem here )

QUOTE

NO issues on my side. Suggestion: if you modified your code prior to installing it into the Exim editor, make sure you did not make an error in your changes, as explained in the docs. Possibly you removed or commented out something you shouldn't have. You could always send me a copy of what you applied.


As for my problem, I did manage to track down what causes it.

Though not a solution to fix it yet.

But it comes down to domains that have mail problems ( i.e. their mail server is down, or their account is terminated at that webhost )

For some reason with those domains/email addresses Exim will just sit for very long periods of time, and run up the load, and use a lot of CPU resources instead of timing out. Even when you do one of these manually it can sit there for up to 5 minutes before it finally says that mail server is unreachable.

So now, looks like I need to figure out how to tell Exim how to time out quicker when attempting to reach a mail server. You got any ideas on this?
aussie
OK, I understand what you're saying now.

The modification was never tested with this option set in WHM. This part of the code is not available to us, therefore we can't see what Cpanel is doing when this option is set. This may or may not be your issue.

Open up the Exim editor and place comments in front of the following lines.

In top box comment out;

#ALLOWEDRCPTFAIL=3

In the middle box comment out the following;

# drop log_message = Dictionnary attack ($rcpt_fail_count failed probes). Dropping connection
# message = unknown user ($rcpt_fail_count failed queries)
# condition = ${if >{$rcpt_fail_count}{${eval:ALLOWEDRCPTFAIL-2}} {1}{0}}

# We close the connection after a few failures, but we still
# delay the sender because people who do dictionnary attacks can
# reconnect and try again, so let's slow them down
# delay = ${eval:30*$rcpt_fail_count}s
# domains = +local_domains
# !verify = recipient

Save and let Exim restart. Do you still have this issue?
faldran
Ok, I have done that on two of the servers that most commonly have this problem and I will keep you posted as to how it affects it.
faldran
I did finally figure out what causes it..

Under Tweak settings, the option to set "xx mail per hour" setting, is what causes it.

On a high volume mail server, for some reason this runs it into the ground basically. Had to go back to a 0 ( unlimited ) setting and things are back to normal.

So now I need to look and find another similar solution to the max amount of email per hour. You don't by chance know of any good ones, do you?
michael_S
Hi,

I added the rules to the exim configuration through whm, and it says everything is ok. All I did was copy and paste directly from the tutorial page.

But, now I cannot send mail at all. No matter where I send, I get the following error immediately on trying to send:

Your message did not reach some or all of the intended recipients.

Subject: Testing
Sent: 03/20/2004 7:04 PM

The following recipient(s) could not be reached:

421 Unexpected failure, please try later



I have to run exim on an alternate port due to my ISP blocking 25. Does this make a difference?

Also, any local mail on the server never gets delivered, it just piles up in the queue until I remove the rules and then everything goes back to working.
michael_S
To update, my problem was that the touch did not create all three files in the exim/acls dir, and I did not check to confirm they were there.

Once I put them in manually, everything started working correctly. Thanks for the great contribution.
aussie
QUOTE
Originally posted by michael_S
To update, my problem was that the touch did not create all three files in the exim/acls dir, and I did not check to confirm they were there.

Once I put them in manually, everything started working correctly. Thanks for the great contribution.


You're very welcome. I'm glad it worked and you found the problem eventually. Let me know if you need additional assistance.
faldran
QUOTE
Originally posted by michael_S
To update, my problem was that the touch did not create all three files in the exim/acls dir, and I did not check to confirm they were there.

Once I put them in manually, everything started working correctly. Thanks for the great contribution.


Actually I ran into that problem too on a few server installs.

I found if you cd to that dir ( cd /etc/exim/acls/ ), then put in his command to make them, they all are put in the right place. ( or put full path for each of them )
ohvhost
I have installed this update using the tutorial on the site linked to, however, I am not sure if this is an issue with my setup, or if it's a "regular" issue.

See, I installed the first version of aussie's ACLs (pre-dictionary attack version) and then I installed MailScanner/ClamAV/SpamAssassin using the cpanelplus.com tutorial.

The cpplus tutorial creates basically two copies of the exim.conf (an incoming and outgoing version) . Well using WHM to make the edits in aussie's latest tutorial get applied to both incoming and outgoing versions of the conf files. I assume WHM read/gets the incoming and outgoing path info from exim.conf and applies the changes to both versions of the file.

The WHM editor fills in the edits that were made from the incoming conf file in the web browser text boxes. When aussie's edits are added, the data for the incoming file (that was pre-filled into the WHM text boxes) is written to the outgoing file and that needs to be edited out.

Basically, the addition of the incoming spool directory section at the top of the file and the defer_router: section in the middle are added to the outgoing conf file.

This causes exim to not send mail (spool file cannot be found). At least no messages are lost, you just need to remove the 2 sections from the outgoing conf file and restart exim and mailscanner.

Hope that all makes sense.
aussie
QUOTE
Originally posted by ohvhost
I have installed this update using the tutorial on the site linked to, however, I am not sure if this is an issue with my setup, or if it's a "regular" issue.

See, I installed the first version of aussie's ACLs (pre-dictionary attack version) and then I installed MailScanner/ClamAV/SpamAssassin using the cpanelplus.com tutorial.  

The cpplus tutorial creates basically two copies of the exim.conf (an incoming and outgoing version) . Well using WHM to make the edits in aussie's latest tutorial get applied to both incoming and outgoing versions of the conf files. I assume WHM read/gets the incoming and outgoing path info from exim.conf and applies the changes to both versions of the file.


That's correct so far
QUOTE

The WHM editor fills in the edits that were made from the incoming conf file in the web browser text boxes. When aussie's edits are added, the data for the incoming file (that was pre-filled into the WHM text boxes) is written to the outgoing file and that needs to be edited out.


That's also correct. Any changes made via the Exim editor are written to both exim.conf and exim_outgoing.conf as per Cpanel. Cpanel will write to both files and it cannot be helped. Spoke to Cpanel about this once before and that's the way they do it, but it DOES NOT affect the functionality of MailScanner or anything added via the editor.
QUOTE

Basically, the addition of the incoming spool directory section at the top of the file and the defer_router: section in the middle are added to the outgoing conf file.

This causes exim to not send mail (spool file cannot be found). At least no messages are lost, you just need to remove the 2 sections from the outgoing conf file and restart exim and mailscanner.

Hope that all makes sense.


spool_directory = /var/spool/exim_incoming
queue_only = true

should only appear at the top of exim.conf and not in exim_outgoing.conf.
ohvhost
Thanks for clarifying my message aussie. Just figured others should hear it in case they ran into the same errors I did, as your tutorial didn't mention it.

Can I remove all your ACLs from the outgoing file? Are they used at all outbound? Do they eat resources at all if they are there but not used? I'd hate for outbound messages to be checked against RBLs and such eating bandwidth since that does not matter.

{edit: spelling}
ferenczy
Hi Aussie,

First off, great tutorial as always.

Anyway, here's a small problem. Placing an IP number in hostrejectrcpt from the original sender that their ISP reroutes doesn't work correctly.

For example message header shows:

Received: from [xx.xx.xxx.xxx] (port=49800 helo=ms-smtp-03-eri0.socal.rr.com)

Received: from HOMEPORT (yyy-yyy-yy-yyy.san.rr.com [yyy.yyy.yy.yyy])

yyy.yyy.yy.yyy would be the original sender and xx.xx.xxx.xxx is the rerouted IP of the ISP. Entering the original sender's IP number still allows the email through.

Not very practical to block an ISP over one bad apple.

Any ideas or possible changes to the ACL rules to check for multiple Received: from lines and block the one you really want to block?
aussie
Really? I will have to look at that but I won't be able to this week. I'm moving to Baltimore, Maryland this week and won't have an internet connection till around 4/10, so until then I will be pretty much offline.