Stop spam using SURBL at SMTP time instead of accepting it before being processed by MailScanner. Even if you don't have MailScanner installed, and you are not doing any other type of spam filtering, inbound, you can still benefit by reducing your incoming JUNK mail simply by taking a few minutes to add the following modification to your cPanel box!

I could never understand the mentality behind accepting spam when using SURBL then trashing it. This gives spammers the notion that they can continue sending their junk because from their prospective it seems like the message is being successfully delivered even though your MailScanner is working like crazy to trash the message.

Now you can stop spam at SMTP time and reject the message outright if the spammers domain is on the SURBL blacklist. The end result is a faster MS too because it doesnt have to work so hard processing surbl spam.

Here is how to do it.

I do not take credit for the code. The credit goes to Erik Mugele and his code snippnet. I have merely tested it and integrated it with Cpanel and it works beautifully. Thanks Erik!

1) If you are currently using my_rules_du_jour and downloading your rulesets, leave those in place. Those rulesets should be left as is and should not be deleted. They will be used to weed out spam for non blacklisted sites.

Visit, http://www.teuton.org/~ejm/exim_surbl/ and download the latest tar, its currently v1.6. V1.6 includes URIBL and MIME decoding.

2) Make a copy of exim.pl



If you are updating, run the command above and answer Y to overwrite existing file.

3) Edit exim_surbl.pl using your favourite editor and scroll to the bottom of the file, right to the very eof. Now just before the number 1;



Copy and paste the content of the file from the zip file. Save and exit.

4) Implament ccTLD.txt



5) Edit /etc/exim_surbl.pl again, and do a search for ccTLD.txt. You will need to change the path to ccTLD.txt here to /etc/ccTLD.txt.

6) Open the Exim Configuration Editor in WHM and click on Switch To Advanced Mode. In the first box copy and paste this code.



7) Find the center box, where most of the exim rules reside and search for this line of code. The codes resides at the end of file, the last 4 lines of code.



If you are upgrading from an earlier version, make sure you replace this line of code as shown above as there are is now a new routine to check for MIME messages.

Save and reload! I added the Log subject code above. I like to see the subject of messages arriving so i can see what spammers and users are sending. If you include those lines, the subject for each message will appear in exim_mainlog.

After saving your changes you should tail your exim_mainlog to make sure everyting is functioning correctly. Use;

tail -f /var/log/exim_mainlog to monitor the log.

NOTE: If surbl lookups are happening, you will notice messages that look something like this;

2005-09-01 10:34:18 1EAq8w-00006T-13 Subject: Clean Shave on Us
2005-09-01 10:34:18 1EAq8w-00006T-13 H=(mx1.rainkeys.com) [205.150.209.142] F= rejected after DATA: Message contains blacklisted domain (popbasic.com) in [jp] [ws]. See http://www.surbl.org/lists.html. R=stuff@vreal.org (Rule 21)

AND BEST OF ALL, they are all getting wiped out before it gets a change to be accepted!

Good Luck!

Update History;

QUOTE

Origional post on 09/01/05

QUOTE

Updated on 12/27/05

QUOTE

Last Updated on 06/10/06

groovy Aussie works like a champ

should it bounce the message??
I was testing it with my own email address's with a known surbl listed domain
and it rejects it as it should but was expecting to see a bounce message ??

What kind of message should it bounce?

First of all, the perl code itself does not do anything with the message other than scan it and pass back to Exim whether or not it found a URL from the SURBL database in that message. What to do with the message is up to Exim. Generally that is handled by the various Exim ACLs.

Second, IF Exim were to send a bounce message implies that Exim has to accept the message first, then evaluate it, and then formulate and send a bounce response. That misses the whole point of rejecting the message during the message transfer which is the whole point of the Exim ACL system. We don't want to accept any mail that is spam.... we want it rejected during the SMTP conversation and we want the sending server to take care of any bounce.

Also consider that most of the From: addresses found in spam messages and virus messages is forged, just who is Exim supposed to send the bounced message to? You don't want to exacerbate the problem by sending a bounce to someone who has nothing to do with the problem.

You are testing with a mail client sending to a mail server. While that will test the functionality it is not a very good test of what happens with a server-to-server SMTP transaction. Your Outlook transaction log will show that the message was rejected.

Think of this example. A spammer out there writes up his spam message and sends it to his dedicated spam server (or even his zombie army of trojaned
machines) to delivered to millions of poor souls. The spammer's mail server gets to your mail address and makes a connection to your mail server. The way the system is currently configured your mail server will not ever accept the message from the spam server. It will realize the message is spam (during the many Exim ACL checks which take place while the message is being delivered) and will refuse to accept it. That means the burden is on the sending spam server to do something with the blocked message.

If you were to accept the message from the spammer and then determine it was spam, where would you send the bounce, to? Even if the spammer left a legit From: address in the message he certainly wouldn't accept the bounce.

Now, having said all that, you can customize the reject message (in fact it already is customized) so that the sending server gets a reason for not being able to deliver the message. If the message was legitimate it would have a valid path to bounce the message. The sending server would send an error back to the original author with the reason for the non-delivery (that reason is customized in the Exim ACL).

excellent I was using my ISP and all record of it disapeared i used one of my other servers without the the ACL and it logs the same error in reverse with SPMT error

Just want the scum to know their mail is going nowhere

If you have not implamented this modification to all your servers then you are loosing out guys. Spam is down 60% on all my servers due to these changes. Consider making the change!

When i do chattr +x exim.pl I get an error message. I read the man page and used the '+i' option instead.

Thanks for a great HOWTO!

Its the +i my mistype

thanks for this great howto!!! It helps to reduce my server load even more after RBL.

Can I know is it possible to customize the rejection based on the different category of SURBL? sc, ws, be, ob, ab, multi, ph and jp.

Cause i want to reject only if SURBL matches of 3 or more category. Sometimes for my emails, 1 or 2 matches are still valid emails.

Thanks in advance.

For those who didn't notice, you can actually add a whitelist file to whitelist domains that you want surbl to skip.

Look in the codes that you added into exim.pl file. As the top of the code, you'll see



Add a file in those quotes and then create that file with your whitelist.

wonder why i am getting this in the log



Timeout?

Why did I wait so long to implement this?? :confused:

Works great, thanks Aussie

Scrumpy

Hey your welcome of course!

Hi guys,

Any idea why I'm getting zero emails after this implementation?

If you don't have a hint for me straight away I can provide more system info, but just thought you might have an idea at the outset.

My logs seem to be delivering some and blacklisting others, as expected.

All was fine before plugging in this set of alterations. I'm running MailScanner, my impression was that MS can run just fine behind this fix, is that indeed correct?

Thanks for any hints or request for specific log or version info,

Lizard

p.s. I think I'll reverse the change for now to see if mail kicks back in...


=============== EDIT ===============

Okay, I worked the problem down to MailScanner... it just wasn't delivering from the mail queue. Aussie's HowTo IS and WAS rock solid. I performed a clean install of MailScanner to get rid of whatever wacky configuration problems I had that were jacking things up. Then I re-implemented Aussie's HowTo and now we are smooth and happy here. Thanks guys for all the support.

Lizard

Im running MS as well with this installation and no problems. You may want to reread the installation instructions and check your work to make sure you have not left something out. It works fantastic. Just as an example, one box was processing over 2600 messages a day with a 95% spam rate. After this implamentation the box is processing less than 400 messages a day killing off those SURBL sites which are a constant spam mennace with delivering all legit mail.

looks good. nice how to.

LOL, this is unrelated to this modification. This is a timeout with your RBL checks, not your SURBL checking.

I seem to be getting this error in the exim_mainlog and it is blocking all sorts of emails even ev1servers.net I did happen to do the convert script because of the hole has been discovered in the UW-imap mail server. Right after that these errors started showing up.

2005-10-08 18:51:38 1EOOTa-0004Nr-Tx H=(web1.ev1servers.net) [207.218.223.172] F=<[email="nobody@web1.ev1servers.net"]nobody@web1.ev1servers.net[/email]> temporarily rejected after DATA: failed to expand ACL string "${perl{surblspamcheck}}": Undefined subroutine &main::surblspamcheck called.


So for now I have disabled surbl till I find how to stop the errors

You did not modify /etc/exim.pl as per the instructions or you copied and pasted the code incorrectly. Please recheck your work after which time you should restart exim. See step 1 above.

Your exim.pl would have been updated and the surbl subroutine is no longer there. Add it back in.

cPanel does that a lot now. They un-chattr files that it needs to do its updates. I can undrstand why.

Too bad there is no way to do this within cPanel's framework.

There is a way to do it.

cp /etc/exim.pl /etc/exim_surbl.pl
vi /etc/exim_surbl.pl
and add in the surbl subroutine.
In Exim advanced editor add in first box:
perl_startup = do '/etc/exim_surbl.pl'

I'm assuming you've already added the ACL code.

Works fine for me and no need to worry about CHATTR which I never like anyway. Just remember to update exim_surbl.pl if cpanel update exim.pl

Great addition!

Courtesy of the cPanel forums.

Yup thats what it was ....... so I set it up as suggested freddo thanks and thanks to you aussie for this How-To

Hi!

Really great!

I implemented this on Saturday evening.
On Tuesday morning i did..
grep "Message contains blacklisted domain" /var/log/exim_mainlog
Guess what?
190 Messages !!!!

Thanks!

CLAP CLAP! Only 190? Thats nothing!

Hello There,

I configurated SURBL on Exim mail server, following this thread's instructions, three weeks ago. I have got really interesting results, decreasing the amount of unsolicited mails.

Now, I would like to set up SURBL on "Mail Enable" mail server (Windows Server 2003). I have been looking for any help but I didn't find.

Does someone have "Mail Enable" experience? Any help will be apretiated.

Grettings,

Diego.-

How did I miss this thread...

I see a drastic reduction is my server loads after implementing this.

Thanks Aussie and this forum.

Regards

Hello,

I have implemented this HOWTO of aussie.. works very well

Not sure if this question is related to this thread and exim.pl.

Can you please suggest a way to prevent email headers with huge number of To: addresses in it (better before we end up processing the mail body) ?

This week I noticed sudden burst of emails with huge number of To: addresses.

I could build on any tip that I get as I understand Perl (and very little exim)

Thanks,

Origional message updated based on Freddo's suggestion. Modificaiton date 12/27/05!

[QUOTE=nsp]Hello,

I have implemented this HOWTO of aussie.. works very well

Not sure if this question is related to this thread and exim.pl.

Can you please suggest a way to prevent email headers with huge number of To: addresses in it (better before we end up processing the mail body) ?

This week I noticed sudden burst of emails with huge number of To: addresses.

I could build on any tip that I get as I understand Perl (and very little exim)

Thanks,[/QUOTE]

This is unrelated to this modifcation. My suggestion is that you read the mod_security forums and implament dictionary attack rules to stop multiple recipients after x number of recipients.

I just put this on 100 minutes ago, and I got 1945 of them.

Aussie, you rock.

I have been using this SURBL tweak for quite sometime now (it works great by the way)

I have a user who is recieving bounce messages from yahoo groups

is there a way to bypass the srubl check for one domain and yes I know there is a whitelist feature (but it only whitlists spam domains dont want to do that:eek: ) I have tried to set add it to a standard whitelist but it just bypasees the the other rbls set up spamhaus etc

If anyone has an idea it would be much apreciated


thanks

We whitelisted all yahoo groups but thats via MailScanner other than that there was nothing more we had to do. Have you tried installaing the latest version? It includes whitelisting functions and has been rewritten.

Not using mailscanner (using clamAV with exiscan)

No, im talking about the code in the origional messages posted here.

This is the new link and it include ccTLD.txt

http://www.teuton.org/~ejm/exim_surbl/

no such luck getting ver 1.4 to run boxtraper errors

failed to expand condition "${perl{checkbx_autowhitelist}{$authenticated_id}}" for boxtraper_autowhitelist router: Undefined subroutine &main::checkbx_autowhitelist called

Try contacting the author. His pretty responsive. We dont use whitelisting so i cant comment.

the author was not much help as it was out of the scope of what the script can do.

But if anyone else wants to bypass the the SURBL there is a solution below,
in my case i only needed to bypass one email address. Place the accept condition under the data command



#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender

accept condition = \
${if match\
{$recipients}\
{\N?\N}\
{yes}{no}}

Thanks for a great how-to, however I'm getting an error in executing the ACL. This is the message I get when I tail exim_mainlog:



Do I need to download this file: ccTLD.txt?

Thanks.


I.

Yes you do. Its in the new zip file.

what about those of us who already installed 1.3 into exim.pl? How do we convert this to 1.6 exim_surbl.pl? Do we have to remove the 1.3 script from exim.pl? Hehe..sounds dumb. I know 1.3 should be removed from exim.pl but what other things should I check? I install 1.3 quite some time ago, so I forgot what other changes I have made and I am afraid that if I just remove the script of 1.3 from exim.pl, I might have missed something else.

Thanks in advance.

Hi

interesting methos, BUT which are the risk/possibilities(%) to lose valid/positive email using this antispam method ?

If you want your VIAGRA spam stopped you will implament it. The new version includes decoding of MIME as well as lookups to a new RBL. I doubt you will have too many false positives. At least we have never had a complaint unless one of your own hosted sites is listed on SURBL in which case they should be trying to get themselves removed don't you think?

Nope, just copy /etc/exim.pl over the top of exim_surbl.pl and re add the new modification to exim_surbl.pl. Simple!

another doubt ..

now I have exim-4.52-15_cpanel_maildir
Suppose WHM/cpanel upgrades my exim to exim-4.9-25_cpanel_maildir (suppose) . exim.pl will probably change . So will I have to redo all the surbl work ? Am I right ?

In other words , I don't like a lot this solution (also if it seems to work great) because it modifies a core exim file . Am I right ?

If your read the entire post exim update wont overwite update exim on your time

exim.pl hasnt changed in ages. Even so, if it does and your worried about an outdated exim_surbl.pl simply make the change when i new updates comes out.

I am sorry to be such a noob in this. But I don't quite get what you mean. Here is what I understand about your statement. Just tell me if I got it right.


With current implementation of SURBL 1.3, I edited exim.pl by adding somewhere in the file some new scripts. But surbl 1.6 is supposed to have exim_surbl.pl where you only need to edit exim.pl to reference something to exim_surbl.pl. So far correct?

So in order to change from 1.3 to 1.6, I have to copy contents in exim.pl (including stuffs of 1.3) into exim_surbl.pl. Then re-add the new mod into exim_surbl.pl. Am I right?

Thats correct.

cd /etc
cp exim.pl exim_surbl.pl
make changes to exim_surbl.pl as per installation in zip file.
touch ccTLD.txt and edit the file and add the contents to ccTLD.txt as per instructions.

test.