  1. #16
    Member
    Join Date
    May 2003
    Location
    Seattle
    Posts
    103

    Default

    I think I have this licked. I received an email back from SpamCop indicating the email caught in their spamtrap had the subject "The results of your email commands..." which is, I believe, a mailman autoresponder/bounce.

    So, I wrote the following PHP script, which checks every mailman list on my box for seven different configuration variables that are responsible for sending autoresponses/bounces and sets them appropriately. I think the defaults are to "reject" rather than "discard" various messages, which causes bounces back to forged FROM: addresses (which in this case are SpamCop traps). I'll be cron'ing this script to run nightly.


    Code:
    <?php
    // Audit every Mailman list and turn off the settings that send
    // autoresponses/bounces to (possibly forged) sender addresses.
    define('MM_PATH','/usr/local/cpanel/3rdparty/mailman');
    define('LIST_PATH',MM_PATH.'/lists/');
    define('BIN_PATH',MM_PATH.'/bin/');
    
    foreach (glob(LIST_PATH."*") as $filename) {
    	$list = substr($filename,strlen(LIST_PATH));
    	echo '*** '.$list." ***\n";
    	// Dump the current list configuration; the list name is shell-escaped.
    	$config = (string) shell_exec(BIN_PATH.'config_list -o - '.escapeshellarg($list));
    	$out = '';
    	// preg_match() replaces ereg(), which was removed in PHP 7. Patterns are
    	// anchored to the start of a line so comments in the dump cannot match.
    	if (preg_match('/^respond_to_post_requests = 1\s*$/m', $config)) {
    		echo "PROBLEM: respond_to_post_requests is active.\n";
    		$out = "respond_to_post_requests = 0\n";
    	}
    	if (preg_match('/^generic_nonmember_action = 2\s*$/m', $config)) {
    		echo "PROBLEM: generic_nonmember_action is bouncing.\n";
    		$out.= "generic_nonmember_action = 3\n";
    	}
    	if (preg_match('/^member_moderation_action = 1\s*$/m', $config)) {
    		echo "PROBLEM: member_moderation_action is bouncing.\n";
    		$out.= "member_moderation_action = 2\n";
    	}
    	if (preg_match('/^autorespond_postings = 1\s*$/m', $config)) {
    		echo "PROBLEM: autorespond_postings is autoresponding.\n";
    		$out.= "autorespond_postings = 0\n";
    	}
    	if (preg_match('/^autorespond_admin = 1\s*$/m', $config)) {
    		echo "PROBLEM: autorespond_admin is autoresponding.\n";
    		$out.= "autorespond_admin = 0\n";
    	}
    	if (preg_match('/^autorespond_requests = 1\s*$/m', $config)) {
    		echo "PROBLEM: autorespond_requests is autoresponding.\n";
    		$out.= "autorespond_requests = 0\n";
    	}
    	// Only inspect the captured value when the setting was actually found.
    	if (preg_match('/^max_days_to_hold = ([0-9]+)/m', $config, $regs) && $regs[1]=='0') {
    		echo "PROBLEM: max_days_to_hold is deactivated.\n";
    		$out.= "max_days_to_hold = 30\n";
    	}
    	if(!empty($out)) {
    		// Keep a backup of the old settings, then import only the changed ones.
    		file_put_contents($list.'.conf.bak',$config);
    		file_put_contents('mm_config.tmp',$out);
    		shell_exec(BIN_PATH.'config_list -i mm_config.tmp '.escapeshellarg($list));
    		unlink('mm_config.tmp');
    		echo "The list has been updated with the following settings:\n".$out;
    	} else {
    		echo "The list needs no reconfiguration.\n";
    	}
    	echo "\n";
    }
    
    ?>

  2. #17
    Member
    Join Date
    May 2003
    Location
    Seattle
    Posts
    103

    Default

    ok... still not completely cutting out the "the results of your email commands" messages. Apparently if anything is sent to listname-requests@domain.com, mailman will automatically respond to the sender... even if forged, and even if the sender is not a member.

    Anyone know how to deal with this? I suppose the -requests address should be limited to members unless it is a subscribe request?

  3. #18
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Mar 2006
    Posts
    11

    Default

    First a rant:

    CBL is not a responsible spam prevention service by any means. They refuse to provide a copy of the offending email so you can see what you've done. I truly, and totally hate them. It's not an overstatement. I absolutely loathe them, and wish they would vanish off of the earth.


    Now a solution:

    It's probably half a dozen cgi or php scripts on your server firing out port 25. The solution is simple: reroute anything that's not going out port 25 by the mail user back through exim.

    Iptables:

    iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -m owner --uid-owner [exim owner] -j ACCEPT
    iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -j DNAT --to-destination=127.0.0.1

    Voilà. Expect some user screaming from a couple of people that were spamming out your system, or using offsite mail servers for thousands of messages per hour. Exim will also make sure your server is hello'ing as... your server. CBL problem solved.

    You're welcome.
    ---------------------------------------------------------------------
    Jessica Breckenridge
    www.a2hosting.com
    Leading Edge Hosting, Exceptional Support
    --------------------------------------------------------------------

  4. #19
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Interesting and effective solution!

    Another way of solving this is to ban all outgoing port 25 access other than from root or exim. Also solves the problem instantly - and given most of those sending outgoing mail via port 25 (if not all) are spammers, you can mostly ignore the outcry. This ban is easily accomplished using CSF.

  5. #20
    Registered User
    Join Date
    Nov 2003
    Location
    Floripa - Brazil
    Posts
    69

    Default

    Hi brianoz,
    can you explain how to add these rules with csf?
    I'm having the same issue.

    Thanks

  6. #21
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by deieno View Post
    can you explain how to add this rules with csf?
    If I remember correctly, it's in the CSF config file, search for SMTP ..

  7. #22
    Registered User
    Join Date
    Nov 2003
    Location
    Floripa - Brazil
    Posts
    69

    Default

    Great.. found it... I hope it helps...
    thanks

  8. #23
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Mar 2006
    Posts
    11

    Default

    Quote Originally Posted by brianoz View Post
    Interesting and effective solution!

    Another way of solving this is to ban all outgoing port 25 access other than from root or exim. Also solves the problem instantly - and given most of those sending outgoing mail via port 25 (if not all) are spammers, you can mostly ignore the outcry. This ban is easily accomplished using CSF.
    Actually, there is a problem with just banning it. A lot of very, very stupid coders allow the option, set in some auto installs of mambo and joomla esp, to send mail via sockets. If you ban it entirely, your support queue will build up pretty quick. With Mailscanner, and rate limited, you'll still put the kibosh on your spammers as well with my hack ;-)

    Oh, and the problem that was causing our listing was a legit email... Mambo install sending with sockets, but the script is so blitheringly stupid, it HELO's as the user the customer wanted them to reply as... @gmail.com.
    Last edited by jbreck; 05-17-2007 at 12:56 PM.
    ---------------------------------------------------------------------
    Jessica Breckenridge
    www.a2hosting.com
    Leading Edge Hosting, Exceptional Support
    --------------------------------------------------------------------

  9. #24
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by jbreck View Post
    Actually, there is a problem with just banning it. A lot of very, very stupid coders allow the option, set in some auto installs of mambo and joomla esp, to send mail via sockets. If you ban it entirely, your support queue will build up pretty quick. With Mailscanner, and rate limited, you'll still put the kibosh on your spammers as well with my hack ;-)
    I think something got lost in translation from Aussie to US

    I was talking about banning port 25 to external. Port 25 to localhost is fine and trackable through exim logs. And that's exactly what your iptables rules do, except what I was suggesting was doing it through CSF.

    Banning port 25 to external won't cause a support load, trust me, it never has for me. Banning all port 25 access is ridiculous and makes your server unusable.

  10. #25
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Mar 2006
    Posts
    11

    Default

    It was more as in if you just ban it to non-localhost, and don't re-route it somewhere. When I did it, I had about 15 tickets in the queue about broken cms installs for "cannot send mail" issues.
    ---------------------------------------------------------------------
    Jessica Breckenridge
    www.a2hosting.com
    Leading Edge Hosting, Exceptional Support
    --------------------------------------------------------------------

  11. #26
    cPanel Verified Vendor This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Aug 2003
    Location
    Montreal
    Posts
    26

    Default iptables help

    We are experiencing similar CBL issues

    When I attempt

    iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -m owner --uid-owner [exim owner] -j ACCEPT


    I receive

    iptables v1.3.0: Bad OWNER UID value `[exim'
    Try `iptables -h' or 'iptables --help' for more information.


    I tried changing [exim owner] to 8 (because this is the mail uid) and that didn't work either... Can someone help me out.

  12. #27
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Hi! Was there a reason why you are trying to do this with a native iptables rule rather than just using CSF? CSF does all this work for you, and a lot more besides. You'd be crazy not to install it unless you had a very good reason - it will save you oceans of work!

    www.configserver.com/cp/csf.html

    Work smart not hard!

  13. #28
    Member
    Join Date
    Sep 2003
    Posts
    148

    Default

    Quote Originally Posted by canfone View Post
    We are experiencing similar CBL issues

    When I attempt

    iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -m owner --uid-owner [exim owner] -j ACCEPT


    I receive

    iptables v1.3.0: Bad OWNER UID value `[exim'
    Try `iptables -h' or 'iptables --help' for more information.


    I tried changing [exim owner] to 8 (because this is the mail uid) and that didn't work either... Can someone help me out.
    I'm getting the same, can anybody help with this IPtables rule?

  14. #29
    Member MaestriaNick's Avatar
    Join Date
    Aug 2008
    Posts
    137

    Default

    You should give a valid uid or username after the switch --uid-owner.

    Maestriatech.com
    If Someone can do it, We can do it better.
    24/7 Linux /Windows Server Support
    5+ years in the industry
    reachus@maestriatech.com

  15. #30
    Member
    Join Date
    Sep 2003
    Posts
    148

    Default

    Do you know how I would find the uid for exim?
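
Added example, not part of any post in this thread: the `Bad OWNER UID value` error above comes from passing the `[exim owner]` placeholder literally, so this sketch looks up the numeric UID of each named account and prints the two NAT rules from post #18 with it filled in. The `PASSWD_DB` override and the sample account `mailnull` with UID 47 are assumptions made for the demonstration; use the account your exim actually runs as.

```shell
#!/bin/sh
# Added example (not from the thread): print the thread's two NAT rules with a
# real numeric UID in place of "[exim owner]". Rules are printed, not applied.

# Look up a login name's numeric UID in a passwd-format file.
# PASSWD_DB is a hypothetical override so the lookup can run on sample data.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; ok = 1; exit } END { exit !ok }' \
        "${PASSWD_DB:-/etc/passwd}"
}

# Usage: smtp_redirect_rules IFACE USER [USER...]
# Listed accounts may reach remote port 25; all other local senders are
# redirected to the MTA on 127.0.0.1, where their mail is logged.
smtp_redirect_rules() {
    iface=$1; shift
    [ "$#" -gt 0 ] || { echo "need at least one account name" >&2; return 1; }
    rules=
    for user in "$@"; do
        uid=$(uid_of "$user") || { echo "no such account: $user" >&2; return 1; }
        case $uid in ''|*[!0-9]*) echo "bad uid for $user" >&2; return 1 ;; esac
        # ACCEPT rules must be added before the catch-all DNAT rule.
        rules="${rules}iptables -t nat -A OUTPUT -o $iface -p tcp --dport 25 -m owner --uid-owner $uid -j ACCEPT
"
    done
    printf '%siptables -t nat -A OUTPUT -o %s -p tcp --dport 25 -j DNAT --to-destination 127.0.0.1\n' \
        "$rules" "$iface"
}

# Constructed sample passwd entries; "mailnull" and UID 47 are assumptions.
sample_db=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin' > "$sample_db"
PASSWD_DB=$sample_db
smtp_redirect_rules eth0 mailnull
unset PASSWD_DB
rm -f "$sample_db"
```

Run without `PASSWD_DB` set, the function reads `/etc/passwd`; review the printed rules before applying them as root.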
