How to reduce SPAM through exim.conf ?

eurorocco

I wonder if anyone can provide advice on how to change the /etc/exim.conf file.

When a connection is received to deliver email to my server (SMTP TCP/IP port 25 and 26 too)...

a) Check that the connecting IP has valid non-numerical reverse DNS lookup response, and it matches the "helo" value in that email. AOL is doing this now, for example, when receiving email.

b) Check that the IP of the host making the SMTP connection is not a dialup (phone, cable, dsl or otherwise). If it's a dialup, then assume it's a spammer individual (not a mail server used by a community).

On a) I have just the one line in /etc/exim.conf
Quote: "
# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = 0.0.0.0/0

The host_lookup line was commented out (started with a # that I removed, then restarted exim with "service exim restart").

On b) I have http://njabl.org/ and its dnsbl.njabl.org , and I see SpamAssassin using this reference to calculate some spam points. I'd like Exim not to receive email from dialups. Is there a way to bring njabl.org to the exim.conf file? I think they have an rsync connection so one can stay in sync ever so often.

If you know the answer to these questions or a link to find it, please let me know.

Thanks in advance for your help!

ER
 

myrem

Originally posted by eurorocco
b) Check that the IP of the host making the SMTP connection is not a dialup (phone, cable, dsl or otherwise). If it's a dialup, then assume it's a spammer individual (not a mail server used by a community).

...

On b) I have http://njabl.org/ and its dnsbl.njabl.org , and I see SpamAssassin using this reference to calculate some spam points. I'd like Exim not to receive email from dialups. Is there a way to bring njabl.org to the exim.conf file? I think they have an rsync connection so one can stay in sync ever so often.
You can have exim do rejections based on a connecting host matching an RBL (or multiple).

In the exim config you can place below the :
Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.

  accept  hosts = +relay_hosts
       endpass
Place:
Code:
  drop dnslists =  dnsbl.njabl.org :  bl.spamcop.net 
       message = your mail server $sender_host_address is in a black list \
              at $dnslist_domain ($dnslist_text)

  require verify = reverse_host_lookup
          message = your mail server IP address ($sender_host_address) has no reverse DNS PTR hostname

Save, restart exim. The "require verify" makes certain the host has a reverse 'name' lookup for its IP address.

(I added spamcop.net's blacklist because that is VERY helpful.)

This is MY dnslist blacklist config (this is very aggressive):

Code:
  drop dnslists =  relays.ordb.org :\
                sbl-xbl.spamhaus.org :\
                hil.habeas.com :\
                list.dsbl.org :\
                bl.spamcop.net :\
                dnsbl.njabl.org :\
                proxies.blackholes.easynet.nl :\
                dynablock.easynet.nl :\
                spam.dnsbl.sorbs.net :\
                korea.services.net :\
                brazil.blackholes.us :\
                nigeria.blackholes.us :\
                argentina.blackholes.us :\
                malaysia.blackholes.us  :\
                singapore.blackholes.us :\
                taiwan.blackholes.us

       message = your mail server $sender_host_address is in a black list \
                 at $dnslist_domain ($dnslist_text)
 
eurorocco

Thanks! Issue though!

Thanks for replying to my post.

I tried implementing it but some customers experienced problems... they could not send email.

I saw their IP listed in /etc/relayhosts and still they could not send email. Somehow exim seems not to reload the file, or to ignore the file sometimes.

I have another server where customers have not reported problems in spite of this solution being implemented (with the more astringent and longer RBL lookup list). I will diff the two exim.conf files and see.

In two servers I connected using a phone dialup listed in njabl.org and was able to send/receive email (my SMTP server requires authentication selected in Outlook), but some customers reported they could not send email and got the message they were blacklisted even though their IP was listed in /etc/relayhosts and they had the SMTP auth option in Outlook. Investigating.

Thanks again for your help!

ER
 
myrem

Re: Thanks! Issue though!

Originally posted by eurorocco
I saw their IP listed in /etc/relayhosts and still they could not send email. Somehow exim seems not to reload the file, or to ignore the file sometimes.
Make sure you have an "endpass" below the "accept hosts = +relay_hosts" line.
 

d-woo

Thanks for the strict SPAM blocking RBLs.

In my /etc/exim.conf file I only have:

Code:
  accept  hosts = :
Question1: What does this do or not do?

Question2: Should I change it to:
Code:
  accept  hosts = +relay_hosts
       endpass
Thanks all!
 

WebHostPro

Where does this go in the exim file?

Just the lines before where it goes would be great...

drop dnslists = relays.ordb.org :\
sbl-xbl.spamhaus.org :\
hil.habeas.com :\
list.dsbl.org :\
bl.spamcop.net :\
dnsbl.njabl.org :\
proxies.blackholes.easynet.nl :\
dynablock.easynet.nl :\
spam.dnsbl.sorbs.net :\
korea.services.net :\
brazil.blackholes.us :\
nigeria.blackholes.us :\
argentina.blackholes.us :\
malaysia.blackholes.us :\
singapore.blackholes.us :\
taiwan.blackholes.us

message = your mail server $sender_host_address is in a black list \
at $dnslist_domain ($dnslist_text)
 

d-woo

After the section:

Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.

  accept  hosts

What does your accept hosts line have after "accept hosts" ?
 

Website Rob

Re: Re: How to reduce SPAM through exim.conf ?

Originally posted by myrem
(I added spamcop.net's blacklist because that is VERY helpful.)

This is MY dnslist blacklist config (this is very aggressive):

Code:
  drop dnslists =  relays.ordb.org :\
                sbl-xbl.spamhaus.org :\
                hil.habeas.com :\
                list.dsbl.org :\
                bl.spamcop.net :\
                dnsbl.njabl.org :\
                proxies.blackholes.easynet.nl :\
                dynablock.easynet.nl :\
                spam.dnsbl.sorbs.net :\
                korea.services.net :\
                brazil.blackholes.us :\
                nigeria.blackholes.us :\
                argentina.blackholes.us :\
                malaysia.blackholes.us  :\
                singapore.blackholes.us :\
                taiwan.blackholes.us

       message = your mail server $sender_host_address is in a black list \
                 at $dnslist_domain ($dnslist_text)
The above is very aggressive which may cause some problems. Creating an RBL list is very specific to the Clients using the Server and somewhere between "an Art and a Science" for creating a good one that works for you. ;)

You place the RBL list here:
Code:
require verify = sender

  deny    message = $sender_host_address is Spamlisted at $dnslist_domain
          dnslists = list.dsbl.org : \
                      ....
                     porn.rhs.mailpolice.com
I put the 'deny msg.' before the RBLs instead of after, personal choice is all.
The last RBL does not need : \ after it as that just tells Exim there is another RBL -- which is why the last one does not need it.

Speaking of which, I think it would be nice if everyone included 'porn.rhs.mailpolice.com' in their RBL list.


restart exim: service exim restart
check your work: service exim status
correct any mistakes and repeat as necessary
 
d-woo

Rob,

What is the difference between the commands:

Code:
accept  hosts = +relay_hosts
       endpass
and


Code:
accept  hosts = :
 

VirtuaLira

Exim PROBLEMS AGAIN!!!

In the new Exim version, CPANEL CHANGED MY DEFAULT CONFIG!!!

Now Exim includes a List of the RBL or something like that (the black list)

But I have this line commented, anyway I can send emails to some users of other ISPs, and this is really bad... it says:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
SMTP error from remote mailer after RCPT TO:<[email protected]>:
host mail.entelchile.net [164.77.62.8]: 550 5.7.1 Found in <http://spamcop.net/>:
[email protected]

HOW CAN I DISABLE THIS FEATURE IN THE NEW VERSION??...

PLEASE HELP!!!
 

Ali

Great thread. How do I set up a whitelist so as to have specific IPs bypass this process?

Thanks.
 

Lestat

Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
    accept hosts = :

    drop hosts = /etc/exim_deny
        message = Connection denied after dictionary attack
        log_message = Connection denied from $sender_host_address after dictionary attack 


    drop message = Appears to be a dictionary attack
        log_message = Dictionary attack (after $rcpt_fail_count failures)
        condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
        condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
        !verify = recipient
This is what I currently have on mine. How would I go about placing your config in there without corrupting the rest of the code I have in there?
 

Ali

Hello,

How can I create exceptions? Let's say I host abcd.com and I don't want emails meant for abcd.com to go through the SPAM check.

Thanks.
 

Ali

No sweat. Figured it out.
 

Ali

dee_at_candl said:
Hi Ali,

How did you do that? :)
simply by adding

Code:
!domains = yourlocaldomain.com
 

lloyd_tennison

Check out
combined.njabl.org

as it includes a couple of the lists you are listing - or the same type. Cuts down on the calls.
 

ttremain

Ali said:
simply by adding

Code:
!domains = yourlocaldomain.com

Where did you put this? Between these?

Code:
    drop hosts = /etc/exim_deny

and

    message = Connection denied after dictionary attack
 

ttremain

Legitimate users getting blocked

With the settings below, several clients are not able to send through Exim
from an SMTP client.

When checking /var/log/exim_mainlog their IPs are being flagged as listed
in spamhaus or one of the others.

The clients tested are listed in /etc/relay_hosts

Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = +relay_hosts
     endpass
	
  drop dnslists =  relays.ordb.org :\
                sbl-xbl.spamhaus.org :\
                hil.habeas.com :\
                bl.spamcop.net :\
                proxies.blackholes.easynet.nl :\
                dynablock.easynet.nl :\
                spam.dnsbl.sorbs.net :\
                korea.services.net :\
                brazil.blackholes.us :\
                nigeria.blackholes.us :\
                argentina.blackholes.us :\
                malaysia.blackholes.us  :\
                singapore.blackholes.us :\
                taiwan.blackholes.us :\
                combined.njabl.org :\
                porn.rhs.mailpolice.com

       message = your mail server $sender_host_address is in a black list \
                 at $dnslist_domain ($dnslist_text)



    drop hosts = /etc/exim_deny
        !domains = lsearch;/etc/nonblacklistfilterhosts
        message = Connection denied after dictionary attack
        log_message = Connection denied from $sender_host_address after dictionary attack
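
An added example (not written by any poster in this thread, and not Exim's own code) that models in Python what a dnslists check does and why relay hosts and authenticated senders have to be exempted before the lists are consulted, which is the failure reported in the last post. The function names, zone names and sample records are constructed for illustration.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return one A record for name, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def first_listing(ip, zones, resolve=system_resolver):
    """Query the zones in order and stop at the first one that lists ip."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # By DNSBL convention a listing is an A record inside 127.0.0.0/8.
        # This helper ignores any other answer (e.g. a parked zone).
        if answer and ipaddress.ip_address(answer) in LOOPBACK:
            return zone, answer
    return None

def rcpt_decision(ip, zones, relay_nets=(), authenticated=False,
                  resolve=system_resolver):
    """Exempt trusted senders first; only then consult the lists."""
    addr = ipaddress.ip_address(ip)
    if authenticated or any(addr in ipaddress.ip_network(n) for n in relay_nets):
        return ("accept", None)
    hit = first_listing(ip, zones, resolve)
    return ("drop", hit[0]) if hit else ("accept", None)

# Constructed sample data: documentation-range IPs, made-up zone names.
SAMPLE_ZONES = ["bl.example.test", "dynamic.example.test"]
SAMPLE_RECORDS = {
    "7.113.0.203.dynamic.example.test": "127.0.0.3",  # dial-up pool listed
    "9.100.51.198.bl.example.test": "192.0.2.80",     # not a 127/8 answer
}
fake_resolver = SAMPLE_RECORDS.get  # offline stand-in for DNS

if __name__ == "__main__":
    for auth in (False, True):
        print(auth, rcpt_decision("203.0.113.7", SAMPLE_ZONES,
                                  authenticated=auth, resolve=fake_resolver))
```

Calling `first_listing` with the default resolver and the zones from an exim.conf shows which list is responsible for a customer's rejection.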