How to reduce SPAM through exim.conf ?

[eurorocco]

I wonder if anyone can provide advice on how to change the /etc/exim.conf file.

When a connection is received to deliver email to my server (SMTP TCP/IP port 25 and 26 too)...

a) Check that the connecting IP has valid non-numerical reverse DNS lookup response, and it matches the "helo" value in that email. AOL is doing this now, for example, when receiving email.

b) Check that the IP of the host making the SMTP connection is not a dialup (phone, cable, dsl or otherwise). If it's a dialup, then assume it's a spammer individual (not a mail server used by a community).

On a) I have just the one line in /etc/exim.conf
Quote: "
# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = 0.0.0.0/0

The host_lookup line was commented out (started with a # that I removed, then restarted exim with "service exim restart").

On b) I have http://njabl.org/ and its dnsbl.njabl.org , and I see SpamAssasin using this reference to calculate some spam points. I'd like Exim not to receive email from dialups. Is there a way to bring njabl.org to the exim.conf file? I think they have an rsync connection so one can stay in sync ever so often.

If you know the answer to these questions or a link to find it, please let me know.

Thanks in advance for your help!

ER

 

[myrem]

Originally posted by eurorocco
b) Check that the IP of the host making the SMTP connection is not a dialup (phone, cable, dsl or otherwise). If it's a dialup, then assume it's a spammer individual (not a mail server used by a community).

...

On b) I have http://njabl.org/ and its dnsbl.njabl.org , and I see SpamAssasin using this reference to calculate some spam points. I'd like Exim not to receive email from dialups. Is there a way to bring njabl.org to the exim.conf file? I think they have an rsync connection so one can stay in sync ever so often.

You can have exim do rejections based on a connecting host matching an RBL (or multiple).

In the exim config you can place below the :

#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.

  accept  hosts = +relay_hosts
       endpass

Place:

  drop dnslists =  dnsbl.njabl.org :  bl.spamcop.net 
       message = your mail server $sender_host_address is in a black list \
              at $dnslist_domain ($dnslist_text)

  require verify = reverse_host_lookup
          message = your mail server IP address ($sender_host_address) has no reverse DNS PTR hostname

Save, restart exim. The "require verify" makes certain the host has a reverse 'name' lookup for it's IP address.

(I added spamcop.net's blacklist because that is VERY helpful.)

This is MY dnslist blacklist config (this is very aggressive):

  drop dnslists =  relays.ordb.org :\
                sbl-xbl.spamhaus.org :\
                hil.habeas.com :\
                list.dsbl.org :\
                bl.spamcop.net :\
                dnsbl.njabl.org :\
                proxies.blackholes.easynet.nl :\
                dynablock.easynet.nl :\
                spam.dnsbl.sorbs.net :\
                korea.services.net :\
                brazil.blackholes.us :\
                nigeria.blackholes.us :\
                argentina.blackholes.us :\
                malaysia.blackholes.us  :\
                singapore.blackholes.us :\
                taiwan.blackholes.us

       message = your mail server $sender_host_address is in a black list \
                 at $dnslist_domain ($dnslist_text)

 

[eurorocco]

Thanks! Issue though!

Thanks for replying to my post.

I tried implementing it but some customers experienced problems... they could not send email.

I saw their IP listed in /etc/relayhosts and still they could not send email. Somehow exim seems not to reload the file, or to ignore the file sometimes.

I have another server where customers have not reported problems in spite of this solution being implemented (with the more astringent and longer RBL lookup list). I will diff the two exim.conf files and see.

In two servers I connected using a phone dialup listed in njabl.org and was able to send/receive email (my SMTP server requires authentication selected in Outlook), but some customers reported they could not send email and got the message they were blacklisted even though their IP was listed in /etc/relayhosts and they had the SMTP auth option in Outlook. Investigating.

Thanks again for your help!

ER

 

[myrem]

Re: Thanks! Issue though!

Originally posted by eurorocco
I saw their IP listed in /etc/relayhosts and still they could not send email. Somehow exim seems not to reload the file, or to ignore the file sometimes.

Make sure you have an "endpass" below the "accept hosts = +relay_hosts" line.

 

[d-woo]

Thanks for the strict SPAM blocking RBLs.

In my /etc/exim.conf file I only have:

  accept  hosts = :

Question1: What does this do or not do?

Question2: Should I change it to:

  accept  hosts = +relay_hosts
       endpass

Thanks all!

 

[WebHostPro]

Where does this go in the exim file?

Just the lines before where it goes would be great...

drop dnslists = relays.ordb.org :\
sbl-xbl.spamhaus.org :\
hil.habeas.com :\
list.dsbl.org :\
bl.spamcop.net :\
dnsbl.njabl.org :\
proxies.blackholes.easynet.nl :\
dynablock.easynet.nl :\
spam.dnsbl.sorbs.net :\
korea.services.net :\
brazil.blackholes.us :\
nigeria.blackholes.us :\
argentina.blackholes.us :\
malaysia.blackholes.us :\
singapore.blackholes.us :\
taiwan.blackholes.us

message = your mail server $sender_host_address is in a black list \
at $dnslist_domain ($dnslist_text)

 

[d-woo]

After the section:

#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.

  accept  hosts

What does your accept hosts line have after "accept hosts" ?

 

[Website Rob]

Re: Re: How to reduce SPAM through exim.conf ?

Originally posted by myrem
(I added spamcop.net's blacklist because that is VERY helpful.)

This is MY dnslist blacklist config (this is very aggressive):

  drop dnslists =  relays.ordb.org :\
                sbl-xbl.spamhaus.org :\
                hil.habeas.com :\
                list.dsbl.org :\
                bl.spamcop.net :\
                dnsbl.njabl.org :\
                proxies.blackholes.easynet.nl :\
                dynablock.easynet.nl :\
                spam.dnsbl.sorbs.net :\
                korea.services.net :\
                brazil.blackholes.us :\
                nigeria.blackholes.us :\
                argentina.blackholes.us :\
                malaysia.blackholes.us  :\
                singapore.blackholes.us :\
                taiwan.blackholes.us

       message = your mail server $sender_host_address is in a black list \
                 at $dnslist_domain ($dnslist_text)

The above is very agressive which may cause some problems. Creating an RBL list is very specific to the Clients using the Server and somewhere between "an Art and a Science" for creating a good one that works for you.

Your place the RBL list here:

require verify = sender

  deny    message = $sender_host_address is Spamlisted at $dnslist_domain
          dnslists = list.dsbl.org : \
                      ....
                     porn.rhs.mailpolice.com

I put the 'deny msg.' before the RBLs instead of after, personal choice is all.
The last RBL does not need : \ after it as that just tells Exim there is another RBL -- which is why the last one does not need it.

Speaking of which, I think it would be nice if everyone included 'porn.rhs.mailpolice.com' in their RBL list.


restart exim: service exim restart
check your work: service exim status
correct any mistakes and repeat as necessary

 

[d-woo]

Rob,

What is the difference between the commands:

accept  hosts = +relay_hosts
       endpass

and

accept  hosts = :

 

[VirtuaLira]

Exim PROBLEMS AGAIN!!!

In the new Exim version, CPANEL CHANGED MY DEFAULT CONFIG!!!

Now Exim includes a List of the RBL or something like that (the black list)

But I have this line Commented, anyway I can send emails to some users of others ISP, and this is really bad... it says:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
SMTP error from remote mailer after RCPT TO:<[email protected]>:
host mail.entelchile.net [164.77.62.8]: 550 5.7.1 Found in <http://spamcop.net/>:
[email protected]

HOW CAN I DISABLE THIS FEATURE IN THE NEW VERSION??...

PLEASE HELP!!!

 

[Ali]

Great thread.. How do I setup a whitelist so as to have specific IPs bypass this process.

Thanks.

 

[picoyak]

Review your config following the instructions here...

http://forums.ev1servers.net/showthread.php?s=&threadid=34689&highlight=rblblacklist

Then, go to http://www.webumake.com/free/eximdeny.htm and take care of dictionary spammers.

I've been using both for a bit now, and it SERIOUSLY helps. Whitelisting/blacklisting works well also

 

[Lestat]

#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
    accept hosts = :

    drop hosts = /etc/exim_deny
        message = Connection denied after dictionary attack
        log_message = Connection denied from $sender_host_address after dictionary attack 


    drop message = Appears to be a dictionary attack
        log_message = Dictionary attack (after $rcpt_fail_count failures)
        condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
        condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
        !verify = recipient

This is what I currently have on mine. How would I go about placing your config in there without corrupting the rest of the code I have in there?

 

[Ali]

Hello,

How can create exceptions. lets say I host abcd.com and I dont want emails meant for abcd.com to go through the SPAM Check

Thanks.

 

[Ali]

no sweat. figured it out.

 

[dee_at_candl]

Hi Ali,

How you did that?

 

[Ali]

Hi Ali,

How you did that?

simply by adding

!domains = yourlocaldomain.com

 

[lloyd_tennison]

Check out
combined.njabl.org

as it includes a couple of the lists you are listing - or the same type. Cuts down on the calls.

 

[ttremain]

simply by adding

!domains = yourlocaldomain.com

Where did you put this? Between these?

    drop hosts = /etc/exim_deny

and

    message = Connection denied after dictionary attack

 

[ttremain]

Legitimate users getting blocked

With the settings below, Several clients are not able to send through EXIM
from an SMTP client.

When checking /var/log/exim_mainlog their IPs are being flagged as listed
in spamhaus or one of the others.

The clients tested are listed in /etc/relay_hosts

#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = +relay_hosts
     endpass
	
  drop dnslists =  relays.ordb.org :\
                sbl-xbl.spamhaus.org :\
                hil.habeas.com :\
                bl.spamcop.net :\
                proxies.blackholes.easynet.nl :\
                dynablock.easynet.nl :\
                spam.dnsbl.sorbs.net :\
                korea.services.net :\
                brazil.blackholes.us :\
                nigeria.blackholes.us :\
                argentina.blackholes.us :\
                malaysia.blackholes.us  :\
                singapore.blackholes.us :\
                taiwan.blackholes.us :\
                combined.njabl.org :\
                porn.rhs.mailpolice.com

       message = your mail server $sender_host_address is in a black list \
                 at $dnslist_domain ($dnslist_text)



    drop hosts = /etc/exim_deny
        !domains = lsearch;/etc/nonblacklistfilterhosts
        message = Connection denied after dictionary attack
        log_message = Connection denied from $sender_host_address after dictionary attack