The Community Forums


How to reduce SPAM through exim.conf ?

Discussion in 'General Discussion' started by eurorocco, Apr 6, 2004.

  1. eurorocco

    I wonder if anyone can provide advice on how to change the /etc/exim.conf file.

    When a connection is received to deliver email to my server (SMTP TCP/IP port 25 and 26 too)...

    a) Check that the connecting IP has valid non-numerical reverse DNS lookup response, and it matches the "helo" value in that email. AOL is doing this now, for example, when receiving email.

    b) Check that the IP of the host making the SMTP connection is not a dialup (phone, cable, dsl or otherwise). If it's a dialup, then assume it's a spammer individual (not a mail server used by a community).

    On a) I have just the one line in /etc/exim.conf:
    Code:
      # The setting below causes Exim to do a reverse DNS lookup on all incoming
      # IP calls, in order to get the true host name. If you feel this is too
      # expensive, you can specify the networks for which a lookup is done, or
      # remove the setting entirely.

      host_lookup = 0.0.0.0/0

    The host_lookup line was commented out (started with a # that I removed, then restarted exim with "service exim restart").

    On b) I have http://njabl.org/ and its dnsbl.njabl.org , and I see SpamAssassin using this reference to calculate some spam points. I'd like Exim not to receive email from dialups. Is there a way to bring njabl.org to the exim.conf file? I think they have an rsync connection so one can stay in sync every so often.

    If you know the answer to these questions or a link to find it, please let me know.

    Thanks in advance for your help!

    ER
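The reverse-DNS check asked for in (a), as an added example that is not part of any post and is not Exim's code. It does what Exim's `host_lookup` / `verify = reverse_host_lookup` do (PTR lookup, then a forward lookup of the returned name that must contain the original address, i.e. forward-confirmed rDNS); the "non-numerical name" test and the HELO-must-match-PTR rule are this example's own assumed policies, since Exim itself does not require HELO to equal the PTR name. The resolvers are stubs over constructed data (documentation addresses, made-up names) so the script runs offline; `system_ptr`/`system_a` are the live equivalents.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an SMTP client, plus two
assumed policies from the post: reject address-derived (dialup-style) PTR
names, and optionally require HELO to equal the PTR name.  Added example;
the stub resolvers below are constructed data, not real DNS."""
import re
import socket


def fcrdns_name(ip, resolve_ptr, resolve_a):
    """Forward-confirmed hostname for `ip`, or None.  A PTR whose name does
    not resolve back to `ip` counts as no reverse DNS, as Exim treats it."""
    for name in resolve_ptr(ip):
        name = name.rstrip(".").lower()
        if ip in resolve_a(name):
            return name
    return None


def looks_address_derived(name, ip):
    """The post's 'non-numerical' test, as an assumed heuristic: a PTR name
    that embeds all four octets (e.g. 203-0-113-8.dsl.example) is typical of
    dynamic/dialup pools."""
    digit_runs = re.findall(r"\d+", name)
    return all(octet in digit_runs for octet in ip.split("."))


def client_check(ip, helo, resolve_ptr, resolve_a, strict_helo=False):
    """(verdict, reason) for one SMTP client.  strict_helo=True implements the
    post's HELO-must-equal-PTR rule; it also rejects legitimate hosts whose
    HELO is a different valid name, so it is off by default."""
    name = fcrdns_name(ip, resolve_ptr, resolve_a)
    if name is None:
        return "deny", f"{ip} has no (forward-confirmed) reverse DNS PTR hostname"
    if looks_address_derived(name, ip):
        return "deny", f"{ip} resolves to address-derived name {name} (dynamic pool?)"
    if strict_helo and helo.rstrip(".").lower() != name:
        return "deny", f"HELO {helo} does not match reverse DNS name {name}"
    return "accept", f"{ip} is {name}"


# Constructed zone data (documentation addresses; not real hosts).
PTR = {
    "198.51.100.20": ["mail.example.net."],
    "203.0.113.8": ["203-0-113-8.dsl.example."],
    "192.0.2.9": ["ghost.example."],  # PTR exists, forward lookup does not confirm it
    "192.0.2.77": [],                  # no PTR at all
}
A = {
    "mail.example.net": ["198.51.100.20"],
    "203-0-113-8.dsl.example": ["203.0.113.8"],
    "ghost.example": ["192.0.2.200"],
}


def stub_ptr(ip):
    return PTR.get(ip, [])


def stub_a(name):
    return A.get(name, [])


def system_ptr(ip):
    """Live PTR lookup through the system resolver."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def system_a(name):
    """Live A lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip, helo in [("198.51.100.20", "mail.example.net"),
                     ("198.51.100.20", "smtp.example.net"),
                     ("203.0.113.8", "mail.example.net"),
                     ("192.0.2.9", "ghost.example"),
                     ("192.0.2.77", "foo")]:
        print(client_check(ip, helo, stub_ptr, stub_a, strict_helo=True))
```

Swap `stub_ptr`/`stub_a` for `system_ptr`/`system_a` to test a real client address. Note that only the FCrDNS part corresponds to what Exim's `reverse_host_lookup` verification enforces; the other two rules are stricter than Exim's defaults and will cost legitimate mail from hosts with generic-looking or mismatched names.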
     
  2. myrem

    You can have exim do rejections based on a connecting host matching an RBL (or multiple).

    In the exim config, below this section:
    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
    
      accept  hosts = +relay_hosts
           endpass
    
    Place:
    Code:
      drop dnslists =  dnsbl.njabl.org :  bl.spamcop.net 
           message = your mail server $sender_host_address is in a black list \
                  at $dnslist_domain ($dnslist_text)
    
      require verify = reverse_host_lookup
              message = your mail server IP address ($sender_host_address) has no reverse DNS PTR hostname
    

    Save, restart exim. The "require verify" makes certain the host has a reverse 'name' lookup for its IP address.

    (I added spamcop.net's blacklist because that is VERY helpful.)

    This is MY dnslist blacklist config (this is very aggressive):

    Code:
      drop dnslists =  relays.ordb.org :\
                    sbl-xbl.spamhaus.org :\
                    hil.habeas.com :\
                    list.dsbl.org :\
                    bl.spamcop.net :\
                    dnsbl.njabl.org :\
                    proxies.blackholes.easynet.nl :\
                    dynablock.easynet.nl :\
                    spam.dnsbl.sorbs.net :\
                    korea.services.net :\
                    brazil.blackholes.us :\
                    nigeria.blackholes.us :\
                    argentina.blackholes.us :\
                    malaysia.blackholes.us  :\
                    singapore.blackholes.us :\
                    taiwan.blackholes.us
    
           message = your mail server $sender_host_address is in a black list \
                     at $dnslist_domain ($dnslist_text)
    
     
    #2 myrem, Apr 6, 2004
    Last edited: Apr 7, 2004
  3. eurorocco

    Thanks! Issue though!

    Thanks for replying to my post.

    I tried implementing it but some customers experienced problems... they could not send email.

    I saw their IP listed in /etc/relayhosts and still they could not send email. Somehow exim seems not to reload the file, or to ignore the file sometimes.

    I have another server where customers have not reported problems in spite of this solution being implemented (with the more stringent and longer RBL lookup list). I will diff the two exim.conf files and see.

    In two servers I connected using a phone dialup listed in njabl.org and was able to send/receive email (my SMTP server requires authentication selected in Outlook), but some customers reported they could not send email and got the message they were blacklisted even though their IP was listed in /etc/relayhosts and they had the SMTP auth option in Outlook. Investigating.

    Thanks again for your help!

    ER
     
    #3 eurorocco, Apr 14, 2004
    Last edited: Apr 14, 2004
  4. myrem

    Re: Thanks! Issue though!

    Make sure you have an "endpass" below the "accept hosts = +relay_hosts" line.
     
  5. d-woo

    Thanks for the strict SPAM blocking RBLs.

    In my /etc/exim.conf file I only have:

    Code:
      accept  hosts = :
    Question 1: What does this do or not do?

    Question 2: Should I change it to:
    Code:
      accept  hosts = +relay_hosts
           endpass
    Thanks all!
     
  6. DWHS.net

    Where does this go in the exim file?

    Just the lines before where it goes would be great...

    Code:
      drop dnslists =  relays.ordb.org :\
                    sbl-xbl.spamhaus.org :\
                    hil.habeas.com :\
                    list.dsbl.org :\
                    bl.spamcop.net :\
                    dnsbl.njabl.org :\
                    proxies.blackholes.easynet.nl :\
                    dynablock.easynet.nl :\
                    spam.dnsbl.sorbs.net :\
                    korea.services.net :\
                    brazil.blackholes.us :\
                    nigeria.blackholes.us :\
                    argentina.blackholes.us :\
                    malaysia.blackholes.us :\
                    singapore.blackholes.us :\
                    taiwan.blackholes.us

           message = your mail server $sender_host_address is in a black list \
                     at $dnslist_domain ($dnslist_text)
     
  7. d-woo

    After the section:

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
    
      accept  hosts
    

    What does your accept hosts line have after "accept hosts" ?
     
  8. Website Rob

    Re: Re: How to reduce SPAM through exim.conf ?

    The above is very aggressive, which may cause some problems. Creating an RBL list is very specific to the Clients using the Server and somewhere between "an Art and a Science" for creating a good one that works for you. ;)

    You place the RBL list here:
    Code:
    require verify = sender
    
      deny    message = $sender_host_address is Spamlisted at $dnslist_domain
              dnslists = list.dsbl.org : \
                          ....
                         porn.rhs.mailpolice.com
    I put the 'deny msg.' before the RBLs instead of after, personal choice is all.
    The last RBL does not need : \ after it as that just tells Exim there is another RBL -- which is why the last one does not need it.

    Speaking of which, I think it would be nice if everyone included 'porn.rhs.mailpolice.com' in their RBL list.


    restart exim: service exim restart
    check your work: service exim status
    correct any mistakes and repeat as necessary
     
    #8 Website Rob, May 9, 2004
    Last edited: May 9, 2004
  9. d-woo

    Rob,

    What is the difference between the commands:

    Code:
    accept  hosts = +relay_hosts
           endpass
    and


    Code:
    accept  hosts = :
     
  10. VirtuaLira

    Exim PROBLEMS AGAIN!!!

    In the new Exim version, CPANEL CHANGED MY DEFAULT CONFIG!!!

    Now Exim includes a List of the RBL or something like that (the black list)

    But I have this line commented; anyway, I can send emails to some users of other ISPs, and this is really bad... it says:

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    retamalabogados@entelchile.net
    SMTP error from remote mailer after RCPT TO:<retamalabogados@entelchile.net>:
    host mail.entelchile.net [164.77.62.8]: 550 5.7.1 Found in <http://spamcop.net/>:
    retamalabogados@entelchile.net

    HOW CAN I DISABLE THIS FEATURE IN THE NEW VERSION??...

    PLEASE HELP!!!
     
  11. Ali

    Great thread.. How do I set up a whitelist so as to have specific IPs bypass this process?

    Thanks.
     
  13. Lestat

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
        accept hosts = :
    
        drop hosts = /etc/exim_deny
            message = Connection denied after dictionary attack
            log_message = Connection denied from $sender_host_address after dictionary attack 
    
    
        drop message = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
            !verify = recipient
    
    
    This is what I currently have on mine. How would I go about placing your config in there without corrupting the rest of the code I have in there?
     
  14. Ali

    Hello,

    How can I create exceptions? Let's say I host abcd.com and I don't want emails meant for abcd.com to go through the SPAM check.

    Thanks.
     
  15. Ali

    no sweat. figured it out.
     
  16. dee_at_candl

    Hi Ali,

    How did you do that? :)
     
  17. Ali

    simply by adding

    Code:
    !domains = yourlocaldomain.com
     
  18. lloyd_tennison

    Check out
    combined.njabl.org

    as it includes a couple of the lists you are listing - or the same type. Cuts down on the calls.
     
  19. ttremain


    Where did you put this? Between these?

    Code:
        drop hosts = /etc/exim_deny
    
    and
    
        message = Connection denied after dictionary attack
     
  20. ttremain

    Legitimate users getting blocked

    With the settings below, Several clients are not able to send through EXIM
    from an SMTP client.

    When checking /var/log/exim_mainlog their IPs are being flagged as listed
    in spamhaus or one of the others.

    The clients tested are listed in /etc/relay_hosts

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = +relay_hosts
         endpass
    	
      drop dnslists =  relays.ordb.org :\
                    sbl-xbl.spamhaus.org :\
                    hil.habeas.com :\
                    bl.spamcop.net :\
                    proxies.blackholes.easynet.nl :\
                    dynablock.easynet.nl :\
                    spam.dnsbl.sorbs.net :\
                    korea.services.net :\
                    brazil.blackholes.us :\
                    nigeria.blackholes.us :\
                    argentina.blackholes.us :\
                    malaysia.blackholes.us  :\
                    singapore.blackholes.us :\
                    taiwan.blackholes.us :\
                    combined.njabl.org :\
                    porn.rhs.mailpolice.com
    
           message = your mail server $sender_host_address is in a black list \
                     at $dnslist_domain ($dnslist_text)
    
    
    
        drop hosts = /etc/exim_deny
            !domains = lsearch;/etc/nonblacklistfilterhosts
            message = Connection denied after dictionary attack
            log_message = Connection denied from $sender_host_address after dictionary attack 
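What the `dnslists` condition does, and the statement order that stops relay and SMTP AUTH customers from being blocked by it, as an added example that is not part of any post and is not Exim's code. It models the thread's `check_recipient` ACL in plain Python: `hosts = :` (local, non-TCP submissions), `hosts = +relay_hosts` (the /etc/relayhosts list), an `accept authenticated = *` statement that is this example's assumed addition (none of the posted configs has one, which is why customers using SMTP AUTH from listed dialup addresses were dropped), the `!domains = ...` exemption, and finally the `drop dnslists = ...` statement. The resolver is a stub over constructed data (documentation IPs, a made-up `retired.rbl.example` zone); `system_resolve` is the live equivalent. The 127.0.0.2-is-listed / 127.0.0.1-is-not sanity check is the standard DNSBL test convention; most of the zones quoted in this 2004 thread have since been retired, and a retired zone may stop answering or answer positively for every address, so check each zone before putting it in a `drop` statement.

```python
"""Model of Exim's `dnslists` lookup and of an RCPT ACL statement order in
which relay hosts and authenticated clients are accepted before the RBL
check.  Added example; the fake DNS data below is constructed."""
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Name Exim looks up for `dnslists = zone`: IPv4 octets reversed + zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup_dnsbl(ip, zones, resolve):
    """First zone listing `ip`, as (zone, value, text), else None.
    `resolve(name)` -> (A records, TXT records).  An A record inside
    127.0.0.0/8 means 'listed' ($dnslist_value); the TXT is $dnslist_text."""
    for zone in zones:
        a_records, txt = resolve(dnsbl_query_name(ip, zone))
        hits = [r for r in a_records if ipaddress.ip_address(r) in LOOPBACK]
        if hits:
            return zone, hits[0], " ".join(txt)
    return None


def zone_is_sane(zone, resolve):
    """Before trusting a zone: 127.0.0.2 (the conventional test entry) must be
    listed and 127.0.0.1 must not be.  A retired zone usually fails one of
    these, either answering nothing or answering for every address."""
    test_listed = lookup_dnsbl("127.0.0.2", [zone], resolve) is not None
    loopback_listed = lookup_dnsbl("127.0.0.1", [zone], resolve) is not None
    return test_listed and not loopback_listed


def check_rcpt(client, relay_hosts, zones, resolve, exempt_domains=()):
    """Statement order under which the thread's customers are not blocked.
    Returns (verdict, reason); 'continue' means none of these statements
    decided and later ACL statements (recipient verify etc.) apply."""
    if client["ip"] is None:                      # accept hosts = :
        return "accept", "local (non-TCP) submission"
    if client["ip"] in relay_hosts:               # accept hosts = +relay_hosts
        return "accept", "listed in relay_hosts"
    if client["authenticated"]:                   # accept authenticated = *   (assumed addition)
        return "accept", "SMTP AUTH succeeded"
    if client["rcpt_domain"] in exempt_domains:   # !domains = ... on the drop statement
        return "continue", "recipient domain exempt from dnslists"
    hit = lookup_dnsbl(client["ip"], zones, resolve)
    if hit:                                       # drop dnslists = ...  message = ...
        zone, value, text = hit
        return "drop", f"your mail server {client['ip']} is in a black list at {zone} ({text})"
    return "continue", "not listed"


# Constructed fake DNS data (documentation addresses; not real listings).
FAKE_DNS = {
    "2.0.0.127.bl.spamcop.net": (["127.0.0.2"], ["test entry"]),
    "2.0.0.127.dynablock.easynet.nl": (["127.0.0.2"], ["test entry"]),
    "8.113.0.203.dynablock.easynet.nl": (["127.0.0.3"], ["dialup/dynamic range"]),
    "9.2.0.192.bl.spamcop.net": (["127.0.0.2"], ["Blocked - see spamcop"]),
    # hypothetical retired zone that now answers positively for everything
    "1.0.0.127.retired.rbl.example": (["127.0.0.2"], []),
    "2.0.0.127.retired.rbl.example": (["127.0.0.2"], []),
}


def stub_resolve(name):
    return FAKE_DNS.get(name, ([], []))


def system_resolve(name):
    """Live lookup through the system resolver (A records only; the stdlib
    cannot fetch TXT, so $dnslist_text stays empty).  NXDOMAIN = not listed."""
    try:
        return [socket.gethostbyname(name)], []
    except socket.gaierror:
        return [], []


def run_scenarios(resolve=stub_resolve):
    relay_hosts = {"198.51.100.20"}
    zones = ["bl.spamcop.net", "dynablock.easynet.nl"]
    clients = [
        {"name": "customer on dialup, SMTP AUTH", "ip": "203.0.113.8", "authenticated": True, "rcpt_domain": "example.net"},
        {"name": "customer on dialup, no AUTH", "ip": "203.0.113.8", "authenticated": False, "rcpt_domain": "example.net"},
        {"name": "relay host", "ip": "198.51.100.20", "authenticated": False, "rcpt_domain": "example.net"},
        {"name": "listed spam source", "ip": "192.0.2.9", "authenticated": False, "rcpt_domain": "example.net"},
        {"name": "listed, recipient domain exempt", "ip": "192.0.2.9", "authenticated": False, "rcpt_domain": "abcd.com"},
        {"name": "clean host", "ip": "192.0.2.77", "authenticated": False, "rcpt_domain": "example.net"},
    ]
    return {c["name"]: check_rcpt(c, relay_hosts, zones, resolve, exempt_domains={"abcd.com"})[0]
            for c in clients}


if __name__ == "__main__":
    for zone in ["bl.spamcop.net", "retired.rbl.example"]:
        print(f"{zone}: {'ok' if zone_is_sane(zone, stub_resolve) else 'SUSPECT'}")
    for name, verdict in run_scenarios().items():
        print(f"{verdict:8} {name}")
```

On the `accept hosts = :` versus `accept hosts = +relay_hosts` / `endpass` question raised in the thread: `hosts = :` matches only the empty host, i.e. mail submitted locally without TCP (`exim -bs`), while `+relay_hosts` matches the named hostlist cPanel builds from /etc/relayhosts. `endpass` only changes behaviour when more conditions follow it in the same statement: a failing condition after `endpass` turns the statement into a deny instead of falling through to the next one, so with nothing after it the two forms of the relay_hosts accept behave the same. Run the module against a live resolver with `run_scenarios(system_resolve)` to see which of the sample addresses the zones currently list, and `zone_is_sane(zone, system_resolve)` on each zone before adding it to a `drop` statement.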
    
     