
Spammers driving me crazy

Discussion in 'General Discussion' started by fanturex, Jun 1, 2005.

  1. fanturex

    fanturex Member

    Joined:
    Oct 19, 2003
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Helllpppp, spammers are driving me insane. I have tried everything to stop them and now after checking my logs have found a new worry!!!

    failed to expand condition "${perl{checkspam}}" for literal router: you are not permitted to relay mail at /etc/exim.pl line 511

    failed to expand condition "${perl{checkspam}}" for lookuphost router: you are not permitted to relay mail at /etc/exim.pl line 511.

    this is my spamcheck report >

    But we are still having major issues and of course abuse.net still states we are running an open relay. I am about to burst and was wondering what's the best way to sort out the above error!!!!!

    Plus our current setup does not seem to be stopping forged HELOs (Forged HELO= 0)

    I am at a point now where I am just going apf -d madness
     
    #1 fanturex, Jun 1, 2005
    Last edited: Jun 1, 2005
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You've mentioned two totally different issues here:

    1. That you believe that you have an open relay and/or spammers sending email from your server

    or is it:

    2. You are having problems with incoming spam and not being able to cope with it?

    If it's the former, read up on the various threads on the forum for securing your server.

    If it's the latter, read up on the various threads on the forum for configuring exim to block spam. There are two main approaches: the first is to follow the rvskin method with exim configuration modifications, the second is to use MailScanner.

    Whichever you use, make sure that:

    1. None of your /etc/valiases/* files are using :blackhole: but using :fail: instead:
    http://www.configserver.com/free/fail.html

    2. As many if not all domains are using :fail: as their default address and it's not being redirected (i.e. set up Forwarders for all legitimate addresses and don't rely on the catchall)

    3. Use a dictionary attack ACL:
    http://www.configserver.com/free/eximdeny.html

    Lastly, I would never recommend blocking IPs in a firewall for spamming problems. All you will end up doing is slowing down traffic to and from your server for all services and doing next to nothing to block spam.
     
  3. fanturex

    Cheers, it has been a long day. I have used multiple tests from around the web to give us a clear indication of our open relay status, and it seems (according to abuse.net) that we do indeed have a relay.

    I have run the scripts that are part of cpanel/whm to fix relays but that seems to make no difference.

    As regards spam, I have added the various variables available across the forum, including your own dictionary attack (v. nice howto by the way), which has by my spamcheck report picked off a large amount of spam over the last 24hrs.

    We have just managed to get AOL to unblock our IPs, much to the pleasure of our clients, and I just want to maintain some level of normality for as long as possible.

    So I suppose the big problem is: are we an open relay or not? Can we just take the word of abuse.net?
     
  4. chirpy

    No, abuse.net can give false-positives. It's highly unlikely that you have an open relay if you haven't edited exim.conf directly.

    The best way to be sure would be to save your current changes and then restore your exim configuration back to defaults and check abuse.net again. You can save your settings by taking a copy of /etc/exim.conf.local and then deleting that file, then run /scripts/buildeximconf and restart exim. If it comes up fine on abuse.net then something you changed has caused a problem. If abuse.net says there's still a problem, then it's talking smelly cow poo.
     
  5. fanturex

    Cheers, I'll give that a go later tonight.

    Hopefully it will just be nothing.

    Chris
     
  6. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    1. None of your /etc/valiases/* files are using :blackhole: but using :fail: instead:

    I understand the reasoning behind this. Is there a way to replace all existing users to :fail: if they are using :blackhole: and to remove the :blackhole: option or direct it to :fail: ?
     
  7. Solokron

    To prevent FUTURE users one option would be to simply modify the /mail/setdef.html file.

    I noticed the line containing "Hint: You can enter :blackhole: to discard all incoming unrouted mail or :fail: no such address here to bounce it." is in "<cpanel langprint="EADefaulthint">". Where are the langprint listings located so I can modify it there?

    Update: Found it /usr/local/cpanel/lang/english
     
    #7 Solokron, Jun 1, 2005
    Last edited: Jun 1, 2005
  8. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    To modify the whole server from blackhole to fail, enter the below in SSH:

    replace :blackhole: :fail: -- /etc/valiases/*
     
  9. fanturex

    Have just checked our /etc/valiases/* and all of our files have a similar layout:

    Where should fail be put?
     
  10. bijo

    bijo Well-Known Member

    Joined:
    Aug 21, 2004
    Messages:
    475
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Hello,

    Presently you are setting a catch-all account. Whenever you get a mail to nonuser@your domain.com, it will go to the default cpanel user's mailbox. Just edit the valiases files of each domain, delete the "*: :cpanelusername:" line and put the following:
    ========
    *: :fail:
    ========
     
    #10 bijo, Jun 2, 2005
    Last edited: Jun 2, 2005
  11. fanturex

    Cheers, that makes that part clear enough. In some of the valiases accounts there are forwards:

    username@primarydomain: username@yahoo.com

    If I add the fail command just to *:, will this affect the forward setup for those users?

    I really hope that makes sense
     
    #11 fanturex, Jun 2, 2005
    Last edited: Jun 2, 2005
  12. bagel50

    bagel50 Member

    Joined:
    Jun 1, 2005
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    correct, it will, if you simply *add* the :fail: command, but

    replace :blackhole: :fail: -- /etc/valiases/*

    will only change the blackhole directives, not affecting users' settings where they have a catchall address. If there are no :blackhole: directives, there isn't a problem.

    Olly.
     
  13. fanturex

    many thanks :fail is working as required, and after testing telnet relay-test.mail-abuse.org all seems closed.

    well for now anyway, so once again many thanks for all your support.

    Chris
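
The thread's advice (no :blackhole: defaults, no catch-all delivery, forwarders left intact) can be checked per domain before anything is changed. The script below is an added example, not code from any poster or from cPanel: it assumes valiases files hold `address: target` lines with `*` as the default entry, as shown in the posts above, and its function names, sample domains and the `cpuser` account are made up. It works on whatever directory it is given, so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: audit and fix the default ("*:") entry in valiases-style files.
# Function names and sample data are hypothetical, constructed for illustration.

# classify_default FILE -> prints fail | blackhole | catchall | none
classify_default() {
    awk '
        /^[ \t]*\*[ \t]*:/ {
            sub(/^[ \t]*\*[ \t]*:[ \t]*/, "")      # keep only the target
            if ($0 ~ /^:fail:/)           kind = "fail"
            else if ($0 ~ /^:blackhole:/) kind = "blackhole"
            else                          kind = "catchall"
        }
        END { print (kind == "" ? "none" : kind) }
    ' "$1"
}

# audit_dir DIR -> one "domain<TAB>status" line per file (backups skipped)
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.bak) continue ;; esac
        printf '%s\t%s\n' "$(basename "$f")" "$(classify_default "$f")"
    done
}

# fix_blackhole FILE -> rewrite only a ":blackhole:" default to ":fail:",
# keeping FILE.bak; forwarders and real catch-alls are not touched.
fix_blackhole() {
    [ "$(classify_default "$1")" = "blackhole" ] || return 0
    cp -p "$1" "$1.bak" &&
    sed 's/^\([[:space:]]*\*[[:space:]]*:[[:space:]]*\):blackhole:.*$/\1:fail: No such address here/' \
        "$1.bak" > "$1"
}

# make_sample DIR -> constructed test files (placeholder domains)
make_sample() {
    printf '%s\n' 'user@bh.example: user@elsewhere.example' '*: :blackhole:' > "$1/bh.example"
    printf '%s\n' '*: cpuser' > "$1/catchall.example"
    printf '%s\n' '*: :fail: No such address here' > "$1/ok.example"
}

# Demo on constructed data: list each domain's default handling.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_dir "$demo_dir"
```

Domains reported as `catchall` still deliver unknown addresses to an account and need the manual edit described in post 10; `fix_blackhole` deliberately leaves them alone.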
     
