Mailing List Archive: exim: users

Anti SPAM Exim configuration

1 2

View All

Index | Next | Previous | View Threaded

dot at dotat

Dec 15, 2004, 7:18 AM

Post #26 of 41 (2754 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On Wed, 15 Dec 2004, Alan J. Flavell wrote:
>
> There appear to be some MTAs which have some kind of rate-limit
> mechanism. I can't prove this conclusively, but it seems that the
> more that we try callout to them, the less likely they are to respond
> within the timeout that we set for callout. Which means that we
> defer, [...]

I've found that defer_ok is pretty much required for callouts to be
usable. Without it you end up losing too much desirable email from
incompetently configured web servers. The disadvantage of this is that
it's often incompetent web servers which are the sources of spam (e.g.
because of exploitable formmail scripts). So perhaps this kind of callout
failure would be worth an extra SpamAssassin point, but it causes too much
trouble to propagate the result into an SMTP error.

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}

a.flavell at physics

Dec 15, 2004, 7:35 AM

Post #27 of 41 (2769 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On Wed, 15 Dec 2004, Tony Finch wrote:

> I've found that defer_ok is pretty much required for callouts to be
> usable.

If you're doing callouts as a matter of course, then that's certainly
the case, I agree.

However, with the selective strategy that we're using, changing to
defer_ok would defeat the effectiveness of many of the callouts which
are successfully fending-off spam.

> Without it you end up losing too much desirable email from
> incompetently configured web servers. The disadvantage of this is
> that it's often incompetent web servers which are the sources of
> spam

Just so. Which I'd say is where a selective strategy can pay off.

> So perhaps this kind of callout
> failure would be worth an extra SpamAssassin point,

Yes, I've no argument against that option.

> but it causes too much trouble to propagate the result into an SMTP
> error.

As I say: that depends on how one is using callouts. I'm not saying
you haven't made a defensible choice[1]: I'm just saying there are
other viable approaches, and each has their good and bad points.

No offence intended - all the best

[1] however, there are some who certainly -will- argue that you have
no right to consume third-party resources in that way, merely on the
excuse that some third-parties' domains are being faked by spammers.

mark.hynes at uk

Dec 15, 2004, 9:18 AM

Post #28 of 41 (2787 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On Dec 14, Alan J. Flavell wrote:
>
> > No IP address in HELO
>
> You'd better not do that to your outbound clients though - Macs seem
> to have rediscovered this option, that we thought had practically died
> out.
>
> > No pretending they are one of my domains in HELO
>
> That's a "kill on sight", for sure.

Unfortunately there seem to be clients out there that HELO with the domain
from the From: header and/or envelope, regardless of the actual hostname.
Not many, but it can cause problems especially if you don't know where your
users might send from so can't cover them with an exception for your own
IP address space.

--
Mark Hynes mark.hynes [at] uk
Service Developer http://www.uk.easynet.net/
Easynet Ltd

mark.hynes at uk

Dec 15, 2004, 9:23 AM

Post #29 of 41 (2770 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On Dec 15, Tony Finch wrote:
> On Tue, 14 Dec 2004, Alan J. Flavell wrote:
> >
> > "Verifying" a local part with MTAs that say "fine" to any old rubbish,
> > just isn't worth the overhead.
>
> It's really very cheap.

It's very useful, but not always cheap and can be open to obvious
misinterpretation - it's cheap until someone attempts a dictionary attack
or similar against you from, say, aol.com addresses, you hit AOL with an
equivalent attack of callouts which looks like the same sort of wrong-doing
and your calling-out address (or more) gets blocked.

--
Mark Hynes mark.hynes [at] uk
Service Developer http://www.uk.easynet.net/
Easynet Ltd

mark.hynes at uk

Dec 15, 2004, 9:26 AM

Post #30 of 41 (2762 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On Dec 14, Tony Finch wrote:
> On Mon, 13 Dec 2004, Alexander Prohorenko wrote:
> >
> > What can you advise, except spending hours daily filtering mail from
> > SPAM manually?
>
> As well as turning on network checks in SpamAssassin, use Razor and DCC.

Does Razor still class any one word message just reading "test" as spam?
Seeing it contain junk like that put me off it instantly.

--
Mark Hynes mark.hynes [at] uk
Service Developer http://www.uk.easynet.net/
Easynet Ltd

marc at perkel

Dec 15, 2004, 9:31 AM

Post #31 of 41 (2768 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

But I get around that by accepting the authenticated SMTP and my relay
IP addresses before I reject emails pretending to be one of my domains.
That gets around that problem.

Mark Hynes wrote:

>On Dec 14, Alan J. Flavell wrote:
>
>
>
>Unfortunately there seem to be clients out there that HELO with the domain
>from the From: header and/or envelope, regardless of the actual hostname.
>Not many, but it can cause problems especially if you don't know where your
>users might send from so can't cover them with an exception for your own
>IP address space.
>
>
>

exim.calvin at rellits

Dec 15, 2004, 9:33 AM

Post #32 of 41 (2746 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

>>>No pretending they are one of my domains in HELO
>>
>>That's a "kill on sight", for sure.
>
> Unfortunately there seem to be clients out there that HELO with the domain
> from the From: header and/or envelope, regardless of the actual hostname.
> Not many, but it can cause problems especially if you don't know where your
> users might send from so can't cover them with an exception for your own
> IP address space.

But - if your clients can send from anywhere, you will have them
authenticate, right?

In that case, move these checks from the HELO ACL to the MAIL ACL (which
is after the client should have authenticated). Then do a check for
authenticated first and accept if that is true. This allows your users
to send. Then, do all the checks for your IP/hostname, for a fully
qualified domain name, etc.

If someone is not authenticated in this phase, it's a mailserver and not
a user. And a mailserver using your domain in the HELO should be rejected.

Christian

Jan-Peter.Koopmann at seceidos

Dec 15, 2004, 9:35 AM

Post #33 of 41 (2766 views)
Permalink

RE: Anti SPAM Exim configuration [In reply to]

Hi Tony,

> Log analysis and submission to rfc-ignorant (see my recent
> posts) deals with the idiots.

do you submit those guys automatically? Can you share your log-analysis scripts?

Kind regards,
JP

dot at dotat

Dec 15, 2004, 9:40 AM

Post #34 of 41 (2779 views)
Permalink

RE: Anti SPAM Exim configuration [In reply to]

> do you submit those guys automatically? Can you share your log-analysis scripts?

http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20041213/msg00069.html

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}

dot at dotat

Dec 15, 2004, 9:42 AM

Post #35 of 41 (2758 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On Wed, 15 Dec 2004, Mark Hynes wrote:
>
> It's very useful, but not always cheap and can be open to obvious
> misinterpretation - it's cheap until someone attempts a dictionary attack
> or similar against you from, say, aol.com addresses, you hit AOL with an
> equivalent attack of callouts which looks like the same sort of wrong-doing
> and your calling-out address (or more) gets blocked.

You can avoid this by ordering your ACL sensibly. Sender callback
verification is almost the last thing in our RCPT ACL.

acl_rcpt_mx:

# This service is only available on port 25.

require
message = No SMTP service for unauthorized users
condition = PORT25

# Make it easy to get help

accept
domains = +our_domains
local_parts = +postmasterish

# We accept email only for domains that we know about.
# This check is cheap so we do it early to save time.

require
message = Relaying is not permitted
domains = +our_domains

# Do some anti-spam checking for non-friendly machines.

deny
! hosts = +relay_hosts
! acl = aux_check_spam

# For friendly machines, just check the sender domain.

deny
hosts = +relay_hosts
! verify = sender

# All recipient addresses must be valid, more or less.

require
message = ${acl_verify_message}\n\
See http://www.cam.ac.uk/cs/email/bounce.html
verify = recipient/callout=use_sender,defer_ok

# Do more thorough sender address checks. We do this after verifying the
# recipient address to reduce the number of sender callouts.

require
acl = aux_verify_sender

# Don't accept email if we are too busy. We keep this check at the end
# of the ACLs and ensure we do it only once because it can be expensive.

defer
message = Sorry, too busy. Try again later.
condition = ${if or{{ eq{$acl_c2}{busy} } \
{ <{300}{${run {/opt/exim/sbin/exim_incount} }} }} }
set acl_c2 = busy

# Every check has been passed.

accept

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}

lists at timj

Dec 17, 2004, 9:02 AM

Post #36 of 41 (2773 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On 13 Dec 2004, Alexander Prohorenko wrote:

Please don't top-post, and quote properly. Read this:

http://www.exim.org/eximwiki/MailingListEtiquette#head-94bc4cb7ee1d5c3b5c5d6410a89656aaf8b634ed

Thanks.

> What can you advise, except spending hours daily filtering mail from
> SPAM manually?
> Unfortunetly, SpamAssassin doesn't work good enough for me,

Investigate whether there are additional measures you can take.
SpamAssassin on its own is not the best or only way of filtering spam. I
deal with some heavily-spammed accounts and have, with some work, all but
eliminated spam/malware using Exim's powerful features in conjunction with
SpamAssassin and ClamAV.

There are a lot of tips here:

http://slett.net/spam-filtering-for-mx/

Some things in particular you may or may not want to consider if you're
not already doing them:

- block mail from dialups (something I was always reluctant to do, but am
doing more and more these days simply because trojan-spam appears to be
the leading source of spam now.)

- HELO checks of various kinds to pick out obvious spam (see HOWTO above,
although be careful)

- make sure Bayesian learning is enabled and working on SpamAssassin

- consider using "add on" SpamAssassin rulesets - there are many available
and some are very effective at expanding SpamAssassin's scope and ability
to identify spam

- write your own SpamAssassin rules. A few custom local rules tailored to
the spam you are getting can work wonders, and also makes it harder for
spammers to evade filters due to the varying targets.

- eliminate "catch all" addresses

The solution to spam is not to generate more spam.

Tim

BDarin at tanaya

Oct 31, 2006, 10:08 PM

Post #37 of 41 (2770 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

Hello,

Alexander Prohorenko Wrote:
> Tony,
>
> What can you advise, except spending hours daily filtering mail from
> SPAM manually?

DynaStop may well help in your filtering. It can stop all spam from
dynamic IP addresses (dialup and DHCP residential).

its at http://tanaya.net/DynaStop/

There is also a new forum at exim-users under Add-Ons.

--
Matthias
------------------------------------------------------------------------
Matthias's Profile: http://www.exim-users.org/forums/member.php?action=getinfo&userid=137
View this thread: http://www.exim-users.org/forums/showthread.php?threadid=47413

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

pookey at pookey

Oct 31, 2006, 10:52 PM

Post #38 of 41 (2778 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

On 11/01/06 Matthias wrote:
> DynaStop may well help in your filtering. It can stop all spam from
> dynamic IP addresses (dialup and DHCP residential).

I've not seen this before, and anyone give any useful feedback on this?

I've just set it up on my server and it appear to be working well with
so far (after about... 5 minutes of running)

Regards,

--
Ian P. Christian ~ http://pookey.co.uk

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

wbh at conducive

Oct 31, 2006, 11:15 PM

Post #39 of 41 (2771 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

Matthias wrote:
> Hello,
>
> Alexander Prohorenko Wrote:
>> Tony,
>>
>> What can you advise, except spending hours daily filtering mail from
>> SPAM manually?
>
> DynaStop may well help in your filtering. It can stop all spam from
> dynamic IP addresses (dialup and DHCP residential).
>
> its at http://tanaya.net/DynaStop/
>
> There is also a new forum at exim-users under Add-Ons.
>
>
Looked at the code.

We have been using a wildcarded regexp block list with <1,000 members in a
similar manner for more than a year. But far, far less clever substring matching.

JM2CW, but possible pro and con:

Pro:

- Should work largely as advertised.

Con:

- Should be expected to return more false-positives AND misses than an actively
maintained RBL of dynamic-IP's, if only because of updating/NOT.

- but the far bigger drawback is that there is no 'free lunch' w/r substring
matching.

Whereas RBL hits are cached by Exim, the upstream, or a bespoke local DNS
implemented for the purpose, using a simple and efficient DNS lookup...

..by contrast, this critter requires, (SWAG), probably 3 or greater orders of
magnitude more CPU cycles than a DNS lookup uses.

Ergo:

IF {AND {CPU cycles to burn} {marginal DNS}{DOIT}{NOT}}

Check your server load with/without the tool.

YMMV,

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

marc at perkel

Nov 1, 2006, 5:27 AM

Post #40 of 41 (2745 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

W B Hacker wrote:
> Matthias wrote:
>
>> Hello,
>>
>> Alexander Prohorenko Wrote:
>>
>>> Tony,
>>>
>>> What can you advise, except spending hours daily filtering mail from
>>> SPAM manually?
>>>
>> DynaStop may well help in your filtering. It can stop all spam from
>> dynamic IP addresses (dialup and DHCP residential).
>>
>> its at http://tanaya.net/DynaStop/
>>
>> There is also a new forum at exim-users under Add-Ons.
>>
>>
>>
> Looked at the code.
>
> We have been using a wildcarded regexp block list with <1,000 members in a
> similar manner for more than a year. But far, far less clever substring matching.
>
> JM2CW, but possible pro and con:
>
> Pro:
>
> - Should work largely as advertised.
>
> Con:
>
> - Should be expected to return more false-positives AND misses than an actively
> maintained RBL of dynamic-IP's, if only because of updating/NOT.
>
> - but the far bigger drawback is that there is no 'free lunch' w/r substring
> matching.
>
> Whereas RBL hits are cached by Exim, the upstream, or a bespoke local DNS
> implemented for the purpose, using a simple and efficient DNS lookup...
>
> ..by contrast, this critter requires, (SWAG), probably 3 or greater orders of
> magnitude more CPU cycles than a DNS lookup uses.
>
> Ergo:
>
> IF {AND {CPU cycles to burn} {marginal DNS}{DOIT}{NOT}}
>
> Check your server load with/without the tool.
>
> YMMV,
>
> Bill
>
>
>

Bill, might be good as a greylist. Suppose you had your lowest MX do a
DEFER based on this list and your next highest MX not do defer. Bots
usually don't retry so if you get it wrong on this list you don't lose
any mail. But for bots that use the lowest MX it could make a lot of
spam go away.

Or - you could just add a header and let Spamassassin score it as well.

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

wbh at conducive

Nov 1, 2006, 7:14 AM

Post #41 of 41 (2736 views)
Permalink

Re: Anti SPAM Exim configuration [In reply to]

Marc Perkel wrote:
>
> W B Hacker wrote:
>> Matthias wrote:
>>
>>> Hello,
>>>
>>> Alexander Prohorenko Wrote:
>>>
>>>> Tony,
>>>>
>>>> What can you advise, except spending hours daily filtering mail from
>>>> SPAM manually?
>>>>
>>> DynaStop may well help in your filtering. It can stop all spam from
>>> dynamic IP addresses (dialup and DHCP residential).
>>>
>>> its at http://tanaya.net/DynaStop/
>>>
>>> There is also a new forum at exim-users under Add-Ons.
>>>
>>>
>>>
>> Looked at the code.
>>
>> We have been using a wildcarded regexp block list with <1,000 members in a
>> similar manner for more than a year. But far, far less clever substring matching.
>>
>> JM2CW, but possible pro and con:
>>
>> Pro:
>>
>> - Should work largely as advertised.
>>
>> Con:
>>
>> - Should be expected to return more false-positives AND misses than an actively
>> maintained RBL of dynamic-IP's, if only because of updating/NOT.
>>
>> - but the far bigger drawback is that there is no 'free lunch' w/r substring
>> matching.
>>
>> Whereas RBL hits are cached by Exim, the upstream, or a bespoke local DNS
>> implemented for the purpose, using a simple and efficient DNS lookup...
>>
>> ..by contrast, this critter requires, (SWAG), probably 3 or greater orders of
>> magnitude more CPU cycles than a DNS lookup uses.
>>
>> Ergo:
>>
>> IF {AND {CPU cycles to burn} {marginal DNS}{DOIT}{NOT}}
>>
>> Check your server load with/without the tool.
>>
>> YMMV,
>>
>> Bill
>>
>>
>>
>
> Bill, might be good as a greylist.

Meaning in terms of resource consumption? Or effectiveness?

For *our* arrivals, we cannot justify the greylisting concept. YMMV.

> Suppose you had your lowest MX do a
> DEFER based on this list and your next highest MX not do defer.

I cannot justify multiple MX against 'seamless' ways to handle failover. YOMD.

> Bots
> usually don't retry

Most of the ones that hit us DO retry, and at just the interval that would
defeat a typical greylist timeout. Their designers must read mailing lists.

> so if you get it wrong on this list you don't lose
> any mail.

We don't lose much - not unintentionally anyway.

> But for bots that use the lowest MX it could make a lot of
> spam go away.
>

They 'go away' just fine w/o that complexity.

> Or - you could just add a header and let Spamassassin score it as well.
>

Different thread. This is about things one can do *before* accepting
header-message DATA.

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

1 2

View All

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads