Spam RBL
Update to my postings about /etc/mail/access
(Some things slipped my mind. I guess it happens.)
You can add a line such as:
$ispname.com REJECT
or
123.123.123. REJECT
to block emails.
To accept them you can add:
$ispname.com OK
or
Connect:$ispname.com OK
I believe the first way is preferred.
When you have made changes:
cd /etc/mail
make all
This will update the access.db and other files.
It was over a month ago when I made the changes. Forgot about the make all.
Sorry about that.
Arf,
What documentation do you want? To program a milter, or are you only looking for information about Milter?
If it is for writing a program, use this URL: http://sourceforge.net/docman/?group_id=8173
or
http://www.milter.org/
It is normal that any Milter program comes with help for the installation.
But...and but....
Alabanza says "No. We will not install, maintain, or support the milters at this time as a part of our technical support offering."... hmmmm

I am somewhat frustrated; I will explain why.
I installed the AntiVir Milter; the documentation of this antivirus says:
Change user and group to uucp:
chown uucp:uucp /usr/lib/AntiVir
chown uucp:uucp /usr/lib/AntiVir/antivir.vdf
The issue is that the server kills the processes running as the user "uucp", and after 2 min. the antivirus no longer works.
The solution that I found is to change the user to "root". Now it works very well.
But... but...
Alabanza says : "It is possible that you have the milter daemon running as the root user. For
security reasons, the ability to run milter as root has been disabled. Depending on the milter you decide to
use, you may have to create a "regular" non-root user that the milter will
run as."
Now my fear is that the antivirus can no longer be used, that Alabanza doesn't offer support, and that we have the "Milter" as decoration.

Okidoki
- Arf
- Official Test Penquin
- Posts: 9103
- Joined: Tue Apr 09, 2002 12:00 am
- Location: IDAHO, USA
Okidoki wrote: If it is for writing a program, use this URL: http://sourceforge.net/docman/?group_id=8173
or
http://www.milter.org/
I've read all this. It's useless. I'm afraid that I'm so unfamiliar with this that I need a step-by-step tutorial on what it is, what it does, how it works, all the way down to the keystrokes needed to use it.
I'm going to assume that I'm not the only one here who has no clue about this stuff. Or am I the only one willing to admit that I'm ignorant in this area?
- Arf
- Official Test Penquin
- Posts: 9103
- Joined: Tue Apr 09, 2002 12:00 am
- Location: IDAHO, USA
Okidoki wrote: Arf,
I hope this helps.
http://milter.free.fr/intro/
http://swexpert.com/CC/SE.C12.JAN.01.pdf
http://www.webservertalk.com/Sendmail_58.htm
http://www.technoids.org/milter-README.txt
Okidoki
I've 'tried' to read some of these. Nothing here for the simple person.
And some of them talk about the sendmail.mc file which Alabanza does not provide (not that I would understand it if they did but I hear it is easier than sendmail.cf). Still, the mc file is off limits because it is used to modify the cf file and thus gets Alabanza out of supporting me.
Arf wrote: to read some of these. Nothing here for the simple person.
And some of them talk about the sendmail.mc file which Alabanza does not provide (not that I would understand it if they did but I hear it is easier than sendmail.cf). Still, the mc file is off limits because it is used to modify the cf file and thus gets Alabanza out of supporting me.
Interesting comment... .... for Alabanza

Of course, you can always edit the sendmail.cf directly, but the experts on this topic always recommend working with the sendmail.mc.
There are several reasons; one very simple one is to avoid forgetting to put in those [TAB]s.

Okidoki
The infamous sendmail.mc file.
Hello again,
Saw a little (actually a lot) of discussions about "Why Alabanza doesn't give out the sendmail.mc file?"
Well, here is why.
The sendmail.mc is the integral part of the mail sending/delivery and authentication on our servers. As you are all aware, the sendmail.cf file is extremely cryptic. Clients are less likely to edit that file, in fear it may totally mess up their mail.
The sendmail.mc file, on the other hand, is very easy to read, but very easy to mess up. One line could be deleted (by accident, on purpose, doesn't matter), and everything from SMTP authentication to delivery can be messed up.
I realize this would be your choice to do this, but if things did not go back to the way they were before the mix up, support would be called.
I guess, if an Alabanza Client really wanted it, we could arrange it. But I am sure that a $150/hr charge would need to be enforced to get things back in order if support would ever need to be called.
Maybe if enough clients wanted it, it could be arranged, with strong caution on the consequences of changing the sendmail.mc.
"But what about miltering?"
Sure, let me mention the ideas we have about miltering. It's sort of a multi-phase process.
1. Get a sendmail binary on the network that would allow for miltering.
2. Develop a few milter hooks that are officially supported by Alabanza (spamassassin and clamv to start).
- By officially supported I mean we can monitor them if they go down.
- Currently if a milter were to stop running, such as clamv, sendmail will not start unless clamv was running also.
3. Develop a script (which we have written) to check that the Alabanza supported milters are running, and notify support/emergency if they aren't.
4. Release the milter and milter monitor to the network.
(Yes, this is a brief description, but then again this is a forum, not an official announcement.)
Hope this helps relieve some of the confusion..
Everyone have a great weekend.
Chad
- Arf
- Official Test Penquin
- Posts: 9103
- Joined: Tue Apr 09, 2002 12:00 am
- Location: IDAHO, USA
I've asked for the mc file several times. I don't want to mess things up, I'm not even sure I would do anything with it. Still, I'd like the easiest method of editing and to see what Alabanza's choices have been in creating the original .mc file. AND so that if I did mess up the cf file I could create a new one from the default mc file.
The other option I'm considering is creating my own mc file and just using it to create snippets.cf files that I can then import into the real .cf file. This is assuming it would even be possible?
As for milter, I'm yet to get my head around that one. So far, the only real instructions that I do understand have been the step-by-step directions provided in this forum. However, unlike the others, my server burps up errors that support will not touch because it involves the .cf file. I can't even google the error message.
Hi Chad,
If I mess up a config file, I assume I will be paying, as it is my fault.
Before I touch a file, I first make a backup.
Before I ever went into SSH, I bought and read the books "bash", "linux administration", "learning the vi editor", "apache", "mysql", "programming perl", "linux and apache administration", "unix in a nutshell", "dns and bind" among many others... so not all your clients are the type to go into a file and mess around without knowing what they are doing.

Maybe you guys should bring this up to your Account Manager.
I received an email from comments@ not too long ago and sent almost the same reply to them.
Greg, I wasn't saying that you would ever do that. But there may be some out there. And I definitely don't want to be the person to cause any increase in support tickets.
Boy, this could get into a real long thread, but you guys would not believe some of the things I have seen people do.
example.
su - root
cd /
rm -rf *.* (deleting all files on hard drive -- edit by arf. )
email to support: "Something's wrong with my server?"

sunckell wrote:
example.
su - root
cd /
rm -rf *.*
Yes, I agree.
I am careful, but once something similar happened.
Premise: I am left-handed and I use a Microsoft mouse and PuTTY.

I was inside the server as root, and earlier, to erase a series of files, I had made a copy/paste of the command rm *. Then I went to the directory /etc/mail. Exactly at that moment I hit the keyboard of the PC with my left hand; of course, that is where the button of the Microsoft mouse that does the paste is.
Then the misfortune happened: I erased all the files of the directory /etc/mail/.
Thanks to Alabanza's quick intervention (5 min), everything returned to normal.
That was a day of luck. Thanks again, Alabanza.

Okidoki
So, what do you think about RBL's?
Greetings,
I was wondering how everyone was coming along with their RBL's. Can anyone shed any experience that they have had over the past week or so? I guess what I am looking for is something along the lines of:
1. Which ones work?
2. Are there ones better than others?
3. Are some more "tighter" than others? (i.e. dsbl.org seems to block just about everything.)
4. Problems you are experiencing?
As I said before, we have been testing the RBL's for about 3 months now and the only issues we have are entire ISPs being blocked (which is easily fixed with an entry in the access file and running a make all in the /etc/mail directory).
Just like to hear some "honest" thoughts about it before making any announcements.
Thanks,
Chad
Chad,
Well, after several tests I decided to use only the RBL "sbl-xbl.spamhaus.org".
Why?
dsbl.org is very strict: it blocks almost all the IPs of my clients and doesn't allow me to see the range of IPs, so I don't have control over what is happening.
With sbl-xbl.spamhaus.org it is possible to see the ranges of blocked IPs, and there is more information that I can give to my clients so they can speak with their ISP.
I believe that at the moment I can say that my clients are not blocked and everything works very well. On each server, 8,000 spam messages are blocked per day.
The comments from my clients are positive; they are very happy to see the spam decrease, and my servers' load average has dropped by between 5% and 7%.
Thanks, Chad, for your help.
Okidoki
We have been running the RBL's since February (when I originally posted this thread). We are using sbl.spamhaus.org and list.dsbl.org without any real problems (i.e. no complaints from clients, no real server load increase). We have a pretty international client base, as well, so we get a broad range of users needing to send mail to the server.
I also have been testing bl.spamcop.net & relays.ordb.org on a non-Alabanza mail server, and it has been working pretty well. I also know someone who uses the four I mentioned, as well as ipwhois.rfc-ignorant.org, opm.blitzed.org, dnsbl.njabl.org, relays.visi.com. He said he gets almost no valid complaints.
That being said, I have noticed an uptick in spam that gets through recently (past week or two). This seems to be the normal ebb & flow of spam though.
Rocco,
I recommend that you first look at the connection IPs of your clients in the file:
/var/log/pop3d.auth
Then write those IPs in the file /etc/mail/access
for example:
198.123.34.1 OK
233.222.222.1 OK
If you see that there is a range of IPs used a lot by your clients, write, for example:
198.123.34 OK
This gives the "OK" to a complete class C of IPs.
To conclude, run the command: makemap hash /etc/mail/access.db < /etc/mail/access
Okidoki
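How the prefix entries in the post above select an address, as an added example that is not part of the original post or of Alabanza's setup: sendmail tries the full client IP first and then drops one octet at a time, so a more specific entry wins over `198.123.34 OK`. The function names, the `REJECT` sample line and the Connect:-before-untagged ordering at each step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample entry
# marked "constructed" are illustrative.

# Keys tried for an IPv4 address, most specific first:
# 198.123.34.77 -> 198.123.34.77, 198.123.34, 198.123, 198
access_keys() {
    key=$1
    while :; do
        printf '%s\n' "$key"
        case $key in
            *.*) key=${key%.*} ;;   # drop the last octet
            *)   break ;;
        esac
    done
}

# Print "LHS RHS" of the entry in an access source file (the text file, not
# access.db) that applies to a client IP; return 1 when nothing matches.
# Assumption of this model: at each step the Connect:-tagged key is tried
# before the untagged one.
access_match() {
    ip=$1
    file=$2
    for k in $(access_keys "$ip"); do
        for lhs in "Connect:$k" "$k"; do
            # ($1 "") forces a string comparison, so 198.123 != 198.1230
            hit=$(awk -v want="$lhs" \
                '!/^#/ && ($1 "") == want { print $1, $2; exit }' "$file")
            if [ -n "$hit" ]; then
                printf '%s\n' "$hit"
                return 0
            fi
        done
    done
    return 1
}

# Sample access file: first two lines from the post, last line constructed.
sample_access() {
    cat <<'EOF'
198.123.34 OK
233.222.222.1 OK
198.123.34.9 REJECT
EOF
}

# Demo: show which entry decides for three client addresses.
tmp=$(mktemp)
sample_access > "$tmp"
for ip in 198.123.34.77 198.123.34.9 233.222.222.2; do
    printf '%s -> %s\n' "$ip" "$(access_match "$ip" "$tmp" || echo 'no entry')"
done
rm -f "$tmp"
```

Running `access_match <client-ip> /etc/mail/access` before rebuilding the map shows whether a broad `OK` prefix is about to whitelist more addresses than intended.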
We have been having great success with this. 10k - 30k emails blocked each day with zero complaints. We are using both dsbl.org and sbl-xbl.spamhaus.org. In our experience, the spamhaus RBL is blocking about 2 to 3 times the amount of SPAM as the dsbl RBL.
We've noticed absolutely no change to server utilization and we've seen a noticeable drop in our bandwidth use on this server.
Couple this with SpamAssassin and we'll have a pretty solid (and free) SPAM blocking solution for our clients.
Last edited by crashdump on Wed Oct 06, 2004 9:18 pm, edited 1 time in total.
- theunknownhost
- Official Test Penquin
- Posts: 2713
- Joined: Mon Aug 05, 2002 1:05 pm
I have had the exact same success, however I have noticed something interesting. When I first enabled it dsbl was blocking about 3 times as much as spamhaus. This continued for the first two days. Then spamhaus began blocking about 3 times more, but the number did not increase for spamhaus, instead the dsbl number greatly decreased. It looks like there may have been a serious open relay that spammers on the dsbl list were using. Perhaps they got tired of receiving the "You cannot send message", and went elsewhere?
- Arf
- Official Test Penquin
- Posts: 9103
- Joined: Tue Apr 09, 2002 12:00 am
- Location: IDAHO, USA
Re: So, what do you think about RBL's?
sunckell wrote: Greetings,
I was wondering how everyone was coming along with their RBL's. Can anyone shed any experience that they have had over the past week or so?
...
4. Problems you are experiencing?
Thanks,
Chad
Chad,
I can't run the RBLs on my server. When I tried to add them, as noted earlier, I'm getting some errors and many valid emails were getting lost. This is an unsupported option and I can't even find info on the error through google. As much as I'd like to try these, I can't figure out the cause of the problems I'm experiencing.
I have removed the code block posted here. I think it's better to go with the code provided in theunknownhost's link below, as it seems to preserve the tabs better.
bill
Last edited by crashdump on Tue Jun 08, 2004 2:57 pm, edited 1 time in total.
- theunknownhost
- Official Test Penquin
- Posts: 2713
- Joined: Mon Aug 05, 2002 1:05 pm
I can send you the entries in a text file - what email address would you like them sent to?
Here:
http://itxdesign.com/RBL.txt
Last edited by theunknownhost on Tue Jun 08, 2004 2:54 pm, edited 2 times in total.
Yeah, I got the following errors:
[root@host2 init.d]# ./sendmail start
Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 1635: invalid rewrite line "R* : &/" (tab expected)
554 5.0.0 /etc/mail/sendmail.cf: line 1636: invalid rewrite line "R::ffff:-.-.-.- : <?> (host 4.3.2.1.sbl-xbl.spamhaus.org. :OK )" (tab expected)
554 5.0.0 /etc/mail/sendmail.cf: line 1637: invalid rewrite line "R-.-.-.- : <?> (host 4.3.2.1.sbl-xbl.spamhaus.org. :OK )" (tab expected)
554 5.0.0 /etc/mail/sendmail.cf: line 1638: invalid rewrite line "R<?>OK : OKSOFAR" (tab expected)
554 5.0.0 /etc/mail/sendmail.cf: line 1639: invalid rewrite line "R<?>+ #error @ 5.7.1 : "Mail from " &/ " Email blocked using spamhaus - see <http://www.spamhaus.org/>"" (tab expected)
All tab errors.
Can someone just post with <TAB>?
Here it is, with "<tab>'s"
R$*<tab><tab><tab>$: $&{client_addr}
R::ffff:$-.$-.$-.$-<tab>$: <?> $(host $4.$3.$2.$1.sbl.spamhaus.org. $:OK $)
R$-.$-.$-.$-<tab><tab>$: <?> $(host $4.$3.$2.$1.sbl.spamhaus.org. $:OK $)
R<?>OK<tab><tab><tab>$: OKSOFAR
R<?>$+<tab><tab><tab>$#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using spamhaus - see <http://spamhaus.org/>"
After you edit it in vi, the "$:" right after the tabs should all line up.
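A pre-restart check for the "tab expected" errors quoted earlier in the thread, as an added example that is not part of the original posts: it expands the `<tab>` markers from the post into real tabs and lists any `R` line that still has none. The function names and the space-pasted sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are illustrative.

# Turn the literal "<tab>" markers used in the post into real tab characters.
expand_tab_markers() {
    awk '{ gsub(/<tab>/, "\t"); print }'
}

# List every R (rewrite) line that contains no tab, as "lineno: text".
# Exit status is 1 if any were found: those are the lines sendmail rejects
# with "invalid rewrite line ... (tab expected)".
find_untabbed_rules() {
    awk '/^R/ && index($0, "\t") == 0 { printf "%d: %s\n", NR, $0; bad = 1 }
         END { exit bad }'
}

# Two rules exactly as posted above, with <tab> markers.
sample_posted() {
    cat <<'EOF'
R$*<tab><tab><tab>$: $&{client_addr}
R<?>OK<tab><tab><tab>$: OKSOFAR
EOF
}

# The same rules after a paste that turned the tabs into spaces (constructed),
# preceded by a constructed comment line that the check must skip.
sample_pasted() {
    cat <<'EOF'
# RBL check (constructed comment line)
R$*            $: $&{client_addr}
R<?>OK         $: OKSOFAR
EOF
}

# Demo: the marker version passes once expanded, the space-pasted one does not.
sample_posted | expand_tab_markers | find_untabbed_rules \
    && echo "posted snippet: every R line has a tab"
sample_pasted | find_untabbed_rules \
    || echo "pasted snippet: the lines listed above need a tab before \$:"
```

After editing, `find_untabbed_rules < /etc/mail/sendmail.cf` reports the same line numbers sendmail would complain about, without having to restart the daemon to find out.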