Mailing List Archive

Anti SPAM Exim configuration
Dear Sirs.

Has anybody already tried to build such a system as:

http://networksolutions.no-ip.com/services.php/mail/ecr ?

I remember I saw something of this kind, but can't remember where it
was. I would be very thankful for any links on this topic.

Please send a copy of your answer to me directly. Thanks.

--
Alexander Prohorenko
Re: Anti SPAM Exim configuration [ In reply to ]
Alexander Prohorenko schrieb:

>Please send a copy of your answer to me directly. Thanks.
>
Check out tmda.net, works with exim.


johannes
Re: Anti SPAM Exim configuration [ In reply to ]
Johannes,

Thanks, it works for me!

More to ask: has anybody configured Exim with TMDA to work with
virtual mailboxes rather than regular Unix user accounts?


Monday, December 13, 2004, 6:56:11 PM, Johannes Berg wrote:
> Alexander Prohorenko schrieb:

>>Please send a copy of your answer to me directly. Thanks.
>>
> Check out tmda.net, works with exim.


> johannes



--
Alexander Prohorenko
Re: Anti SPAM Exim configuration [ In reply to ]
On Mon, 13 Dec 2004, Johannes Berg wrote:

> Check out tmda.net, works with exim.

TMDA is a dreadful idea that contributes to collateral spam and which is
likely to cause legitimate senders to give up trying to get through to
you.

Tony.
--
f.a.n.finch <dot@dotat.at> http://dotat.at/
THAMES DOVER WIGHT PORTLAND PLYMOUTH: SOUTH 3 VEERING SOUTHWEST 4 OR 5. FAIR.
MODERATE OR POOR.
Re: Anti SPAM Exim configuration [ In reply to ]
Tony,

What can you advise, except spending hours daily filtering mail from
SPAM manually?

Unfortunately, SpamAssassin doesn't work well enough for me, I'm able
to filter not more than 70% of SPAM. I receive about 30 SPAM messages
daily for one mailbox.

Hopefully, you can show me the way out of here.

Thank you.

Monday, December 13, 2004, 11:30:38 PM, Tony Finch wrote:
> On Mon, 13 Dec 2004, Johannes Berg wrote:

>> Check out tmda.net, works with exim.

> TMDA is a dreadful idea that contributes to collateral spam and which is
> likely to cause legitimate senders to give up trying to get through to
> you.

> Tony.


--
Alexander Prohorenko
RE: Anti SPAM Exim configuration [ In reply to ]
> What can you advise, except spending hours daily filtering mail from
> SPAM manually?
>
> Unfortunately, SpamAssassin doesn't work well enough for me,
> I'm able to filter not more than 70% of SPAM. I receive
> about 30 SPAM messages daily for one mailbox.

I assume you run your SpamAssassin "out-of-the-box"? Try tuning it with additional rulesets. Use Bayes and train your database. I never heard of a SpamAssassin installation only catching 70% spam if set up correctly. Moreover, tune your Exim to starve SMTP connections a bit if they look like spam (e.g. if certain RBLs are triggered, HELO checks fail etc.). Many spammers will simply try to push the entire message to you and will not care for synchronization of commands, in which case you can drop the connection.

I agree with Tony though that TMDA is dreadful. Have a look into greylisting as well. I would not recommend greylisting to business users but it sure is great for personal use. Moreover: Look into dspam. Never used it myself but you never know... :-)

Regards,
JP
Re: Anti SPAM Exim configuration [ In reply to ]
On Mon, Dec 13, 2004 at 11:39:53PM +0200, Alexander Prohorenko wrote:
> Tony,
>
> What can you advise, except spending hours daily filtering mail from
> SPAM manually?
>
> Unfortunately, SpamAssassin doesn't work well enough for me, I'm able
> to filter not more than 70% of SPAM. I receive about 30 SPAM messages
> daily for one mailbox.

Yesterday I received 168 spams (which I know is less than many people) and
114 non-spams with no false positives or negatives. On average I'll get one
or two false negatives a week but fewer false positives.

Make sure you have SA set up as well as you can. It is useful to run it in
debug mode (-D) and manually run messages through. Make sure bayes, DNS and
auto lists are working (can write to the right directories, perl mods
installed etc). Use the latest SA and see if you can set up razor too. Train
the bayesian stuff with a decent sized corpus of spam too.

It'll take a little time to pick a suitable threshold and for the autolists to
learn.

Mike
--
Mike Richardson
Messaging and Collaboration
Manchester Computing
Email: mike.richardson@manchester.ac.uk
*Plain text only please - attachments stripped on arrival*
Re: Anti SPAM Exim configuration [ In reply to ]
On Mon, 13 Dec 2004, Alexander Prohorenko wrote:
>
> What can you advise, except spending hours daily filtering mail from
> SPAM manually?

As well as turning on network checks in SpamAssassin, use Razor and DCC.
Use DNS blacklists in Exim (the SBL and the RBL+ are very good). Make Exim
reject at SMTP time based on a high SpamAssassin score. Have a whitelist
of known correspondents whose email is delivered to your inbox, and filter
everything else to a folder which you look at once a day. If your spam
load is still too high you can split the misc folder based on spam score
and look at the spam weekly.

> Unfortunately, SpamAssassin doesn't work well enough for me, I'm able
> to filter not more than 70% of SPAM.

It's easy to do much better than that.

Tony.
--
<fanf@exim.org> <dot@dotat.at> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
Re: Anti SPAM Exim configuration [ In reply to ]
Jan-Peter,

Believe me, I'm spending hours weekly on tuning SpamAssassin. Of
course it's running Bayes, Razor, DCC, my Exim server has a lot of
rulesets for RBLs, HELO, virus checking, etc.

Yes, it stops just a HUGE number of SPAM messages, however, I still have
to fight with them daily in my mailbox.

Thanks, I'll take a look at greylisting and dspam. Hopefully, they
will work out well for me.

Thank you.

Tuesday, December 14, 2004, 8:59:04 AM, Jan-Peter Koopmann wrote:

>> What can you advise, except spending hours daily filtering mail from
>> SPAM manually?
>>
>> Unfortunately, SpamAssassin doesn't work well enough for me,
>> I'm able to filter not more than 70% of SPAM. I receive
>> about 30 SPAM messages daily for one mailbox.

> I assume you run your SpamAssassin "out-of-the-box"? Try tuning
> it with additional rulesets. Use bayes and train your database. I
> never heard of a SpamAssassin installation only catching 70% spam if
> setup correctly. Moreover tune your exim to starve SMTP connections
> a bit if they look like spam (e.g. if certain RBLs are triggered,
> HELO checks fail etc.). Many spammers will simply try to push the
> entire message to you and will not care for synchronization of
> commands in which case you can drop the connection.

> I agree with Tony though that TMDA is dreadful. Have a look into
> greylisting as well. I would not recommend greylisting to business
> users but it sure is great for personal use. Moreover: Look into
> dspam. Never used it myself but you never know... :-)

> Regards,
> JP


--
Alexander Prohorenko
Re: Anti SPAM Exim configuration [ In reply to ]
On Mon, 13 Dec 2004 23:26:56 +0200, Alexander Prohorenko
<white@prohorenko.com> wrote:
> Johannes,
>
> Thanks, it works for me!

If 'it' is TMDA, are you happy with the trade-off that it 'works' for
you, but causes

1. annoyance to your genuine contacts
2. collateral spam to innocent victims of forged sender addresses on
spam and worms
3. unless carefully managed, annoyance to mailing list posters and managers

and generally, 'solves' the unwanted email problem by sending more
unwanted email?

Peter
Re: Anti SPAM Exim configuration [ In reply to ]
--On Monday, December 13, 2004 23:39:53 GMT +0200 Alexander Prohorenko
<white@prohorenko.com> wrote:

> Tony,
>
> What can you advise, except spending hours daily filtering mail from
> SPAM manually?

You also need to take your email address off the web. Google shows 25 hits
for it. That's where the spammers get your address. Simple encoding or
disguising of the address helps.

> Unfortunately, SpamAssassin doesn't work well enough for me, I'm able
> to filter not more than 70% of SPAM. I receive about 30 SPAM messages
> daily for one mailbox.
>
> Hopefully, you can show me the way out of here.
>
> Thank you.
>
> Monday, December 13, 2004, 11:30:38 PM, Tony Finch wrote:
>> On Mon, 13 Dec 2004, Johannes Berg wrote:
>
>>> Check out tmda.net, works with exim.
>
>> TMDA is a dreadful idea that contributes to collateral spam and which is
>> likely to cause legitimate senders to give up trying to get through to
>> you.
>
>> Tony.
>
>
> --
> Alexander Prohorenko



--
Ian Eiloart
Servers Team
Sussex University ITS
Re: Anti SPAM Exim configuration [ In reply to ]
Also check out surbl.org (it is improving all the time)

surbl + dcc + razor + pyzor + scoring for RBL black lists + a well
trained bayes filter = about 99.98% accuracy on my SA setup :) - (it is
a bit resource hungry.... however I value my time over the CPU cycles!)

I am also trying the call-out feature to verify sender addresses (which
works very well so far - although I'm sure there will be debate between
exim members as to the ups and downs of it....).

Cheers,
Andrew

Ian Eiloart wrote:

>
>
> --On Monday, December 13, 2004 23:39:53 GMT +0200 Alexander Prohorenko
> <white@prohorenko.com> wrote:
>
>> Tony,
>>
>> What can you advise, except spending hours daily filtering mail from
>> SPAM manually?
>
>
> You also need to take your email address off the web. Google shows 25
> hits for it. That's where the spammers get your address. Simple
> encoding or disguising of the address helps.
>
>> Unfortunately, SpamAssassin doesn't work well enough for me, I'm able
>> to filter not more than 70% of SPAM. I receive about 30 SPAM messages
>> daily for one mailbox.
>>
>> Hopefully, you can show me the way out of here.
>>
>> Thank you.
>>
>> Monday, December 13, 2004, 11:30:38 PM, Tony Finch wrote:
>>
>>> On Mon, 13 Dec 2004, Johannes Berg wrote:
>>
>>
>>>> Check out tmda.net, works with exim.
>>>
>>
>>> TMDA is a dreadful idea that contributes to collateral spam and
>>> which is
>>> likely to cause legitimate senders to give up trying to get through to
>>> you.
>>
>>
>>> Tony.
>>
>>
>>
>> --
>> Alexander Prohorenko
>
>
>
>
Re: Anti SPAM Exim configuration [ In reply to ]
On Tue, 14 Dec 2004, Ian Eiloart wrote:

> You also need to take your email address off the web.

Waste of effort for most of us. Our addresses will be on
past-published documents, professional membership lists, etc. etc.
You'd drive yourself demented trying to get rid of them all, and you'd
drive yourself -and- your correspondents demented if you kept changing
your address to try to hide from the spammers.

> Google shows 25 hits for it.

And I'd surmise at least one of them is not under the control of the
hon. member. It only takes just one.

> That's where the spammers get your address. Simple encoding or
> disguising of the address helps.

It might, for some minority who are in a rather special situation.
But professionally it's just not feasible.

> > Unfortunately, SpamAssassin doesn't work well enough for me, I'm
> > able to filter not more than 70% of SPAM. I receive about 30 SPAM
> > messages daily for one mailbox.

I've got accustomed to my email address serving as a spamtrap.
Seeing that we all act as postmasters here - right? - we can raise the
probability that anyone who spams us won't spam us again - nor any of
our users.

There's no single right answer, though. If everyone ran the same
anti-spam profile, the spammers would easily defeat it. It needs
variegated counter-measures. Which means, sadly, that one has to put
a bit of extra effort into it. But IMHO that is more productive (and
scales much better to one's users) than desperately trying to keep
one's email address "ex-directory", and leaving one's users to the
mercy of the same mechanisms.

best regards
Re: Anti SPAM Exim configuration [ In reply to ]
* Alexander Prohorenko <white@prohorenko.com> [20041214 00:41]: wrote:
> Tony,
>
> What can you advise, except spending hours daily filtering mail from
> SPAM manually?
>
> Unfortunately, SpamAssassin doesn't work well enough for me, I'm able
> to filter not more than 70% of SPAM. I receive about 30 SPAM messages
> daily for one mailbox.
>
> Hopefully, you can show me the way out of here.

Hello Alexander and others,

I found this topic quite interesting and decided that I wouldn't let it
pass me by ;)

Alexander: Depending on your userbase, their hatred of spam, and their
willingness to cooperate in the war against spam, you should consider
deploying DSPAM. Why?

1. It does not require you to run DCC, Razor, Pyzor and what not so
you minimize on the apps you are running. You remain with just a
single point of failure - dspam itself.
2. It allows users to "train" it on what is spam and what is not.
Of course you are also able to only put willing users' mail thro'
it.
3. If your users have similar characteristics in their e-mailing habits
(who they receive mail from, the type of spam they rcv), it's even
easier. You can build a dictionary and share it amongst them for a
start. The problem with handling hundreds/thousands of users is with
the fact that what is spam for others might not be universally seen
as spam for everyone.
4. It can handle virtual users quite easily.
5. It supports reclassification (of spam and nonspam) by the users
themselves.
6. Troy Engel already made very good HOWTO for DSPAM. See this:

http://www.exim.org/pipermail/exim-users/Week-of-Mon-20040510/071459.html

NOTE::

1. The configure options and command line options in the Exim transports
for DSPAM v3.x (3.2.3) will differ from the ones on that howto. Same
for runtime configuration of dspam.

2. For a good DSPAM setup you will need MySQL and related administration knowledge!!

Spam filtering is a big challenge for an ISP, I can tell you that.
Even RBLs do not really help in an ISP environment as you end up
blocking senders who are legit to some of your users.
If you have several thousand users, like in an ISP, I would tell you
there is no "perfect" anti-spam solution!!

I'll be willing to hear a case where someone in such a situation has
achieved even just 90% accuracy on spam defenses. Suresh, are you listening?;)
You are one of the gurus on this.

I'll also advise you to tread carefully when it comes to greylisting.
In an environment like mine (ISP), it's a tedious venture since
almost every host on the Internet is likely to send e-mail your way!
You will spend quite some time on the greylisting, leave alone the
planning itself, which you need to consider very keenly.

It's been claimed that Postfix has got far better anti-spam
defenses than Exim, but the person who said that (Hey Guka
guka, you are reading this?) did not say if his setups (he has
many) bear any semblance to an ISP environment. Anyway running
Postfix is another thing altogether - not easy when you run Exim.
To be good, you have to run one or the other. I am on the Exim
side, if this comment precipitates a flame war ;)

It's my hope that this gives some of the advice you asked for.


cheers
- wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE) |
<wash at wananchi dot com> . 1ere Etage, Loita Hse, Loita St., |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
--from a /. post
Anti SPAM Exim configuration [ In reply to ]
I manage to filter nearly 100% of spam. I could go into a lot of detail
about how I do that but here's the highlights.

First - I use the Exim ACL tricks that many people have published here.
The best ones include:

Sender Callback Verification
Spamhaus Blacklist
No IP address in HELO
No pretending they are one of my domains in HELO
I nuke all viruses and windows executable attachments.

This gets rid of 90%+ of spam.

Then - I use SpamAssassin for the rest of it. But - the ACLs get rid of
more spam than SpamAssassin does.

I also do front end spam filtering for other people's domains - so if
you don't want to figure it all out yourself you can route your email
through my servers (for a small price) and I'll clean the spam for you.
Re: Anti SPAM Exim configuration [ In reply to ]
jvanasco@mastersofbranding.com wrote:

>Would you mind sharing those lines from your .conf with the list?
>
>
>
>>First - I use the Exim ACL tricks that many people have published here.
>>The best ones include:
>>
>>Sender Callback Verification
>>Spamhaus Blacklist
>>No IP address in HELO
>>No pretending they are one of my domains in HELO
>>I nuke all viruses and windows executable attachments.
>>
>>This gets rid of 90%+ of spam
>>
>>

No problem - here's my ACL

========================

# Various Domain Lists

domainlist system_domains = lsearch;/etc/exim/sdomains
domainlist virtual_local_domains = lsearch;/etc/exim/vdomains
domainlist preprocess_domains = lsearch;/etc/exim/preprocess
domainlist mx_backup_domains = lsearch;/etc/exim/mxbackup
# Lookup type and file name are separated by ';' (the ':' form is a list separator)
domainlist domain_fallback = lsearch;/etc/exim/domainfallback
domainlist domain_aliases = lsearch;/etc/exim/domainaliases
domainlist no_verify = lsearch;/etc/exim/noverify

domainlist local_domains = +virtual_local_domains : +domain_fallback : \
+domain_aliases : +system_domains

domainlist all_mail_handled_locally = +local_domains : \
+mx_backup_domains : +preprocess_domains


hostlist relay_from_hosts = /etc/exim/relayfor : @[]
hostlist auth_relay_hosts = !+relay_from_hosts

dns_again_means_nonexist = !+all_mail_handled_locally


# Good info at http://slett.net/spam-filtering-for-mx/


#########################################################
## This new section of the configuration contains ACLs ##
## (Access Control Lists) derived from the Exim 3 ##
## policy control options. ##
#########################################################

acl_smtp_connect = check_connect
acl_smtp_helo = check_helo
acl_smtp_mail = check_sender
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
acl_smtp_mime = check_mime

begin acl

###########################################################
########## ACL that checks at CONNECT time
###########################################################

check_connect:

#######################################################################
# DNS checks
######################################################################
#
# The results of these checks are cached, so multiple recipients
# do not translate into multiple DNS lookups.
#
# If the connecting host is in one of a select few DNSbls, then
# reject the message. Be careful when selecting these lists; many
# would cause a large number of false positives, and/or have no
# clear removal policy.

drop dnslists = sbl-xbl.spamhaus.org
message = REJECTED - Host $sender_host_address is Blacklisted in \
$dnslist_domain=$dnslist_value

# On backup servers stall them if things aren't quite right.

.ifdef NO_VDOMAINS

# This is run only on secondary mx spam filters

# NB: some of these zones (dnsbl.njabl.org for one) have since been retired;
# confirm each list is still operating before reusing this stanza.

defer dnslists = dnsbl.sorbs.net : dnsbl.njabl.org : cbl.abuseat.org : \
bl.spamcop.net
message = Host $sender_host_address is Blacklisted in \
$dnslist_domain=$dnslist_value

defer message = Warning - Reverse DNS lookup failed for host \
$sender_host_address.
!verify = reverse_host_lookup

.endif


# Otherwise ....
accept


###########################################################
########## ACL that checks HELO
###########################################################

check_helo:

# If the remote host greets with an IP address, then reject the mail.

drop message = REJECTED - Bad HELO - IP address not allowed \
($sender_helo_name)
condition = ${if isip {$sender_helo_name}{true}{false}}

# Otherwise ....
accept


###########################################################
########## ACL that checks the SENDER ADDRESS
###########################################################

check_sender:

drop message = REJECTED - Sender Address in BLOCK LIST
senders = /etc/exim/sendersblocked


# Otherwise ....
accept

###########################################################
########## ACL that checks the RECIPIENTS
###########################################################

check_recipient:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

accept hosts = :
require verify = sender

deny local_parts = ^.*[@%!/|] : ^\\.
message = REJECTED - Recipient address contains invalid characters


.ifndef NO_VDOMAINS

deny message = REJECTED - Unroutable Local Address
log_message = REJECTED
domains = +local_domains
!verify = recipient

.endif

drop recipients = lsearch;/etc/exim/deadaccounts
message = REJECTED - The account you are emailing is a Dead Account

accept hosts = 127.0.0.1 : 192.168.0.0/16

accept hosts = +relay_from_hosts

accept authenticated = *


####### HELO CHECKS

# Require fully qualified domain name in HELO

warn message = Bad HELO - single word rather than a Domain Name - \
($sender_helo_name)
log_message = Bad HELO - single word rather than a Domain Name - \
($sender_helo_name)
# The pattern is wrapped in \N...\N: the match arguments are expanded, and
# an unprotected \. would expand to a bare '.', which matches any character.
condition = ${if match {$sender_helo_name} {\N\.\N} {no}{yes}}


# No HELO

warn message = Bad HELO no greeting
log_message = Bad HELO no greeting
condition = ${if def:sender_helo_name {false}{true}}


accept condition = ${if \
match_domain{$sender_helo_name}{localhost}{true}{false}}
log_message = HELO is Localhost


# Can't impersonate one of our domains

drop message = REJECTED - Bad HELO - Host impersonating \
[$sender_helo_name]
condition = ${if match_domain{$sender_helo_name}\
{+all_mail_handled_locally}{true}{false}}


# Warn (without rejecting) if the host is in one of the less conservative
# DNSbls; the conservative one was already used to drop at connect time.

warn dnslists = dnsbl.sorbs.net : dnsbl.njabl.org : cbl.abuseat.org : \
bl.spamcop.net
message = Host $sender_host_address is Blacklisted in \
$dnslist_domain=$dnslist_value
log_message = Host $sender_host_address is Blacklisted in \
$dnslist_domain=$dnslist_value

# If reverse DNS lookup of the sender's host fails (i.e. there is
# no rDNS entry, or a forward lookup of the resulting name does not
# match the original IP address), then warn about the message.

warn message = Warning - Reverse DNS lookup failed for host \
$sender_host_address.
log_message = Warning - Reverse DNS lookup failed for host \
$sender_host_address
!verify = reverse_host_lookup


# Reject the recipient address if it is not in a domain for
# which we are handling mail.

drop message = REJECTED - Relay not Permitted
!domains = +all_mail_handled_locally


# Warn (not deny) when sender and recipient are the same address

warn message = Sender and Recipient are the Same
condition = ${if eq {$sender_address}{$local_part@$domain}{yes}{no}}



######################################################################
# Sender Address Checks
######################################################################

# If we cannot verify the sender address, deny the message.
#
# You may choose to remove the "callout" option. In particular,
# if you are sending outgoing mail through a smarthost, it will not
# give any useful information.
#
# Details regarding the failed callout verification attempt are
# included in the 550 response; to omit these, change
# "sender/callout" to "sender/callout,no_details".
#

accept senders = *eff.org

warn dnslists = dsn.rfc-ignorant.org/$sender_address_domain
message = Host $sender_host_address is RFC-IGNORANT listed \
at http://rfc-ignorant.org/policy-dsn.php
log_message = Host $sender_host_address is RFC-IGNORANT

deny message = REJECTED - Sender Verify Failed\n\n\
The return address you are using for this email message <$sender_address>\
does not seem to be a working account.
!dnslists = dsn.rfc-ignorant.org/$sender_address_domain
!domains = +no_verify
!verify = sender/callout=2m,defer_ok


# Reject the recipient if it is not a valid mailbox.
# If the mailbox is not on our system (e.g. if we are a
# backup MX for the recipient domain), then perform a
# callout verification; but if the destination server is
# not responding, accept the recipient anyway.

deny message = REJECTED - Remote Recipient Verify Failed
domains = +all_mail_handled_locally
!verify = recipient/callout=2m,defer_ok,use_sender

# Drop the connection if the envelope sender is empty, but there is
# more than one recipient address. Legitimate DSNs are never sent
# to more than one address.

drop message = Legitimate bounces are never sent to more than one \
recipient.
senders = :
condition = ${if >{$recipients_count}{1}{true}{false}}

# Deny if too many failed recipients

drop condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
message = REJECTED - Too many failed recipients - count = \
$rcpt_fail_count


# Otherwise ....
accept



###################################################
########## ACL that is used after the DATA command
###################################################

check_message:

# Executes ClamAV Virus Filter

drop message = REJECTED - Contains malware ($malware_name) addressed \
to [$h_to:]
demime = *
malware = *


# Unpack MIME containers and reject file extensions

deny message = Your message contains a windows executable \
\"\.$found_extension\" file which is prohibited on this system.
demime = \
ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh:tmp:ADE:ADP:BAS:BAT:CHM:CMD:COM:CPL:CRT:EXE:HLP:HTA:INF:INS:ISP:JS:JSE:LNK:MDB:MDE:MSC:MSI:MSP:MST:PCD:PIF:REG:SCR:SCT:SHS:SHB:URL:VB:VBE:VBS:WSC:WSF:WSH:TMP

deny message = Your message contains a suspicious filename which is \
prohibited on this system.
demime = attached.zip

drop message = REJECTED - Hiding of file extensions is not allowed!
regex = \
^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$



# Unpack MIME containers and reject ZIP file extensions

#deny message = Your message contains a compressed \
#\"\.$found_extension\" file which is temporarily prohibited on this \
#system to prevent the spread of a new virus. Please rename the file and \
#send it again.
#demime = zip:ZIP


# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.

deny message = REJECTED - Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}


# Warn if the address list headers are not syntactically correct.

warn message = Does not conform to RFC2822 standard
!verify = header_syntax

# Otherwise ....
accept


###########################################################
########## ACL that is used for MIME decoding with exiscan
###########################################################

check_mime:


warn message = X-Attach-Beware: Be careful of compressed attached \
file named \"$mime_filename\".
condition = ${if match {${lc:$mime_filename}} \
{\N(\.zip|\.rar)$\N}{1}{0}}

warn message = X-Character-set: $mime_charset
condition = ${if eq{$mime_charset}{}{0}{1}}


# Otherwise ....
accept
Re: Anti SPAM Exim configuration [ In reply to ]
On Tue, 14 Dec 2004, Marc Perkel wrote:

> I manage to filter nearly 100% of spam.

And what rate of false positives?

> Sender Callback Verification

Selectively, I hope. "Verifying" a local part with MTAs that say
"fine" to any old rubbish, just isn't worth the overhead. And some
otherwise-bona-fide MTAs won't co-operate, either.

> Spamhaus Blacklist

False positives are pretty-much guaranteed, if you don't confirm
that with other resources.

What I would add, though, is that we've had rather good results from
rejecting if the offering MTA is not only in one of the technical
blacklists, such as DSBL and one or two others, and is thus known to
be capable of being exploited, but is also blacklisted in Spamcop, i.e.
has been observed actually relaying spam. That catches quite a few
which oozed past the more-conservative blacklists on which we reject
outright. And the cross-correlation avoids the false positives that
one gets by rejecting on a spamcop entry etc. alone.

> No IP address in HELO

You'd better not do that to your outbound clients though - Macs seem
to have rediscovered this option, that we thought had practically died
out.

> No pretending they are one of my domains in HELO

That's a "kill on sight", for sure.

> I nuke all viruses

I take it you mean "all known viruses". Unfortunately we still get an
irritating amount of shrapnel from virus attacks, with insufficient
virus signature to actually recognise it. TimJ has a useful resource
for that kind of stuff, for which we can all be grateful...

> and windows executable attachments.

If -only- we could be sure which attachments Windoze in its wisdom is
going to deem to be executable, in one or other of its multifarious
ways. RFC2616 at least shows how to do it right for HTTP, and in
effect mandates rejecting any object whose content proves to be
incompatible with its MIME type. So MS go and trample all over that
mandate, and the results are, well, "as we see them".

> Then - I use Spam Assassin for the rest of it. But - the ACLs get
> rid of more spam than Spam Assassin does.

Same here. Only a relatively small proportion of spams get as far as
being spamassassin-rated. Because they got rejected by one of the
earlier, low-fat, rules.

all the best
Re: Anti SPAM Exim configuration [ In reply to ]
Well, I suppose this question (which appears to have arrived in
private mail, but I propose to answer in the list) was inevitable...

> What are the technical blacklists you are using? I am only using
> DSBL at home and would love to learn of additional resources...

Well, we've shifted around quite a bit as things have changed, and I
haven't done the statistics recently, so I'm reluctant to say exactly
what we're using right now. I was chastened, earlier today, when I
reviewed the statistics for another part of the ACL, where, in the
recent logging interval, one of the rules had rejected 6,000, while
another had rejected only 2, and a further one had rejected nothing at
all. One has to keep moving, in this business!

Anyhow, I'd recommend consulting
http://www.sdsc.edu/~jeff/spam/cbc.html , reviewing the policies of
the various lists, and trying out some combinations. Some can
confidently be used for outright rejection, sure...

But what I'm saying is we get enhanced results by having an extra
stanza, making up one group which includes "spam seen" (might be, say,
spamcop along with the relevant SORBS entry), and another group which
indicates technical likelihood (dsbl, probable dialups, entry in
SPEWS, whatever appeals to you).

Here's a simplified picture, where in our case
ACL_BLACKLIST=acl_m7

(my colleague prefers mnemonic working variables ;-) , and then it
goes something like this:

deny hosts = +rbl_hosts
message = Your mail host $sender_host_address is blacklisted in \
$dnslist_domain=$dnslist_value as well as in $ACL_BLACKLIST.
dnslists = spam.dnsbl.sorbs.net : bl.spamcop.net
set ACL_BLACKLIST = $dnslist_domain
dnslists = l1.spews.dnsbl.sorbs.net : \
list.dsbl.org : \
dul.dnsbl.sorbs.net

But I must emphasise that we switch the blacklists around according to
the results achieved - when we get the time to study them. Don't just
blindly copy the above!

hope that helps a bit.
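Added example (not code from the thread or from any of the posters): the DNSBL lookup mechanics and the two-stage policy the thread describes, Marc's connect-time drop on one conservative list as stage one and Alan's "spam seen" plus "technical" cross-correlation as stage two, modelled in Python. DNS is replaced by a constructed in-memory table, the addresses are TEST-NET samples, and FAKE_DNS, fake_resolver, dnsbl_query_name, dnsbl_lookup and connect_policy are names of my own.

```python
"""Model of the two-stage DNSBL policy discussed in this thread (added example).

A DNSBL is queried by reversing the octets of the connecting IP and appending
the list's zone; a listed host answers with an A record inside 127.0.0.0/8.
DNS is replaced by a constructed table so the example runs offline.
"""
import ipaddress
from typing import Callable, Optional, Sequence, Tuple

# Constructed sample listings (TEST-NET addresses, not real list data).
FAKE_DNS = {
    # 203.0.113.4: on the conservative list -> dropped at connect time
    "4.113.0.203.sbl-xbl.spamhaus.org": "127.0.0.2",
    # 198.51.100.9: spam observed AND technically exploitable -> denied
    "9.100.51.198.bl.spamcop.net": "127.0.0.2",
    "9.100.51.198.list.dsbl.org": "127.0.0.2",
    # 192.0.2.20: spam observed only -> warn, never reject on one list alone
    "20.2.0.192.bl.spamcop.net": "127.0.0.2",
    # 192.0.2.7: a retired list whose domain now resolves every name to a
    # web server; such an answer must not count as a listing
    "7.2.0.192.dul.dnsbl.sorbs.net": "93.184.216.34",
}

Resolver = Callable[[str], Optional[str]]
Hit = Tuple[str, str]  # (zone, value), like Exim's $dnslist_domain=$dnslist_value


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for an A-record lookup: the address, or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """198.51.100.9 checked in bl.spamcop.net -> 9.100.51.198.bl.spamcop.net"""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip: str, zones: Sequence[str], resolve: Resolver) -> Optional[Hit]:
    """First list in `zones` that has `ip`, or None.

    Only answers inside 127.0.0.0/8 count: anything else is what a parked or
    wildcarded domain returns, and trusting it would blacklist the world.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for zone in zones:
        value = resolve(dnsbl_query_name(ip, zone))
        if value is not None and ipaddress.IPv4Address(value) in loopback:
            return zone, value
    return None


# Zone names as they appear in the thread; whether each is still operating
# must be checked before reuse (several have been retired since 2004).
OUTRIGHT = ["sbl-xbl.spamhaus.org"]
SPAM_SEEN = ["spam.dnsbl.sorbs.net", "bl.spamcop.net"]
TECHNICAL = ["l1.spews.dnsbl.sorbs.net", "list.dsbl.org", "dul.dnsbl.sorbs.net"]


def connect_policy(ip: str, resolve: Resolver = fake_resolver) -> Tuple[str, str]:
    """Decide what to do with a connecting host: (verb, message).

    Stage 1: drop on a conservative list alone.
    Stage 2: deny only when a 'spam seen' list and a 'technical' list agree;
             a hit on just one of them is logged as a warning.
    """
    hit = dnsbl_lookup(ip, OUTRIGHT, resolve)
    if hit:
        return "drop", f"Host {ip} is Blacklisted in {hit[0]}={hit[1]}"
    seen = dnsbl_lookup(ip, SPAM_SEEN, resolve)
    tech = dnsbl_lookup(ip, TECHNICAL, resolve)
    if seen and tech:
        return "deny", (f"Your mail host {ip} is blacklisted in {tech[0]}={tech[1]} "
                        f"as well as in {seen[0]}")
    single = seen or tech
    if single:
        return "warn", f"Host {ip} is listed in {single[0]}={single[1]} (one list only)"
    return "accept", ""


if __name__ == "__main__":
    for host in ("203.0.113.4", "198.51.100.9", "192.0.2.20", "192.0.2.7", "192.0.2.1"):
        print(host, *connect_policy(host))
```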
Re: Anti SPAM Exim configuration [ In reply to ]
Alan J. Flavell wrote:

>On Tue, 14 Dec 2004, Marc Perkel wrote:
>
>
>
>>I manage to filter nearly 100% of spam.
>>
>>
>
>And what rate of false positives?
>
>
Almost none

I have different grades of spam. I deliver low grade spam to server side
IMAP folders. Thus the user still gets their false positives. I also
have feedback folders for the bayesian filter and personal white lists
and black lists.

>>Sender Callback Verification
>
>Selectively, I hope. "Verifying" a local part with MTAs that say
>"fine" to any old rubbish, just isn't worth the overhead. And some
>otherwise-bona-fide MTAs won't co-operate, either.

It's my best filter. As long as they respond to mail from:<> or are
listed in rfc-ignorant.org. If I get a complaint - I list them in
rfc-ignorant.

>>Spamhaus Blacklist
>
>False positives are pretty-much guaranteed, if you don't confirm
>that with other resources.
>
>What I would add, though, is that we've had rather good results from
>rejecting if the offering MTA is not only in one of the technical
>blacklists, such as DSBL and one or two others, and is thus known to
>be capable of being exploited, but is also blacklisted in Spamcop, i.e.
>has been observed actually relaying spam. That catches quite a few
>which oozed past the more-conservative blacklists on which we reject
>outright. And the cross-correlation avoids the false positives that
>one gets by rejecting on a spamcop entry etc. alone.

spamhaus has been good to me. No complaints.

>>No IP address in HELO
>
>You'd better not do that to your outbound clients though - Macs seem
>to have rediscovered this option, that we thought had practically died
>out.

I'm not getting any complaints about this.

>>No pretending they are one of my domains in HELO
>
>That's a "kill on sight", for sure.

Yep - and it catches a LOT of spam.

>>I nuke all viruses
>
>I take it you mean "all known viruses". Unfortunately we still get an
>irritating amount of shrapnel from virus attacks, with insufficient
>virus signature to actually recognise it. TimJ has a useful resource
>for that kind of stuff, for which we can all be grateful...

Right - all known ZIP viruses.

>>and windows executable attachments.
>
>If -only- we could be sure which attachments Windoze in its wisdom is
>going to deem to be executable, in one or other of its multifarious
>ways. RFC2616 at least shows how to do it right for HTTP, and in
>effect mandates rejecting any object whose content proves to be
>incompatible with its MIME type. So MS go and trample all over that
>mandate, and the results are, well, "as we see them".

I nuke all windows executables period. The risk of virus exposure
outweighs the rest. It protects users from new viruses.

>>Then - I use Spam Assassin for the rest of it. But - the ACLs get
>>rid of more spam than Spam Assassin does.
>
>Same here. Only a relatively small proportion of spams get as far as
>being spamassassin-rated. Because they got rejected by one of the
>earlier, low-fat, rules.
>
>all the best
Re: Anti SPAM Exim configuration [ In reply to ]
On Tue, 14 Dec 2004, Alan J. Flavell wrote:
>
> "Verifying" a local part with MTAs that say "fine" to any old rubbish,
> just isn't worth the overhead.

It's really very cheap.

> And some otherwise-bona-fide MTAs won't co-operate, either.

Log analysis and submission to rfc-ignorant (see my recent posts) deals
with the idiots.

> > Spamhaus Blacklist
>
> False positives are pretty-much guaranteed, if you don't confirm
> that with other resources.

We have had no complaints.

> You'd better not do that to your outbound clients though

We perform no outbound checks, but rely on higher-level network security,
i.e. identification of infected hosts and exploitable HTTP proxies.

MUAs are fundamentally crap and written by people who don't know the
difference between RFC 821 and the car number plate you want to run them
over with.

> If -only- we could be sure which attachments Windoze in its wisdom is
> going to deem to be executable, in one or other of its multifarious
> ways.

file(1) is great.

Tony.
--
<fanf@exim.org> <dot@dotat.at> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
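An added example (not Tony's, Alan's or Marc's code) of what deciding by content rather than by filename or declared MIME type looks like in an MTA-side filter, which is the point of the file(1) remark: the attachment below is constructed to claim it is a JPEG while its bytes start with the MZ header of a DOS/Windows executable.

```python
# Added example: flag attachments by their leading bytes, not by the
# filename extension or the Content-Type the sender chose to declare.
from email import message_from_bytes
from email.message import EmailMessage

# DOS, NE and PE (Windows) executables all begin with the two bytes "MZ".
EXECUTABLE_MAGIC = {b"MZ": "MS-DOS/Windows executable (MZ header)"}

def build_sample_message() -> bytes:
    """Constructed test mail: a text part plus an attachment whose name and
    MIME type say 'picture' but whose payload carries an executable header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "holiday photo"
    msg.set_content("see attached")
    fake_image = b"MZ\x90\x00" + b"\x00" * 60   # only the magic matters here
    msg.add_attachment(fake_image, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    return msg.as_bytes()

def find_executable_attachments(raw: bytes):
    """Return [(filename, declared type, reason)] for every leaf part whose
    decoded payload starts with a known executable magic number."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding,
        # so we look at the real bytes the recipient's client would write out.
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        for magic, reason in EXECUTABLE_MAGIC.items():
            if payload.startswith(magic):
                hits.append((part.get_filename(), part.get_content_type(), reason))
    return hits
```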
Re: Anti SPAM Exim configuration [ In reply to ]
On 12/14/2004 16:04, "Marc Perkel" <marc@perkel.com> wrote:

> spamhaus has been good to me. No complaints.

Same here, generally.

Either we had a glitch earlier today which produced false spamhaus listing
DNS answers, or spamhaus briefly listed a bunch of white hats. I've never
had in a month as many block exemption requests for spamhaus blocks as I got
today. (Upon return from a medical appointment which was part followup to
the collapse-in-restaurant; ride in Aid Car; ER; overnight stay with 3 units
blood poured in adventure of last Monday.)

I tend to think they listed some white hats briefly...in the case of one of
the IPs, one of our servers thought it was OK and the other thought Spamhaus
had blocked it, which implies to me a caching of the block on the latter
server. Many of the others showed no spamhaus listing when I checked by
hand.

This problem had its good side...some of the reported servers should already
have been whitelisted past the spamhaus test just for reasons of trust and
volume. They are now.

Spamhaus and a local list we maintain in MySQL sit "in front of" our
greylisting. [The greylisting is running smoothly, and has whitelisting for
the trusted servers which send us high volumes...removing the impact on
those sending operations. It also has whitelisting for creatures like Yahoo
Groups, which don't do greylisting (Yahoo Groups diverts rejected mail to
the user's web interface). We can whitelist as finely as "this sender to
this recipient" or as coarsely as this /24 subnet. And our greylist daemon
whitelists automatically if SPF matches up and the sending domain is in a
trusted list.]

--John
Re: Anti SPAM Exim configuration [ In reply to ]
On Tue, 2004-12-14 at 23:17, Alan J. Flavell wrote:
> > Spamhaus Blacklist
>
> False positives are pretty-much guaranteed, if you don't confirm
> that with other resources.

The sbl can result in false positives during escalation though generally
I've had no complaints in using it.

The xbl is a very effective list (stopping around 50% of mail by
itself), I've yet to have a single complaint about a block made using
the list.

--
Mark Lowes <hamster@korenwolf.net>
Re: Anti SPAM Exim configuration [ In reply to ]
Hi -
I am very surprised by the poor results you are getting - I have a very
similar setup, and as mentioned in a previous email getting 99.98% hit
rate, and a very very very rare FP. Someone also mentioned that it is
hard to get > 90% in a large environment - I disagree.... I am running
this setup on multiple servers with good quality filtering (> 100
domains and around 1 Million emails each day). It isn't exactly the
biggest setup in the world, but it is running in an ISP environment.

Throw in www.surbl.org to the equation, it catches all the hard-to-bayes
spam (simple one line emails).

At the end of the day you can tune up SA very well - but it is a CPU
hog, check out DSPAM if you want something more efficient (I am in the
middle of moving to it).

Cheers,
Andrew.



Alexander Prohorenko wrote:

>Jan-Peter,
>
>Believe me, I'm spending hours weekly with tuning SpamAssassin. Of
>course it's running Bayes, Razor, DCC, my Exim server has a lot of
>rulesets for RBLs, HELO, Virus checking, etc.
>
>Yes, it stops just HUGE number of SPAM messages, however, I still have
>to fight with them daily in my mailbox.
>
>Thanks, I'll get a look at greylisting and dspam. Hopefully, they
>will work out for me well.
>
>Thank you.
>
>Tuesday, December 14, 2004, 8:59:04 AM, Jan-Peter Koopmann wrote:
>
>>>What can you advise, except spending hours daily filtering mail from
>>>SPAM manually?
>>>
>>>Unfortunately, SpamAssassin doesn't work good enough for me,
>>>I'm able to filter not more than 70% of SPAM. I receive
>>>about 30 SPAM messages daily for one mailbox.
>
>>I assume you run your SpamAssassin "out-of-the-box"? Try tuning
>>it with additional rulesets. Use bayes and train your database. I
>>never heard of a SpamAssassin installation only catching 70% spam if
>>setup correctly. Moreover tune your exim to starve SMTP connections
>>a bit if they look like spam (e.g. if certain RBLs are triggered,
>>HELO checks fail etc.). Many spammers will simply try to push the
>>entire message to you and will not care for synchronization of
>>commands in which case you can drop the connection.
>
>>I agree with Tony though that TMDA is dreadful. Have a look into
>>greylisting as well. I would not recommend greylisting to business
>>users but it sure is great for personal use. Moreover: Look into
>>dspam. Never used it myself but you never know... :-)
>
>>Regards,
>> JP
Re: Anti SPAM Exim configuration [ In reply to ]
On Wed, 15 Dec 2004, Mark Lowes wrote:

> On Tue, 2004-12-14 at 23:17, Alan J. Flavell wrote:
> > > Spamhaus Blacklist
> >
> > False positives are pretty-much guaranteed, if you don't confirm
> > that with other resources.
>
> The sbl can result in false positives during escalation

Indeed: it's a deliberate part of the policy. If you can support that
policy - great. But it needs to be a deliberate decision, is all that
I'm saying.

> though generally I've had no complaints in using it.

It's not that I'm saying "don't use it" - far from it. But anyone
taking that decision needs to be aware of the policy and its possible
consequences.

The same goes - even more strongly - for Spews, of course.

> The xbl is a very effective list

Agreed.
Re: Anti SPAM Exim configuration [ In reply to ]
On Wed, 15 Dec 2004, Tony Finch wrote:

> On Tue, 14 Dec 2004, Alan J. Flavell wrote:
> >
> > "Verifying" a local part with MTAs that say "fine" to any old rubbish,
> > just isn't worth the overhead.
>
> It's really very cheap.

It may be cheap for you - but it potentially gives the spammers the
ability to enlist us all in a denial-of-service attack on some site
that they've taken a dislike to. Paging Suresh?

> > And some otherwise-bona-fide MTAs won't co-operate, either.
>
> Log analysis and submission to rfc-ignorant (see my recent posts)
> deals with the idiots.

Yes. But that's not the whole story. Here's a for-instance.

There appear to be some MTAs which have some kind of rate-limit
mechanism. I can't prove this conclusively, but it seems that the
more that we try callout to them, the less likely they are to respond
within the timeout that we set for callout. Which means that we
defer, and the offering MTA tries the mail again soon afterwards, and
we try yet another callout, and it times-out yet again, and this can
go on for many hours, or even days. Meantime, more mails are being
offered with the same sender domain (it isn't always yahoo.co.jp ;-),
and those get called-out too, adding to the pressure on the called-out
site - and so it goes on.

rfc-ignorant doesn't help with that.

On the other hand, if you just ignore the result from callouts which
time-out, then you're considerably watering-down the potential benefit
from using callout. Seems to me it needs a more-sophisticated
mechanism for stateful control of callouts, if you're going to
implement callouts on a global basis.

Anyway, I'm just a part-timer at this, and you seem to be the
specialist, so I won't labour the point.

[..]
> MUAs are fundamentally crap and written by people who don't know the
> difference between RFC 821 and the car number plate you want to run
> them over with.

That's quite .sig-worthy ;-)

Thanks for the other points - interesting.
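An added sketch, not code from Alan, Tony or the Exim project, of the "stateful control of callouts" the post above asks for: a hypothetical per-domain governor that stops issuing callouts to a domain for a cool-off period once several in a row have timed out, so the defer-and-retry loop no longer piles more callouts onto a site that is already rate-limiting us. The thresholds are illustrative and the domain name is constructed.

```python
# Added example: hypothetical circuit breaker for sender callouts.
# Not part of Exim; a design sketch of the stateful control described above.
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class DomainState:
    consecutive_timeouts: int = 0
    suspended_until: float = 0.0   # epoch seconds; 0.0 means not suspended

@dataclass
class CalloutGovernor:
    max_timeouts: int = 3          # timeouts in a row before we back off
    cooloff: float = 3600.0        # seconds to leave the domain alone
    states: Dict[str, DomainState] = field(default_factory=dict)

    def should_callout(self, domain: str, now: Optional[float] = None) -> bool:
        """False while the domain is in cool-off; the caller then settles the
        verification without a callout instead of deferring yet again."""
        now = time.time() if now is None else now
        st = self.states.get(domain)
        return st is None or now >= st.suspended_until

    def record(self, domain: str, outcome: str, now: Optional[float] = None) -> None:
        """outcome is 'ok' or 'fail' (a definite answer) or 'timeout'."""
        now = time.time() if now is None else now
        st = self.states.setdefault(domain, DomainState())
        if outcome == "timeout":
            st.consecutive_timeouts += 1
            if st.consecutive_timeouts >= self.max_timeouts:
                # Open the breaker: no callouts to this domain until cooloff ends.
                st.suspended_until = now + self.cooloff
                st.consecutive_timeouts = 0
        else:
            # Any definite answer shows the site is responsive again.
            st.consecutive_timeouts = 0
            st.suspended_until = 0.0
```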
