Email defences; additional DNS RBL


#33

Very odd: I removed a number of the entries in the blacklist folder and eventually, when I removed truncate.gbudb.net (rm) and then reran rblinfo, all the stats reappeared!

No idea why … I will add them back in with truncate.gbudb.net and see where we get to


#34

With all entries added back in, the returned list from rblinfo fills up correctly. But when I add truncate.gbudb.net again, the listing gets curtailed as before.

I will keep this entry off my list. Is there anything that may cause a problem with this particular url in the blacklists?

./rblinfo

17 rbl services configured (non-spamhaus might ‘tag’)
8 rbl services show log rejection messages

service sites rejections

zen.spamhaus.org 1 658
b.barracudacentral.org 1 14
all.s5h.net 1 9
dnsbl.sorbs.net 1 4
all.spamrats.com 1 2
ubl.unsubscore.com 1 2
dbl.spamhaus.org 1 1
multi.uribl.com 1 1
bl.mailspike.net 1 0
bl.spamcop.net 1 0
dnsbl.dronebl.org 1 0
dyna.spamrats.com 1 0
excommunicado.co.uk 1 0
hostkarma.junkemailfilter.com 1 0
noptr.spamrats.com 1 0
rhsbl.sorbs.net 1 0
spam.spamrats.com 1 0
TOTAL - 691

spamassassin 1 127
clamav 1 0
locally blacklisted sender - 0

v20180729 : ~0.85s


#35

I can’t think of anything that would explain it. I’ll PM to see if we can sort it…


#36

I’m not too bothered about using this particular one but thought you may want to know as yes something odd is going on :wink:

Thanks for your help so far. We’ve had an extra 33 emails blocked in a day thanks to the extra blacklists


#37

Sorry to dredge this up a few months later but I’m also getting this issue.

I implemented the spam solution above quite some time ago but only today added the rblinfo script. I also get the summary of which services are configured/have log entries, but no more than this.

I’m on Stretch. Did you discover anything more about why this might not be reporting?


#38

Oops, I’ve discovered that the blacklisting seems to occur in the exim4 mainlog and not the rejectlog. Is this to do with whether mail is tagged or outright rejected?

I’ve switched the log file to mainlog and am now getting the full report.


#39

Yes, ‘tag’ won’t reject and the rblinfo script only looks for rejections [ via logfiles=("/var/log/exim4/rejectlog*") ]. To date I’ve only manually scanned the main log to keep track of ‘tag’ hits and potential false positives when using new rbl services.

I didn’t manage to reproduce or understand @joolsr1’s ‘truncate’ issue but I’m guessing it’s not related.


#40

So if I switch to rejection, should I switch back to rejectlog? Or I guess (for a little extra overhead) I could use /var/log/exim/*log* ? :slight_smile:

Edit: Oh well that doesn’t quite work.


#41

As far as I can see, I don’t have any of my email accounts set to ‘tag’, they should all reject.

And in fact, in mainlog I get entries like ACL105076 H=------ IP address blacklisted at truncate.gbudb.net (127.0.0.2) - ------ set to reject

So why my log files aren’t the same I don’t know. Not that it matters if nothing seems to be broken.

I’m still getting a lot of spam and having to do local filtering as well, but that’s another issue and one I think I’ll just have to put up with for now. Your solution is definitely reducing the overall spam headache.


#42

@alphacabbage1
Hi Martin
Just a quick note. I need to whitelist a domain / IP where the mail filter is giving persistent false positives. Can this be done? Looking at your change log, you brought it in then stopped it again and mention that this is how it would be done. But it doesn’t make it clear if whitelisting is working now or not. Not a terrible problem as I can just remove that filter as it doesn’t stop much anyway, but good to know.


#43

Another mystery! Scanning the exim4 docs, rejections due to policy should always make it to log_file_path (rejectlog) unless write_rejectlog is set false – in which case the file would be empty.

Looking at the ACL, we know the warn verb has fired so I’m wondering if something could be clobbering the deny condition. I’ll start by comparing ‘main’ & ‘reject’ logs here in case something’s out of whack. It’ll be a while but I’ll post here if anything crops up.


#44

Hi

Sorry, if it wasn’t clear – whitelisting is still on the drawing board. I had a quick look at it (see the commented out !condition section) but didn’t implement. The current version is 20180723 but I’ll post here when there’s an update.


#45

Thanks for the quick update. At least I know :wink:


#46

@andymerrett

It’s working exactly as expected locally … switching rblinfo from rejectlog* to mainlog* doubles the number of reported hits for each non-spamhaus service.

mainlog contains entries for the ACL’s warn and deny verbs, e.g:

2019-01-24 12:19:42 ACL105076 H=(worldtraveler.com) [69.12.82.215] IP address blacklisted at all.bl.blocklist.de (127.0.0.9) - my-brilliant-site.example.com set to reject
2019-01-24 12:19:42 H=(worldtraveler.com) [69.12.82.215] F=briakinteerspanlop@sonic.com rejected RCPT jb@my-brilliant-site.example.com: 69.12.82.215 is blacklisted at all.bl.blocklist.de (127.0.0.9)

…and rejectlog repeats the second entry:

2019-01-24 12:19:42 H=(worldtraveler.com) [69.12.82.215] F=briakinteerspanlop@sonic.com rejected RCPT jb@my-brilliant-site.example.com: 69.12.82.215 is blacklisted at all.bl.blocklist.de (127.0.0.9)
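An added example, not the rblinfo script itself (which this thread does not reproduce) and not anything from Symbiosis: a small Python re-implementation of the counting logic that keeps the two kinds of entry above apart. It also covers the earlier point that ‘tag’ hits are logged by the ACL’s warn verb but never produce a "rejected RCPT" line, so they never reach rejectlog. The log lines are constructed to match the format quoted in this thread, using RFC 5737 documentation addresses and example.* hostnames rather than real hosts; the function names are my own.

```python
"""Count DNSBL hits per service from exim4 log lines, separating the ACL
'warn' entries ("... set to reject" / "... set to tag") from the 'deny'
entries ("rejected RCPT ..."), so that scanning mainlog instead of rejectlog
does not double-count each rejected connection."""
import re
from collections import Counter

# ACL warn-verb entry: written for every DNSBL hit, whatever the policy is.
WARN_RE = re.compile(
    r"ACL\d+ H=.*?\[(?P<ip>[^\]]+)\] IP address blacklisted at "
    r"(?P<rbl>\S+) \((?P<code>[^)]+)\) - \S+ set to (?P<action>reject|tag)"
)
# Deny-verb entry: written only when the recipient is actually refused; this is
# the line that is repeated in rejectlog (with exim's default write_rejectlog=true).
DENY_RE = re.compile(
    r"rejected RCPT \S+: (?P<ip>\S+) is blacklisted at (?P<rbl>\S+) \((?P<code>[^)]+)\)"
)

# Constructed sample lines modelled on the entries quoted above (not real traffic).
SAMPLE_MAINLOG = [
    "2019-01-24 12:19:42 ACL105076 H=(relay.example.com) [192.0.2.10] IP address blacklisted at all.bl.blocklist.de (127.0.0.9) - my-site.example.com set to reject",
    "2019-01-24 12:19:42 H=(relay.example.com) [192.0.2.10] F=sender@example.com rejected RCPT jb@my-site.example.com: 192.0.2.10 is blacklisted at all.bl.blocklist.de (127.0.0.9)",
    "2019-01-24 12:21:07 ACL105076 H=(mx.example.org) [198.51.100.7] IP address blacklisted at truncate.gbudb.net (127.0.0.2) - my-site.example.com set to tag",
    "2019-01-24 12:25:13 ACL105076 H=(mail.example.net) [203.0.113.5] IP address blacklisted at zen.spamhaus.org (127.0.0.4) - my-site.example.com set to reject",
    "2019-01-24 12:25:13 H=(mail.example.net) [203.0.113.5] F=bob@example.net rejected RCPT jb@my-site.example.com: 203.0.113.5 is blacklisted at zen.spamhaus.org (127.0.0.4)",
    "2019-01-24 12:30:00 1gmXyz-000123-AB <= alice@example.org H=mail.example.org [203.0.113.9] P=esmtps S=2048",
]
# Constructed rejectlog that (deliberately) lacks the zen.spamhaus.org deny line,
# to show how a mainlog/rejectlog mismatch would surface.
SAMPLE_REJECTLOG = [SAMPLE_MAINLOG[1]]


def classify(line):
    """Return ('warn'|'deny', rbl, ip, action) for a DNSBL log line, else None."""
    m = WARN_RE.search(line)
    if m:
        return ("warn", m.group("rbl"), m.group("ip"), m.group("action"))
    m = DENY_RE.search(line)
    if m:
        return ("deny", m.group("rbl"), m.group("ip"), "reject")
    return None


def summarise(lines):
    """Per-service tallies: 'rejections' (deny lines only, i.e. what rejectlog holds),
    'tags' (warn lines with 'set to tag'), and 'naive' (every matching line, which is
    what doubles for each rejecting service when mainlog is scanned)."""
    rejections, tags, naive = Counter(), Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, rbl, _ip, action = hit
        naive[rbl] += 1
        if kind == "deny":
            rejections[rbl] += 1
        elif action == "tag":
            tags[rbl] += 1
    return {"rejections": rejections, "tags": tags, "naive": naive}


def deny_lines_missing_from_rejectlog(mainlog_lines, rejectlog_lines):
    """Deny entries present in mainlog but absent from rejectlog. With exim's
    default logging this list should be empty, so anything here is worth a look."""
    rejected = set()
    for line in rejectlog_lines:
        hit = classify(line)
        if hit is not None and hit[0] == "deny":
            rejected.add(line.strip())
    missing = []
    for line in mainlog_lines:
        hit = classify(line)
        if hit is not None and hit[0] == "deny" and line.strip() not in rejected:
            missing.append(line.strip())
    return missing


if __name__ == "__main__":
    s = summarise(SAMPLE_MAINLOG)
    for rbl in sorted(s["naive"]):
        print(f"{rbl:24} rejections={s['rejections'][rbl]} tags={s['tags'][rbl]} naive={s['naive'][rbl]}")
    print("deny lines missing from rejectlog:")
    for line in deny_lines_missing_from_rejectlog(SAMPLE_MAINLOG, SAMPLE_REJECTLOG):
        print("  " + line)
```

On the sample data the naive count is 2 for each rejecting service and 1 for the tag-only truncate.gbudb.net, while the rejections count is 1 and 0 respectively; pointing the two lists at real mainlog/rejectlog files (one line per element) gives the per-service comparison discussed in the posts above.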


#47

Still not sure what’s going on, then.

Having mainlog on mine, it can’t be doubling up hits as I have odd-numbered reject counts for some services.

As it is, it does seem to be doing a good job at least. I switched off nearly all of my local spam-catching rules a few days ago and I’ve not had any spam come through at all (and still getting legitimate email). So although I’ve had this implemented for some time, it does seem as if one or more services have upped their game, in what they’re catching.


#48

As an aside, I’m a bit confused as to how a blacklist may be working.

A friend tried to send an email to me and they said it bounced. When I looked in my logs, it had indeed been rejected. The reason was a blacklist of an IPv6 address representing the mail server of the machine they’re on (a Bytemark one also, as it happens).

The blacklist service is s5h.net, yet when I run blacklist testing across the domain name of their email address, the mail server name, and the mail server IP (which is what was matched), all say there are no problems. This is within an hour of the issue being reported.

Why might this be?


#49

This may be incorrect advice, because I’ve not been following this topic too closely. BUT I would suspect that whitelisting the domain and ip in the standard Symbiosis way will work for you because the DNSBL tests are not applied to whitelisted sites - the white listed sites are accepted before the DNSBL tests are made.


#50

Lots of possibilities. :wink: all.s5h.net delisting is “instant” so maybe the site owner took action – or the report was manually acted on. Can you share the IP address (ideally, IPv6 & 4) via PM or here?


#51

Could you PM /etc/exim4/exim4.conf in case something has gone ‘non-standard’?


#52

I administer the backend stuff for the system in question, and I certainly didn’t do anything, although I know they’ve all had problems with outgoing messages being marked as spam for some time.

Makes me wonder if there’s something rogue going on one of their domains (they have WordPress on one of them, for example), possibly tripping filters every now and again.

