Email defences; additional DNS RBL


#41

As far as I can see, I don’t have any of my email accounts set to ‘tag’, they should all reject.

And in fact, in mainlog I get entries like ACL105076 H=------ IP address blacklisted at truncate.gbudb.net (127.0.0.2) - ------ set to reject

So why my log files aren’t the same I don’t know. Not that it matters if nothing seems to be broken.

I’m still getting a lot of spam and having to do local filtering as well, but that’s another issue and one I think I’ll just have to put up with for now. Your solution is definitely reducing the overall spam headache.


#42

@alphacabbage1
Hi Martin
Just a quick note. I need to whitelist a domain / IP where the mail filter is giving persistent false positives. Can this be done? Looking at your change log, you brought it in then stopped it again and mention that this is how it would be done. But it doesn’t make it clear if whitelisting is working now or not. Not a terrible problem as I can just remove that filter as it doesn’t stop much anyway but good to know


#43

Another mystery! Scanning the exim4 docs, rejections due to policy should always make it to log_file_path (rejectlog) unless write_rejectlog is set false – in which case the file would be empty.

Looking at the ACL, we know the warn verb has fired so I’m wondering if something could be clobbering the deny condition. I’ll start by comparing ‘main’ & ‘reject’ logs here in case something’s out of whack. It’ll be a while but I’ll post here if anything crops up.


#44

Hi

Sorry, if it wasn’t clear – whitelisting is still on the drawing board. I had a quick look at it (see the commented out !condition section) but didn’t implement. The current version is 20180723 but I’ll post here when there’s an update.


#45

Thanks for the quick update. At least I know :wink:


#46

@andymerrett

It’s working exactly as expected locally … switching rblinfo from rejectlog* to mainlog* doubles the number of reported hits for each non-spamhaus service.

mainlog contains entries for the ACL’s warn and deny verbs, e.g:

2019-01-24 12:19:42 ACL105076 H=(worldtraveler.com) [69.12.82.215] IP address blacklisted at all.bl.blocklist.de (127.0.0.9) - my-brilliant-site.example.com set to reject
2019-01-24 12:19:42 H=(worldtraveler.com) [69.12.82.215] F=briakinteerspanlop@sonic.com rejected RCPT jb@my-brilliant-site.example.com: 69.12.82.215 is blacklisted at all.bl.blocklist.de (127.0.0.9)

…and rejectlog repeats the second entry:

2019-01-24 12:19:42 H=(worldtraveler.com) [69.12.82.215] F=briakinteerspanlop@sonic.com rejected RCPT jb@my-brilliant-site.example.com: 69.12.82.215 is blacklisted at all.bl.blocklist.de (127.0.0.9)
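The doubling described in this post (mainlog carries both the ACL's warn entry and the deny entry, rejectlog only the deny) is easy to show with a small parser. The script below is an added example, not the thread's rblinfo script nor anything from Symbiosis or Exim; the log lines are constructed to match the format quoted above (the 192.0.2.x and 198.51.100.x hosts are made up), and the third client is a deliberately constructed case where the warn line has no matching "rejected RCPT" line, which is the sort of discrepancy the earlier posts are puzzling over.

```python
import re
from collections import Counter

# Constructed sample in the Exim mainlog format quoted in the thread.
# The first two clients have a warn line plus a deny line each; the third
# client has a warn line only, so it shows up as an "unmatched warn".
MAINLOG = """\
2019-01-24 12:19:42 ACL105076 H=(worldtraveler.com) [69.12.82.215] IP address blacklisted at all.bl.blocklist.de (127.0.0.9) - my-brilliant-site.example.com set to reject
2019-01-24 12:19:42 H=(worldtraveler.com) [69.12.82.215] F=briakinteerspanlop@sonic.com rejected RCPT jb@my-brilliant-site.example.com: 69.12.82.215 is blacklisted at all.bl.blocklist.de (127.0.0.9)
2019-01-24 12:20:05 ACL105076 H=(mail.example.net) [192.0.2.10] IP address blacklisted at truncate.gbudb.net (127.0.0.2) - my-brilliant-site.example.com set to reject
2019-01-24 12:20:05 H=(mail.example.net) [192.0.2.10] F=someone@example.net rejected RCPT jb@my-brilliant-site.example.com: 192.0.2.10 is blacklisted at truncate.gbudb.net (127.0.0.2)
2019-01-24 12:21:00 ACL105076 H=(relay.example.org) [198.51.100.7] IP address blacklisted at all.bl.blocklist.de (127.0.0.9) - my-brilliant-site.example.com set to reject
"""

# Both the warn and the deny entry carry "blacklisted at <zone> (<return code>)".
HIT_RE = re.compile(r"blacklisted at (?P<service>\S+) \((?P<code>127\.\d+\.\d+\.\d+)\)")
# The connecting client's address appears in square brackets after H=.
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_hits(log_text):
    """Yield (service, return_code, client_ip, is_rejection) for every DNSBL hit line.

    is_rejection is True for the deny verb's "rejected RCPT" entry (the one that
    is also written to rejectlog) and False for the warn verb's entry.
    """
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue
        ipm = IP_RE.search(line)
        yield (m["service"], m["code"], ipm["ip"] if ipm else None,
               "rejected RCPT" in line)


def count_hits(log_text, rejections_only=False):
    """Hits per DNSBL zone. With rejections_only=False every hit line counts,
    which is what doubles the numbers when rblinfo is pointed at mainlog."""
    counts = Counter()
    for service, _code, _ip, is_rej in parse_hits(log_text):
        if rejections_only and not is_rej:
            continue
        counts[service] += 1
    return dict(counts)


def unmatched_warns(log_text):
    """(client_ip, service) pairs where the warn fired but no rejection was logged.

    A non-empty result is the first place to look when reject counts come out
    odd, or when rejectlog stays empty while mainlog shows hits."""
    warns, rejects = set(), set()
    for service, _code, ip, is_rej in parse_hits(log_text):
        (rejects if is_rej else warns).add((ip, service))
    return sorted(warns - rejects)


if __name__ == "__main__":
    print("all hit lines:      ", count_hits(MAINLOG))
    print("rejections only:    ", count_hits(MAINLOG, rejections_only=True))
    print("warn without reject:", unmatched_warns(MAINLOG))
```

Counting only the "rejected RCPT" lines gives the same figures whichever log file is read, so that is the count to compare between mainlog and rejectlog; the unmatched list is the diagnostic for a warn that did not lead to a deny.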


#47

Still not sure what’s going on, then.

Having mainlog on mine, it can’t be doubling up hits as I have odd-numbered reject counts for some services.

As it is, it does seem to be doing a good job at least. I switched off nearly all of my local spam-catching rules a few days ago and I’ve not had any spam come through at all (and still getting legitimate email). So although I’ve had this implemented for some time, it does seem as if one or more services have upped their game, in what they’re catching.


#48

As an aside, I’m a bit confused as to how a blacklist may be working.

A friend tried to send an email to me and they said it bounced. When I looked in my logs, it had indeed been rejected. The reason was a blacklist of an IPv6 address representing the mail server of the machine they’re on (a Bytemark one also, as it happens).

The blacklist service is s5h.net, yet when I run blacklist testing across the domain name of their email address, the mail server name, and the mail server IP (which is what was matched), all say there are no problems. This is within an hour of the issue being reported.

Why might this be?


#49

This may be incorrect advice, because I’ve not been following this topic too closely. BUT I would suspect that whitelisting the domain and IP in the standard Symbiosis way will work for you because the DNSBL tests are not applied to whitelisted sites - the whitelisted sites are accepted before the DNSBL tests are made.


#50

Lots of possibilities. :wink: all.s5h.net delisting is “instant” so maybe the site owner took action – or the report was manually acted on. Can you share the IP address (ideally, IPv6 & IPv4) via PM or here?


#51

Could you PM /etc/exim4/exim4.conf in case something has gone ‘non-standard’?


#52

I administer the backend stuff for the system in question, and I certainly didn’t do anything, although I know they’ve all had problems with outgoing messages being marked as spam for some time.

Makes me wonder if there’s something rogue going on one of their domains (they have WordPress on one of them, for example), possibly tripping filters every now and again.

