Exim4 blacklists seemingly not working [Resolved]


#1

I have spent a fair bit of time in these here forums following the alphacabbage and his seemingly extraordinary knowledge of exim4, and eventually decided to try out this old blacklisting thing to try and quell the spam flow as much as I can.

So I created and edited the file /etc/exim4/blacklist/by_hostname and then after waiting a while and not seeing any effect, attempted a service exim4 reload, but still no dice. :frowning:

Am I doing something wrong? Perhaps there is a symbiosis-based config location that I’m not seeing.

Thanks in advance


#2

Just to advise, I have had a small blacklist setup for over 24 hours and a couple of known bad hostnames still came through, this morning I reloaded the exim4 service as stated above, and added a few more hostnames.

I have tried zgrep ‘>: Sender locally blacklisted’ /var/log/exim4/rejectlog* but I get no results. Looking through manually, I have not yet seen a single rejection for the hostnames in my blacklist (but I have seen receipts/delivered).


#3

Hi @flippantorange

I’m no expert in exim – it’s just something I’ve been forced to bumble around in after I didn’t get any answers here. :wink:

This is for /etc/exim4/blacklist/by_sender not /etc/exim4/blacklist/by_hostname (logged as “Hostname locally blacklisted”). The latter is based on the reverse dns lookup of the connecting ip address. Perhaps your rogues can be blocked on the sender address:

# /etc/exim4/blacklist/by_sender
*@example.com
spam@example.net

If not, the contents of the blacklist files and log extracts showing unexpected behaviour would be useful. Off-list is fine.


#4

Thanks for that, you have more knowledge than I in the matter, obviously spent a fair bit more time playing with it (I’ve avoided anything to do with email servers for what feels like ever).

Funnily enough, the rDNS is the stuff I’m delving into at the moment, owing to issues with my internal DNS server (unrelated to this topic, other than rDNS).

Having been fighting this other issue, and your mention of it, I have come to the conclusion that relying on rDNS is likely not the best option out there. I will give this /etc/exim4/blacklist/by_sender a whirl.

I did try a grep for ‘Hostname locally blacklisted’ before deciding all of the above, and no results were found either. I’ll be back to report on success/failure of the changes.


#5

I fell over this one. I think that the ‘problem’ is one of expectations. Exim is looking for the domain in the envelope sender and not the ‘From’ part of the message. Check the log lines for sites you expected to be blacklisted.
Does this make sense as a solution?


#6

I have been using both tbh, I started with the envelope sender domain when trying to blacklist by_hostname, and am only now using the From: field for the /etc/exim4/blacklist/by_sender file.

I’m still reviewing the logs, but it takes a bit of time as some of the spammers aren’t as frequent as I would hope during these trying, testing, times. :smiley:


#7

by_sender only works with the smtp reverse-path, not the From: header which can contain any old junk. I’m sure you’ll get results using the envelope sender in the by_sender blacklist.


#8

Oh I see… You may be able to tell that this is all very new and baffling to me. Will have to recheck my blacklist, thank you.


#9

First positive result get! by_sender working as expected, thank you all for your helpings.


#10

Quick addition.

After playing about for a while, and waiting patiently for the spammers to try again, I noticed that some spams still get thru even though logically they shouldn’t if the following worked.

*@*.domain.com

Turns out, from my tests, that it won’t pick up the subdomain(s), and they have to be specifically listed. Unless I’m being daft in some way.


#11

It’s not worrying about the sender, the file should be

*.domain.com

It should accept anything before the text part, so it will pick up bad.domain.com for example.

Take a look at the Exim ‘File and database lookups’ page and look for nwildlsearch which is the lookup used for the by_sender file.


#12

From a literal reading of the exim docs I suspect it’s exim being fussy. There are two forms of wildcard:

  1. Simple: the entry starts “*” and anything following must match so I’m guessing that the second “*” in your example will be treated literally.
  2. Regex: for anything non-simple (e.g., “*@*”), this kicks off with “^”.
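As an added illustration (not from any poster in this thread), here is a small Python model of the nwildlsearch entry types described in #11 and #12, run over a constructed by_sender file and constructed envelope senders. It is a simplification of the rules in the Exim lookups chapter, not Exim's code, and it assumes both the full envelope address and its domain part are looked up.

```python
import re
from typing import Optional

def nwildlsearch_match(entry: str, key: str) -> bool:
    """Match one nwildlsearch-style entry against one key.

    Simplified model of the documented rules (assumption, not Exim code):
      '^...'  regular expression applied to the key
      '*...'  the remainder must match the END of the key; the leading
              '*' is the only wildcard, any later '*' is taken literally
      other   exact, case-insensitive comparison
    """
    if entry.startswith("^"):
        return re.search(entry, key, re.IGNORECASE) is not None
    if entry.startswith("*"):
        return key.lower().endswith(entry[1:].lower())
    return entry.lower() == key.lower()

def blacklisted(entries, sender: str) -> Optional[str]:
    """Return the first entry that hits the envelope sender or its domain."""
    domain = sender.rsplit("@", 1)[-1]
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        if nwildlsearch_match(entry, sender) or nwildlsearch_match(entry, domain):
            return entry
    return None

# Constructed sample by_sender file: one entry of each kind discussed above.
BY_SENDER = """
# constructed example entries
*@example.com
spam@example.net
*@*.domain.com
^.*@sut\\d\\.co\\.uk$
""".splitlines()

def demo() -> dict:
    """Constructed envelope senders mapped to the entry that caught them."""
    senders = ["bob@example.com", "SPAM@example.net", "bob@bad.domain.com",
               "news@sut3.co.uk", "news@sut12.co.uk"]
    return {s: blacklisted(BY_SENDER, s) for s in senders}
```

Running `demo()` shows that `*@*.domain.com` never catches `bob@bad.domain.com` (the second `*` is literal), whereas an entry of `*.domain.com` would, and that `\d` in the regex matches exactly one digit.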

#13

Ah ha, another one of my bugbears, regular expressions.

I was certain there would be a very good reason for it, but after spending a little time digging around it all got a little overwhelming.

Also the Exim File & db lookups page was very in-depth too, also quite baffling, but I got a better idea of how it works.

In positive news, based upon the changes I applied my spam bin had only around 50 today, whereas it was over 400 yesterday, prior to any blacklisting.

Thank you all. :slight_smile:


#14

I find the exim docs tight and often intense. Still, it’s useful – if I’m found lying on the floor I only need to say “exim”.


#15

I’ve been rummaging around the forums looking for an answer to something related to the firewall blacklists, and that is IPv6 addresses.

I have made the assumption that I can just touch a file into /etc/symbiosis/firewall/blacklist.d/ using the IPv6 address as the filename, no different from IPv4 addresses.

The above is kind of unrelated to this thread, although below it isn’t.

One thing I have noticed from my tests, is that sender locally blacklisted sends an email out to the failed sender, with a Subject of “Mail Delivery Failed”, so at least it isn’t bouncing with dirty, perverted subjects.

I have attempted my first regular expression based rule in by_sender, I think this should work, just awaiting another spam from them.

\N^*@sut\d{1}\.co\.uk$\N

Should catch sut1. co .uk, sut2. co .uk all the way up to sut9, unless I don’t need the \Ns


#16

It should work but it’s masked to /64 – I’m not sure of the syntax but I’d try something like:
2001:dead:beef::|64

That’s fully out of whack. The blacklist should be consulted during the initial negotiation and result in a protocol rejection before you’ve even seen the message. (The sending mailserver will then probably report the failed delivery to the sender).


#17

This is what the automatic system based on patterns does for files in the blacklist directory. It stores the top part of the IPv6, and replaces / by | because / is inconvenient in filenames. For exim, you need to single quote IPv6 addresses in files, because the : character is inconvenient for Exim: it’s a separator.


#18

Not entirely sure what you mean here, the Failed Message bounce is correct, no? I do know that any sender that is hitting my firewall blocks won’t get a reply, but it is somewhat strange that the exim4 is rejecting receipt and sending it back. I would prefer it’s completely ignored, but that leads me down the roundcube filter path…

Edit: I’m wondering whether your “out of whack” statement is related to all my DKIM stuff? If so, then it’s unrelated as I haven’t setup all that on any vhost but my test vhost. If it isn’t, then I’m still baffled. :smiley:

IPv6 firewall rules updated, tyvm @hillside and @alphacabbage1


#19

Not if the message is being sent by you (exim).

I might be misreading but you seemed to be saying that a hit in /etc/exim4/blacklist/by_sender results in exim sending a Failed Delivery Notification – an email message – to the blocked sender.

Exim should say “go away” during the initial part of the smtp transaction (“550 Your email address or domain is locally blacklisted.”), log the incident and no more. The mailserver that’s been told to go away would usually issue a Failed Delivery Notification to its sender, quoting the 5xx error and part of the message it tried to send.

If Exim is sending a message as a result of the rejection then something is wrong.


#20

Ahhhh we are both confused, well, maybe I’m confused. But I get what you’re saying now, I just never understood how it arrived.

Basically, I saw the log message rejected receipt for each of the blocked senders, and thought to myself, “does this send a message back?”. So I added my gmail to the by_sender file, then sent an email to the server.

The server rejected the message in the way it rejected other messages, but then in gmail I saw the Mail Delivery Failed, so my immediate thought was, “Yes, it does send a reply.” without thinking any deeper on the matter, although I did look at the source and I thought it looked a bit odd, but paid no mind to it.

So you are correct, it doesn’t send replies to blacklisted senders, it’s just me playing too fast and loose.