IRC Archive / Freenode / #exim / 2010 / March / 2 / 1
CunningPike
OK - so what I concocted didn't get tagged - you should find out how your MTA is dealing with spam, though and see if it rejects or bounces
amouge
CunningPike: lemme see if I got this right..
the problem seems to be that when spam comes in to the server, it is bouncing it back to the "sender", making it look like my server is actually sending the original spam, causing me to be blacklisted?
cannonball
I am writing an ACL to do sender reputation tracking. It uses pygossip and exim's readsocket to communicate with it, and it works pretty well except for one issue that I'm having with defining a sub-acl.
My ACL will return an accept or defer after the rcpt to (when it looks up the reputation of the sender). It does the lookup and comes up with an answer, no problem so far.
However, the part that is throwing me is the logic of using a sub-acl. In my exim.conf, I call it like so:
warn acl = acl_check_pygossip
However, per the docs, if the sub-acl returns a defer, the warn statement really just converts it to a false, and it keeps processing past that ACL. What I need it to do is continue past the acl = acl_check_pygossip on accept, but defer it if it returns defer.
I can't quite wrap my head around the logic required to do this. Any bright ideas?
CunningPike
amouge: Yes - if you accept the message and then generate a bounce when it fails spam filtering, you are more than likely causing backscatter
cannonball
Hmmm, require seems to do what I want....haven't had to use that, now experimenting.
amouge
CunningPike: seems that I may have found the problem
CunningPike
amouge: Do tell
amouge
there is a setting in exim under cpanel to "bounce spam messages with a spam rating over 20" and the description was something like "bounce instead of send SMTP time"
now that I disabled it, the option is no longer available.. because it changed to "reject spam emails with a score over 20" which I believe is what should be the right option
SpamAssassinTM: Reject mail with a spam score greater than 20 at SMTP time.
now another thing I noticed is the option to run a second copy of exim on another port, I used iptables to forward port 587 for a client that has 25 blocked from their ISP.. that shouldn't cause any problems should it?
Simon-
you can have exim listen on multiple ports
amouge
yea, I'm over all that.. I'm fuming at backscatterer.org, total BS service
CunningPike
amouge: How is it BS?
Unless BS is short for backscatter
ksnp
i am trying to block junk mail at some unwanted times any suggestions ?
m2acis
join #solaris
cannonball
What's the best way to extract the domain from the right hand side of an email address ($sender_address_domain)? For example, one email has $sender_address_domain value of l7amgiu0x58t675s.h21yps21ls771iug.qilcxy.bounce.salesforce.com. Obviously I only want "salesforce.com" or "bounce.salesforce.com", but I need to have some logical method of extracting that, can't just blindly assume everything after second to last dot, for example.
Any ideas?
henk
the part after the last dot and the part not containing a dot before the last dot
should be no problem with a regex...
cannonball
Well, it gets complicated because we have a lot of users who receive email from user@yahoo.com.tw or domain.co.uk. So I can't do it based on "after the second to last period". Ok, do it after the third? Well now I get stuff like fios.verizon.com. I guess that's _better_, but it is still not 100% perfect.
For now I'll stick to everything after the last dot.
errr, third to last dot.
henk
which should always return domain.tld
uhm, no... third to last? so subdomain.domain.tld?
cannonball
Ultimately I want the lowest valid domain. For example, user@yahoo.com.tw, if I do after the second to last dot, I come up with a (non-valid) domain of com.tw. I need the yahoo part too.
Simon-
you need a list of all the tlds/slds
and then there's things like blah.k12.ca.us etc.
cannonball
yeah, exactly. I was hoping for a simple macro within exim to figure that out. But nothing is jumping out at me.
For the short term everything after the third dot works. (Fallback if there is not three dots is the original value).
henk
why do you need the domain?
cannonball
I'm building a sender reputation system using pygossip and I'm designing and fine tuning the exim side that communicates with the pygossip server. I want to associate the smallest valid domain with a piece of email.
Simon-
you're going to fail because you can't verify the sender is who they say they are
cannonball
This SRS isn't the only part of the system, I rely on other things as well to catch that.
henk
i'd just use the last three parts of the domain... in some cases that is what you want (yahoo.com.tw), in others i'd consider it a feature (dyn-ip.provider.net and static-ip.provider.net vs provider.net), in some cases it does not matter at all (instead of company.com you will have mail.company.com) and i can't think of other cases, so i guess that will only be a few anyway...
f00bar80
from exim_mainlog, how do I know which user is considered a spammer in a report from my DC?
i checked the mainlog, but i'm a bit confused
ppl any comment ?
cannonball
from your domain controller?
f00bar80
cannonball, what do you mean by domain controller?
cannonball
You said "in a report from my DC"
f00bar80
cannonball, yea
cannonball, data center
cannonball, any comment ?
cannonball
Oh, ok. Every 4 hours I run this: /usr/sbin/eximstats -h1 -html=/var/www/html/exim/eximstats.html /var/log/exim/main.log In that html page it shows the top 50 local senders. But if you're using virtusers, that won't show which user it is.
Gives slightly more relevant stats: /usr/sbin/eximstats -byemaildomain -h1 -html=/var/www/html/exim/eximstats_domain.html /var/log/exim/main.log
-byemail may also give you more detail.
If they're using smtp auth, then the basic report will give you what you want because it gives you the top 50 relayed hosts.
f00bar80
cannonball, this is the report i got from my data center http://pastebin.com/hwpANByT
cannonball
the most important line is line 38 in your paste. That id is the queue id that exim assigns to it. So find that message in your mail log with 'exigrep 1NbyiY-0002oT-BX /var/log/exim/main.log'
juiceman5000
how would i set up a pipe for dude@email.com to pipe to /dev/null ?
ergh ignore that. i found it derp derp derp
f00bar80
cannonball, that's what i got http://pastebin.com/5sR8UfZb
cannonball
User is shown by this line: U=stremhome
A real user named stremhome on your machine generated that message. Now whether it's a CGI that's getting hijacked or someone actually logging into your box, you'll have to figure that out, but it's very definitely coming from that account.
f00bar80
cannonball, so it's not saveongoods@aol.com ?
cannonball
No, that's who you sent the email to.
In the logfile, if it has <=, that means that is who the email is from. => means it was to that recipient. You sent that email to 5 email addresses and one pipe.
more correct, "that user sent that email to..."
f00bar80
cannonball, then what about the "Received: from mtain-md11.r1000.mx.aol.com (mtain-md11.r1000.mx.aol.com [172.29.96.95]) by air-db07.mail.aol.com" in the previous paste, the DC report http://pastebin.com/hwpANByT ?
cannonball
That's just internal mail routing within AOL.
f00bar80
cannonball, then how is this related to the user?
cannonball
Whatever user has their website being hosted in /home/stremhome/www is the user who is sending the email to AOL that got submitted as spam. Talk to that user.
f00bar80
cannonball, and also, how do I know the source of this spam from this error?
cannonball
That I can't tell you. You need to get ahold of your customer who is using the account named stremhome.
f00bar80
cannonball, and do what to him ?
cannonball, nothing there shows that there's a script used to send this spam?
cannonball
Ask him to remove that user from being sent emails. That's my best guess. You know your business better than I do, so I'm just guessing what you need to do.
Simon-
cannonball: read the original paste again...
cannonball: it looks like that's the hosting provider itself
although that domain doesn't exist...
cannonball
Simon-: If I'm understanding f00bar80 correctly, *HE* is the hosting provider, and one of his users with a local account stremhome sent an email to an aol address. That email said that the domain (presumably owned by the AOL account holder) was about to expire.
Simon-
cannonball: the headers and logs claim that the server itself is server5.stremhome.com
cannonball
the only question f00bar80 needs to figure out is if that was a valid email, or if that account got hacked. It sounds like he's using CPanel to me.
Simon-
the domain stremhome.com doesn't even exist
and AOL has mangled the source IP...