Navigation

Morons · #1 23rd August 2010, 17:50

Quote:

Caution: Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for anything other than checking IP addresses that hand off to your mailservers.

Due to this I have LOST millions of mail incomming to "Legal" mail accounts and also lost many customers due to mail never reaching the destination, In My country We do not have any fixed IP numbers 90% is Dynamic and therefore all my valid mail end up in /dev/null

I am SCREEMING mad about this as I did not chose to have this included as it only started to become a problem during the last 2 updates of ISPC2. I guess I have to make some amends to my ISPC3 server also!

Please alow Us to chose the RBL defaults!

Morons · #2 24th August 2010, 08:22

Sorry for this Posting Above, Frustration and anger boiled up to high.
I realise ISPC is not at fault, but rather spammers, and my own knowledge of how it works and how the spamassassin changed over time

This is the correct version of the issue

Some countries have 90% dynamic IP's and only a handful fixed IP's that is used for DNS servers and large Corporate!

Smaller organisations have to use dynamic IP's and DDNS technology to get the work done.

Spamhaus and other list all dynamic MX servers as unwanted by default and does not include specific IP 's in the databases, If I then accept legal Mail to such an MX then my own server dump the incomming legal non-spam mail into /dev/null and is lost
Outgoing mail is always as in the past forwarded to relayhost on an fixed IP and therefore it is ok.

I will have to include into my /etc/postfix/main.cf some URBI/RBL's etc but I need a good list that exclude those blocking Dynamic IP's

So again Accept my appologies for the rude post - Thanx you

till · #3 24th August 2010, 09:06

You might want to take a look at the nixspam URIBL:

http://www.heise.de/ix/NiX-Spam-DNSB...ad-499637.html

Just a general note: In germany, almost all end user internet access accounts have dynamic IP addresses but this does not matter for blacklists on mailservers, as every end user and company with own local mailserver normally relays trough the mail server of its ISP which has a fixed IP address. Emails sent trough a dynamic IP address are about 99.x% spam and you will not be able to send to a hotmail, gmail, yahoo, ... account from a dynamic IP anyway. So are you really sure that the dynamic IP URIBL is the source of your problem? Almost all mail servers worldwide have a dynamic IP address filter enabled and thats why it is the default of spamassassin too.

If your server has delted some non spam mails, you should check if the spam score is not set too low for these accounts. It might be that the spamassassin scores are more accurate, means higher, in latest spamassassin versions. A safe score should be about 4 - 5.

Mark_NL · #4 24th August 2010, 09:18

Millions of mails, from dynamic ip's? I'd rather not have those ..

only a few might have been valid, but the other 999.990 probably are all spam ..

And i don't think it's your problem, but more or less the problem of the system admin that runs the small companies network. He should be aware of the drawbacks of running mailservers on a dynamic ip, and rather should've used google's MX servers (to just name an example) to send out mail ..

Only one to blame here is the small companies that don't spend enough time in the technology they're using. And ehm, sorry to say sir, but that would be you ..

It sucks i know

soooo .. i'd suggest you start using google's MX servers, or your ISP's mx servers for your mail.

Morons · #5 24th August 2010, 12:45

Quote:

Originally Posted by till

You might want to take a look at the nixspam URIBL:

..................... <Sniped>

I will explain by means of the Spamassasin report

The RCVD_IN_PBL is the problem because my customers come in via routers with port forward and the outside address is dynamic. This cause the mail from those addresses - even from people authenticating to send from server 1 to another server 2 inside the same network. The routers differ in that some routers do not route internal addresses properly and those that does cause the issue.

How it is is that some routers dont route your outside ip through the nat proper for example. If you have ip block 192.168.10.0/24 inside and dynamic outside and from the inside do an dns lookup and you get the outside IP, the router will not NAT you proper from the routers LAN ports through the natted inside, however some routers does that properly. If its done correct all internal mail will be stamped with the outside dynamic IP and therefore be seen as SPAM as per spamhaus.org/PBL.

Code:

Spam detection software, running on the system "hera.domain.tld", has identified this incoming email as possible spam.  The original message has been attached to this so you can view it (if it isn't spam) or label similar future email.  If you have any questions, see jpb@domain.tld for details.

Content preview:  From: Person 1 [mailto:jpb@domain1.tld] Sent: 23 August
   2010 12:25 To: 'Person 2' Subject: FW: Urgent - Email Addresses Importance:
   High From: Original Person [mailto:marius@domain3.tld] Sent: 23 August
   2010 12:24 To: 'Person 2' Cc: jpb@domain1.tld.za Subject: FW: Urgent -
   Email Addresses Importance: High [...] 

Content analysis details:   (7.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [DynamicIP Numerals here listed in dnsbl.sorbs.net]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
                           [DynamicIP Numerals here listed in bl.score.senderscore.com]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [DynamicIP Numerals here listed in zen.spamhaus.org]
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 1.8 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam.  If you wish to view it, it may be safer to save it to a file and open it with an editor.

Maybe i'm wrong - I happen to change my routers from d-link that DONT route proper to edimax that does!

Morons · #6 24th August 2010, 12:56

Quote:

Originally Posted by Mark_NL

Millions of mails, from dynamic ip's? I'd rather not have those ..

only a few might have been valid, but the other 999.990 probably are all spam ..

And i don't think it's your problem, but more or less the problem of the system admin that runs the small companies network. He should be aware of the drawbacks of running mailservers on a dynamic ip, and rather should've used google's MX servers (to just name an example) to send out mail ..

Only one to blame here is the small companies that don't spend enough time in the technology they're using. And ehm, sorry to say sir, but that would be you ..

It sucks i know

soooo .. i'd suggest you start using google's MX servers, or your ISP's mx servers for your mail.

The problem is not sending, that is why it took me so long to debug this, I do use upstream smtp it is the mail incomming from my own internal servers which have dynamic IP's and spamassasin does an lookup - ask spamhouse then fail it.

What I have done is changed spamassasin in
/home/admispconfig/ispconfig/tools/spamassassin/etc/mail/spamassassin/local.cf
and added

Code:

skip_rbl_checks 1

I will dig deeper and maybe have to modify the spamassasin lookup - Just a lot of modifications each time I upgrade ISPC!

My modifications done to ISPC includes already clamdscan vs clamscan. If Till can make clamdscan an option along with allow changes to the URIBL such as include and exclude providers it will be awesome.