Koozali.org: home of the SME Server

Blocking spamming servers

arnie25
Blocking spamming servers
« on: July 26, 2006, 12:45:52 PM »
How can I block a mail server which is acting as a mail relay server?
I have set up SpamAssassin with Custom spam tagging and a rejection level of 5, but lots of spam, especially from the server 194.176.45.1 / smtp01-neptunas.omnitel.net, is passing through to mail accounts.
In the previous SME6 version I used the badhelo template to block particular spam servers which are not yet listed in RBLs.
Is there anything I could use in SME7 that could help block that mail relay server?

[root@webas ~]# config show qpsmtpd
qpsmtpd=service
    Bcc=disabled
    BccUser=maillog
    DNSBL=enabled
    LogLevel=8
    MaxScannerSize=25000000
    RBLList=sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,dnsbl.sorbs.net,relays.ordb.org,bl.spamcop.net,dynablock.njabl.org
    RHSBL=disabled
    RequireResolvableFromHost=no
    SBLList=dsn.rfc-ignorant.org
    access=public
    status=enabled


Quote

2006-07-26 09:23:07.896907500 4178 Accepted connection 0/40 from 194.176.45.1 / smtp01-neptunas.omnitel.net
2006-07-26 09:23:07.896913500 4178 Connection from smtp01-neptunas.omnitel.net [194.176.45.1]
2006-07-26 09:23:07.899753500 4178 running plugin (connect): check_earlytalker
2006-07-26 09:23:08.901795500 4178 check_earlytalker plugin: remote host said nothing spontaneous, proceeding
2006-07-26 09:23:08.901800500 4178 Plugin check_earlytalker, hook connect returned DECLINED,
2006-07-26 09:23:08.901803500 4178 running plugin (connect): check_relay
2006-07-26 09:23:08.901806500 4178 trying to get config for relayclients
2006-07-26 09:23:08.914699500 4178 trying to get config for morerelayclients
2006-07-26 09:23:08.915812500 4178 Plugin check_relay, hook connect returned DECLINED,
2006-07-26 09:23:08.916512500 4178 running plugin (connect): check_norelay
2006-07-26 09:23:08.917262500 4178 trying to get config for norelayclients
2006-07-26 09:23:08.920105500 4178 Plugin check_norelay, hook connect returned DECLINED,
2006-07-26 09:23:08.920693500 4178 running plugin (connect): dnsbl
2006-07-26 09:23:08.921760500 4178 dnsbl plugin: RBLSMTPD not set for 194.176.45.1
2006-07-26 09:23:08.922329500 4178 trying to get config for dnsbl_allow
2006-07-26 09:23:08.938341500 4178 trying to get config for dnsbl_zones
2006-07-26 09:23:08.975242500 4178 dnsbl plugin: Checking 1.45.176.194.dnsbl.sorbs.net for TXT record in the background
2006-07-26 09:23:09.028150500 4178 dnsbl plugin: Checking 1.45.176.194.bl.spamcop.net for TXT record in the background
2006-07-26 09:23:09.032345500 4178 dnsbl plugin: Checking 1.45.176.194.relays.ordb.org for TXT record in the background
2006-07-26 09:23:09.036482500 4178 dnsbl plugin: Checking 1.45.176.194.dnsbl.njabl.org for TXT record in the background
2006-07-26 09:23:09.040420500 4178 dnsbl plugin: Checking 1.45.176.194.whois.rfc-ignorant.org for TXT record in the background
2006-07-26 09:23:09.044540500 4178 dnsbl plugin: Checking 1.45.176.194.sbl-xbl.spamhaus.org for TXT record in the background
2006-07-26 09:23:09.048793500 4178 dnsbl plugin: Checking 1.45.176.194.dynablock.njabl.org for TXT record in the background
2006-07-26 09:23:09.053753500 4178 Plugin dnsbl, hook connect returned DECLINED,
2006-07-26 09:23:09.054524500 4178 trying to get config for smtpgreeting
2006-07-26 09:23:09.303485500 4178 250-***.lt Hi smtp01-neptunas.omnitel.net [194.176.45.1]
2006-07-26 09:23:09.304224500 4178 250-PIPELINING
2006-07-26 09:23:09.304796500 4178 250-8BITMIME
2006-07-26 09:23:09.305318500 4178 250 SIZE 15000000
2006-07-26 09:23:09.351146500 4178 dispatching MAIL FROM:<s_crowley_ad@roedlusa.com> SIZE=3072
2006-07-26 09:23:09.352637500 4178 full from_parameter: FROM:<s_crowley_ad@roedlusa.com> SIZE=3072
2006-07-26 09:23:09.353253500 4178 from email address : [<s_crowley_ad@roedlusa.com>]
2006-07-26 09:23:09.355206500 4178 running plugin (mail): require_resolvable_fromhost
2006-07-26 09:23:09.356189500 4178 trying to get config for invalid_resolvable_fromhost
2006-07-26 09:23:09.364353500 4178 trying to get config for require_resolvable_fromhost
2006-07-26 09:23:09.368839500 4178 Plugin require_resolvable_fromhost, hook mail returned DECLINED,
2006-07-26 09:23:09.369396500 4178 running plugin (mail): check_badmailfrom
2006-07-26 09:23:09.370164500 4178 trying to get config for badmailfrom
2006-07-26 09:23:09.382910500 4178 Plugin check_badmailfrom, hook mail returned DECLINED,
2006-07-26 09:23:09.383572500 4178 getting mail from <s_crowley_ad@roedlusa.com>
2006-07-26 09:23:09.384187500 4178 250 <s_crowley_ad@roedlusa.com>, sender OK - how exciting to get mail from you!
2006-07-26 09:23:09.385095500 4178 dispatching RCPT TO:<***@***.lt>
2006-07-26 09:23:09.386036500 4178 to email address : [<***@***.lt>]
2006-07-26 09:23:09.386853500 4178 running plugin (rcpt): dnsbl
2006-07-26 09:23:09.387625500 4178 trying to get config for dnsbl_zones
2006-07-26 09:23:09.388617500 4178 dnsbl plugin: waiting for dnsbl dns
2006-07-26 09:23:09.389412500 4178 dnsbl plugin: DONE waiting for dnsbl dns, got  7  answers ...
2006-07-26 09:23:09.399003500 4178 Plugin dnsbl, hook rcpt returned DECLINED,
2006-07-26 09:23:09.399565500 4178 running plugin (rcpt): check_badmailfrom
2006-07-26 09:23:09.400290500 4178 Plugin check_badmailfrom, hook rcpt returned DECLINED,
2006-07-26 09:23:09.400851500 4178 running plugin (rcpt): check_badrcptto_patterns
2006-07-26 09:23:09.401712500 4178 trying to get config for badrcptto_patterns
2006-07-26 09:23:09.403564500 4178 Plugin check_badrcptto_patterns, hook rcpt returned DECLINED,
2006-07-26 09:23:09.404160500 4178 running plugin (rcpt): check_badrcptto
2006-07-26 09:23:09.404914500 4178 trying to get config for badrcptto
2006-07-26 09:23:09.445616500 4178 Plugin check_badrcptto, hook rcpt returned DECLINED,
2006-07-26 09:23:09.446210500 4178 running plugin (rcpt): check_goodrcptto
2006-07-26 09:23:09.447024500 4178 check_goodrcptto plugin: stripping '-' extensions
2006-07-26 09:23:09.447579500 4178 trying to get config for goodrcptto
2006-07-26 09:23:09.495890500 4178 Plugin check_goodrcptto, hook rcpt returned DECLINED,
2006-07-26 09:23:09.496493500 4178 running plugin (rcpt): rcpt_ok
2006-07-26 09:23:09.497273500 4178 trying to get config for me
2006-07-26 09:23:09.497891500 4178 trying to get config for rcpthosts
2006-07-26 09:23:09.511583500 4178 Plugin rcpt_ok, hook rcpt returned OK,
2006-07-26 09:23:09.512329500 4178 250 <***@***.lt>, recipient ok
2006-07-26 09:23:09.513186500 4178 dispatching DATA
2006-07-26 09:23:09.514213500 4178 354 go ahead
2006-07-26 09:23:09.514863500 4178 trying to get config for databytes
2006-07-26 09:23:09.515407500 4178 max_size: 15000000 / size: 0
2006-07-26 09:23:09.516426500 4178 trying to get config for timeout
2006-07-26 09:23:09.647145500 4178 spooling message to disk
2006-07-26 09:23:09.721712500 4178 max_size: 15000000 / size: 3122
2006-07-26 09:23:09.721717500 4178 trying to get config for me
2006-07-26 09:23:09.721719500 4178 running plugin (data_post): check_basicheaders
2006-07-26 09:23:09.721722500 4178 Plugin check_basicheaders, hook data_post returned DECLINED,
2006-07-26 09:23:09.721725500 4178 running plugin (data_post): virus::pattern_filter
2006-07-26 09:23:09.723821500 4178 trying to get config for pattern_filter
2006-07-26 09:23:09.723826500 4178 trying to get config for signatures_patterns
2006-07-26 09:23:09.727492500 4178 Plugin virus::pattern_filter, hook data_post returned DECLINED,
2006-07-26 09:23:09.728143500 4178 running plugin (data_post): tnef2mime
2006-07-26 09:23:10.134620500 4178 Plugin tnef2mime, hook data_post returned DECLINED,
2006-07-26 09:23:10.135265500 4178 running plugin (data_post): spamassassin
2006-07-26 09:23:10.136161500 4178 spamassassin plugin: check_spam
2006-07-26 09:23:10.138089500 4178 spamassassin plugin: check_spam: connected to spamd
2006-07-26 09:23:10.143190500 4178 spamassassin plugin: check_spam: finished sending to spamd
2006-07-26 09:23:18.110168500 4178 spamassassin plugin: check_spam: spamd: SPAMD/1.1 0 EX_OK
2006-07-26 09:23:18.110173500
2006-07-26 09:23:18.110175500 4178 trying to get config for me
2006-07-26 09:23:18.121661500 4178 spamassassin plugin: check_spam: spamd: Content-length: 18
2006-07-26 09:23:18.121666500
2006-07-26 09:23:18.121668500 4178 spamassassin plugin: check_spam: spamd: Spam: False ; 1.6 / 15.0
2006-07-26 09:23:18.121671500
2006-07-26 09:23:18.121673500 4178 spamassassin plugin: check_spam: spamd:
2006-07-26 09:23:18.121675500
2006-07-26 09:23:18.126664500 4178 spamassassin plugin: check_spam: finished reading from spamd
2006-07-26 09:23:18.126670500 4178 spamassassin plugin: check_spam: No, hits=1.6, required=15.0, tests=DATE_IN_PAST_96_XX
2006-07-26 09:23:18.126673500 4178 Plugin spamassassin, hook data_post returned DECLINED,
2006-07-26 09:23:18.126676500 4178 running plugin (data_post): spamassassin
2006-07-26 09:23:18.126678500 4178 Plugin spamassassin, hook data_post returned DECLINED,
2006-07-26 09:23:18.126681500 4178 running plugin (data_post): virus::clamav
2006-07-26 09:23:18.126732500 4178 virus::clamav plugin: Changing permissions on file to permit scanner access
2006-07-26 09:23:18.128540500 4178 virus::clamav plugin: Running: /usr/bin/clamdscan --stdout  --disable-summary /var/spool/qpsmtpd/1153894989:4178:0 2>&1
2006-07-26 09:23:19.146426500 4178 virus::clamav plugin: clamscan results: /var/spool/qpsmtpd/1153894989:4178:0: OK
2006-07-26 09:23:19.146431500 4178 Plugin virus::clamav, hook data_post returned DECLINED,
2006-07-26 09:23:19.146434500 4178 running plugin (queue): queue::qmail_2dqueue
2006-07-26 09:23:19.146436500 4182 queue::qmail_2dqueue plugin: (for 4178 ) Queuing qp 4182 to /var/qmail/bin/qmail-queue
2006-07-26 09:23:19.641478500 4178 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1153894999 qp 4182 <007b01c4820c$665dac90$425a4593@roedlusa.com>
2006-07-26 09:23:19.641747500 4178 250 Queued! 1153894999 qp 4182 <007b01c4820c$665dac90$425a4593@roedlusa.com>
2006-07-26 09:23:19.667790500 4178 dispatching QUIT
2006-07-26 09:23:19.668860500 4178 trying to get config for me
2006-07-26 09:23:19.669462500 4178 221 ***.lt closing connection. Have a wonderful day.
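The script below is an added example written for this thread, not SME Server or qpsmtpd code. It summarises one qpsmtpd transaction from a LogLevel=8 log like the one quoted above: which plugin ran on which hook and what it returned, how many DNSBL zones answered, and the spamd verdict. The sample lines embedded in it are a trimmed copy of the quoted log. Run as-is, it shows why the message was queued: every connect and rcpt plugin returned DECLINED, the dnsbl plugin acted on none of its seven answers, and spamd scored the message 1.6 against the required score of 15.0 that the quoted log shows in effect.

```perl
#!/usr/bin/perl
# Summarise one qpsmtpd transaction from a LogLevel=8 log: which plugin ran
# on which hook, what it returned, how the DNSBL checks and spamd came out.
# Added example for this thread, not SME Server or qpsmtpd code.
use strict;
use warnings;

# Sample input: lines trimmed from the log quoted in the first post.
my @SAMPLE = split /\n/, <<'LOG';
2006-07-26 09:23:07.896913500 4178 Connection from smtp01-neptunas.omnitel.net [194.176.45.1]
2006-07-26 09:23:08.901800500 4178 Plugin check_earlytalker, hook connect returned DECLINED,
2006-07-26 09:23:09.053753500 4178 Plugin dnsbl, hook connect returned DECLINED,
2006-07-26 09:23:09.389412500 4178 dnsbl plugin: DONE waiting for dnsbl dns, got  7  answers ...
2006-07-26 09:23:09.399003500 4178 Plugin dnsbl, hook rcpt returned DECLINED,
2006-07-26 09:23:09.511583500 4178 Plugin rcpt_ok, hook rcpt returned OK,
2006-07-26 09:23:18.126670500 4178 spamassassin plugin: check_spam: No, hits=1.6, required=15.0, tests=DATE_IN_PAST_96_XX
2006-07-26 09:23:18.126673500 4178 Plugin spamassassin, hook data_post returned DECLINED,
2006-07-26 09:23:19.641478500 4178 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1153894999 qp 4182
LOG

# Parse the lines belonging to one qpsmtpd child into a summary hash.
sub summarise_transaction {
    my ($lines) = @_;
    my %tx = (hooks => [], queued => 0);
    for my $line (@$lines) {
        # Every line starts with "<date> <time> <pid> "; drop that prefix.
        (my $msg = $line) =~ s/^\S+ \S+ \d+ //;
        if ($msg =~ /^Connection from (\S+) \[([\d.]+)\]/) {
            @tx{qw(remote remote_ip)} = ($1, $2);
        }
        elsif ($msg =~ /^Plugin (\S+), hook (\S+) returned (\w+)/) {
            my ($plugin, $hook, $result) = ($1, $2, $3);
            push @{ $tx{hooks} }, { plugin => $plugin, hook => $hook, result => $result };
            # DENY, DENYSOFT and DENY_DISCONNECT all refuse the transaction.
            $tx{denied_by} ||= "$plugin ($hook)" if $result =~ /^DENY/;
            $tx{queued} = 1 if $hook eq 'queue' && $result eq 'OK';
        }
        elsif ($msg =~ /^dnsbl plugin: DONE waiting .*got\s+(\d+)\s+answers/) {
            $tx{dnsbl_answers} = $1;
        }
        elsif ($msg =~ /^spamassassin plugin: check_spam: (\w+), hits=(-?[\d.]+), required=([\d.]+), tests=(\S*)/) {
            my ($flag, $hits, $required, $tests) = ($1, $2, $3, $4);
            $tx{spam} = { is_spam => ($flag eq 'Yes' ? 1 : 0), hits => $hits + 0,
                          required => $required + 0, tests => $tests };
        }
    }
    return \%tx;
}

# Turn the summary into a short, human-readable verdict.
sub explain {
    my ($tx) = @_;
    my @out = sprintf("remote: %s [%s]", $tx->{remote} || '?', $tx->{remote_ip} || '?');
    push @out, sprintf("  %-9s %-24s %s", @$_{qw(hook plugin result)}) for @{ $tx->{hooks} };
    push @out, "  dnsbl: $tx->{dnsbl_answers} zone lookups answered" if defined $tx->{dnsbl_answers};
    if (my $s = $tx->{spam}) {
        push @out, sprintf("  spamassassin: %s, hits=%.1f required=%.1f tests=%s",
            $s->{is_spam} ? 'spam' : 'not spam', $s->{hits}, $s->{required}, $s->{tests});
    }
    push @out, $tx->{denied_by} ? "verdict: refused by $tx->{denied_by}"
             : $tx->{queued}    ? "verdict: accepted and queued; no plugin returned DENY"
             :                    "verdict: transaction did not complete";
    return join "\n", @out;
}

print explain(summarise_transaction(\@SAMPLE)), "\n";
```

To use it on a live log, replace @SAMPLE with the lines for one child pid (the third field) from your qpsmtpd log; the hooks table then shows at a glance which plugin, if any, refused the connection and where in the sequence it ran.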

arnie25
Blocking spamming servers
« Reply #1 on: August 03, 2006, 04:31:06 PM »
I see nobody knows how to solve this problem, or it is hard to understand my explanation of it.
Maybe I could create a list, add those annoying servers, and later enable SpamAssassin to check that list and block the mail from coming into mailboxes.
Has anybody done that kind of thing?

jfarschman
Blocking spamming servers
« Reply #2 on: August 03, 2006, 04:58:50 PM »
Arnie,

  Here is what I don't understand.  Why not just wait for the RBL list to block the bad servers?

  For me, I do not have time to locate a spam server and configure the SME to block them.  I think the RBL is a great thing.  Do you have them enabled:

db configuration show qpsmtpd

If not...

db configuration setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update
svc -t /service/qpsmtpd

If this is not good enough, maybe you want to use the LearnAsSpam.pl script and set it to run every 15 minutes.  Then you could forward a message to a special directory and have it identified as SPAM.

I hope this helps.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

raem
Re: Blocking spamming servers
« Reply #3 on: August 04, 2006, 12:39:51 AM »
arnie25

> In previos SME6 version I used badhelo template to block particular
> spam servers, which are not yet listed in RBL's.
> Is there anything I could use in SME7 what could help block that mail
> relay server?


Similar templates should work for SME7

JonB
Blocking spamming servers
« Reply #4 on: August 04, 2006, 04:52:54 AM »
arnie25,

You can also do this. It will block the ip for smtp at the firewall.

db configuration setprop smtpd DenyHosts xxx.xxx.xxx.xxx
signal-event remoteaccess-update

where xxx.xxx.xxx.xxx is the IP address you want to block. You can add multiple IP addresses by comma-separating them.

Jon

arnie25
Blocking spamming servers
« Reply #5 on: August 04, 2006, 12:02:33 PM »
jfarschman,

Quote
Here is what I don't understand. Why not just wait for the RBL list to block the bad servers?

For me, I do not have time to locate a spam server and configure the SME to block them. I think the RBL is a great thing.


The thing is that the servers smtp01-neptunas.omnitel.net [194.176.45.1] and smtp02-neptunas.omnitel.net [194.176.45.2] were created as mail relay servers a long time ago and I don't know why they are not listed in RBLs yet. I think they were created so they could provide SMTP services for their internet service customers without using mail accounts. I'll try to inform the special authorities and see their position.

Quote
If this is not good enough, maybe you want to use the LearnAsSpam.pl script and set thing to run every 15 minutes. Then you could forward a message to a special directory and have it identified as SPAM.


I have installed Michael Weinberger's smeserver-spamassassin-features-0.0.2-0.noarch.rpm, which is doing a great job sorting spam into the junkmail folder. My server users are lazy enough to sort spam into a special folder which could later be checked by the LearnAsSpam.pl script.

Anyway, thanks for the feedback.

JonB,
RayMitchell,

Thanks for your help.
I'll try it with the badhelo template first.

kruhm
Blocking spamming servers
« Reply #6 on: August 08, 2006, 04:13:37 AM »
I find good reason to do this as not all IPs make it to the RBLs as they should. More importantly, some ISPs have less than reasonable standards when it comes to monitoring their clients' activities. Nothing better than blocking their whole IP range. If a box is a problem, usually all domains on the box are a problem as well; blocking a domain name doesn't cut it.

Some have worked it out to enable the GEOIP plugin (already in the plugin dir), find out where the problems are coming from and customize another plugin to block specific problem countries. Ask, creator of qpsmtpd, has more: www.askbjoernhansen.com/archives/2005/08/Build_Easily_Extensible_Perl_Programs.pdf

AFAIK, the badhelo (check_spamhelo plugin) won't work here as it only checks the HELO message delivered from a connecting host, not IPs.

Quote

db configuration setprop smtpd DenyHosts xxx.xxx.xxx.xxx

@JonB
Thanks for that info. Maybe the FAQ needs to be clearer so people can find it more easily.
Will this work for ranges? For example, 123.123.123.12-34
When does this run, before or after the plugins?

I would think the proper way to do this would be to create a qpsmtpd plugin and run it near the top of the plugins with a config file. After all, that's the whole idea of qpsmtpd: plug in your customized needs.

I tried doing an automatic plugin but couldn't get it working. The info I based it on is here: http://www.oreillynet.com/pub/a/sysadmin/2005/09/15/qpsmtpd.html

JonB
Blocking spamming servers
« Reply #7 on: August 08, 2006, 04:44:29 AM »
kruhm,

I haven't tried ranges but you may get away with using a netmask, e.g.

123.123.123.12/30 would block 123.123.123.12 - 15

That set of commands creates a firewall rule which denies all SMTP traffic from the IP address specified, so the connection doesn't even get to qpsmtpd.

Jon

kruhm
Blocking spamming servers
« Reply #8 on: August 16, 2006, 02:57:49 PM »
Reposting a conversation I had somewhere else (no credit to me). This is a modified GEOIP plugin to block email from problem countries:

Code:

use Geo::IP;
my $geoip = Geo::IP->new(GEOIP_STANDARD);

sub hook_connect {
        my ($self) = @_;
        # Country code of the connecting address; undef when GeoIP has no entry for it.
        my $country = $geoip->country_code_by_addr
                ($self->qp->connection->remote_ip);
        $country = 'unknown' unless defined $country;   # avoids a warning and a false match below
        $self->qp->connection->notes('geoip_country', $country);
        $self->log(LOGNOTICE, "GeoIP Country: $country");
        # Each line of the badcountries config file is "<country code> <rejection text>".
        if ( $self->qp->config("badcountries") ) {
                my @badcountries = $self->qp->config("badcountries");

                for (@badcountries) {
                        my ($pattern, $response) = split /\s+/, $_, 2;
                        return (DENY, $response) if ($country eq $pattern);
                }
        }

        return (DECLINED);
}


Before you do this, it may be a good idea to find where the problems are coming from.
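The plugin below is an added example written for this thread; it is not part of SME Server or qpsmtpd and is not kruhm's plugin. It does what kruhm's reply #6 asks for (a qpsmtpd plugin driven by a config file, run at the connect hook) and answers the range question from replies #6 and #7: entries may be single addresses or CIDR blocks such as the 123.123.123.12/30 from reply #7, and range_to_cidrs turns an inclusive "12-34" style range into the smallest list of /n blocks that covers it. The hook_connect, DENY/DECLINED and $self->qp->config plumbing is the same as in kruhm's GeoIP plugin; the config file name "denycidr", the reply texts and the test addresses are assumptions made for the example. Unlike JonB's DenyHosts firewall rule, the connection does reach qpsmtpd with this approach, and where it runs relative to the other plugins is decided by its position in the plugin list.

```perl
# deny_cidr: a qpsmtpd connect-hook plugin that refuses connections from any
# address or CIDR block listed in a config file named "denycidr" (name assumed).
# Added example for this thread, not SME Server, qpsmtpd or kruhm's code.
# Entry format: "<ip-or-cidr> [reply text]", e.g. "123.123.123.12/30  Blocked: example range"
use strict;
use warnings;

# qpsmtpd imports these from Qpsmtpd::Constants before compiling a plugin;
# define them (same values) only when the file is run on its own.
BEGIN {
    *DENY      = sub () { 901 } unless defined &DENY;
    *DECLINED  = sub () { 909 } unless defined &DECLINED;
    *LOGNOTICE = sub () { 5 }   unless defined &LOGNOTICE;
}

# Dotted-quad IPv4 -> 32-bit integer, or undef if malformed.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return undef if grep { $_ > 255 } $1, $2, $3, $4;
    return ($1 << 24) | ($2 << 16) | ($3 << 8) | $4;
}

sub int_to_ip { my ($n) = @_; return join '.', map { ($n >> $_) & 255 } 24, 16, 8, 0 }

# "a.b.c.d" or "a.b.c.d/n" -> [network, mask] as integers, or undef.
sub parse_cidr {
    my ($spec) = @_;
    my ($ip, $bits) = split m{/}, $spec, 2;
    $bits = 32 unless defined $bits;
    return undef unless $bits =~ /^\d+$/ && $bits <= 32;
    my $n = ip_to_int($ip);
    return undef unless defined $n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return [ $n & $mask, $mask ];
}

# True if the dotted-quad $ip lies inside the parsed block.
sub in_block {
    my ($ip, $block) = @_;
    my $n = ip_to_int($ip);
    return defined $n && ($n & $block->[1]) == $block->[0] ? 1 : 0;
}

# Smallest set of CIDR blocks covering an inclusive range ("12-34" style).
sub range_to_cidrs {
    my ($first, $last) = map { ip_to_int($_) } @_;
    return () unless defined $first && defined $last && $first <= $last;
    my @cidrs;
    while ($first <= $last) {
        my $bits = 32;
        # Widen the prefix while the block stays aligned and inside the range.
        while ($bits > 1) {
            my $mask = (0xFFFFFFFF << (33 - $bits)) & 0xFFFFFFFF;
            last if ($first & $mask) != $first || $first + (~$mask & 0xFFFFFFFF) > $last;
            $bits--;
        }
        push @cidrs, int_to_ip($first) . "/$bits";
        $first += 1 << (32 - $bits);
    }
    return @cidrs;
}

# Build the block list from config lines; blanks, comments and malformed entries are skipped.
sub load_blocks {
    my @blocks;
    for my $entry (@_) {
        (my $e = $entry) =~ s/^\s+|\s+$//g;
        next if $e eq '' || $e =~ /^#/;
        my ($spec, $reply) = split /\s+/, $e, 2;
        my $block = parse_cidr($spec) or next;
        push @blocks, { spec => $spec, block => $block,
                        reply => defined $reply ? $reply : "Connections from $spec are not accepted" };
    }
    return \@blocks;
}

# First entry matching $ip, or undef.
sub first_match {
    my ($ip, $blocks) = @_;
    for my $blk (@$blocks) { return $blk if in_block($ip, $blk->{block}) }
    return undef;
}

# qpsmtpd entry point, using the same calls as kruhm's GeoIP plugin.
sub hook_connect {
    my ($self) = @_;
    my $ip  = $self->qp->connection->remote_ip;
    my $hit = first_match($ip, load_blocks($self->qp->config('denycidr')));
    return (DECLINED) unless $hit;
    $self->log(LOGNOTICE, "deny_cidr: $ip matches $hit->{spec}");
    return (DENY, $hit->{reply});
}

# Self-check when run directly (perl deny_cidr); skipped when qpsmtpd compiles the file.
unless (caller) {
    # Constructed test entries: the /30 from reply #7 plus a single documentation-range address.
    my $blocks = load_blocks('# constructed test entries', '123.123.123.12/30  Blocked: example range', '198.51.100.7');
    for my $ip (qw(123.123.123.12 123.123.123.15 123.123.123.16 198.51.100.7 203.0.113.9)) {
        my $hit = first_match($ip, $blocks);
        printf "%-16s %s\n", $ip, $hit ? "DENY: $hit->{reply}" : 'DECLINED';
    }
    print join(' ', range_to_cidrs('123.123.123.12', '123.123.123.34')), "\n";
}
```

Run directly, the self-check shows .12 and .15 refused by the /30 while .16 is declined (passed on to the next plugin), and the range 123.123.123.12 through .34 decomposed into four blocks (/30, /28, /31 and /32), which is what you would put in the config file in place of a "12-34" range. Malformed entries are skipped rather than aborting the plugin, so a typo in the config file cannot take mail delivery down; how plugin files are installed and enabled on SME7 is not covered in this thread.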