Koozali.org: home of the SME Server

UCEProtect level 2 blocking legitimate mail

Offline mophilly

  • *
  • 384
  • +0/-0
    • Mophilly
UCEProtect level 2 blocking legitimate mail
« on: May 30, 2014, 11:12:20 PM »
Recently a number of our customers began receiving bounce messages in response to email sent to my company. In some cases they believe our server is compromised. The real issue is that UCEProtect level 2 rejects the sender's IP address. I have found this to be the case with customers of TimeWarner (roadrunner), RackSpace and a couple of others.

I would like to keep the incoming spam to a minimum but feel pressed to disable UCEProtect level 2. Even with UCEProtect level 2 enabled, we are receiving a lot of incoming spam, often with a .eu suffix in the domain name. (damned if I do, damned if I don't!)

I would be very grateful for suggestions to improve how we handle this situation.

I am running SME 8.x, up to date, with mods.
« Last Edit: May 30, 2014, 11:14:52 PM by Mophilly »
- Mark

Offline ReetP

  • *
  • 3,952
  • +6/-0
Re: UCEProtect level 2 blocking legitimate mail
« Reply #1 on: June 05, 2014, 01:31:08 AM »
Hi,

I think you probably have the wbl contrib installed but it isn't working correctly ?

Please check this bug :

http://bugs.contribs.org/show_bug.cgi?id=8327

It would help for someone to verify the bug and to test my attempts at patching it. We may then be able to get it incorporated.

Let me know if you have any questions.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP
Re: UCEProtect level 2 blocking legitimate mail
« Reply #2 on: June 05, 2014, 01:38:00 AM »
I should also say that the normal mantra should be applied :

"If it doesn't work as expected then file a bug (after searching thoroughly on the subject)"  :-P

You should also really follow this up on the bug link that I sent.

B. Rgds
John

Offline mophilly
Re: UCEProtect level 2 blocking legitimate mail
« Reply #3 on: June 05, 2014, 01:47:42 AM »
Thank you. I will review the link and follow up appropriately.
- Mark

Offline ReetP
Re: UCEProtect level 2 blocking legitimate mail
« Reply #4 on: June 05, 2014, 02:02:12 AM »
Quote
Thank you. I will review the link and follow up appropriately.

No probs - be glad of a hand !!!

Note that I believe there are a number of issues with various qpsmtpd plugins and would like to try and sort a few out.

I also need to sort my own bugs out.

This bug : http://bugs.contribs.org/show_bug.cgi?id=8321 was where I started - I made an amendment to the whitelist panel wording.

This bug : http://bugs.contribs.org/show_bug.cgi?id=8327 is really where the patches for the whitelist plugin should be. I'll try and tidy my mess in the morning :-) I'll move the correct patches and notes here in the morning.


B. Rgds
John

Offline mophilly
Re: UCEProtect level 2 blocking legitimate mail
« Reply #5 on: August 07, 2014, 06:55:59 PM »
I have read through the bug reports, and I can see that some work is required.

However, I question whether the problem(s) I am observing are covered entirely by the whitelist issue, although I can see how whitelisting may help.

Our problem is that UCEProtect is very aggressive with popular services such as RoadRunner and RackSpace, listing blocks of IP addresses for days at a time, which then blocks email from prospects, clients and associates who use those services. Also, there is a huge amount of spam getting through, even with level 2 enabled. Obviously, this is causing my users a lot of grief and having a negative impact on the business.

If a reader of this post has perl experience, free time available and a willingness to dig into qmail and clam, I would be willing to pay for a resolution that can be submitted to the SME maintainers for review. Please feel free to contact me on or off list.
- Mark

Offline janet

  • *****
  • 4,812
  • +0/-0
Re: UCEProtect level 2 blocking legitimate mail
« Reply #6 on: August 07, 2014, 09:38:25 PM »
Mophilly

I assume you are referring to RBLs.
If a list is not working well for you ie causing valid messages to be rejected, then you should disable it immediately.
Sorting out spam can be considered after you stop blocking senders.
For starters show us output of
config show qpsmtpd

Other settings may need tweaking

Do you have Custom spam settings configured in the server manager panel ?


Quote
If a reader of this post has perl experience, free time available and a willingness to dig into qmail and clam, I would be willing to pay for a resolution that can be submitted to the SME maintainers for review. Please feel free to contact me on or off list.

You should post your request on the devinfo mailing list and attract paid developer support directly.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline mophilly
Re: UCEProtect level 2 blocking legitimate mail
« Reply #7 on: August 07, 2014, 09:53:06 PM »
Thank you, Janet.

Running SME 8.x, all official updates applied.

Code: [Select]
# config show qpsmtpd
qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled
#

ClamAV and db versions: 0.98.4/19268/Thu Aug 7 11:23:44 2014
daily scan, quarantine enabled.
Added the "Additional Signatures" to the ClamAV on April 29, 2014; see how-to "Virus:Additional Signatures"
Added the "learn Spam" feature in spamassassin as described in "contribs.org/Learn".

Email panel settings:
virus scanning enabled
spam filtering enabled
spam sensitivity is custom
-- tagging level: 4
-- rejection level: 10
sort into junkmail folder
modify subject of message enabled
Content to block: all standard, zip archive not selected.
« Last Edit: August 07, 2014, 09:55:05 PM by Mophilly »
- Mark
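The RBLList above is what qpsmtpd consults for every inbound connection, and a sender is rejected as soon as any one of those zones answers. The quickest way to find out which list is bouncing a given customer is to look the bounced IP up against each zone the way the plugin does (reversed octets prepended to the zone name). The script below is an added example written for this thread; it is not code from the original posts or from SME Server. It assumes dig (bind-utils) is installed on the server, IPv4 addresses only, and that the RBLList value is the one posted above; the `config setprop` / `signal-event email-update` lines in the usage comment are the standard SME way of changing that property (as in the FAQ referenced later in the thread) rather than editing generated files.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server.
# Look a bounced sender's IP up on each DNSBL in qpsmtpd's RBLList, and build
# the trimmed RBLList value to apply if one or more lists are dropped.
# Assumes: dig (bind-utils) installed; IPv4 only.

# RBLList value reproduced from the "config show qpsmtpd" output above.
RBLLIST='bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org'

# 192.0.2.10 -> 10.2.0.192 (DNSBLs are keyed on the reversed address)
reverse_ip() {
    echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 }'
}

# Name to query: reversed IP under the zone, e.g. 10.2.0.192.dnsbl-2.uceprotect.net
dnsbl_name() {
    echo "$(reverse_ip "$1").$2"
}

# Remove zones from a colon-separated list: drop_rbls "a:b:c" b c -> "a"
drop_rbls() {
    list=":$1:"; shift
    for zone in "$@"; do
        list=$(echo "$list" | sed "s/:$zone:/:/g")
    done
    echo "$list" | sed 's/^://; s/:$//'
}

# Query each zone for one IP; any A answer means the IP (or, for
# dnsbl-2.uceprotect.net, the whole allocation it sits in) is listed.
# Needs network; refuses to run without dig rather than reporting "clean".
check_ip() {
    ip=$1; list=$2
    command -v dig >/dev/null 2>&1 || { echo "dig not found (install bind-utils)" >&2; return 1; }
    echo "$list" | tr ':' '\n' | while read -r zone; do
        [ -n "$zone" ] || continue
        answer=$(dig +short "$(dnsbl_name "$ip" "$zone")" A 2>/dev/null | tr '\n' ' ')
        if [ -n "$answer" ]; then
            echo "LISTED  $zone -> $answer"
        else
            echo "clean   $zone"
        fi
    done
}

# Usage on the SME server (replace the IP with one taken from a bounce):
#   check_ip 192.0.2.10 "$RBLLIST"
# To drop both UCEPROTECT lists without editing generated files:
#   config setprop qpsmtpd RBLList "$(drop_rbls "$RBLLIST" dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net)"
#   signal-event email-update
echo "RBLList without UCEPROTECT: $(drop_rbls "$RBLLIST" dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net)"
```

Run `check_ip` against a few of the bounced RoadRunner or RackSpace addresses: if only the `dnsbl-2` line reports LISTED, the rejection is the level 2 allocation listing and nothing about the individual sender, which is the case for dropping that zone rather than the whole RBL setup.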

Offline janet
Re: UCEProtect level 2 blocking legitimate mail
« Reply #8 on: August 08, 2014, 05:05:41 AM »
Mophilly

Your settings seem fair enough, except I personally do not use those aggressive lists.
They will block mail coming from many popular free type public systems, & some big ISPs who do not want to follow all the rules.
Your spam circumstances & vulnerability are probably different to mine.

You can remove the RBL lists etc that block senders by following this:
http://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Real-time_Blackhole_List_.28RBL.29

What mode is your server running in, gateway & server or server only ?
This can have a big impact on the effectiveness of spam & other filtering etc.
What firewall if any do you have in front of the server, is your Internet access via a bridged modem (with sme in server gateway mode) ?

Are there any other appliances or corporate network equipment in front of your server ?


Quote
    RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
-- tagging level: 4
-- rejection level: 10

Quote
Content to block: all standard, zip archive not selected.

Enabling zipv1.0 blocking (minimally) will reject a lot of spam, so it's worthwhile setting that.
Users can still send zipv2.0 files or get them to send rar files instead.


If this spam is a big issue, then enabling grey listing may be the answer.
It will effectively cut spam to zero, but users have to tolerate the way it works, which is mostly unseen to them.

There may be an occasional lost email if mail servers do not retry according to standards, but that would probably be no worse than the issues your users have now, & I expect there would be almost no spam (or none even) so users would be happier.
For any problematic senders, with non compliant mail servers, you can always whitelist them in the grey listing contrib.
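The greylisting suggestion above works because a new (client IP, envelope sender, envelope recipient) triplet is deferred with a temporary failure on first contact and accepted only on a retry after a delay; real MTAs retry, most spam cannon software does not. The failure mode Janet mentions is the sender whose MTA never retries, which is why the contrib has a whitelist. The script below is an added illustration of that decision logic, not the SME greylisting contrib's code. It assumes a tab-separated triplet database file and a whitelist file of client IPs (both paths are chosen by the caller for illustration) and a delay of `GREY_DELAY` seconds.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SME greylisting contrib.
# Minimal greylisting decision: first attempt for an unknown triplet is
# deferred (an MTA would answer 451), a retry after GREY_DELAY is accepted,
# and whitelisted client IPs bypass the check for senders that never retry.
# Assumes: DB is a tab-separated "ip|from|to<TAB>first_seen" file and
# WHITELIST holds one IP per line; both are illustrative paths.

GREY_DELAY=${GREY_DELAY:-300}

# greylist_decide DB WHITELIST IP FROM TO NOW_EPOCH -> prints accept|tempfail
greylist_decide() {
    db=$1; wl=$2; ip=$3; from=$4; to=$5; now=$6
    # Whitelisted client IPs (non-compliant but wanted senders) skip greylisting.
    if [ -f "$wl" ] && grep -qxF "$ip" "$wl"; then
        echo accept
        return 0
    fi
    key="$ip|$from|$to"
    first=""
    if [ -f "$db" ]; then
        first=$(awk -F'\t' -v k="$key" '$1 == k { print $2; exit }' "$db")
    fi
    if [ -z "$first" ]; then
        # Unknown triplet: remember when we first saw it and defer.
        printf '%s\t%s\n' "$key" "$now" >> "$db"
        echo tempfail
        return 0
    fi
    # Known triplet: accept once the retry arrives after the delay.
    if [ $((now - first)) -ge "$GREY_DELAY" ]; then
        echo accept
    else
        echo tempfail
    fi
}

# Usage (paths are illustrative):
#   greylist_decide /var/tmp/greylist.db /var/tmp/greylist.wl 203.0.113.7 a@example.org b@example.com "$(date +%s)"
```

A sender that gives up after the first 451 never reaches the accept branch; that is the "occasional lost email" case, and adding its IP to the whitelist file is the fix, exactly as with the contrib.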

Offline mophilly
Re: UCEProtect level 2 blocking legitimate mail
« Reply #9 on: August 08, 2014, 06:55:06 AM »
Thank you for the detailed reply. I appreciate it very much.

The ISP device is in bridge mode, no restrictions or firewall. Gigabit switch between ISP device and two servers, each SME running in gateway & server mode, and a VoIP device. The two SME servers have different purpose, only one is involved in email.

I reviewed the FAQ; it has changed since I last looked at it. I will adjust the settings accordingly and as you suggest regarding zipv1.0 blocking. I will also revisit grey listing.

Regards.
- Mark

Offline janet
Re: UCEProtect level 2 blocking legitimate mail
« Reply #10 on: August 08, 2014, 07:09:12 AM »
Mophilly

Quote
The ISP device is in bridge mode, no restrictions or firewall. Gigabit switch between ISP device and two servers, each SME running in gateway & server mode, and a VoIP device. The two SME servers have different purpose, only one is involved in email.

How does that work, do you only have 1 external IP ?
How can two gateway servers talk to it, which device is the gateway/firewall ?

You really should only have one sme server in server & gateway mode acting as the firewall & gateway.
The second sme server can be behind that in server only mode.

I suspect you may not be getting effective spam & other mail blocking feature control due to this unusual arrangement.

The spam control device (ie your sme server) must be the device that is acting as firewall & gateway for your whole network, & it should be an sme server in server & gateway mode with only a bridged modem in front of it, between the server & the Internet, with nothing else in between.

Offline mophilly
Re: UCEProtect level 2 blocking legitimate mail
« Reply #11 on: August 08, 2014, 05:10:40 PM »
We have a bank of five fixed external IP addresses. Three are dedicated for various purposes and two are used from time to time for experiments. Currently, there are two ISP devices and each is provisioned to accept all five external addresses.

The three devices are assigned one of the fixed external IP addresses, and each has a unique internal address. The VoIP device is not connected to the LAN, but only the phone net. The two SME servers do connect to the LAN, in the same subnet. This arrangement is supported with appropriate registry settings for A, C, and MX records.

The primary SME server is responsible for the normal bank of services, including email, vpn, and web sites. The other SME server is used for development support such as git, svn and other stuff where integration with the os user account system is useful.

Quote
I suspect you may not be getting effective spam & other mail blocking feature control due to this unusual arrangement.
I surmised there wouldn't be a problem... it *seems* to work. I admit that using SME for the second server was a bit of laziness on my part; I understand SME (more or less) and familiarity is comforting. The alternative would be to break the LAN into two sub nets. That sounds like a headache in the workstation config. That said, I don't mean to belittle your suggestion. It is worth considering and I will look into it.

Thank you for helping me think through this. Your comments are very helpful.
- Mark

Offline janet
Re: UCEProtect level 2 blocking legitimate mail
« Reply #12 on: August 08, 2014, 10:19:05 PM »
Mophilly

I do not know the devices you have interposed between your sme server & Internet so hard to comment further.
Maybe they are acting in truly bridged mode.

Everything published here over the years advises to ONLY have the gateway device as your one main sme server in server & gateway mode.

That way the features of sme server are able to do their job correctly regarding spam filtering & other bogus mail rejection techniques.

It may not be too hard to slightly rearrange your network to have only one sme server in server & gateway mode facing the Internet (with only a single bridged modem in between), & everything else is behind that, a test should determine fairly quickly if spam improves. Maybe remove all the VOIP stuff temporarily.

Nothing wrong with using sme as a second server, but put it in server only mode behind your main server (in a single external IP situation).

There was a technique published years ago for having a second test sme server in server & gateway mode, on the one external IP network.


Offline mophilly
Re: UCEProtect level 2 blocking legitimate mail
« Reply #13 on: August 08, 2014, 10:28:15 PM »
I just reread my earlier post and I apologize for being so oblique.

The ISP provides two cable modems, Motorola 5120's. Each allows traffic for our five external IP addresses. These are connected to a switch. Also connected to the switch are the two SME servers and the VoIP box.

Each SME server has one external IP from the fixed group. Each has a unique IP address on the LAN. The "primary" SME server is used for email. The other is set to disallow email connections from the users, although the mail service is enabled so it can communicate with us.

Anyway, I reconfigured the primary per the FAQ you referenced and it appears things are improving. I will keep an eye on it.
- Mark

Offline janet
Re: UCEProtect level 2 blocking legitimate mail
« Reply #14 on: August 08, 2014, 10:56:27 PM »
Mophilly

Out of interest, what is this now

config show qpsmtpd