IP listed in RBL but not blocked at SMTP level



Postby ics » Mon Nov 10, 2014 11:30 am

I checked with 4 emails and yes, it looks like it matches the sender's SPF policy.
What does this mean?

Postby del » Mon Nov 10, 2014 11:58 am

/usr/mailcleaner/etc/exim/exim_stage1.conf_template:

474   __IF__ RCPTRBL
475     deny    !hosts        = <; 127.0.0.1 ; NORBLHOSTS ; +trusted_hosts
476             spf           = fail
477             dnslists = __RBLS__
478             condition     = ${if eq {$received_port}{587} {0}{1}}
479             message = Blacklisted in $dnslist_domain: $dnslist_text
480             log_message   = "listed in $dnslist_domain : $dnslist_text"
481             delay = __RBLTIMEOUT__s
482             set acl_c8    = smtp:refused:rbl
483             set acl_c9    = STATSADD
484             set acl_c8    = domain:$domain:rbl_refused
485             set acl_c9    = STATSADD
486             set acl_c8    = user:$domain:$local_part:rbl_refused
487             set acl_c9    = STATSADD
488             set acl_c8    = smtp:refused
489             set acl_c9    = STATSADD
490             set acl_c8    = domain:$domain:refused
491             set acl_c9    = STATSADD
492             set acl_c8    = smtp:dnslist:$dnslist_domain
493             set acl_c9    = STATSADD
494    __IF__ DEBUG
495             logwrite      = DEBUG - refused, listed in rbl ($dnslist_domain : $dnslist_text) - smtp:refused,smtp:refused:rbl
496    __FI__
497   __FI__


Line 476 says that if the SPF check fails, MailCleaner will query the DNSBL; otherwise it won't.
You can remove line 476 if you want to check all hosts.

Postby ossistemes » Mon Nov 10, 2014 12:42 pm

Perfect!! Now it runs perfectly.

But I changed the line to:

!spf = pass

So if the domain has SPF and it passes, don't check the RBL, but if it fails OR the domain doesn't have an SPF record, check the RBL.

The problem, I think: if we apply an update in the future, will this modification be lost??

Bye

Postby del » Mon Nov 10, 2014 1:14 pm

If you do the CVS update the changes may be lost, yes.

Postby cglmicro » Wed Nov 12, 2014 10:50 pm

I've modified it too, since many pass through that should have been blocked at stage1.

Will report back tomorrow.

Postby Julien » Wed Nov 19, 2014 3:28 pm

Hi guys,

In Configuration -> SMTP -> SMTP checks, give us the "RBL checks timeout" value.
After that, could you test your DNS resolution time on one (or several?) RBLs? Compare these two times...

Then in Configuration -> Anti-Spam -> PreRBLs, give us the "Maximum check time".
If "Maximum check time" >> "RBL checks timeout", probably the first one hits this timeout and the second works because it has much more time to resolve.

Julien.

Postby cglmicro » Thu Nov 20, 2014 2:10 am

Julien wrote: Hi guys,

In Configuration -> SMTP -> SMTP checks, give us the "RBL checks timeout" value.
After that, could you test your DNS resolution time on one (or several?) RBLs? Compare these two times...

Then in Configuration -> Anti-Spam -> PreRBLs, give us the "Maximum check time".
If "Maximum check time" >> "RBL checks timeout", probably the first one hits this timeout and the second works because it has much more time to resolve.

Julien.


Was 30 secs, now it's 60 just in case.
Was also 30 secs, now also 60.

I don't know how to test my DNS resolution time on RBLs. How can I?

Most of the spam is coming in during weekdays around 12~3 PM, during peak, and I'm GMT -5; if SPAMHAUS and MANITU are in Europe, they are probably around GMT 0. Yesterday I had suspected something: that my MASTER (184.107.xxx.xxx) was doing too many requests to the RBLs in its 24-hour period, and what if they ignore my queries until their next reset at midnight (or around 6~9 PM here)?
So I changed the order of the MX for one affected domain so that this domain now MAINLY uses my SLAVE (69.70.xxx.xxx), which only manages a few emails per day. My surprise is that, even 12 hours after the MX changes, some spam got through, and a TRACING indicates all this spam was filtered by the MASTER (MX priority of 21), not the SLAVE (MX priority of 10).

What log file can I tail/view to see the RBL queries and confirm whether they are (rejected | ignored | answered)?
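
One way to run the comparison suggested above (DNSBL resolution time against the "RBL checks timeout"), as an added example that is not part of the original thread or of MailCleaner. The function names, the two zone names and the 30-second value are assumptions; the script also separates a real listing from a not-listed answer, a resolver error, and Spamhaus's documented 127.255.255.x error replies.

```python
import socket
import time

# gaierror codes that mean "no such record", i.e. the IP is not listed.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def dnsbl_qname(ipv4, zone):
    """1.2.3.4 + zone -> 4.3.2.1.zone, the name a DNSBL lookup resolves."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def timed_lookup(ipv4, zone, resolve=socket.gethostbyname, clock=time.monotonic):
    """Return (status, answer, seconds) for one DNSBL query."""
    qname = dnsbl_qname(ipv4, zone)
    start = clock()
    try:
        answer = resolve(qname)
        # Spamhaus documents 127.255.255.x as error replies (for example
        # query limit exceeded), not listings; report them as "refused".
        status = "refused" if answer.startswith("127.255.255.") else "listed"
    except socket.gaierror as exc:
        answer = None
        # NXDOMAIN means not listed; anything else is a resolver problem.
        status = "not_listed" if exc.errno in NOT_FOUND else "error"
    return status, answer, clock() - start

def exceeds_timeout(seconds, rbl_timeout_s):
    """True when the lookup took at least as long as the configured timeout."""
    return seconds >= rbl_timeout_s

if __name__ == "__main__":
    RBL_TIMEOUT_S = 30  # assumed: the "RBL checks timeout" value from the GUI
    # Assumed zone names; 127.0.0.2 is the conventional DNSBL test entry.
    for zone in ("zen.spamhaus.org", "ix.dnsbl.manitu.net"):
        status, answer, secs = timed_lookup("127.0.0.2", zone)
        flag = "SLOW" if exceeds_timeout(secs, RBL_TIMEOUT_S) else "ok"
        print("%-22s %-10s %-16s %.3fs %s" % (zone, status, answer, secs, flag))
```

Run it on the filtering host itself so the queries go through the same resolver Exim uses; a "refused" or "error" status for the test entry points at the resolver or the list operator rather than at the ACL.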
