
Discarding spam messages (Exim rules)

Comments

19 comments

  • keat63
    I tried the exim_blacklist method, and whilst it works to a certain extent, it's a manual process. You'll eventually get bored of updating the file. Not only that, spammers just move on, so whilst you'll blacklist 'some-spammer.com' he'll only come back as 'another-spammer.com'. As for dropping the message, I assume you'll need to blackhole them. How you do this, I'm not sure, but instead of allow_fail, what would happen if you tried allow_blackhole? Personally, I wouldn't go down the exim_blacklist route, but instead look at utilising a number of free RBLs in your exim config.
    0
  • cPanelLauren
    If you wanted to silently fail them you could do data = :blackhole:
    But ultimately that wouldn't be RFC compliant.
    0
  • jtgroup
    Hi Lauren, Thank you. Is there a way to remain RFC compliant whilst achieving what I want? I just want to prevent those messages getting to the users' inboxes and not have the sender receive notification. Kind regards James
    0
  • foxmedo
    I have the same problem as you, and I need to block some email addresses from sending emails to my clients.
    0
  • jtgroup
    Hi Foxmedo, The above does allow you to block entire domains but we are still trying to find a solution to block individual accounts from sending messages to the server. I'll let you know when I have more. James
    0
  • cPanelLauren
    Hi @jtgroup Failing with a message is the only RFC compliant solution, you really only get two choices in that respect. Subsequently, the bounce messages wouldn't be delivered if sent to a non-existent domain and would ultimately exceed Exim's retries and be removed from the queue.
    0
  • jtgroup
    Hi Lauren, Is there a way to adjust the script so that caught messages get forwarded to another account e.g. spam@mydomain.com ? It would be useful to do this for a while to see which messages are getting caught. Kind regards James
    0
  • keat63
    I don't quite understand the RFC compliance thing. If a server bounces an email, then this would be classed as being compliant. If it accepts it but secretly drops it, who would know that it had been dropped? It can't be reported that it's been secretly dropped, as by doing so it would become compliant again. ?? So as far as anything goes, to all intents and purposes, it would appear that it's been delivered. So whilst we might aim to be RFC compliant, I don't fully see the point in this scenario. As regards blocking individual email addresses from sending to your server, CSF mailscanner will do this, but it's not free. Also, you could build a global filter in the user's cPanel, and keep adding to this as your list grows, but this would have to be done at user level. A global filter at server level would be a cool idea.
    0
  • cPanelLauren
    Hi James,
    Is there a way to adjust the script so that caught messages get forwarded to another account e.g. spam@mydomain.com ?

    There certainly is! The exim documentation here should be helpful in configuring this: 22. The redirect router
    I don't quite understand the RFC compliance thing. If a server bounces an email, then this would be classed as being compliant. If it accepts it but secretly drops it, who would know that it had been dropped? It can't be reported that it's been secretly dropped, as by doing so it would become compliant again. ??

    I think where this originates from is the perspective of a system administrator in charge of managing mail on a server: it is necessary to understand why an email was bounced, and in the event that a recipient server has set mail to be blackholed you'll never get any indication that the message was bounced or that there was even a problem. RFC compliance rules are geared toward benign entities, not spammers. RFC 5321 - Simple Mail Transfer Protocol is the RFC that blackholing mail violates, if you'd like to read through it.
    As regards blocking individual email addresses from sending to your server, CSF mailscanner will do this, but it's not free.

    SpamAssassin can do this as well and it's built in.
    A global filter at server level would be a cool idea.

    The exim system filter will do this. We also have a tutorial on managing it: How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation. Thanks!
    0
  • jtgroup
    Hi guys, Thanks Lauren, I'll take a look at the redirect option. The global filter tutorial you've got is useful but not very friendly from a sys admin point of view, as you have to add all of the lines to the file for each address, e.g.:

        if ("$h_from:" contains "user@example.com") then
            fail
        endif

    Would it be possible to have a different but similar rule whereby we can just add a new address per line, similar to the rule in my first thread? Kind regards James
    0
  • cPanelLauren
    Hi James,
    The global filter tutorial you've got is useful but not very friendly from a sys admin point of view as you have to add all of the lines to the file for each address e.g.:

    Unfortunately, each string needs to be on a separate line, separated by "or", as follows:

        if $header_from: contains "anyaddresshere@gmail.com" or
           $header_from: contains "anotheraddresshere@email.tld"
    0
  • jtgroup
    If you wanted to silently fail them you could do data = :blackhole:
    But ultimately that wouldn't be RFC compliant.

    Hi Lauren, I changed the script's last line to this but then the spam messages started coming through again. Would you mind taking a look for me to see what the issue is as it appears making this change means that the whole custom filter is ignored? Kind regards James
    0
  • cPanelLauren
    Hi @jtgroup Can you show me the filter again as well as the output from /var/log/exim_mainlog of one of the spam emails that made it through? Thanks!
    0
  • jtgroup
    Hello @cPanelLauren, Sorry, it has been a while! I've run some tests and here is the export of /var/log/exim_mainlog when the Exim settings are set to:

        # Inserted to block domains access
        # Local from blacklist: /etc/eximblacklist
        reject_domains:
          driver = redirect
          # RBL Blacklist incoming hosts
          domains = +eximblacklist
          allow_fail
          data = :blackhole:

    The log file shows:

        2019-05-17 16:12:11 1hReWj-000IAG-H3 H=cp162175.hpdns.net [91.238.162.175]:44076 Warning: "SpamAssassin as jtgroupco detected message as NOT spam (0.7)"
        2019-05-17 16:12:11 1hReWj-000IAG-H3 <= sending@address.com H=cp162175.hpdns.net [91.238.162.175]:44076 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3895 id=a1$
        2019-05-17 16:12:11 SMTP connection from cp162175.hpdns.net [91.238.162.175]:44076 closed by QUIT
        2019-05-17 16:12:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hReWj-000IAG-H3
        2019-05-17 16:12:11 1hReWj-000IAG-H3 => info R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 aInZB0vP3lziBgEA8OEBAg Saved"
        2019-05-17 16:12:11 1hReWj-000IAG-H3 Completed
        2019-05-17 16:12:11 SMTP connection from [83.223.113.157]:50124 (TCP/IP connection count = 3)

    The result was that the e-mail did get through to the recipient's inbox. I'd like to know what I can do to change the Exim settings so that the message is blocked but no error is sent to the sender letting them know that the message was unsuccessful. If you could help me, that would be great :0) Kind regards James
    0
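The log posted above already contains the answer to "is my blackhole working?": the only delivery line for 1hReWj-000IAG-H3 is `=> info R=virtual_user`, so the message was routed by cPanel's normal virtual_user router and the reject_domains router never handled it. When a redirect router does discard a message, Exim records the delivery as `=> :blackhole: <recipient> R=<router>`, so the router name in the `R=` field is the thing to check. The following script is an added example, not code from the thread or from cPanel: it correlates `<=` arrival lines with `=>` delivery lines by message ID, reads a one-domain-per-line blacklist in the shape of /etc/eximblacklist, and reports which blacklisted senders were blackholed by the expected router and which were actually delivered. The sample log reuses the lines from the post above plus constructed lines for a second, correctly blackholed message; the second domain (spammer.example) and the recipient address are constructed.

```python
"""Audit exim_mainlog: were blacklisted senders blackholed or delivered?"""
import re
from collections import defaultdict

# Constructed sample. The first four lines reproduce the log posted in the
# thread; the last three are constructed to show what a message discarded by
# a redirect router looks like in the same log format.
SAMPLE_LOG = """\
2019-05-17 16:12:11 1hReWj-000IAG-H3 H=cp162175.hpdns.net [91.238.162.175]:44076 Warning: "SpamAssassin as jtgroupco detected message as NOT spam (0.7)"
2019-05-17 16:12:11 1hReWj-000IAG-H3 <= sending@address.com H=cp162175.hpdns.net [91.238.162.175]:44076 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3895 id=a1$
2019-05-17 16:12:11 1hReWj-000IAG-H3 => info R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 aInZB0vP3lziBgEA8OEBAg Saved"
2019-05-17 16:12:11 1hReWj-000IAG-H3 Completed
2019-05-17 16:13:02 1hReXY-000IAH-Q1 <= other@spammer.example H=mx.spammer.example [203.0.113.9]:50231 P=esmtps S=4102 id=b2
2019-05-17 16:13:02 1hReXY-000IAH-Q1 => :blackhole: <info@mydomain.example> R=reject_domains
2019-05-17 16:13:02 1hReXY-000IAH-Q1 Completed
"""

# Constructed blacklist in the one-domain-per-line shape of /etc/eximblacklist.
BLACKLIST_TEXT = """\
# domains whose mail must be discarded
address.com
spammer.example
"""

# Exim message IDs are three base-62 groups: 6-6-2 characters.
_MSG_ID = r"(?P<ts>\S+ \S+) (?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
ARRIVAL = re.compile(_MSG_ID + r"<= (?P<sender><>|\S+)")
# A blackholed delivery is logged as "=> :blackhole: <addr> R=router";
# a real delivery as "=> local_part R=router T=transport ...".
DELIVERY = re.compile(_MSG_ID + r"=> (?P<target>:blackhole: <[^>]*>|\S+) R=(?P<router>\S+)")


def load_blacklist(text):
    """Parse a one-domain-per-line list; '#' comments and blank lines are skipped."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.add(line)
    return domains


def parse_log(text):
    """Return {msg_id: {"sender": envelope sender, "deliveries": [(target, router)]}}."""
    msgs = defaultdict(lambda: {"sender": None, "deliveries": []})
    for line in text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msgs[m["id"]]["sender"] = m["sender"].lower()
            continue
        m = DELIVERY.match(line)
        if m:
            msgs[m["id"]]["deliveries"].append((m["target"], m["router"]))
    return dict(msgs)


def sender_domain(sender):
    """'user@example.com' -> 'example.com'; the null sender '<>' has no domain."""
    return sender.rsplit("@", 1)[-1] if "@" in sender else ""


def audit(log_text, blacklist_text, blackhole_router):
    """Classify every message whose sender domain is on the blacklist.

    Verdicts: "blackholed" (every delivery was :blackhole: via blackhole_router),
    "blackholed_by:<routers>" (discarded, but by some other router),
    "delivered:<routers>" (reached a mailbox or remote host), or
    "no_delivery_logged" (still queued, or delivery lines not in this excerpt).
    """
    blocked = load_blacklist(blacklist_text)
    verdicts = {}
    for msg_id, info in parse_log(log_text).items():
        if info["sender"] is None or sender_domain(info["sender"]) not in blocked:
            continue
        deliveries = info["deliveries"]
        if not deliveries:
            verdicts[msg_id] = "no_delivery_logged"
            continue
        holes = [r for t, r in deliveries if t.startswith(":blackhole:")]
        real = sorted({r for t, r in deliveries if not t.startswith(":blackhole:")})
        if real:
            verdicts[msg_id] = "delivered:" + ",".join(real)
        elif all(r == blackhole_router for r in holes):
            verdicts[msg_id] = "blackholed"
        else:
            verdicts[msg_id] = "blackholed_by:" + ",".join(sorted(set(holes)))
    return verdicts


if __name__ == "__main__":
    for msg_id, verdict in sorted(audit(SAMPLE_LOG, BLACKLIST_TEXT, "reject_domains").items()):
        print(f"{msg_id}  {verdict}")
```

Run against the real log with `python3 audit.py` after swapping SAMPLE_LOG for `open("/var/log/exim_mainlog").read()` and BLACKLIST_TEXT for the contents of /etc/eximblacklist. A "delivered:virtual_user" verdict means the blackhole router is either placed after the router that accepted the message or does not match it at all. One caveat worth checking in the posted router: a router's `domains` precondition is matched against the recipient's domain, not the sender's, so a domain list of spam senders will never match inbound mail to your own domains; the `senders` precondition (or a `condition` on `$sender_address_domain`) is what selects by sender.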
  • cPanelLauren
    Hi @jtgroup In this instance it doesn't look like the email is getting flagged at all by the filter. Can you tell me the exact steps you took to create this? This is entirely different from the initially suggested advice as well. For editing the actual exim configuration, you should go over the documentation here: How to Edit the exim.conf File - cPanel Knowledge Base - cPanel Documentation
    0
  • jtgroup
    Hi @cPanelLauren, The steps I followed are these ones: hostingmatters.co.uk/support/help-guides/86-server-management/46-whm-block-server-from-receiving-e-mails-from-particular-domains Kind regards James
    0
  • cPanelLauren
    Hi @jtgroup Troubleshooting 3rd party customizations like this is a bit beyond our ability to support, but you might also try sending the mail to /dev/null, which has essentially the same function as blackhole. I'm resending Exim's documentation on the redirect router, which is extremely useful.
    0
  • jtgroup
    Hi @cPanelLauren, I've taken a look and tried various changes to the 'data = :fail: Connection rejected: $domain is manually blacklisted.' line of code, but nothing else works. I cannot seem to get the messages to blackhole. Does anyone have any ideas? Kind regards James
    0
  • cPanelLauren
    Hi @jtgroup Per the exim documentation, you should be able to use blackhole or /dev/null, as blackhole behaves a bit differently; more than likely it's a matter of configuration. A great resource for exim configuration/modifications would be the exim-users mailing list, which you can find here: Exim-users Info Page. You might also look to enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums Thanks!
    0
