What is the best practice to ban the spammers?

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

What is the best practice to ban the spammers?

Post by DrmCa » 2012-04-19 02:05

I have collected the IP addresses of the spammers who send to my users by adding them to my firewall.
However, there are legitimate senders on some of those SMTP hosts and some of the IPs are legitimate destinations for my users.
How should I ban the spammers in those cases using hmailserver admin?

mattg
Moderator
Posts: 21189
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: What is the best practice to ban the spammers?

Post by mattg » 2012-04-19 12:06

banning them in hmailserver is still banning them.

What version of hMailserver are you using?
Do you have autoban set? If so what are your settings?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-04-19 14:33

latest version of hmailserver. I am not banning them on hmailserver like I said. Don't have any settings for banning. The purpose of this thread is to get information, not to supply it.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: What is the best practice to ban the spammers?

Post by dzekas » 2012-04-19 17:51

DrmCa wrote: by adding them to my firewall
works if you want to deny any connectivity. Maintaining your own RBL service might be better if you have more than one server, or if your list of IP addresses is long enough and you want to be able to understand your firewall rules.
DrmCa wrote: However, there are legitimate senders on some of those SMTP hosts
Then you can only filter them by sender address or ask the server admin to boot spammers off their server.
DrmCa wrote: some of the IPs are legitimate destinations for my users
Incoming SMTP traffic is blocked with rules that don't block outgoing SMTP traffic.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-04-19 20:43

So far I've tried turning on dns blacklisters - that did not do much good, spam still coming.
I've started adding the typical subject lines to the Rules section - such as viagra, penis enlargement etc. That really thinned the spam traffic.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: What is the best practice to ban the spammers?

Post by dzekas » 2012-04-19 21:06

DrmCa wrote:So far I've tried turning on dns blacklisters - that did not do much good, spam still coming.
I've started adding the typical subject lines to the Rules section - such as viagra, penis enlargement etc. That really thinned the spam traffic.
Check ip address in http://blacklistalert.org/ before turning on rbls. Plus my point was that you can run your own rbl instead of putting spammer's ip addresses in firewall.

Check email in spamassassin. You can check how it scores your spam without turning it on in hmailserver.

Don't know which rbl you are using, but CBL or spamhaus cut out lots of connections.

Simple check in logs. 100190 blocked by rbl / 226924 total. Number did go down from 70-90% of blocked connections about 2 years ago.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: What is the best practice to ban the spammers?

Post by ^DooM^ » 2012-04-19 23:58

Enable Greylisting. It delays legitimate email for a short time but really helps with spam. You don't notice the delay on email unless you are waiting for an email. It's livable. I have been using it for many years and refuse to turn it off.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

mattg
Moderator
Posts: 21189
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: What is the best practice to ban the spammers?

Post by mattg » 2012-04-20 13:53

DrmCa wrote:I am not banning them on hmailserver like I said. Don't have any settings for banning.
earlier you wrote
DrmCa wrote:How should I ban the spammers in those cases using hmailserver admin?
and I replied
mattg wrote:banning them in hmailserver is still banning them.
DrmCa wrote:The purpose of this thread is to get information, not to supply it.
If I can't get some fairly basic information, then I have to guess. That's pretty pointless.
Autoban is a relatively new feature of hMailserver, that's why I asked.

Autoban is far more effective in banning a single user rather than a whole domain (which you do when you ban an IP at the firewall).
I was simply answering your questions, and ensuring that you were using a recent version.

No need to make smart alec comments

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-04-20 16:07

matt,

I don't get you at all. You asked me how I was banning spammers on hmailserver and I replied that I was not. Indeed, I did nothing at all to ban them on hmailserver at that moment. Not sure why that did not come across.

As I understand, and correct me if I am wrong, Autoban would work if someone tried to use my server to send spam. That's not what I am concerned about. I am concerned that my internal users are receiving spam from outside.

mattg
Moderator
Posts: 21189
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: What is the best practice to ban the spammers?

Post by mattg » 2012-04-21 15:03

Yes I understand that you were NOT using hMailserver to ban.
I thought that you were asking HOW to do that.
DrmCa wrote:How should I ban the spammers in those cases using hmailserver admin?
You are correct when you say
DrmCa wrote:As I understand, and correct me if I am wrong, Autoban would work if someone tried to use my server to send spam. That's not what I am concerned about. I am concerned that my internal users are receiving spam from outside.
But now I'm confused.
Why would you ban IP of senders of SPAM, even just at your firewall?


Sorry for the confusion
As Doom says use greylisting

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-26 23:40

Gentlemen:

Question about the rules, if you don't mind! As stated above, I now have a global rule with OR that deletes messages that contain certain keywords, including

Code:
'From Contains vigara'

and

Code:
'Subject Contains vigara'
(that's on top of the same set with the word viagra spelled correctly). But I still received the message below. What is wrong with my rule that it allowed the message to be delivered?

Code:

From - Sat May 26 17:28:40 2012
X-Account-Key: account5
X-UIDL: 1538
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-Path: lkwosu@qbij.com
Received: from [190.252.104.171] ([190.252.104.171])
	by mail.DOMAIN.ca
	; Sat, 26 May 2012 12:20:12 -0400
Message-ID: <CAD2FDE8-AAD3-441D-AC49-E8907009714D@mail.DOMAIN.ca>
To: <sales@DOMAIN.ca>
Subject: PURCHASE CILAIS & VIGARA -60% Discount! 1 day delivery! 
From: "Purchase_Vigara Today" <lkwosu@qbij.com>
Date: Sat, 26 May 2012 16:18:13 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: IPS PHP Mailer
MIME-Version: 1.0
Content-type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <20120526112005.70315232q033@pyimpxpdupn>

yoni5002
Normal user
Posts: 36
Joined: 2010-07-13 15:04

Re: What is the best practice to ban the spammers?

Post by yoni5002 » 2012-05-27 00:36

I've been running hMailServer with spamassassin, DNSbl and Greylisting with really good results... I remember I found a few good posts here about it some time ago. A search in the board will give you some good hints. I kept spam for a long time trying to decide whether to go with a MySQL database and give users the option to set their own filters or not but ended up just going the easy way. I have a folder to which all spam is reported into and 3 bat files to run as scheduled tasks every night.

Learn Spam:
sa-learn-spam.bat
---------------------
@echo off
sa-learn.exe --spam "D:\sa\SPAM\spam\*"
del /q D:\sa\SPAM\spam\*.*
exit

Learn Ham:
sa-learn-ham.bat
@echo off
sa-learn.exe --ham "D:\sa\SPAM\ham\*"
del /q D:\sa\SPAM\ham\*.*
exit

Updates:
sa-update.bat
--------------------
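rem --nogpg skips GPG signature verification of the downloaded rule updates.
sa-update.exe -v --nogpg --channelfile UpdateChannels.txt
rem Exit with an error if the updated rules file is not present afterwards.
if NOT EXIST .\share\3.003001\updates_spamassassin_org.cf EXIT /B 1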

After training Spamassassin with all those messages I kept and the ones reported by users I rarely get to see spam which is brave to say :D

mattg
Moderator
Posts: 21189
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: What is the best practice to ban the spammers?

Post by mattg » 2012-05-27 02:32

DrmCa wrote:Gentlemen:

Question about the rules, if you don't mind! As stated above, I now have a global rule with OR that deletes messages that contain certain keywords, including

Code:
'From Contains vigara'

and

Code:
'Subject Contains vigara'
(that's on top of the same set with the word viagra spelled correctly). But I still received the message below. What is wrong with my rule that it allowed the message to be delivered?
Perhaps the capital VIGARA is different to the lower case vigara

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-27 20:57

mattg wrote:
DrmCa wrote:Gentlemen:

Question about the rules, if you don't mind! As stated above, I now have a global rule with OR that deletes messages that contain certain keywords, including

Code:
'From Contains vigara'

and

Code:
'Subject Contains vigara'
(that's on top of the same set with the word viagra spelled correctly). But I still received the message below. What is wrong with my rule that it allowed the message to be delivered?
Perhaps the capital VIGARA is different to the lower case vigara
Oh, boy! So the rules are case sensitive? What for, for god's sake?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: What is the best practice to ban the spammers?

Post by Bill48105 » 2012-05-27 21:02

DrmCa wrote:Oh, boy! So the rules are case sensitive? What for, for god's sake?
Don't get yer panties in a bunch, for performance I'm sure it is just a simple string compare! If you want to have more control do a regular expression! Obviously it'll do more work.
Bill

EDIT: I just checked & according to the test option on the rules screen it should not be case sensitive for contains.. Test & TEST show match..
http://www.hmailserver.com/documentatio ... rence_rule
Either way if you want more control do regular expression but be sure to test your patterns.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-27 21:13

Ok, so if I have contains and it does not work - it's a bug. Correct me if I am wrong.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: What is the best practice to ban the spammers?

Post by Bill48105 » 2012-05-27 22:04

DrmCa wrote:Ok, so if I have contains and it does not work - it's a bug. Correct me if I am wrong.
Not likely. can't believe you'd be only person to run into it. contains in rules is super common & used by many. Most likely explanation is you are assuming wrong string (very common with spam since spammers love to replace letters with look-alikes & why string filters are about worthless) and also very common & possible for the string to be encoded somehow. Here is an example:
Subject: 2 =?GB2312?B?Lc7StcTBqs+1t73KvdLRuMQ=?= 7
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***
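
Added example, not part of Bill48105's post and not hMailServer's rule engine: a Python check that runs "contains" keyword tests against both the raw and the decoded form of a message, which shows how an RFC 2047 encoded Subject or a quoted-printable body can hide a keyword from a plain string compare. The sample message is constructed, and the function names and criteria list are assumptions made for the illustration.

```python
import base64
import email
from email.header import decode_header, make_header


def build_sample():
    """Constructed message: base64 encoded-word Subject and a quoted-printable
    body whose soft line break ("=" at end of line) splits a keyword."""
    subject = base64.b64encode("PURCHASE VIGARA -60%".encode("latin-1")).decode("ascii")
    return (
        'From: "Purchase_Vigara Today" <promo@example.test>\r\n'
        "To: <sales@example.test>\r\n"
        f"Subject: =?iso-8859-1?B?{subject}?=\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: text/plain; charset="iso-8859-1"\r\n'
        "Content-Transfer-Encoding: quoted-printable\r\n"
        "\r\n"
        "Rejoignez Kings Pal=\r\n"
        "ace et =E9clatez vous.\r\n"
    ).encode("ascii")


def decoded_header(msg, name):
    """Header value with RFC 2047 encoded-words turned back into text."""
    raw = str(msg.get(name, ""))
    return str(make_header(decode_header(raw)))


def decoded_body(msg):
    """Text parts with the transfer encoding (base64 / quoted-printable) undone."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            chunks.append(payload.decode(charset, errors="replace"))
        except LookupError:  # unknown charset label in the message
            chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks)


def contains(haystack, needle):
    """Case-insensitive substring test."""
    return needle.casefold() in haystack.casefold()


def match_report(raw, criteria):
    """For each (field, keyword) pair, report whether the keyword is found in
    the bytes as transmitted ("raw") and in the decoded text ("decoded")."""
    msg = email.message_from_bytes(raw)
    raw_body = raw.partition(b"\r\n\r\n")[2].decode("latin-1")
    views = {
        "From": (str(msg.get("From", "")), decoded_header(msg, "From")),
        "Subject": (str(msg.get("Subject", "")), decoded_header(msg, "Subject")),
        "Body": (raw_body, decoded_body(msg)),
    }
    return {
        (field, keyword): {
            "raw": contains(views[field][0], keyword),
            "decoded": contains(views[field][1], keyword),
        }
        for field, keyword in criteria
    }


# Hypothetical criteria modelled on the keyword tests discussed in the thread.
CRITERIA = [("From", "vigara"), ("Subject", "vigara"), ("Body", "Kings Palace")]

if __name__ == "__main__":
    for key, result in match_report(build_sample(), CRITERIA).items():
        print(key, result)
```

Running the same report over the original .eml file from the server's data directory, rather than a copy pasted from the mail client, shows whether a keyword is present in the bytes the server actually received.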

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-28 14:37

I've provided message source above :roll:
Your theory would explain why subject contains failed, but how do you explain from contains failure?
Is it possible that the # of tests per rule is limited? Perhaps I should create many rules with few tests instead of one rule with many tests?
Bill48105 wrote:
DrmCa wrote:Ok, so if I have contains and it does not work - it's a bug. Correct me if I am wrong.
Not likely. can't believe you'd be only person to run into it. contains in rules is super common & used by many. Most likely explanation is you are assuming wrong string (very common with spam since spammers love to replace letters with look-alikes & why string filters are about worthless) and also very common & possible for the string to be encoded somehow. Here is an example:
Subject: 2 =?GB2312?B?Lc7StcTBqs+1t73KvdLRuMQ=?= 7
Bill

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: What is the best practice to ban the spammers?

Post by Bill48105 » 2012-05-28 15:20

DrmCa wrote:I've provided message source above :roll:
Your theory would explain why subject contains failed, but how do you explain from contains failure?
Is it possible that the # of tests per rule is limited? Perhaps I should create many rules with few tests instead of one rule with many tests?
I was giving you example explanations, doesn't mean there are not others or those don't apply. Besides you didn't provide raw original email file, you copied/pasted between 2 mediums which often results in unreliable results with strange/different charsets etc. YOU are the one having the problem that you are asking for help with & we can't help without providing educated guesses on what's going on especially without every bit of info about your situation. Odds are it is something stupid you'll kick yourself over but we can't get there unless you cooperate.

Anyway I know of no rule limit except they eval in order but yes you could try breaking it up to test & see where it's falling thru at. Another option is to give us the exact rules from backup XML or sql dump so we can see what you are actually using & not read what you claim you are. Same goes with actual raw email you know is having problems and logs etc. Unless we can duplicate it here or it is obvious we can only guess based on info you provide.
Bill

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-28 15:36

Bill48105 wrote:Another option is to give us the exact rules from backup XML or sql dump so we can see what you are actually using & not read what you claim you are. Same goes with actual raw email you know is having problems and logs etc. Unless we can duplicate it here or it is obvious we can only guess based on info you provide.
Bill
If you can provide specific instructions for both, I'll try to provide the requested.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: What is the best practice to ban the spammers?

Post by Bill48105 » 2012-05-28 18:17

DrmCa wrote:If you can provide specific instructions for both, I'll try to provide the requested.
The simplest way is to run a backup using hmail's internal backup option in the admin BUT with most builds of hmail you will have issues if you have over like 1G of emails. Newer builds let you get past that or disable the option to backup emails at all (just database gets backed up) but it'll depend on what build you are using.

In terms of dumping your SQL config, that depends on what SQL/database you are using. A starting point would be one of these:
http://www.hmailserver.com/documentatio ... t_to_mssql
http://www.hmailserver.com/documentatio ... t_to_mysql
Essentially you need tools to connect to your hmail database to do a dump of your hmail tables.

Once you have the backup/dump then you find the rules & give those to us to look at. (I do wish it was easier to export rules for support but it hasn't been added yet)
Bill

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-28 22:27

Code:

	<Rules>
		<Rule Name="Spam global" Active="1" UseAND="0" SortOrder="1" >
			<RuleCriterias>
				<Criteria MatchString="penis" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="viagra" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="casino" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="luxury replicas" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="Augmentez votre fortune" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="weight loss" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="doggie style" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="investment opportunit" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="prescription" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="kiev.ua" FieldType="1" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="arrest record" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="Linkedin" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="BBB assistance Re: Case" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="FW:You just sent a payment to" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="why did you put this photo online" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="DHL Package delivery status" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="kingspalace.com" FieldType="5" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="RE:You HAVE to check this photo in attachment man" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="Job Opening:  We are currently hiring and looking for" FieldType="5" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="Kings Palace" FieldType="1" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="vigara" FieldType="4" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="vigara" FieldType="1" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="viagra" FieldType="1" MatchType="2" HeaderField="" UsePredefinedField="1" />
				<Criteria MatchString="penis" FieldType="1" MatchType="2" HeaderField="" UsePredefinedField="1" />
			</RuleCriterias>
			<RuleActions>
				<Action Type="1" Subject="" Body="" FromAddress="" FromName="" IMAPFolder="" FileName="" To="" ScriptFunction="" SortOrder="1" Header="" Value="" RouteID="0" />
			</RuleActions>
		</Rule>
	</Rules>

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: What is the best practice to ban the spammers?

Post by Bill48105 » 2012-05-29 02:08

DrmCa,
I don't see anything that jumps out at me at 1st glance but at least that gives us ability to do some testing & try to duplicate issue here. Do you have original EML file available? I do wonder if maybe the rules with : in them could be causing an issue.. Otherwise not sure without doing some testing here.
Thx
Bill

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-29 04:44

The email has been received, I can only copy paste the same headers as above. What I see in the email client's file is the same string as showing above. There are other emails with encoded tags, but this one is not encoded.
Since posting the rules I've created another one which checks body for the words 'Kings Palace' and received the following since:

Code:

From - Mon May 28 22:42:33 2012
X-Account-Key: account5
X-UIDL: 1544
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-Path: no-reply@markivauto.com
Received: from markivauto.com ([46.159.2.232]) by mail.DOMAIN.ca ; Mon, 28 May
 2012 22:10:33 -0400
Date: Tue, 29 May 2012 03:10:31 +0100
Message-ID: <532281173162.66857452306270@markivauto.com>
From: no-reply <no-reply@alcaweb.org>
To: <sales@DOMAIN.ca>
Subject: Gagnez sans risque maintenant.
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Rejected by SURBL. - (Score: 3)
X-hMailServer-Reason-2: Rejected by Spamhaus. - (Score: 3)
X-hMailServer-Reason-Score: 6

Recevez enfin un traitement digne d'un joueur V.I.P.

Rejoignez Kings Palace et =E9clatez vous r=E9ellement dans un lieu super.

http://www.kproyalebets.com/

The rule should have been triggered, but it has not been.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-29 14:24

As more spam previously blocked has arrived, I've restarted the service which was up since Apr 10.
There must be something wrong with the rules, as I know they used to block those spam items. Perhaps the long running server lost the pointers to them.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-29 19:37

I just don't get it. When I am testing the rules, they capture 'vigara' in the subject or body. But the spam still bypasses the rule. There is something special about that 'vigara' spam that I just can't differentiate. What am I doing wrong?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: What is the best practice to ban the spammers?

Post by Bill48105 » 2012-05-29 19:52

DrmCa wrote:I just don't get it. When I am testing the rules, they capture 'vigara' in the subject or body. But the spam still bypasses the rule. There is something special about that 'vigara' spam that I just can't differentiate. What am I doing wrong?
LOL maybe your server is trying to tell you something "You need this viagra Bud.." :D

I'm sure there is a logical explanation just need to track it down. IP ranges are about the only place you can differentiate spam/av etc per IP which might explain it (you testing would be different IP than spammer) but rules should run either way. Even if AUTH'd or not global rules should run.

Compare the logs for when you test vs when spammer sent it, maybe something will show as different. Possible you have more than 1 global rule & an earlier rule is triggering a skip of later ones?
Bill

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: What is the best practice to ban the spammers?

Post by dzekas » 2012-05-29 20:04

DrmCa wrote:The email has been received, I can only copy paste the same headers as above. What I see in the email client's file is the same string as showing above. There are other emails with encoded tags, but this one is not encoded.
Since posting the rules I've created another one which checks body for the words 'Kings Palace' and received the following
Sender's server is on CBL and two ZEN spamhaus blocklists. Check your RBL configuration before you try to fight spam with rules.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-30 16:41

dzekas wrote:Sender's server is on CBL and two ZEN spamhaus blocklists. Check your RBL configuration before you try to fight spam with rules.
What does that mean in terms of instructions? I am not an IT person, just running a small business.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-30 16:42

Bill48105 wrote:I'm sure there is a logical explanation just need to track it down. IP ranges are about the only place you can differentiate spam/av etc per IP which might explain it (you testing would be different IP than spammer) but rules should run either way. Even if AUTH'd or not global rules should run.
Compare the logs for when you test vs when spammer sent it, maybe something will show as different. Possible you have more than 1 global rule & an earlier rule is triggering a skip of later ones?
Bill
The difference in the logs is that one email is deleted while another is not. There is nothing else. And I don't have any permissive rules, only the rules that delete.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: What is the best practice to ban the spammers?

Post by dzekas » 2012-05-30 18:37

DrmCa wrote:
dzekas wrote:Sender's server is on CBL and two ZEN spamhaus blocklists. Check your RBL configuration before you try to fight spam with rules.
What does that mean in terms of instructions? I am not an IT person, just running a small business.
See http://www.hmailserver.com/documentatio ... sblacklist

cbl.abuseat.org and spamhaus.org are conservative blacklists. If you had any of them configured in hmailserver, sender should be rejected before it starts feeding any emails to your server.

http://cbl.abuseat.org/lookup.cgi?ip=46.159.2.232 (host sends spam to spamtraps, probably trojaned windows machine turned into spambot)

http://www.spamhaus.org/query/bl?ip=46.159.2.232 (XBL shares info with CBL. PBL lists hosts that are not supposed to send emails to other servers)

Your first line of defense is RBL, firewall and greylisting. RBLs act similar to firewalls, but blacklist is maintained in some central location and information about spammers is shared between multiple servers. Your second line of defense is content scanners like spamassassin. Rules are final line of defense. Use multilayered defense instead of relying on your last defense line. Single line of defense stopped working in the first world war and people didn't defend that way even in middle ages.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: What is the best practice to ban the spammers?

Post by DrmCa » 2012-05-30 20:22

dzekas wrote:cbl.abuseat.org and spamhaus.org are conservative blacklists. If you had any of them configured in hmailserver, sender should be rejected before it starts feeding any emails to your server.
Both seem to be enabled, and they give score 3 each with total spam score of 6, but there is no rejection occurring.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: What is the best practice to ban the spammers?

Post by dzekas » 2012-05-30 20:35

DrmCa wrote:
dzekas wrote:cbl.abuseat.org and spamhaus.org are conservative blacklists. If you had any of them configured in hmailserver, sender should be rejected before it starts feeding any emails to your server.
Both seem to be enabled, and they give score 3 each with total spam score of 6, but there is no rejection occurring.
Hm. I am used to different RBL behavior. If you use zen.spamhaus.org, could increase its score to the point where its listing causes rejection and disable cbl.abuseat.org. CBL is included in zen.spamhaus.org listing. You don't have to check both of them.
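
Added example, not from the thread and not hMailServer code, covering the RBL lookup and the scoring discussed in the posts above: how an IPv4 address becomes a blacklist query name, how the 127.0.0.x answers are read, and why two listings worth 3 points each only mark a message while a single listing weighted at the delete threshold rejects it. The resolver is a stub with constructed answers for documentation addresses so the code runs offline; the thresholds (mark at 5, delete at 20) and all function names are assumptions.

```python
import ipaddress
import socket

# Subset of the return codes published for zen.spamhaus.org.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.4": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # error codes, not listings

# Constructed answers for documentation (TEST-NET) addresses.
CONSTRUCTED_ANSWERS = {
    "232.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "232.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
    "10.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}


def stub_resolve(name):
    """Offline stand-in for a DNS A lookup; [] stands for NXDOMAIN (not listed)."""
    return CONSTRUCTED_ANSWERS.get(name, [])


def system_resolve(name):
    """Live lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.232 -> 232.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listings(ip, zone, resolve):
    """Answers that count as a listing: inside 127.0.0.0/8, outside the error range."""
    hits = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        addr = ipaddress.ip_address(answer)
        if addr in LISTED_NET and addr not in ERROR_NET:
            hits.append(answer)
    return hits


def zen_labels(answers):
    """Names of the ZEN component lists behind a set of answers."""
    return sorted({ZEN_CODES.get(a, a) for a in answers})


def evaluate(ip, zones, resolve, mark_threshold=5, delete_threshold=20):
    """Add the configured points of every zone that lists the IP and compare
    the total with the (assumed) mark and delete thresholds."""
    score, reasons = 0, []
    for zone, points in zones:
        hits = listings(ip, zone, resolve)
        if hits:
            score += points
            reasons.append((zone, hits))
    if score >= delete_threshold:
        verdict = "reject"
    elif score >= mark_threshold:
        verdict = "mark"      # delivered, but flagged as spam
    else:
        verdict = "accept"
    return score, verdict, reasons


if __name__ == "__main__":
    ip = "192.0.2.232"
    # Two lists at 3 points each: total 6, marked but still delivered.
    print(evaluate(ip, [("zen.spamhaus.org", 3), ("cbl.abuseat.org", 3)], stub_resolve))
    # ZEN alone, weighted at the delete threshold: rejected.
    print(evaluate(ip, [("zen.spamhaus.org", 20)], stub_resolve))
    print(zen_labels(listings(ip, "zen.spamhaus.org", stub_resolve)))
```

For live lookups pass `system_resolve` instead of `stub_resolve`. Answers in the 127.255.255.x range are error codes (for example when the query arrives through a public resolver), which is why they are not counted as listings.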

Thomas Parvais
Normal user
Posts: 111
Joined: 2004-12-17 12:21

Re: What is the best practice to ban the spammers?

Post by Thomas Parvais » 2012-07-21 10:21

Yoni,

How do you manage with hmailserver to write all spam and ham in these directories ?

The user moves itself the spam email in spam imap folder, but then how to write on disk ?

Thank you
yoni5002 wrote:I've been running hMailServer with spamassassin, DNSbl and Greylisting with really good results... I remember I found a few good posts here about it some time ago. A search in the board will give you some good hints. I kept spam for a long time trying to decide whether to go with a MySQL database and give users the option to set their own filters or not but ended up just going the easy way. I have a folder to which all spam is reported into and 3 bat files to run as scheduled tasks every night.

Learn Spam:
sa-learn-spam.bat
---------------------
@echo off
sa-learn.exe --spam "D:\sa\SPAM\spam\*"
del /q D:\sa\SPAM\spam\*.*
exit

Learn Ham:
sa-learn-ham.bat
@echo off
sa-learn.exe --ham "D:\sa\SPAM\ham\*"
del /q D:\sa\SPAM\ham\*.*
exit

Updates:
sa-update.bat
--------------------
sa-update.exe -v --nogpg --channelfile UpdateChannels.txt
if NOT EXIST .\share\3.003001\updates_spamassassin_org.cf EXIT /B 1

After training Spamassassin with all those messages I kept and the ones reported by users I rarely get to see spam which is brave to say :D
Interested in Law & new technologies?
Visit http://www.droit-technologie.org
