Adding spam blacklists to Exim


smoore
05-31-2005, 01:31 PM
In case this is useful to anyone, here's how to add spam blacklists to your Exim mail server. This will block many spammers at the SMTP level, which avoids using server resources to process them further. It could, however, block some legitimate e-mail, so if you have clients you may want to ensure that's what they all want. The two blacklists below are not as aggressive as some (e.g. Spamcop/SPEWS).

1. Go to WHM and select Exim Configuration Editor
2. Click on Switch to Advanced Mode
3. Find where there are 3 entry boxes in a row, go into the middle one that already has text in it
4. Right after the statement "accept hosts = :", add the following:

    drop    dnslists = sbl-xbl.spamhaus.org : \
                       list.dsbl.org
            message = REJECTED - Host $sender_host_address is listed in $dnslist_domain=$dnslist_value - $dnslist_text
            log_message = match $dnslist_domain

5. Click Save

6. Send a test mail (from your server's SMTP) to nelson-sbl-test@crynwr.com and wait for it to send test results.

7. Monitor /var/log/exim_rejectlog to see what's actually being rejected.

Here's a much more aggressive list I use personally, as I don't resell. Before using it, I'd recommend you research what each one does, and monitor your logs periodically to ensure they are still working.

    drop    dnslists = sbl-xbl.spamhaus.org : \
                       list.dsbl.org : \
                       web.dnsbl.sorbs.net : \
                       misc.dnsbl.sorbs.net : \
                       http.dnsbl.sorbs.net : \
                       smtp.dnsbl.sorbs.net : \
                       korea.services.net : \
                       dul.dnsbl.sorbs.net
            message = REJECTED - Host $sender_host_address is listed in $dnslist_domain=$dnslist_value - $dnslist_text
            log_message = match $dnslist_domain

[Edited to update last section with different SBL list]
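Step 7 of the post above says to watch /var/log/exim_rejectlog, and the post also warns that a list can silently stop working. The script below is an added example, not part of the original post, that turns the reject log into two short tallies (per DNSBL zone and per sending host) and includes a liveness check for a zone. It assumes the reject-log line format quoted later in this thread (`... [ip] F=<sender> rejected RCPT <rcpt>: match <zone>`); the sample log lines are constructed, with RFC 5737 documentation addresses, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what the DNSBL ACL is
# rejecting by reading Exim's reject log (/var/log/exim_rejectlog on cPanel).
# Assumed line format (the one quoted later in the thread):
#   <date> <time> H=(helo) [ip] F=<sender> rejected RCPT <rcpt>: match <zone>

# Constructed sample data in that format. Addresses are RFC 5737
# documentation ranges; they are not real hosts or real listings.
make_sample_rejectlog() {
  cat > "$1" <<'EOF'
2006-04-28 10:49:31 H=(xx) [203.0.113.7] F=<user@example.com> rejected RCPT <user2@example.com>: match list.dsbl.org
2006-04-28 10:50:02 H=(mail) [192.0.2.44] F=<spam@example.net> rejected RCPT <bob@example.com>: match sbl-xbl.spamhaus.org
2006-04-28 10:51:17 H=(mail) [192.0.2.44] F=<spam@example.net> rejected RCPT <carol@example.com>: match sbl-xbl.spamhaus.org
2006-04-28 10:51:58 H=(mail) [192.0.2.44] F=<spam@example.net> rejected RCPT <dan@example.com>: match sbl-xbl.spamhaus.org
2006-04-28 10:52:40 H=(relay) [198.51.100.9] F=<x@example.org> rejected RCPT <erin@example.com>: match list.dsbl.org
2006-04-28 10:53:05 H=(host) [198.51.100.9] F=<x@example.org> rejected RCPT <erin@example.com>: Sender verify failed
EOF
}

# Rejections per DNSBL zone ("count zone", busiest first). A zone that no
# longer appears has probably stopped answering; one that suddenly dominates
# may have started answering positively for everything.
rejections_per_list() {
  awk '/: match /{ sub(/.*: match /, ""); n[$1]++ }
       END { for (z in n) print n[z], z }' "$1" | sort -rn
}

# Rejections per sending host ("count ip", busiest first); useful for
# spotting a customer or partner being refused repeatedly.
rejections_per_host() {
  awk '/: match /{ for (i = 1; i <= NF; i++)
                     if ($i ~ /^\[.*]$/) { n[substr($i, 2, length($i) - 2)]++; break } }
       END { for (h in n) print n[h], h }' "$1" | sort -rn
}

# Sanity-check a zone before relying on it (RFC 5782: 127.0.0.2 must be
# listed, 127.0.0.1 must not). Needs DNS, so the sample run does not call it.
dnsbl_sane() {
  host "2.0.0.127.$1" >/dev/null 2>&1 || return 1   # test entry missing: zone dead or unreachable
  host "1.0.0.127.$1" >/dev/null 2>&1 && return 1   # lists everything: would reject all mail
  return 0
}

# Sample run against the constructed log.
log=$(mktemp)
make_sample_rejectlog "$log"
echo "Rejections per list:";  rejections_per_list "$log"
echo "Rejections per host:";  rejections_per_host "$log"
rm -f "$log"
```

On a real server, point `rejections_per_list /var/log/exim_rejectlog` at the live log (or at a rotated copy) and run `dnsbl_sane sbl-xbl.spamhaus.org` for each zone you configure; a zone that fails the second test is the dangerous case, because the `drop` statement would then fire for every connecting host.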

canuck
05-31-2005, 08:07 PM
Sounds interesting and easy to implement. I'm just worried about the fact that it can block some legitimate e-mail.

Anyone else have experience in this field ?

By the way, thanks for this post. I will be watching it closely because this is all new to me and there's so much spam out there.

I enabled SpamAssassin but am not quite convinced that this is the best solution.

smoore
06-01-2005, 12:24 AM
Check out http://www.spamhaus.org/ and http://dsbl.org/main if you want to learn more about the two referenced below. Some ISPs and webhosts use blacklists by default, not sure how many though. I use the VPS only for myself, so it's easier to make the decision, and I put an alternate contact e-mail on my website just in case.

I was kind of forced into this as one of my domains is being hit by spam dictionary attacks from IP addresses all over the world, at a rate of 10-20/minute. I didn't even know it until I went to a VPS and could see the log. While the default :fail: blocks most of it, it still allows the spammers to continue to probe for valid addresses. Since I added the blacklists (including asia) it seems to be dropping, my hope is they periodically clean out domains that are clearly blocking them. If it ever dies down enough maybe I'll remove the blacklists.

Robert
06-01-2005, 01:45 AM
While some lists can get a server blacklisted by coughing the wrong way, lists such as spamhaus and dsbl have been pretty decent. They're used by quite a few mail service providers.

I would say give it a try for a week or so and monitor your customer feedback. If you notice any complaints about mail, you can disable it again. :)

HostVA
06-14-2005, 10:01 PM
Where in the file do I add this part?

    korea.services.net : \
    cn-kr.blackholes.us : \
    taiwan.blackholes.us : \
    hongkong.blackholes.us

I keep getting a configuration error when I add it under the other lines.

Thanks.

smoore
06-14-2005, 10:42 PM
Below is the complete working set of code copied out of my own config file.

    drop    dnslists = sbl-xbl.spamhaus.org : \
                       list.dsbl.org : \
                       korea.services.net : \
                       cn-kr.blackholes.us : \
                       taiwan.blackholes.us : \
                       hongkong.blackholes.us
            message = REJECTED - Host $sender_host_address is listed in $dnslist_domain=$dnslist_value - $dnslist_text
            log_message = match $dnslist_domain

HostVA
06-14-2005, 11:06 PM
Thank you, it works now.

canuck
06-15-2005, 10:12 PM
I am a reseller and I added spamhaus and dsbl to play it safe.

mikelbeck
07-03-2005, 10:28 AM
How do I configure exim to block e-mail from a single IP address?

veena
07-04-2005, 09:02 PM
I believe you can block the IP in apf (/etc/apf/deny_hosts.rules), but it will block all other traffic, if any, from that IP too. apf uses iptables to block the IPs. Otherwise, you can use iptables to block all mail (port 110/25) traffic from that IP.

chief
08-05-2005, 10:56 AM
Is it possible to create a whitelist of IPs for this? I had a false-positive yesterday.

Fred
08-05-2005, 11:20 AM
We shouldn't use a lot of lists.
Just my comment about it.

I tend to stay with SBL and XBL from Spamhaus... because I have one of my servers whose IP is in a whole netblock banned by one list. http://www.spews.org/html/S2688.html
I'm in the phatservers netblock... this isn't funny. So, I imagine I'm not the only one with a netblock blocked by some lists...

Some of the lists are not really maintained or are too strict (like banning a whole netblock)...
This is the case with SPEWS, http://www.spews.org, but there's more!

SBL and XBL from Spamhaus work very well... and I could use only these two without worrying about spam.

Fred
08-05-2005, 11:23 AM
BTW, I think PowerVPS (or its netblock...) is blocked in http://www.blars.org/block.html

Just test your IP on http://www.dnsstuff.com/ and see :)

This is the exact thing I was saying in my previous post... we shouldn't use too many lists... or you could ban e-mails from good people like us.

charles
08-05-2005, 11:28 AM
Blars is on crack. Read his site a little. It's a joke.

TomK
08-05-2005, 11:29 AM
Fred, please be very careful when you make blanket comments like this on the public forums where potential customers read this.

Indeed some blocks are in RBLs and SPEWS (those from ***, etc.), but there should not be any VPS customer IPs listed in any of the RBLs on a /24 basis. Neither the aleron/coi blocks nor anything out of our own /19 space should be listed.

Any of the major blocks in these RBLs (like *** blocks) are there forever and are not coming out, even though we never spammed on them or allow spamming now. We take UCE very seriously and have terminated a few customers for abuses based on this very matter.

TomK
08-05-2005, 11:33 AM
Just to add a PS to this - if a VPS customer has any of their IP's listed in any RBLs, please let us know ASAP - you should not have, and if so, we need to correct this immediately.

Fred
08-05-2005, 11:38 AM
> Fred, please be very careful when you make blanket comments like this on the public forums where potential customers read this.
>
> Indeed some blocks are in RBLs and SPEWS (those from ***, etc.), but there should not be any VPS customer IPs listed in any of the RBLs on a /24 basis. Neither the aleron/coi blocks nor anything out of our own /19 space should be listed.
>
> Any of the major blocks in these RBLs (like *** blocks) are there forever and are not coming out, even though we never spammed on them or allow spamming now. We take UCE very seriously and have terminated a few customers for abuses based on this very matter.

Sorry, I should think first :( I will in the future...
but my limited English didn't help the impression my message gave... and I do understand your concerns... your reply stated all the facts as they are.

TomK
08-05-2005, 11:42 AM
> Sorry, I should think first :( I will in the future...
> but my limited English didn't help the impression my message gave... and I do understand your concerns... your reply stated all the facts as they are.

No problem, and no apology needed! I just wanted to clear up your concern/comments; other "competitors" may point to this thread and try to make an issue out of it, etc. That is all I wanted to make clear.

The good and bad of running public forums I guess!

chief
08-05-2005, 12:35 PM
> SBL and XBL from Spamhaus work very well... and I could use only these two without worrying about spam.

I'm only using the ones suggested in these forums (spamhaus & DSBL). My "false-positive" was not our server, but a friend's server trying to e-mail us. It rejected him. I advised him to e-mail his ISP to get his IP off the blacklist, but my question is can I exclude his IP (or anyone's) from the Spamhaus & DSBL testing?

Thanks.

smoore
08-06-2005, 02:17 AM
I don't know any way to exclude one IP.

In case a legitimate sender gets blocked I added a note in my bounce message that they can visit the website for an alternate e-mail address. On the website I indicate a Google mail account, which in turn forwards to my domain's e-mail account.

By the way, if anyone was using the blackholes.us lists I had in the original post, I started getting DNS lookup errors so stopped using them. I edited my original post to show the list I use now, which is pretty aggressive, but I'm the only user of the VPS and really fed up with the high volume of spam and dictionary attacks.

ZuraX
02-10-2006, 10:03 AM
I just added this. Noticed I don't have a /var/log/exim_rejectlog.
Will this be auto-created?

Also I sent the test e-mail and all that came back was:

> Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
> Please note that this test will not tell you if your server is open for
> relaying. Instead, it tests to see if your server blocks email from IP
> addresses listed in various blocking lists; in this case, the SBL list.

Does this mean it's not working?

smoore
02-13-2006, 01:08 AM
I would guess the reject log would get created automatically once something is rejected; however, I'm not very knowledgeable at the system level, so check with support if it's not showing up.

It looks like that test system via e-mail is not working. It's supposed to show a record of the conversation it had.

asterisk
04-04-2006, 05:07 PM
Another list to consider using apart from the safe two (spamhaus and dsbl) - relays.ordb.org

I am using this myself and they seem to be using a custom-built testing engine plus a frequently updated list (hourly). And in the event an open relay gets fixed, the maximum removal time is 7-10 hours.

Venenoso
04-28-2006, 01:29 PM
> 4. Right after the statement "accept hosts = :", add the following:
>
>     drop    dnslists = sbl-xbl.spamhaus.org : \
>                        list.dsbl.org
>             message = REJECTED - Host $sender_host_address is listed in $dnslist_domain=$dnslist_value - $dnslist_text
>             log_message = match $dnslist_domain
>
> 5. Click Save


I'm trying to use this on my VPS, but some of my customers can't send mail because their ADSL IP (a dynamic IP from their ISP) is blacklisted.

Other users send mail to people in their own domain, but the server rejects the message.

2006-04-28 10:49:31 H=(xx) [201.240.xxx.xxx] F=<user@domain.com.pe> rejected RCPT <user2 of the same domain@domain.com.pe>: match list.dsbl.org

Seems Exim is checking the IP of the end user host and not the IP of the SMTP server?

Any idea to implement this without checking the end user IP?
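Three questions in this thread (mikelbeck's single IP to block, chief's friend's IP to exempt, and the customers on dynamic ADSL addresses refused by their own server just above) all come down to what the drop statement is conditioned on. As posted, the dnslists check runs against every connecting host, including a customer's own PC when it submits mail through the server, and nothing in the posted fragment exempts anyone. The fragment below is an added example, not configuration from the thread or from cPanel: it keeps the thread's two lists and its message/log_message lines, adds a named whitelist and a named blacklist, and skips the DNSBL lookup for SMTP-authenticated clients and whitelisted hosts. The list names, the placement of the hostlist lines in the main configuration section (assumed to be the first box in WHM's advanced editor) and the RFC 5737 addresses are assumptions to adapt.

```exim
# Added example, not the thread's own configuration. Addresses are RFC 5737
# documentation ranges; replace them with your own.

# --- main configuration section (before "begin acl") ---
hostlist dnsbl_whitelist = 192.0.2.10 : 198.51.100.0/24
hostlist local_blacklist = 203.0.113.7

# --- RCPT ACL, after "accept hosts = :" ---
  # Refuse a specific IP regardless of any DNSBL ("block a single IP").
  deny    hosts          = +local_blacklist
          message        = REJECTED - Host $sender_host_address is blocked locally
          log_message    = local blacklist

  # DNSBL check, skipped for SMTP-authenticated clients (customers sending
  # through this server from dynamic IPs) and for whitelisted hosts.
  # "drop" closes the connection after the 5xx; use "deny" to reject only
  # this recipient and let the session continue.
  drop    !authenticated = *
          !hosts         = +dnsbl_whitelist
          dnslists       = sbl-xbl.spamhaus.org : list.dsbl.org
          message        = REJECTED - Host $sender_host_address is listed in $dnslist_domain=$dnslist_value - $dnslist_text
          log_message    = match $dnslist_domain
```

Exim tests a statement's conditions in order and stops at the first one that fails, so the cheap `!authenticated` and `!hosts` tests come first and exempt clients never trigger a DNS lookup. Two caveats: a dnslists lookup that fails or times out is treated as "not listed", so a zone that dies quietly simply stops blocking, whereas a retired zone that starts answering positively for every query would reject all inbound mail, which is why the advice earlier in the thread to keep watching the reject log matters; and customers who relay without SMTP AUTH (for example through a pop-before-smtp host list) are still checked unless that mechanism's hosts are added to the whitelist.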

Rincewind
05-13-2006, 11:48 AM
There is a good tutorial on adding RBLs to Exim on this site: http://www.webhostgear.com/175.html In addition to what is listed in the tutorial here, the webhostgear site includes whitelists, blacklists and bypass lists, so you can whitelist a friend's IP even if he is on an RBL somewhere. Likewise you can add an account to the bypass list should a customer not want RBLs applied to his mail.

Another good tutorial on spam blocking is on the RVSkins site at http://www.rvskin.com/index.php?page=public/antispam called "Spam+Virus Protection for cPanel server using Exim+Exiscan+Clamav+RBL+Spamassassin+SARE+Razor+DCC". I have used this on my servers and it works well. It also has some integration with RVSkin so your customers can change the spam filter settings themselves.

I also use the dictionary spam detector/block (see the tutorial at http://www.configserver.com/free/eximdeny.html ). This is very effective and I wouldn't be without it.