1) Since verification is now done on the RCPT stage, make the default catch-all to :fail: , not :blackhole: . For new accounts, change the settings in the “tweak settings” from WHM. For existing accounts, see script below.
The reasons are:
1. :blackhole: accepts the email and receives it, then sends it to /dev/null. This wastes your bandwidth and actually breaks the SMTP RFC because you’re not notifying the sender that the email is undelivered.
2. :fail: stops the email from being received, because verify = recipient occurs at the RCPT phase of the SMTP exchange before any data has been received. No bounce is sent, the exchange simply termintates with an SMTP error code. This means much less processing resources on your SMTP server, much less bandwidth (you don’t actually receive the email) and you maintain RFC compliance by notifying the senders SMTP server that the delivery failed (which spammers ignore and real people appreciate if they’ve made an addressing mistake).
(Jonathan Michaelson)
ACTION
Script to change all existing catch-all emails from :blackhole: to :fail:
Run this in a different directory than valiases, I recomend your home directory because it will create a backup of the current aliases (just in case)
This also keeps permissions and owners settings.
tar -cf valiases_backup.tar /etc/valiases/*
gzip valiases_backup.tar
files=`find /etc/valiases -type f`
for file in $files
do
cp -p $file $file.tmp
cat /dev/null > $file.tmp
cat $file | sed ‘s/\:blackhole\:/\:fail\:/g’ > $file.tmp
mv $file.tmp $file -f
done
2) Let exim read userdomains!
It happens that eximstats cannot read /etc/userdomains as this fille is owned by root.mail, and smtp records in /var/log/exim_mainlog dont contain the system user so a lookup must be used.
This affects bandwidth measures will improve the accurracy, by including transfers in the users which were previously being counted towards the mailnull or cpanel user.
ACTION
open /etc/passwd with your favourite editor and change this line:
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
to
mailnull:x:47:12::/var/spool/mqueue:/sbin/nologin
3) Fix BFD to properly check the Exim logs
You should already be running APF and BFD.
BFD 0.9 script does not work for me , and it doesnt parse exim logs properly, so I had to hack it.
I would advise you to do the same, if you want to block IP addresses that consistently try to flood your email server and they belong to a spam list
ACTION
In the BFD itself, I changed one line. Here’s the diff:
root@host [/usr/local/bfd]# diff bfd bfd.backup
126c126
< for ihost in `echo $ARG_VAL | tr ' ' '\n' | tr ':' ' ' | awk '{print$1}' | grep -E '[.0-9]+' | sort -u`; do
---
> for ihost in `echo $ARG_VAL | tr ‘ ‘ ‘\n’ | tr ‘:’ ‘ ‘ | awk ‘{print$1}’ | grep -E ‘[.0-9]+’ | uniq`; do
In the rules directory , I changed my exim file and it looks like this now:
REQ=”/usr/sbin/exim”
if [ -f “$REQ” ]; then
LP=”/var/log/exim_mainlog”
TLOG_TF=”exim”
TRIG=”10″
# Max log entries to process at once for this rule
MLOG=2500
## EXIM
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -iw “rejected RCPT” | awk ‘{print$4}’ | tr -d ‘[]’ | tr ‘:’ ‘ ‘ | awk ‘{print$1}’ | grep -E ‘^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$’ | tail -n $MLOG`
fi
I have also setup BFD to run once a minute, with minimal performance impact.
DISCUSSION
I found that uniq doesnt really uniq the list down, but simply uniques lines that are consecutively repeated. So it will change this:
192.168.0.1
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.1
into this:
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.1
when in reality, what we want is this:
192.168.0.1
192.168.0.2
192.168.0.3
which is what sort -u does.
The original exim rules don’t parse my exim log properly, so my exim file placed in the directory rules does the job. I found that the original rule does not take the ip address properly, because it tries to make a match at 192.168.0.1:1312, where in reality we need first to remove the port number (:1312) and then look for an ip address, I also found it lets things like (domain.com) pass, which shouldn’t.
Dealing with SPAM:
More (a lot more) to come, but some links for now: