Koozali.org: home of the SME Server

SPAM

Offline gwag

  • 16
  • +0/-0
SPAM
« on: July 24, 2015, 07:11:11 AM »
Seem to be overwhelmed with SPAM. Mostly from new top level domains .link .xyz etc.
Any suggestions on how to eliminate it? Some mails are being filtered but most get thru.
At this point it would be nice just to block them altogether maybe? I tried enabling SFP but it just rejected all mail due to a plugin error, was able to revert sort of thanks to these forums and Stefano's posts.

    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

Thanks for any suggestions.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: SPAM
« Reply #1 on: July 24, 2015, 08:31:03 AM »
gwag

Is your sme server in server & gateway mode or in server only mode ?
If in server only mode, what router/gateway is in front of it & what spam filtering is enabled in the gateway ?

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline gwag

  • 16
  • +0/-0
Re: SPAM
« Reply #2 on: July 28, 2015, 04:34:01 AM »
Server only mode and nothing blocking spam.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: SPAM
« Reply #3 on: July 28, 2015, 06:48:58 AM »
gwag

Quote
Server only mode and nothing blocking spam.

Some of the anti spam measures on sme server are not effective when in server only mode. Better spam control can be achieved if your sme server is in server & gateway mode, & you configure your router/modem in bridged mode (to pass signals straight through to sme server). When sme server acts as the gateway & firewall, spam filtering works better, refer to note in FAQ.

So can you reconfigure your network ?

Quote
...I tried enabling SFP...
This is usually something you get your ISP to do (to external records), so whatever you were configuring is probably incorrect, see the Manual Appendix
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Appendix

Also have you considered enabling executable content filtering (in server manager email panel), as that will block many spam type messages (which contain viruses etc) when blocking zip files & so on. If you can block ZIPv1 & ZIPv2 you will stop a huge amount of spam.

« Last Edit: July 28, 2015, 06:54:40 AM by janet »

Offline gwag

  • 16
  • +0/-0
Re: SPAM
« Reply #4 on: July 28, 2015, 07:22:30 AM »
Too much stuff going to make it the gateway. (VOIP etc.)
The SPF records are on ISP. I was referring to http://wiki.contribs.org/Email#SPF_mail_rejection.2Fflagging_policy

After enabling SPF record checking it would no longer accept emails.

Offline bosco555

  • ****
  • 152
  • +0/-0
Re: SPAM
« Reply #5 on: July 29, 2015, 02:25:24 AM »
Hi All...same here no more mail once the plugin is installed. And YES, I have opened a bug, however I can't find anything in the logs:
http://bugs.contribs.org/show_bug.cgi?id=8996
thank you

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: SPAM
« Reply #6 on: July 30, 2015, 01:26:52 AM »
Quote
Hi All...same here no more mail once the plugin is installed.

However gwag said "I tried enabling SFP but it just rejected all mail due to a plugin error, ...". Are you also seeing a "plugin error"? And are you seeing all mail rejected?

Followup to the bug tracker please.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: SPAM
« Reply #7 on: July 30, 2015, 02:48:49 AM »
gwag

Is spamassassin enabled on your sme server ?
Have you configured custom settings in server manager Email panel (for spamassassin) ?
Try scores of 4 & 12 for more effective (but relatively safe) filtering.

Offline gwag

  • 16
  • +0/-0
Re: SPAM
« Reply #8 on: July 30, 2015, 11:56:34 AM »
Yes it's on. It would be nice if it could block obvious spam; 70%+ would fail a reverse lookup. If I could block all .xyz .link .work domains I'd be happy.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: SPAM
« Reply #9 on: July 30, 2015, 01:32:46 PM »
gwag

As I said earlier,
....have you considered enabling executable content filtering (in server manager email panel), as that will block many spam type messages (which contain viruses etc) when blocking zip files & so on. If you can block ZIPv1 & ZIPv2 you will stop a huge amount of spam.

Also maybe this can help
http://forums.contribs.org/index.php/topic,50712.msg258844.html#msg258844


...and particularly this
http://forums.contribs.org/index.php/topic,50712.msg258844.html#msg258844
ie
Looking at http://wiki.contribs.org/Email_Whitelist-Blacklist_Control
You are probably wanting to edit the qmail badmailfrom file
which is located at
/var/qmail/control/...
edit it to include
@spamdomain.com
one entry per line
end of edit:
« Last Edit: July 30, 2015, 02:21:03 PM by janet »

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: SPAM
« Reply #10 on: July 30, 2015, 01:41:29 PM »

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: SPAM
« Reply #11 on: July 30, 2015, 03:08:27 PM »
gwag

I have the WBL contrib installed on a sme8.x server, in server & gateway mode.

I entered in the Email WBL panel, blacklist panel, qmail badmailfrom field
@gmail.com
& then tried to send a email message from the online gmail webmail app, to a valid user on the sme server
& received this error upon sending

Delivery to the following recipient failed permanently:
     user@smeserverdomain.com
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain smeserverdomain.com by mail.smeserverdomain.com. [xx.xxx.xxx.xxx].

The error that the other server returned was:
550 sorry, your envelope sender is in my badmailfrom list


The message was not received by the sme server user.
So you can block incoming mail from specified domains !

While you more specifically want to block domain1.xyz & domain2.xyz & so on, you can enter those one by one
ie in the server manager panel it says
Check envelope sender addresses. Reject any that appear (@host or user@host) in badmailfrom during the 'mail' stage.

eg
@domain1.xyz
@domain2.xyz
& so on

I am not sure if this functions the same on sme9, my test server is down at present so I cannot test it.

Note you do not need to have the Email WBL contrib installed, you can edit /var/qmail/control/badmailfrom directly & just add the @domains required
« Last Edit: July 30, 2015, 03:14:47 PM by janet »

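The "@host or user@host" rule quoted in the post above, as an added example that is not part of the original posts or SME Server's own code: a small Python model of the check run over constructed envelope senders. It assumes entries are compared literally and case-insensitively, which is why every new domain needs its own line.

```python
# Added example: models the badmailfrom rule quoted from the server manager
# panel ("@host or user@host"). Assumption: literal, case-insensitive match.

REJECT = "550 sorry, your envelope sender is in my badmailfrom list"

# Constructed sample file contents, one entry per line.
SAMPLE_BADMAILFROM = """\
@domain1.xyz
@domain2.xyz

promo@example.link
"""

def load_entries(text):
    """Return the usable entries from badmailfrom-style text, lower-cased."""
    entries = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and anything that is neither @host nor user@host.
        if not fields or "@" not in fields[0]:
            continue
        entries.add(fields[0].lower())
    return entries

def check_sender(envelope_sender, entries):
    """Return the 550 text if the envelope sender is listed, else None."""
    sender = envelope_sender.strip().strip("<>").lower()
    if "@" not in sender:  # null sender (bounce) or malformed address
        return None
    host = sender.rsplit("@", 1)[1]
    if sender in entries or "@" + host in entries:
        return REJECT
    return None

def demo():
    """Classify constructed senders; True means the sender is rejected."""
    entries = load_entries(SAMPLE_BADMAILFROM)
    senders = [
        "User@Domain1.XYZ",       # listed host, different case
        "news@mail.domain1.xyz",  # subdomain of a listed host
        "offer@domain3.xyz",      # same TLD, host not listed
        "promo@example.link",     # listed full address
        "other@example.link",     # same host, different user
        "<>",                     # null sender
    ]
    return {s: check_sender(s, entries) is not None for s in senders}

if __name__ == "__main__":
    for sender, rejected in demo().items():
        print(f"{sender:24} {'rejected' if rejected else 'accepted'}")
```
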
Offline gwag

  • 16
  • +0/-0
Re: SPAM
« Reply #12 on: August 01, 2015, 04:51:36 AM »
That's all well and good Janet but I fail to see how it would help much as the domains change daily.
Seems most of these emails are just junk emails that are from hosts that don't even exist much less have proper SPF records, and SME is all too happy to accept and deliver this junk. I have looked thru the forums extensively; I guess a third party solution may be the only answer. I may try getting it to work with the barracuda list as it seems better. Can anyone comment on the geolocation plugin? It sounds like it doesn't work either?
If SME performed reverse lookups on incoming mail I think it would knock out 80% of it?
« Last Edit: August 01, 2015, 04:55:53 AM by gwag »

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: SPAM
« Reply #13 on: August 01, 2015, 06:01:21 AM »
gwag

You asked how to block domains by suffix.
As you say that approach is flawed as spammers change their "from" address & server IP regularly.
So specifying domains or domain suffixes or email addresses to block, is like chasing your own tail, it will never end.
That's why I firstly suggested other approaches. I have found that blocking by content (eg phrases or attachments etc) is by far a better approach, as the source location is not relevant then.

Of course with the last method referred to previously, blocking domain.xyz etc, you will have to keep adding domains to badmailfrom.
I think over time you would see a useful reduction in spam, especially where repeat messages are sent ie once blocked you stop anymore junk from that source so other intended recipients on your server will benefit.

You should look at the greylisting plugin, spam will drop to virtually zero or probably zero actually.

I used it many years ago & spam completely stopped. There is a reliance though that sending mail servers will retry to send in a short period of time, & it seems there may be some mail servers that do not conform that well to industry standards, nonetheless greylisting will block spam for sure.

Having your sme server in server only mode reduces sme's ability to block some spam, so you really need to implement spam filtering in your router gateway or as you say some other external system or for example a Barracuda device in front of your network.

Also I think it's a user in this community (I think knuddi) who has a commercial offering to filter your mail for you at what seems to me to be a fairly cheap price & he claims it is highly effective. Search here.


« Last Edit: August 01, 2015, 06:09:29 AM by janet »

Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: SPAM
« Reply #14 on: August 04, 2015, 11:07:00 PM »
gwag,

You can try the commercial filter out for free to see whether it makes your life easier. Try it out at www.scanmailx.com. Reach out to jkn@scanmailx.com if you need any help or advice.

Rgds,
Jesper (aka. knuddi)