Hi. I have been using spamdyke for quite some time now, and it reduces my spam mail a lot. But it has a hell of a problem with spammers (often viagra) that spoof the local domains. I often get spam mails where the sending address is the same as my receiving address. And I don't know how to block them.
I have pasted my configuration files so you could see if there are some issues. Using Debian and Plesk 9.2.

spamdyke.conf
------------------------------------
log-level=verbose
filter-level=normal
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=20
idle-timeout-secs=60
graylist-level=only
graylist-dir=/var/qmail/spamdyke/greylist
graylist-min-secs=300
graylist-max-secs=1814400
sender-whitelist-file=/var/qmail/spamdyke/whitelisted_senders
rdns-whitelist-file=/var/qmail/spamdyke/whitelisted_rdns
ip-whitelist-file=/var/qmail/spamdyke/whitelisted_ip
sender-blacklist-file=/var/qmail/spamdyke/blacklisted_senders
recipient-blacklist-file=/var/qmail/spamdyke/blacklisted_recipients
ip-blacklist-file=/var/qmail/spamdyke/blacklisted_ip
dns-blacklist-entry=zen.spamhaus.org
reject-empty-rdns
reject-unresolvable-rdns
greeting-delay-secs=5
reject-missing-sender-mx
policy-url=http://www.your-domain-here.com/spam_policy
--------------------------------------------------------------------

smtp_psa
--------------------------------------------------
service smtp
{
    socket_type = stream
    protocol = tcp
    wait = no
    disable = no
    user = root
    instances = UNLIMITED
    env = SMTPAUTH=1
    server = /var/qmail/bin/tcp-env
    server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
---------------------------------------------------------

The whitelisted_ip file contains the mail servers' IP addresses. The blacklisted_senders file contains the local domains (@domain.tld). The blacklisted_words file contains a lot of words like .t-dialin.net, .t-ipconnect.de, .in-addr.arpa, .dhcp, .net, in-addr.arpa, dhcp, dynamic, and so on.

I understand the spamdyke filters work something like this: if the sending server is listed in whitelisted_ip the mail passes the filter.
If it's not listed in whitelisted_ip it then checks blacklisted_senders, and if the sending address is listed it drops the mail. Is that correct?

Here is a sample of the mail.log of a spam mail that in my opinion should have been dropped but passes all filters.

Dec 15 17:52:55 web01 spamdyke[24928]: TLS_ENCRYPTED from: (unknown) to: (unknown) origin_ip: 80.179.197.221 origin_rdns: 80.179.197.221.cable.012.net.il auth: (unknown)
Dec 15 17:52:56 web01 qmail-queue-handlers[24946]: Handlers Filter before-queue for qmail started ...
Dec 15 17:52:56 web01 qmail-queue-handlers[24946]: from=vioirecyf8...@012.net.il
Dec 15 17:52:56 web01 qmail-queue-handlers[24946]: to=i...@domain.tld
Dec 15 17:52:56 web01 spf filter[24947]: Starting spf filter...
Dec 15 17:52:56 web01 spf filter[24947]: SPF result: neutral
Dec 15 17:52:56 web01 spf filter[24947]: SPF status: PASS
Dec 15 17:52:56 web01 qmail: 1260895976.491935 new msg 4252544
Dec 15 17:52:56 web01 qmail: 1260895976.491935 info msg 4252544: bytes 2246 from <vioirecyf8...@012.net.il> qp 24948 uid 2020
Dec 15 17:52:56 web01 qmail-local-handlers[24949]: Handlers Filter before-local for qmail started ...
Dec 15 17:52:56 web01 qmail-local-handlers[24949]: from=vioirecyf8...@012.net.il
Dec 15 17:52:56 web01 qmail-local-handlers[24949]: to=i...@domain.tld
Dec 15 17:52:56 web01 qmail-local-handlers[24949]: mailbox: /var/qmail/mailnames/domain.tld/info
Dec 15 17:52:56 web01 qmail: 1260895976.515935 starting delivery 2744: msg 4252544 to local 9-i...@domain.tld
Dec 15 17:52:56 web01 qmail: 1260895976.515935 status: local 1/10 remote 0/20
Dec 15 17:52:56 web01 qmail: 1260895976.523935 delivery 2744: success: did_0+0+2/
Dec 15 17:52:56 web01 qmail: 1260895976.523935 status: local 0/10 remote 0/20
Dec 15 17:52:56 web01 qmail: 1260895976.523935 end msg 4252544

Dec 15 21:22:57 web01 /var/qmail/bin/relaylock[6350]: /var/qmail/bin/relaylock: mail from 125.25.15.31:52521 (125.25.15.31.adsl.dynamic.totbb.net)
Dec 15 21:22:59 web01 spamdyke[6349]: TLS_ENCRYPTED from: (unknown) to: (unknown) origin_ip: 125.25.15.31 origin_rdns: 125.25.15.31.adsl.dynamic.totbb.net auth: (unknown)
Dec 15 21:23:01 web01 qmail-queue-handlers[6354]: Handlers Filter before-queue for qmail started ...
Dec 15 21:23:02 web01 qmail-queue-handlers[6354]: from=kundtja...@domain.tld
Dec 15 21:23:02 web01 qmail-queue-handlers[6354]: to=kundtja...@domain.tld
Dec 15 21:23:02 web01 spf filter[6355]: Starting spf filter...
Dec 15 21:23:02 web01 spf filter[6355]: Error code: (2) Could not find a valid SPF record
Dec 15 21:23:02 web01 spf filter[6355]: Failed to query MAIL-FROM: No DNS data for 'domain.tld'.
Dec 15 21:23:02 web01 spf filter[6355]: SPF result: none
Dec 15 21:23:02 web01 spf filter[6355]: SPF status: PASS
Dec 15 21:23:02 web01 qmail-queue[6356]: scan: the message(drweb.tmp.Wu6OR3) sent by kundtja...@domain.tld to kundtja...@domain.tld is passed
Dec 15 21:23:02 web01 qmail: 1260908582.819935 new msg 4253887
Dec 15 21:23:02 web01 qmail: 1260908582.819935 info msg 4253887: bytes 2469 from <kundtja...@domain.tld> qp 6357 uid 2020
Dec 15 21:23:02 web01 qmail-local-handlers[6358]: Handlers Filter before-local for qmail started ...
Dec 15 21:23:02 web01 qmail-local-handlers[6358]: from=kundtja...@domain.tld
Dec 15 21:23:02 web01 qmail-local-handlers[6358]: to=kundtja...@domain.tld
Dec 15 21:23:02 web01 qmail-local-handlers[6358]: mailbox: /var/qmail/mailnames/domain.tld/kundtjanst
Dec 15 21:23:02 web01 qmail: 1260908582.855935 starting delivery 2998: msg 4253887 to local 98-kundtja...@domain.tld
Dec 15 21:23:02 web01 qmail: 1260908582.855935 status: local 1/10 remote 0/20
Dec 15 21:23:02 web01 qmail: 1260908582.859935 delivery 2998: success: did_0+0+2/
Dec 15 21:23:02 web01 qmail: 1260908582.859935 status: local 0/10 remote 0/20
Dec 15 21:23:02 web01 qmail: 1260908582.859935 end msg 4253887

How can I check that smtp_auth is working? I'm starting to wonder whether it's not. I hope someone has the time to answer. I have been struggling with this for a long time without getting rid of those annoying mails.

Kind Regards
M

Eduard Svarc wrote:
>
> Hello,
>
> these keywords .net and .com are used just for testing if the IP is
> listed in reverse DNS. It is not done against normal reverse DNS records for
> servers like mail.somedomain.net. So in combination with the keyword
> reject-ip-in-cc-rdns and .net in the file
> /etc/spamdyke/ip-in-rdns-keyword-blacklist-file it will reject mail
> from 242-29-179-94.pool.ukrtel.net because that sender will be
> positively tested as not having a valid reverse DNS.
>
> Using just net without that '.' is not sufficient because SPAMDYKE uses this '.'
> as a flag for testing the end of the string only. So listing .com and
> .net does magic for SPAMDYKE: when it is testing for the IP in reverse DNS for
> country code DNS, like .it, .uk etc., it does the same for .com and .net.
> Personally I added to that file other special domains like
> .eu, .org, .info, .biz. These should not be used by ISP providers for
> assigning reverse names, but who knows. Anyway it doesn't hurt my
> configuration and I'm prepared.
>
> Eduard Švarc
>
> DATA Intertech s.r.o.
> Kladenská 46
> 160 00 Praha 6
> Czech Republic
> tel. +420-235365267, fax +420-235361446
>
> spamdyke-users-boun...@spamdyke.org wrote on 14.12.2009 09:55:45:
>
> > thanks Eduard Švarc
> >
> > Same query as David Stiller raised: .com, .net are valid domains, right?
> >
> > also
> >
> > @400000004b25fa572bd181a4 CHKUSER accepted rcpt: from <fx...@bmelaw.com::> remote <microsof-7b1919:unknown:94.179.29.242> rcpt <validdomainu...@mydomain.com> : found existing recipient
> > @400000004b25fa572bd2316c spamdyke[27021]: ALLOWED from: fx...@bmelaw.com to: validdomainu...@mydomain.com origin_ip: 94.179.29.242 origin_rdns: 242-29-179-94.pool.ukrtel.net auth: (unknown)
> >
> > the above IP is listed in an RBL,
> >
> > IP Address Lookup
> >
> > 94.179.29.242 is not listed in the SBL
> > 94.179.29.242 is listed in the PBL, in the following records:
> > PBL239543
> > 94.179.29.242 is not listed in the XBL
> >
> > this doesn't look like a false positive
> >
> > From: Eduard Svarc <esv...@intertech.cz>
> > To: spamdyke users <spamdyke-users@spamdyke.org>
> > Sent: Mon, December 14, 2009 12:48:07 PM
> > Subject: Re: [spamdyke-users] spamdyke configuration finetuneing
> >
> > Hello,
> >
> > I see you have two things out. 1st you are using RBLs, which could give
> > you a lot of false positive spam. 2nd you have completely commented out the
> > best thing in SPAMDYKE, which is sniffing IPs in reverse DNS. Most bots
> > and spam are coming from Internet zombies.
> > Here is my advice:
> >
> > 1 - comment out dns-blacklist-entry=zen.spamhaus.org
> > 2 - uncomment reject-empty-rdns, reject-ip-in-cc-rdns, reject-missing-sender-mx and reject-unresolvable-rdns
> > 3 - into /etc/spamdyke/blacklist_recipients add your domain in the format @your-domain (it will block all mails like to: n...@your-domain from: n...@your-domain)
> > 4 - into /etc/spamdyke/ip-in-rdns-keyword-blacklist-file put these words:
> >
> > dsl
> > .com
> > .net
> > broadband
> > dynamic
> >
> > I could guarantee you will fall below 1% of SPAM with nearly zero
> > false positives. Of course someone who can't follow certain
> > guidelines for their servers will not be able to send you e-mails
> > at all. But you can easily handle it by adding IPs in
> > /etc/spamdyke/whitelist_ip or adding senders into
> > /etc/spamdyke/whitelist_senders
> >
> > I stopped using any RBL services ages ago, they are way unreliable.
> >
> > Good luck,
> > Eduard Švarc
> >
> > DATA Intertech s.r.o.
> > Kladenská 46
> > 160 00 Praha 6
> > Czech Republic
> > tel. +420-235365267, fax +420-235361446
> >
> > spamdyke-users-boun...@spamdyke.org wrote on 14.12.2009 07:24:03:

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
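An added example, not from this thread and not spamdyke's own code: a Python triage script that runs over spamdyke's verbose log lines and flags the three things the thread turns on. The log lines it contains are constructed to mirror the format shown on this page (RFC 5737 documentation addresses, made-up hosts and users), and the local-domain, whitelist and keyword lists are hard-coded stand-ins for the rcpthosts, whitelisted_ip and ip-in-rdns-keyword files named in the configuration. It relies on two properties of spamdyke's logging: a line tagged TLS_ENCRYPTED means the client negotiated TLS that spamdyke could not decrypt, so from/to read (unknown) and the sender and recipient filters had nothing to match, while origin_ip and origin_rdns are still visible; and a session that passed SMTP AUTH shows the user in the auth: field, which is what separates a legitimate roaming user of a blacklisted local domain from a spoofer. The IP-in-rDNS and keyword matching is a simplified model (the four octets as consecutive labels, forward or reversed; a keyword with a leading '.' must match the end of the name, as Eduard describes it), not spamdyke's exact algorithm.

```python
"""Triage of spamdyke verbose log lines (added example, not spamdyke code).

Finding tags:
  tls-passthrough       spamdyke could not see MAIL FROM / RCPT TO (TLS_ENCRYPTED)
  spoofed-local-sender  unauthenticated mail claiming one of our own domains
  ip-in-cc-rdns         connecting IP spelled out in its rDNS name, cc TLD
  ip-in-rdns-keyword    connecting IP spelled out in its rDNS name, keyword hit
"""
import re

# One spamdyke per-connection line at log-level=verbose.
LOG_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<result>\S+) from: (?P<from>\S+) to: (?P<to>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)"
)

# Constructed sample lines in the format seen on this page (documentation
# addresses; hosts and users are made up).
SAMPLE_LOG = """\
Dec 15 17:52:55 web01 spamdyke[24928]: TLS_ENCRYPTED from: (unknown) to: (unknown) origin_ip: 198.51.100.7 origin_rdns: 198.51.100.7.cable.example.il auth: (unknown)
Dec 15 21:22:59 web01 spamdyke[6349]: ALLOWED from: sales@domain.tld to: sales@domain.tld origin_ip: 203.0.113.31 origin_rdns: 31-113-0-203.adsl.dynamic.example.net auth: (unknown)
Dec 15 22:01:10 web01 spamdyke[7001]: ALLOWED from: sales@domain.tld to: info@domain.tld origin_ip: 203.0.113.200 origin_rdns: host-200.example.org auth: sales@domain.tld
Dec 15 22:05:41 web01 spamdyke[7044]: ALLOWED from: alice@example.com to: info@domain.tld origin_ip: 192.0.2.25 origin_rdns: mail.example.com auth: (unknown)
Dec 15 22:10:00 web01 spamdyke[7100]: ALLOWED from: info@domain.tld to: info@domain.tld origin_ip: 192.0.2.10 origin_rdns: mx.example.org auth: (unknown)
"""

# Assumed stand-ins for rcpthosts, whitelisted_ip and the rDNS keyword file.
LOCAL_DOMAINS = {"domain.tld"}
WHITELISTED_IPS = {"192.0.2.10"}          # e.g. a backup MX that relays to us
RDNS_KEYWORDS = ["dynamic", "dsl", "dhcp", ".net"]


def parse_line(line):
    """Return the fields of a spamdyke log line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def ip_in_rdns(ip, rdns):
    """True if the four octets of ip occur as consecutive labels of rdns,
    in forward or reversed order, split on '.' or '-'
    (e.g. 94.179.29.242 inside 242-29-179-94.pool.ukrtel.net)."""
    octets = ip.split(".")
    labels = re.split(r"[.-]", rdns.lower())
    for candidate in (octets, octets[::-1]):
        for i in range(len(labels) - 3):
            if labels[i:i + 4] == candidate:
                return True
    return False


def keyword_hit(rdns, keywords):
    """Return the first keyword matching rdns: a keyword starting with '.'
    must match the end of the name (the rule as described in the thread),
    any other keyword matches as a substring. None if nothing matches."""
    name = rdns.lower()
    for kw in keywords:
        if kw.startswith("."):
            if name.endswith(kw):
                return kw
        elif kw in name:
            return kw
    return None


def triage(rec):
    """Return the finding tags for one parsed record. Ordering follows the
    thread's reading of spamdyke: a whitelisted IP short-circuits the rest,
    and an authenticated sender is not treated as a spoofer."""
    tags = []
    if rec["result"] == "TLS_ENCRYPTED":
        tags.append("tls-passthrough")      # from/to are (unknown): nothing to match
    if rec["ip"] in WHITELISTED_IPS:
        return tags
    if ip_in_rdns(rec["ip"], rec["rdns"]):
        tld = rec["rdns"].rsplit(".", 1)[-1].lower()
        if len(tld) == 2 and tld.isalpha():
            tags.append("ip-in-cc-rdns")
        elif keyword_hit(rec["rdns"], RDNS_KEYWORDS):
            tags.append("ip-in-rdns-keyword")
    if rec["from"] != "(unknown)":
        sender_domain = rec["from"].rpartition("@")[2].lower()
        if sender_domain in LOCAL_DOMAINS and rec["auth"] == "(unknown)":
            tags.append("spoofed-local-sender")
    return tags


def triage_log(text):
    """Map origin_ip -> finding tags for every spamdyke line in text."""
    findings = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            findings[rec["ip"]] = triage(rec)
    return findings


if __name__ == "__main__":
    for ip, tags in triage_log(SAMPLE_LOG).items():
        print(f"{ip:16} {', '.join(tags) or 'clean'}")
```

Run it against a real mail.log by feeding the file contents to triage_log. A host that is tagged tls-passthrough but also ip-in-cc-rdns or ip-in-rdns-keyword is one the rDNS filters could have rejected at connection time, before TLS was ever negotiated, had the corresponding reject option been enabled; a spoofed-local-sender hit with auth: (unknown) is the case the sender blacklist entry @domain.tld is meant to catch, and it is only reachable when spamdyke actually sees the MAIL FROM.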