Stop Spam At The Server with Exim RBL Published: Sep 21, 2004
  • Rating

    4/5

Are you and your clients tired of getting bombarded with spam email? Stop spam before it gets to your inbox with Exim's RBL,realtime blackhole list, configuration options, an invaluable tool for any Cpanel admin.

HowTo: RBL or DNSBL with Exim - Stop Spam with Exim
This is my micro-howto for how I set up RBL using the Exim Configuration Editor

Are you and your clients tired of getting bombarded with spam email? Stop spam before it gets to your inbox with Exim's RBL,realtime blackhole list, confAiguration options, an invaluable tool for any Cpanel admin.

What is a RBL?
Realtime Blackhole List. A list of open mail relays and rogue sites. Subscribers to the RBL reject all mail and/or connection attempts from RBL'd IP addresses, effectively cutting off irresponsible/incompetent domains from the rest of the Internet.

UPDATE:
Sept. 26, 2005: Fixed the RBL list begin section, because Exim wasn't accepting the old entries.

With many thanks to cPanel.Net Forum's:
Richard (Noldar), for his invaluable suggestions...
"jcsolutions" for router section blacklist in "Server Setup Tips" thread...
and "Cyberspirit" for his thread "rejecting mail instead of failing it"

TESTED WITH VERSIONS
-------------------------------------------
WHM 9.4.0 cPanel 9.4.1-S65 
RedHat Enterprise 3 - WHM X v3.1.0

WHM 8.5.1 cPanel 8.5.3-S3 Exim 4.24
WHM 8.8.0 cPanel 8.8.0-S74
RedHat 7.3 - WHM X v2.1.1 / WHM X v2.1.2
-------------------------------------------

----------------------
Creating lsearch files
These files are used to manually block spammers, ignore certain domains or incoming hosts.
*****************

Create three text files in the /etc directory:
/etc/rblblacklist
/etc/rblbypass
/etc/rblwhitelist

touch /etc/rblblacklist; touch /etc/rblbypass; touch /etc/rblwhitelist

Examples with sample data:
/etc/rblblacklist
Is a manual blacklist, it rejects specific spammer hosts BEFORE they can send more email to your server:
domain1.com
domain2.com
domain3.com

/etc/rblbypass
Bypasses RBL email testing for specific destination (local) domains that don't want RBL filtering or prefer SpamAssassin tagging:
domain1.com
domain2.com
domain3.com

/etc/rblwhitelist
Blocks RBL email testing for listed incoming hosts, (wildcards allowed), in case an important client's mailserver is listed on an RBL you use, also automatically excludes relayhosts:
mail.domain1.com
*.domain2.com
*.domain3.com


-------------------------------
EXIM CONFIGURATION EDITOR
-------------------------------

If you use the WHM-based Exim Configuration Editor, all of your modifications will be reproduced after each update. If you edit exim.conf directly, cPanel updates MAY overwrite your changes! Because of this, the following changes should be entered using the Exim Configuration Editor.

------------------------
Setting up lsearch files
*******************

At the top of the editor, in the window below:
#!!# cPanel Exim 4 Config

Enter these lines:
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

----------------------------
RBL entries in ACL Section
*********************

RBL selection depends on many factors, be sure to edit the list below to reflect your priorities... Postmaster and abuse bypass allows blocked users to contact admin.

In the center window of the ACL section, directly below the line:
accept hosts = :

Enter these lines:

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text :
!hosts = +relay_hosts
!authenticated = *
dnslists = dnsbl.njabl.org : bl.spamcop.net : sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org : relays.ordb.org :
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist
#**#
#**# RBL List End
#**#


NOTICE: The following below didn't work for my configuration of RHE and WHM 9.4
so I had to remove it. I recommend you try it first to see if it works, if not then come back and remove this.

Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains

Enter these lines:

#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#


--------------------------------
RBL entries in ROUTERS Section
**************************

In the ROUTERS section window, directly below the line:
# in the "local_domains" setting above.

Enter these lines:

# Deny and send notice to list of rejected domains.
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +rbl_blacklist
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.


-----------------------------
RBL Testing and Verification
***********************

Once your file changes are in place, be sure to keep an eye out for errors... missing files and other errors will be listed here:
If the above NOTICE scares you then you need to check this log file. If you see Exim failed message then go back and remove that.
tail -50 /var/log/exim_paniclog

You can view your spam filtering by reviewing the reject log:
tail -50 /var/log/exim_rejectlog

If your RBL tests include sbl.spamhaus.org, you can test the blacklist and whitelist functions by sending an email, USING THE MAILSERVER YOU WISH TESTED, to:
[email protected]

It will attempt to send an email from mailserver sbl.crynwr.com, which is blacklisted in sbl.spamhaus.org

If the blacklist works, you'll get an email that looks something like this:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:23:23 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:<[email protected]>
550-Message rejected because sbl.crynwr.com [192.203.178.107] is blacklisted at
550 sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBLTEST
Terminating conversation

If the RBL block fails, you'll receive TWO emails:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:19:44 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:<[email protected]>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: [email protected]
To: [email protected]
Date: Thu, 16 Oct 2003 15:19:46 -0000
Message-Id: <[email protected]>

Test message
.
250 OK id=1AA9uj-0005xq-2l
quit
Successful termination. As far as I can tell, the email was delivered.
That might not be what you want.

Subj: (BLANK)
Uh-oh, your SBL block is not working!


----------------
RBL Log Counts
*************

I use this script to count the log hits for various RBL's, you should change it to reflect your RBL's and error syntax. Mine relies on the unique word "blacklisted" in every RBL bounce entry.

Place it anywhere you want to view reports in SSH. Eg: /root/spam

pico /root/spam


SAMPLE SCRIPT:
Copy and paste in the following:

grep "blacklisted" /var/log/exim_mainlog -i > kilme
tail -100 kilme
tail /var/log/exim_paniclog
printf "n"
printf "Spam Count = "
grep "blacklisted" kilme -c -i
printf "njabl.org = "
grep "njabl.org" kilme -c
printf "spamcop = "
grep "bl.spamcop" kilme -c
printf "spamhaus = "
grep "sbl.spamhaus" kilme -c
printf "dsbl.org = "
grep "dsbl" kilme -c
printf "abuseat = "
grep "abuseat.org" kilme -c
printf "ordb.org = "
grep "ordb" kilme -c
printf "Manual = "
grep "manual" kilme -c
printf "verify fail= "
grep "verify fail" /var/log/exim_mainlog -c
printf "No Relay = "
grep "not permitted" /var/log/exim_mainlog -c
printf "n"
printf "All Spam: n"
zgrep -ci "blacklisted" /var/log/exim_mainlog*
printf "n"


Save and exit.
Ctrl + O then Y

Assuming the script is called spam, after you:
chmod 755 spam

... it can be executed with: ./spam

Example Spam Script Output!

Spam Count = 488
njabl.org = 134
spamcop = 278
spamhaus = 9
dsbl.org = 4
abuseat = 63
ordb.org = 0
Manual = 0
verify fail= 697
No Relay = 382


HOPE THIS HELPS!

 

  • Rating

    4/5

Related Articles

Comments (28)

  • Gravatar - Mevrick
    Mevrick 03:20, October 3, 2004
    Do you have any list about the spam domain or ip ? because i don't know about the blacklist.<br />
    <br />
    Thanks
  • Gravatar - Steve
    Steve 23:10, October 3, 2004
    Mevrick, the domains included in the RBL ruleset have updated lists of spammers IPs that will be blocked from sending/receiving any email automatically.
  • Gravatar - Wilton Bennet
    Wilton Bennet 01:05, October 14, 2004
    I put the :\ in the end of each line RBL. Without that it happened error in Exim Configuration Editor.<br />
    <br />
    It is not possible line break in:<br />
    deny message = Message rejected because $sender_fullhost <br />
    is blacklisted at $dnslist_domain see $dnslist_text<br />
    <br />
    I put those alterations and it worked. Thank you.<br />
  • Gravatar - Gareth S
    Gareth S 01:17, October 28, 2004
    Just wanted to say thanks for a first rate guide on setting up and RBL / Spam Filter in Exim4.<br />
    <br />
    I'll admit the exim conf file scares the hell out of me but thanks to your guide I now have a lot of happy customers!! thanks a million!!
  • Gravatar - Ashish Chadha
    Ashish Chadha 13:53, October 31, 2004
    What Wilton Bennet told was absolutely corrent the author need this change to be updated. One more BUG in the tutorial.<br />
    <br />
    Replace the following lines :<br />
    <br />
    dnslists = dnsbl.njabl.org : <br />
    bl.spamcop.net : <br />
    sbl.spamhaus.org : <br />
    list.dsbl.org : <br />
    cbl.abuseat.org : <br />
    relays.ordb.org<br />
    <br />
    <br />
    #WITH<br />
    <br />
    dnslists = dnsbl.njabl.org : bl.spamcop.net : sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org :<br />
    <br />
    ----------------<br />
    <br />
    Remeber that no enter should be there. Below is the correct ACL Section :<br />
    <br />
    #**#<br />
    #**# RBL List Begin<br />
    #**#<br />
    #<br />
    # Always accept mail to postmaster & abuse for any local domain<br />
    #<br />
    accept domains = +local_domains<br />
    #**#<br />
    #**# Reject Email to Invalid Recipient<br />
    #**#<br />
    endpass<br />
    message = unknown user<br />
    verify = recipient<br />
    #**#<br />
    local_parts = postmaster:abuse<br />
    #<br />
    # Check sending hosts against DNS black lists.<br />
    # Accept all locally generated messages<br />
    # Reject message if address listed in blacklist.<br />
    deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text :<br />
    !hosts = +relay_hosts<br />
    !authenticated = *<br />
    dnslists = dnsbl.njabl.org : bl.spamcop.net : sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org : relays.ordb.org :<br />
    # RBL Bypass Local Domain List<br />
    !domains = +rbl_bypass<br />
    # RBL Whitelist incoming hosts<br />
    !hosts = +rbl_whitelist <br />
    #**#<br />
    #**# RBL List End<br />
    #**#
  • Gravatar - Icarus
    Icarus 19:18, November 2, 2004
    Are you the same that started this post?<br />
    <br />
    http://forums.ev1servers.net/showthread.php?s=&threadid=34689<br />
    <br />
    Othewise you should credit eMtnMan<br />
    <br />
  • Gravatar - Zach W
    Zach W 04:48, November 25, 2004
    <br />
    FreeBSD users manually modifying the exim configuration file note that Cpanel uses /usr/local/etc/exim/configure instead of /etc/exim.conf. Make a symbolic link if that's easier.<br />
    <br />
    Good tutorial!
  • Gravatar - Paul (eMtnMan)
    Paul (eMtnMan) 04:34, April 13, 2005
    No, I'm eMtnMan and this thread was posted with my permission. <br />
    <br />
    I just updated my original post with a great new anti-spam solution... see:<br />
    http://forums.ev1servers.net/showpost.php?p=342702<br />
    - and -<br />
    http://forums.ev1servers.net/showpost.php?p=343002<br />
    <br />
    Feel free to PM me at ev1... :)<br />
    <br />
    Paul (eMtnMan)
  • Gravatar - Stefin
    Stefin 17:20, May 9, 2005
    One of my clients ISP got black listed. Now he can't send emails through his domain hosted on our server from his outlook express.<br />
    <br />
    The client got dynamic IP, not a domain name.<br />
    <br />
    So i do i allow him to send emails using my server ?<br />
    <br />
    Lets say his IPS provide dialup IP in the range of 120.123.112.*<br />
    <br />
    Can i add IP (120.123.112.*) to <br />
    <br />
    /etc/rblwhitelist<br />
    <br />
    Regards,<br />
    <br />
    Yujin<br />
    <br />
  • Gravatar - Snowman
    Snowman 03:55, May 10, 2005
    Ive suddently found for no reason at all that a lot of incoming mail is being blocked and that exim is throwing 550 Administrative prohibition and 550 unknown user errors.<br />
    <br />
    Has anyone else seen these? <br />
    <br />
    The only change i have made to exim in the past few months is that i added the clamavconnector and set it up to scan in zips in a bid to stop the Sober worm.<br />
  • Gravatar - Enigmatic
    Enigmatic 22:16, July 1, 2005
    Is there a way to allow all host to relay outgoing messages.<br />
    Some of our people are getting blocked by RBLs so the script/line to skip scanning these hosts will be helpful.<br />
    <br />
    Thanks!
  • Gravatar - Steve
    Steve 15:52, July 26, 2005
    Add their IP to the whitelist...<br />
    <br />
    /etc/rblwhitelist
  • Gravatar - mike
    mike 22:24, January 24, 2006
    #**#<br />
    #**# Reject Email to Invalid Recipient<br />
    #**#<br />
    endpass<br />
    message = unknown user<br />
    verify = recipient<br />
    #**#<br />
    <br />
    This looks like it is included in WHM 10.8... Added quotes to the message, so you might try that if you are having problems with other versions.
  • Gravatar - Felipe
    Felipe 17:43, February 7, 2006
    Hi, I have the same problem as Stevie "A lot of my clients ISP got black listed. Now they can't send emails through his domain hosted on our server from his outlook express."<br />
    <br />
    There is any solution for this?<br />
    <br />
    I´m having to delete some rbls sites to solve the situation
  • Gravatar - Steve
    Steve 04:48, February 8, 2006
    It's the responsibility of the ISP to make sure their IPs remain clean. Get the client on the backs of their ISPs, this is needed to ensure spam remains at bay.
  • Gravatar - cristian
    cristian 04:14, May 24, 2006
    This is still valid before all maildir changes on recen cpanel/whm ?<br />
    <br />
    cristian
  • Gravatar - Raj
    Raj 07:49, June 3, 2006
    failed to open /etc/rblwhitelist for linear search: Permission denied (euid=47 egid=12) <br />
    <br />
    this error is showing in exim log any idea
  • Gravatar - AndyM
    AndyM 17:40, July 17, 2006
    I'd like to point out that if you are using SpamAssassin as part of cpanel, then mail is already checked against various RBLs and there's no need to add it separately to exim.<br />
    <br />
    However, this does require that the account owner enables SpamAssassin for their account, so if you want a server wide RBL check, then this will be of use to you.<br />
  • Gravatar - skylap
    skylap 11:05, November 22, 2006
    what this rbl setup needs is an auto whitelist of senders domains on your server so that your own clients don't get blacklisted when their ISP's become blacklisted because of other users, this RBL is great in theory but it causes more support tickets than worth it on some servers, we disabled on some busy servers and let clients use spam assassin instead independently.<br />
    <br />
    Basically enabling RBL on your servers will be a big headache with many clients not being able to send emails and many clients not being able to receive emails.
  • Gravatar - Rumahweb
    Rumahweb 20:18, January 30, 2007
    relays.ordb.org is closed. Please delete it from your exim.conf otherwise you'll get problem with callback feature
  • Gravatar - pankaj singh
    pankaj singh 23:14, February 6, 2007
    The exim is not working for particular domain and gives out following error with hylafax ::<br />
    <br />
    <br />
    [email protected] R=dnslookup_relay_to_domains T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host rcom-outblaze-com.mr.outblaze.com [205.158.62.207]: 550 <[email protected]>: No thank you rejected: Domain not found<br />
    2007-02-06 15:58:56 1HEXOy-0002qI-ML <= <> R=1HEXOw-0002p8-6g U=Debian-exim P=local S=2963<br />
    2007-02-06 15:58:56 1HEXOy-0002qI-ML ** [email protected] <[email protected]>: Unrouteable address<br />
    2007-02-06 15:58:56 1HEXOy-0002qI-ML Frozen (delivery error message)<br />
    2007-02-06 15:58:56 1HEXOw-0002p8-6g Completed<br />
  • Gravatar - Wareagle
    Wareagle 15:43, February 9, 2007
    I just installed this on my server but the only one the is working is obm, the others are getting through, can someone tell me if they had the same problem and were to start looking to correct it. thanks
  • Gravatar - Roj Niyogi
    Roj Niyogi 09:04, February 21, 2007
    As mentioned by Rumahweb, remove relays.ordb.org since this breaks the ability for remote servers to verify using Callbacks. More information here:<br />
    <br />
    http://www.webhostingtalk.com/showthread.php?t=577577&highlight=sender+callout+verify<br />
    <br />
    Roj
  • Gravatar - jakejammin
    jakejammin 03:05, May 17, 2007
    Is there a way to rotate the exim_rejectlog as I can see this file getting big.<br />
    <br />
    Can I add that to the Logrotate?
  • Gravatar - jakejammin
    jakejammin 03:32, May 17, 2007
    Can you please not post that last question I asked, as I now found out that my Logrotate is set to rotate the exim_paniclog and exim_rejectlog.<br />
    <br />
    Sorry for the stupid question without atleast looking for the answer first.<br />
    <br />
    Jake Jammin
  • Gravatar - gaurav.gh
    gaurav.gh 22:51, May 25, 2007
    hi,<br />
    will thi work with cpanel 11 ?<br />
    are there any cheap package where you can get this enabled on the server without mail scanner.<br />
    <br />
    ofcourse great piece of work.<br />
    <br />
    look forward to get this done on 2 server atleast.
  • Gravatar - Trigger
    Trigger 05:53, July 5, 2007
    relays.ordb.org have now closed so should be removed. <br />
    Otherwise it will cause timeout issues on incoming mail to the server.
  • Gravatar - Diego
    Diego 19:40, August 24, 2007
    Im using cpanel 11 and I dont see any accept domains = +local_domains line at exim.conf so where should I locate <br />
    <br />
    #**#<br />
    #**# Reject Email to Invalid Recipient<br />
    #**#<br />
    endpass<br />
    message = unknown user<br />
    verify = recipient<br />
    #**#

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2024 WebHostGear.com