Ban an IP Address From The Server Published: Mar 17, 2005
  • Rating

    3/5

Are you and your clients tired of getting bombarded with spam email? Stop spam before it gets to your inbox with Exim's RBL,realtime blackhole list, configuration options, an invaluable tool for any Cpanel admin.

HowTo: RBL or DNSBL with Exim - Stop Spam with Exim
This is my micro-howto for how I set up RBL using the Exim Configuration Editor

Are you and your clients tired of getting bombarded with spam email? Stop spam before it gets to your inbox with Exim's RBL,realtime blackhole list, confAiguration options, an invaluable tool for any Cpanel admin.

What is a RBL?
Realtime Blackhole List. A list of open mail relays and rogue sites. Subscribers to the RBL reject all mail and/or connection attempts from RBL'd IP addresses, effectively cutting off irresponsible/incompetent domains from the rest of the Internet.

UPDATE:
Sept. 26, 2005: Fixed the RBL list begin section, because Exim wasn't accepting the old entries.

With many thanks to cPanel.Net Forum's:
Richard (Noldar), for his invaluable suggestions...
"jcsolutions" for router section blacklist in "Server Setup Tips" thread...
and "Cyberspirit" for his thread "rejecting mail instead of failing it"

TESTED WITH VERSIONS
-------------------------------------------
WHM 9.4.0 cPanel 9.4.1-S65 
RedHat Enterprise 3 - WHM X v3.1.0

WHM 8.5.1 cPanel 8.5.3-S3 Exim 4.24
WHM 8.8.0 cPanel 8.8.0-S74
RedHat 7.3 - WHM X v2.1.1 / WHM X v2.1.2
-------------------------------------------

----------------------
Creating lsearch files
These files are used to manually block spammers, ignore certain domains or incoming hosts.
*****************

Create three text files in the /etc directory:
/etc/rblblacklist
/etc/rblbypass
/etc/rblwhitelist

touch /etc/rblblacklist; touch /etc/rblbypass; touch /etc/rblwhitelist

Examples with sample data:
/etc/rblblacklist
Is a manual blacklist, it rejects specific spammer hosts BEFORE they can send more email to your server:
domain1.com
domain2.com
domain3.com

/etc/rblbypass
Bypasses RBL email testing for specific destination (local) domains that don't want RBL filtering or prefer SpamAssassin tagging:
domain1.com
domain2.com
domain3.com

/etc/rblwhitelist
Blocks RBL email testing for listed incoming hosts, (wildcards allowed), in case an important client's mailserver is listed on an RBL you use, also automatically excludes relayhosts:
mail.domain1.com
*.domain2.com
*.domain3.com


-------------------------------
EXIM CONFIGURATION EDITOR
-------------------------------

If you use the WHM-based Exim Configuration Editor, all of your modifications will be reproduced after each update. If you edit exim.conf directly, cPanel updates MAY overwrite your changes! Because of this, the following changes should be entered using the Exim Configuration Editor.

------------------------
Setting up lsearch files
*******************

At the top of the editor, in the window below:
#!!# cPanel Exim 4 Config

Enter these lines:
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

----------------------------
RBL entries in ACL Section
*********************

RBL selection depends on many factors, be sure to edit the list below to reflect your priorities... Postmaster and abuse bypass allows blocked users to contact admin.

In the center window of the ACL section, directly below the line:
accept hosts = :

Enter these lines:

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text :
!hosts = +relay_hosts
!authenticated = *
dnslists = dnsbl.njabl.org : bl.spamcop.net : sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org : relays.ordb.org :
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist
#**#
#**# RBL List End
#**#


NOTICE: The following below didn't work for my configuration of RHE and WHM 9.4
so I had to remove it. I recommend you try it first to see if it works, if not then come back and remove this.

Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains

Enter these lines:

#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#


--------------------------------
RBL entries in ROUTERS Section
**************************

In the ROUTERS section window, directly below the line:
# in the "local_domains" setting above.

Enter these lines:

# Deny and send notice to list of rejected domains.
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +rbl_blacklist
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.


-----------------------------
RBL Testing and Verification
***********************

Once your file changes are in place, be sure to keep an eye out for errors... missing files and other errors will be listed here:
If the above NOTICE scares you then you need to check this log file. If you see Exim failed message then go back and remove that.
tail -50 /var/log/exim_paniclog

You can view your spam filtering by reviewing the reject log:
tail -50 /var/log/exim_rejectlog

If your RBL tests include sbl.spamhaus.org, you can test the blacklist and whitelist functions by sending an email, USING THE MAILSERVER YOU WISH TESTED, to:
nelson-sbl-test@crynwr.com

It will attempt to send an email from mailserver sbl.crynwr.com, which is blacklisted in sbl.spamhaus.org

If the blacklist works, you'll get an email that looks something like this:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:23:23 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:<eMtnMan@yourdomain.com>
550-Message rejected because sbl.crynwr.com [192.203.178.107] is blacklisted at
550 sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBLTEST
Terminating conversation

If the RBL block fails, you'll receive TWO emails:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:19:44 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:<eMtnMan@yourdomain.com>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: nelson-SBL-test@crynwr.com
To: eMtnMan@yourdomain.com
Date: Thu, 16 Oct 2003 15:19:46 -0000
Message-Id: <1066317586@sbl.crynwr.com>

Test message
.
250 OK id=1AA9uj-0005xq-2l
quit
Successful termination. As far as I can tell, the email was delivered.
That might not be what you want.

Subj: (BLANK)
Uh-oh, your SBL block is not working!


----------------
RBL Log Counts
*************

I use this script to count the log hits for various RBL's, you should change it to reflect your RBL's and error syntax. Mine relies on the unique word "blacklisted" in every RBL bounce entry.

Place it anywhere you want to view reports in SSH. Eg: /root/spam

pico /root/spam


SAMPLE SCRIPT:
Copy and paste in the following:

grep "blacklisted" /var/log/exim_mainlog -i > kilme
tail -100 kilme
tail /var/log/exim_paniclog
printf "n"
printf "Spam Count = "
grep "blacklisted" kilme -c -i
printf "njabl.org = "
grep "njabl.org" kilme -c
printf "spamcop = "
grep "bl.spamcop" kilme -c
printf "spamhaus = "
grep "sbl.spamhaus" kilme -c
printf "dsbl.org = "
grep "dsbl" kilme -c
printf "abuseat = "
grep "abuseat.org" kilme -c
printf "ordb.org = "
grep "ordb" kilme -c
printf "Manual = "
grep "manual" kilme -c
printf "verify fail= "
grep "verify fail" /var/log/exim_mainlog -c
printf "No Relay = "
grep "not permitted" /var/log/exim_mainlog -c
printf "n"
printf "All Spam: n"
zgrep -ci "blacklisted" /var/log/exim_mainlog*
printf "n"


Save and exit.
Ctrl + O then Y

Assuming the script is called spam, after you:
chmod 755 spam

... it can be executed with: ./spam

Example Spam Script Output!

Spam Count = 488
njabl.org = 134
spamcop = 278
spamhaus = 9
dsbl.org = 4
abuseat = 63
ordb.org = 0
Manual = 0
verify fail= 697
No Relay = 382


HOPE THIS HELPS!

 

  • Rating

    3/5

Related Articles

Comments (10)

  • Gravatar - agreseanu vlad
    agreseanu vlad 16:49, October 25, 2005
    how i can ban a intruder? i know his ip<br />
    <br />
  • Gravatar - Dusty
    Dusty 12:49, April 18, 2006
    Do you people really enjoy banning other people,,Is it in your nature to do this.Maybe you should be ban as well to see how it feels.
  • Gravatar - tomofumi
    tomofumi 13:42, September 12, 2006
    Acutally you can save the current iptables entries and keep the setting after reboot by running "service iptables save"
  • Gravatar - jethbrown
    jethbrown 15:14, July 17, 2007
    Is there a way to ban a ip range with APF? Reason I am asking is for banning the Panscient Data Services bot, that seems to hammer my server regularly.<br />
    <br />
    Read about it here: http://web-robot-abuse.blogspot.com/2006/09/panscientdataservices.html<br />
    <br />
    Or is there a way to see the specific IP's they are using to block those?
  • Gravatar - omid
    omid 21:33, October 19, 2007
    how can i delete an ip from the iptables?
  • Gravatar - Jim
    Jim 18:54, September 29, 2008
    When calling IPtables the first argument is the action. So -A is add, so you can guess how deleting is done:<br />
    <br />
    iptales -D <the rest><br />
    <br />
    When i forget <the rest> i always run iptables-save, then you will (save) get a list with all rules in detail with <the rest> info.<br />
    <br />
  • Gravatar - maybe
    maybe 01:31, December 10, 2009
    dfdsfafasfasfsafsadfdfdfdsfdsfds
  • Gravatar - shag
    shag 06:05, December 10, 2009
    I've found that using a .htaccess file is a pretty easy way to handle this. I'm no expert but it seems to work well for me. I created a .htaccess file and placed it above my publicly accessible directories (so it applied to all my sites) and used this...<br />
    # allow all except those indicated here<br />
    <Files *><br />
    order allow,deny<br />
    allow from all<br />
    deny from xxx.xxx.xxx.xxx<br />
    deny from .*blahblah\.com.*<br />
    </Files> <br />
    this is on apache of course and I used vim to create and edit the file while I was logged in as root. Like I said, I'm no expert but it worked on my server.
  • Gravatar - mhineqhoe
    mhineqhoe 03:15, January 21, 2010
    plz. give me some IP ban
  • Gravatar - xander
    xander 01:27, January 31, 2010
    how about banning a mac address in cpanel? Is that possible on the server level? Tnx

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2018 WebHostGear.com