Page 2 of 2

Re: regex.custom.pm stopped working

Posted: 07 Oct 2019, 22:02
by ocahui
BallyBasic79 wrote: 07 Oct 2019, 19:41 What is the syntax of your port declaration?
Presently:
{ return ("SMTP error 3",$1,"exim_main_error3","1","25","14400");}
Have also used:
{ return ("SMTP error 3",$1,"exim_main_error3","1",$3,"14400");}
And:
{ return ("SMTP error 3",$1,"exim_main_error3","1",,"14400");}

All are treated identically. Perhaps if only one port, you need to force the scalar into an array? I know next to nothing about Perl.

Re: regex.custom.pm stopped working

Posted: 07 Oct 2019, 23:57
by ocahui
BallyBasic79 wrote: 07 Oct 2019, 19:41 Through the combination of strategic countries, ASN, and netblocks, I've reduced spam, email account attempts, and log size by 96%.
I have similar results using CC_DENY plus blocklists
SPAMDROP
SPAMEDROP
BDE
BDEALL
FULLBOGON
(all run by IPset)

Only a few ports are open on my server, the SSH port not being one of them. (The actual port used for SSH is obscure, because the number of users of it on my system is countable on one hand.) As a result, the vast majority of entries logged by iptables is from "TCP_IN BLOCKED" or "CC_DENY".

However, the open ports are of course targeted, with the email server being the main target.

My email filtering is based on the following concept:
The objective of filtering is to
a) keep out the bad stuff and
b) let the good stuff through.

You can only do one of those things perfectly. A perfect air filter is a sealed can, but anyone in a sealed can, will die.

There are many businesses much bigger than mine that run an email server that uses a commercial filtering outfit that throws tons of legitimate queries into a spam hole because they apparently follow the rule that says better to block ten sale prospects than let one spammer through. (For instance, some have a rule that says throw away any email that comes from a host that isn't Google or Microsoft or AT&T or some other big email outfit, on the theory that a small business that runs its own server is up to no good.)

Because I can't afford to block prospects, my approach needs to be more nuanced. I have tweaked it over several years and I have it to just about as good as it gets. My server rarely lets any bad stuff past, but it rejects nothing that is innocent.

Since I have far fewer than 100K SMTP connections a day, the spamhaus zen server is free.
One simple test against that RBL in the check_mail acl of exim.conf stops the vast majority of ordinary spam:

  deny  log_message   = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
          dnslists   = +defer_unknown : zen.spamhaus.org
Almost all spammer hosts, whether zombie farms, or whatever, get into a zen rbl before they get around to hitting my site, so running the host against zen catches the vast majority before they ever get far enough to send any mail. I can't imagine any small server not using such an amazingly effective free service.

Once an email gets past the dozen or so additional exim configuration tests against various other attacks, SpamAssassin is run against any sent by hosts not on a host whitelist. (I whitelist about 50 hosts.) Only emails with a VERY high SA score are redirected to webmaster (me under a different account). Those that look like spam but with a lower score get marked as possible spam but are delivered normally. About 99% of emails that SA scans have a zero score. It is a rare week that more than a couple of spam messages are delivered to my inbox and those are typically marked as probables.

Re: regex.custom.pm stopped working

Posted: 09 Oct 2019, 07:50
by BallyBasic79
ocahui wrote: 07 Oct 2019, 22:02
BallyBasic79 wrote: 07 Oct 2019, 19:41 What is the syntax of your port declaration?
Presently:
[1] { return ("SMTP error 3",$1,"exim_main_error3","1","25","14400");}
Have also used:
[2] { return ("SMTP error 3",$1,"exim_main_error3","1",$3,"14400");}
And:
[3] { return ("SMTP error 3",$1,"exim_main_error3","1",,"14400");}

All are treated identically. Perhaps if only one port, you need to force the scalar into an array? I know next to nothing about Perl.
The syntax looks good on all with the following notes:
[1] Should block only port 25.
[2] Not sure that will work. It could. Not sure how the script will parse it.
[3] I'd suggest passing an empty value with "", rather than omitting a parameter.

Perl is funny – variables can shift type (duck typed).

I suggest starting with a conventional declaration to verify that it is working and then modify from there.

I appreciate reading about your approach – especially because it provides me a different perspective. It confirms that everyone has different operating environments, priorities, and constraints. This means that there's no one way that is best for everyone. I've been thinking about sharing my general configuration, particularly because it can provide others with ideas that they might incorporate into their approach (or not.)

Hold the Wall
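The three return styles from ocahui's post and BallyBasic79's note on [3], as an added example written for this page (not code from the thread, csf or lfd): a standalone Perl script that shows what each return list actually contains. The field labels are assumed from the thread's own examples, and $ip and $port are constructed stand-ins for the $1 and $3 captures.

```perl
#!/usr/bin/perl
# Added illustration, not code from the thread or from csf/lfd itself:
# how plain Perl list syntax treats the return styles posted above.
# Field labels are assumed from the thread's examples
# (description, IP, rule identifier, trigger count, ports, block time).
use strict;
use warnings;

# Constructed stand-ins for the $1 and $3 captures of the real regex.
my ($ip, $port) = ("192.0.2.10", "25");

my %variant = (
    '[1] literal port'  => sub { return ("SMTP error 3", $ip, "exim_main_error3", "1", "25",  "14400"); },
    '[2] captured port' => sub { return ("SMTP error 3", $ip, "exim_main_error3", "1", $port, "14400"); },
    '[3] omitted field' => sub { return ("SMTP error 3", $ip, "exim_main_error3", "1",      , "14400"); },
    '[4] empty string'  => sub { return ("SMTP error 3", $ip, "exim_main_error3", "1", "",    "14400"); },
);

my @field = qw(description ip identifier trigger ports duration);

# Walk each variant and print what lands in each positional slot.
for my $name (sort keys %variant) {
    my @ret = $variant{$name}->();
    printf "%s: %d elements returned\n", $name, scalar @ret;
    for my $i (0 .. $#field) {
        printf "    %-11s = %s\n", $field[$i],
            defined $ret[$i] ? qq{"$ret[$i]"} : 'undef';
    }
}
```

Perl silently drops the empty slot in [3], so that list comes back with five elements: "14400" lands in the ports position and the duration is undef, which is why passing "" rather than nothing keeps the later fields where the caller expects them.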