Help With SMTP Banner Version for SpamD



  • Hi folks,

    Sorry if this is not considered a pfsense related question. I'm running pfsense version 2.2.5 and I'm desperately trying to alleviate my spam problem. I've tried pfblocker and pfblockerng with block lists from iblocklist (I've bought the subscription), spamhaus, etc., but I'm still seeing a surprisingly high number of spam messages that still get through. I'm not sure if this is "normal", but I personally receive 10+ messages per hour on average, other than what ends up in my spam folder in Outlook. Other users on my network see similar activity.

    So I'm now trying the spamd package but need help with the SMTP banner version. I'm just not an expert in this stuff or even close to it to figure this out, and documentation on the web was not very helpful for me. Can I just put anything I want in there or is it something that I need to get from my internal mail server? Just to test things out, I put a value of "1" in there, enabled it, accepted the default minute values for all the various settings, set the internal IP address of my mail server, etc. However, every email that is received is whitelisted immediately, spam or otherwise, and it flows into my mail server. I would imagine that it has something to do with the SMTP banner version?

    Any help would be appreciated. And if you want to chime in on why so much spam gets missed by my block lists in pfblocker, I'd appreciate it too.

    Thanks a lot,
    Jack


  • Moderator

    Hi Jack,

    IBlock is not the best solution to block spam. You should add more mail specific IP Blocklists. Please check out a script that I wrote which will add 50+ blocklists to pfBlockerNG; in there you will see a "Mail" specific Blocklist Alias. Some of the other Aliases in the script will help block spam also.

    See installation link here:
    https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973

    If you host your own mail server, then you can add Spam (RBL) filters such as:

    You can also add RHSBLs like dbl.spamhaus.org



  • Thanks for the reply. I did what you recommended and imported the list. I also disabled my existing list. I noticed several list download errors when I did a Force Update. It seems like a bunch of the list URLs are wrong or outdated. So, this is probably normal and to be expected. I've attached a screenshot of my pfblockerng widget showing the lists with errors.

    I'm still wondering what level of spam reduction I can expect with a setup like this. I'm still seeing LOTS of spam (about 28 messages) 3 hours or so after I did my import and forced the 1st update. FYI in my previous list setup, I did have spamhaus and some of the other spam-related lists from iblocklist.com. So comparing the amount of spam I'm getting now to my previous list setup, I'd say it's probably a wash.

    Should I just accept things to be normal like this or could there be something else that is going on here? I've made sure to increase my maximum table entries size in System/Advanced. Is there anything else I can check for that might be causing things to not work properly?

    @BBcan177:

    Hi Jack,

    IBlock is not the best solution to block spam. You should add more mail specific IP Blocklists. Please check out a script that I wrote which will add 50+ blocklists to pfBlockerNG; in there you will see a "Mail" specific Blocklist Alias. Some of the other Aliases in the script will help block spam also.

    See installation link here:
    https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973

    If you host your own mail server, then you can add Spam (RBL) filters such as:

    You can also add RHSBLs like dbl.spamhaus.org



  • Moderator

    Some lists that have SSL errors need to use 'flex' state. Also some more details here:
    https://forum.pfsense.org/index.php?topic=86212.msg548372#msg548372

    What do the email headers show for those 28 spam emails? If you are getting hit by the same IPs, you can add those to a custom blocklist.

    The spamhaus IP blocklist is not the same as zen.spamhaus.com

    You can also use the Spamcop service to report spam abuse:
    www.spamcop.net



  • Thanks again. I've gone through and fixed some of the ones that had SSL-related errors.

    And here are the top 2 lines of the header data from a few of the most recent emails. I guess they look like they're from just a couple of spammers. Can I (or should I?) do something to block ones from that .top domain?

    Microsoft Mail Internet Headers Version 2.0
    Received: from 08081f4d.foriock.top ([216.169.99.199]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc2719d.at3b8.top ([107.172.242.46]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc27194.tvxwk.top ([66.199.237.177]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc2719c.1kfqk.top ([107.172.242.45]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 08081f4c.focrions.top ([216.169.99.198]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc27192.tgfj5.top ([66.199.237.176]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc2719b.lmt80.top ([107.172.242.44]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc27191.oh6vt.top ([66.199.237.175]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc2719a.iygs6.top ([107.173.77.105]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc27199.11xw1.top ([107.173.77.104]) by

    Microsoft Mail Internet Headers Version 2.0
    Received: from 0fc2718f.ynyyz.top ([66.199.237.173]) by


  • @BBcan177:

    You can also use the Spamcop service to report spam abuse:
    www.spamcop.net

    Just did this. Felt pretty satisfactory. I guess every little bit helps the battle!


  • Moderator

    I'd block these ranges completely as you see multiple IPs in those ranges.

    66.199.237.0/24
    107.173.77.0/24
    107.172.242.0/24
    216.169.99.0/24

    These are all USA based btw… All in Brooklyn/Buffalo NY..

    http://www.tcpiputils.com/browse/ip-address/216.169.99.199
    http://multirbl.valli.org/lookup/216.169.99.199.html
    https://sitecheck.sucuri.net/results/foriock.top

    Also see if you can use those DNSRBLs that I mentioned before… the reverse dbl.spamhaus.com would have caught most of those ...

    If you see repeat Domain names, add those to pfBNG DNSBL.
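
    The moderator's advice to read the Received: headers and block repeat /24 ranges, as an added example that is not from the thread or from pfBlockerNG itself: this script parses the first Received: line of each message in the format posted above, groups sender IPs by /24, and prints entries in the one-address-per-line form a pfBlockerNG custom IP list accepts. The sample headers are constructed from documentation address space, not the thread's real senders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the first "Received:" line of several messages, in the
# same shape as the headers posted in this thread (hostnames and IPs made up).
SAMPLE_HEADERS = """\
Received: from 0a1b2c3d.example-a.top ([203.0.113.10]) by mail.example.local
Received: from 0a1b2c3e.example-b.top ([203.0.113.11]) by mail.example.local
Received: from 0a1b2c3f.example-c.top ([203.0.113.12]) by mail.example.local
Received: from 1f2e3d4c.example-d.top ([198.51.100.7]) by mail.example.local
Received: from mx.legit.example ([192.0.2.25]) by mail.example.local
"""

# HELO name and bracketed client IP from a "Received: from <helo> ([<ip>])" line.
RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def parse_received(text):
    """Return (helo_name, client_ip) tuples for each parsable Received: line."""
    hits = []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hits.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hits

def group_by_prefix(ips, prefix=24):
    """Map each /prefix network to the set of distinct sender IPs seen in it."""
    nets = defaultdict(set)
    for ip in ips:
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return nets

def custom_list(text, min_hits=2, prefix=24):
    """One line per entry for a pfBlockerNG custom list: the whole /prefix when
    at least min_hits distinct IPs were seen in it, otherwise the single host."""
    ips = [ip for _, ip in parse_received(text)]
    entries = []
    for net, seen in sorted(group_by_prefix(ips, prefix).items()):
        if len(seen) >= min_hits:
            entries.append(str(net))
        else:
            entries.extend(f"{ip}/32" for ip in sorted(seen))
    return entries

if __name__ == "__main__":
    print("\n".join(custom_list(SAMPLE_HEADERS)))
```

Only the single-hop /24 is shown; the same grouping with prefix=16 is what you would check before widening a block, since a /16 of a hosting provider also contains legitimate senders.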



  • @BBcan177:

    I'd block these ranges completely as you see multiple IPs in those ranges.

    66.199.237.0/24
    107.173.77.0/24
    107.172.242.0/24
    216.169.99.0/24

    Added them and a few others that have come up since then and I've noticed a difference. It seems like they come in batches from particular sources.

    @BBcan177:

    Also see if you can use those DNSRBLs that I mentioned before… the reverse dbl.spamhaus.com would have caught most of those ...

    I've just confirmed that I have in fact had these blocklists also configured in my Exchange server.

    I just added bl.spamcop.net as well. But assuming things are working properly in pfblockerng, in theory nothing would get through the firewall that would then be handled by Exchange since these lists are already in pfblockerng.

    Just to make sure I understand, are you asking that I add dbl.spamhaus.org to my Exchange block list configuration (i.e. along with zen.spamhaus.org, b.barracudacentral.org, etc)?

    @BBcan177:

    If you see repeat Domain names, add those to pfBNG DNSBL.

    Is this the tab that needs the Unbound DNS resolver? I think I can block emails from an entire top level domain (in this case, *.top). I'm going to do that first and see how it goes.

    Thanks so much for your help with this. It looks like I'm figuring out multiple ways which all together will significantly reduce spam traffic.


  • Moderator

    @jackgh:

    Just to make sure I understand, are you asking that I add dbl.spamhaus.org to my Exchange block list configuration (i.e. along with zen.spamhaus.org, b.barracudacentral.org, etc)?

    dbl.spamhaus is a domain-based block list. I do not use Exchange, so check to see where in the configuration you can define a Domain based list.

    http://www.spamhaus.org/faq/section/DNSBL Usage

    Thanks so much for your help with this. It looks like I'm figuring out multiple ways which all together will significantly reduce spam traffic.

    NP Spam must die! :)
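
    The distinction the moderator draws between an IP-based list (zen.spamhaus.org) and a domain-based list (dbl.spamhaus.org) comes down to what name the mail filter queries. As an added example, not the moderator's, Exchange's or Spamhaus's code, this builds both lookups the way RFC 5782 DNSBL/RHSBL clients do and interprets the answer; the resolver is a constructed in-memory stub with made-up answers so it runs offline, and the zone names are the ones quoted in this thread.

```python
import ipaddress

# Zone names quoted in this thread. An IP-based list is queried with the
# reversed address; a domain-based list is queried with the domain itself.
IP_ZONE = "zen.spamhaus.org"
DOMAIN_ZONE = "dbl.spamhaus.org"

def ip_query_name(ip, zone=IP_ZONE):
    """Reverse the octets of an IPv4 address and append the zone:
    203.0.113.10 -> 10.113.0.203.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def domain_query_name(name, zone=DOMAIN_ZONE):
    """Append the zone to a domain name. An IP literal is refused: a domain
    list cannot answer it meaningfully, so the caller must use IP_ZONE."""
    name = name.rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return name + "." + zone
    raise ValueError(f"{name} is an IP address; query {IP_ZONE} instead")

def is_listed(qname, resolve):
    """Listed means the zone answers with an A record inside 127.0.0.0/8;
    NXDOMAIN (the resolver returns None) means not listed."""
    answer = resolve(qname)
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

# Constructed stand-in for DNS: one listed sender IP and one listed HELO
# domain (answer values are made up for the example).
FAKE_DNS = {
    "10.113.0.203.zen.spamhaus.org": "127.0.0.2",
    "example-a.top.dbl.spamhaus.org": "127.0.1.2",
}

def fake_resolve(qname):
    return FAKE_DNS.get(qname)

def check_sender(ip, helo_domain, resolve=fake_resolve):
    """Both checks together, as an MTA with an RBL and an RHSBL configured runs them."""
    return {
        "ip_listed": is_listed(ip_query_name(ip), resolve),
        "domain_listed": is_listed(domain_query_name(helo_domain), resolve),
    }
```

With a real resolver you would swap fake_resolve for a function that does the A lookup; the query names and the 127.0.0.0/8 test stay the same.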

