Netgate Discussion Forum

    Help With SMTP Banner Version for SpamD

    jackgh:

      Hi folks,

      Sorry if this is not considered a pfSense related question. I'm running pfSense version 2.2.5 and I'm desperately trying to alleviate my spam problem. I've tried pfBlocker and pfBlockerNG with block lists from iblocklist (I've bought the subscription), Spamhaus, etc., but I'm still seeing a surprisingly high number of spam messages that still get through. I'm not sure if this is "normal", but I personally receive 10+ messages per hour on average, other than what ends up in my spam folder in Outlook. Other users on my network see similar activity.

      So I'm now trying the spamd package but need help with the SMTP banner version. I'm just not an expert in this stuff, or even close to it, to figure this out, and documentation on the web was not very helpful for me. Can I just put anything I want in there, or is it something that I need to get from my internal mail server? Just to test things out, I put a value of "1" in there, enabled it, accepted the default minute values for all the various settings, set the internal IP address of my mail server, etc. However, every email that is received is whitelisted immediately, spam or otherwise, and it flows into my mail server. I would imagine that it has something to do with the SMTP banner version?

      Any help would be appreciated. And if you want to chime in on why so much spam gets missed by my block lists in pfblocker, I'd appreciate it too.

      Thanks a lot,
      Jack

      BBcan177 (Moderator):

        Hi Jack,

        IBlock is not the best solution to block spam. You should add more mail-specific IP blocklists. Please check out a script that I wrote which will add 50+ blocklists to pfBlockerNG; in there you will see a "Mail"-specific Blocklist Alias. Some of the other Aliases in the script will help block spam also.

        See installation link here:
        https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973

        If you host your own mail server, then you can add Spam (RBL) filters such as:

        • zen.spamhaus.org

        • bl.spamcop.net

        • b.barracudacentral.org

        You can also add RHSBLs like dbl.spamhaus.org

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          jackgh:

          Thanks for the reply. I did what you recommended and imported the list. I also disabled my existing list. I noticed several list download errors when I did a Force Update. It seems like a bunch of the list URLs are wrong or outdated. So, this is probably normal and to be expected. I've attached a screenshot of my pfblockerng widget showing the lists with errors.

          I'm still wondering what level of spam reduction I can expect with a setup like this. I'm still seeing LOTS of spam (about 28 messages) 3 hours or so after I did my import and forced the first update. FYI, in my previous list setup I did have Spamhaus and some of the other spam-related lists from iblocklist.com. So comparing the amount of spam I'm getting now to my previous list setup, I'd say it's probably a wash.

          Should I just accept things to be normal like this or could there be something else that is going on here? I've made sure to increase my maximum table entries size in System/Advanced. Is there anything else I can check for that might be causing things to not work properly?


            BBcan177 (Moderator):

            Some lists that have SSL errors need to use 'flex' state. Also some more details here:
            https://forum.pfsense.org/index.php?topic=86212.msg548372#msg548372

            What do the email headers show for those 28 spam emails? If you are getting hit by the same IPs, you can add those to a custom blocklist.

            The spamhaus IP blocklist is not the same as zen.spamhaus.com

            You can also use the Spamcop service to report spam abuse:
            www.spamcop.net


              jackgh:

              Thanks again. I've gone through and fixed some of the ones that had SSL-related errors.

              And here are the top 2 lines of the header data from a few of the most recent emails. I guess they look like they're from just a couple of spammers. Can I (or should I?) do something to block ones from that .top domain?

              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 08081f4d.foriock.top ([216.169.99.199]) by 
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc2719d.at3b8.top ([107.172.242.46]) by 
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc27194.tvxwk.top ([66.199.237.177]) by 
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc2719c.1kfqk.top ([107.172.242.45]) by 
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 08081f4c.focrions.top ([216.169.99.198]) by
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc27192.tgfj5.top ([66.199.237.176]) by
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc2719b.lmt80.top ([107.172.242.44]) by
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc27191.oh6vt.top ([66.199.237.175]) by
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc2719a.iygs6.top ([107.173.77.105]) by 
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc27199.11xw1.top ([107.173.77.104]) by
              
              Microsoft Mail Internet Headers Version 2.0
              Received: from 0fc2718f.ynyyz.top ([66.199.237.173]) by
              
                jackgh:

                @BBcan177:

                You can also use the Spamcop service to report spam abuse:
                www.spamcop.net

                Just did this. Felt pretty satisfactory. I guess every little bit helps the battle!

                  BBcan177 (Moderator):

                  I'd block these ranges completely as you see multiple IPs in those ranges.

                  66.199.237.0/24
                  107.173.77.0/24
                  107.172.242.0/24
                  216.169.99.0/24

                  These are all USA based, btw. All in Brooklyn/Buffalo, NY.

                  http://www.tcpiputils.com/browse/ip-address/216.169.99.199
                  http://multirbl.valli.org/lookup/216.169.99.199.html
                  https://sitecheck.sucuri.net/results/foriock.top

                  Also see if you can use those DNSRBLs that I mentioned before… the reverse dbl.spamhaus.com would have caught most of those ...

                  If you see repeat Domain names, add those to pfBNG DNSBL.

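The two pieces of advice above, grouping the sender IPs from the Received headers into /24 ranges and querying the IP-based lists (zen, spamcop) differently from the domain-based DBL, as an added example that is not from the thread, pfBlockerNG or Spamhaus. The header text is constructed in the shape Jack posted; the lookups are only built as DNS names, not resolved, so it runs offline.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the top two header lines of four messages, in the form
# Jack pasted ("Received: from <helo> ([<ip>]) by ..."); hosts and IPs are
# from the thread, the receiving host is a placeholder.
SAMPLE_HEADERS = """\
Microsoft Mail Internet Headers Version 2.0
Received: from 08081f4d.foriock.top ([216.169.99.199]) by mx.example.invalid
Microsoft Mail Internet Headers Version 2.0
Received: from 0fc2719d.at3b8.top ([107.172.242.46]) by mx.example.invalid
Microsoft Mail Internet Headers Version 2.0
Received: from 0fc2719c.1kfqk.top ([107.172.242.45]) by mx.example.invalid
Microsoft Mail Internet Headers Version 2.0
Received: from 0fc27194.tvxwk.top ([66.199.237.177]) by mx.example.invalid
"""

RECEIVED_RE = re.compile(
    r"^Received: from (\S+) \(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.M)

def parse_received(text):
    """Return (helo_host, ip) pairs from the first-hop Received: lines."""
    return RECEIVED_RE.findall(text)

def ranges_to_block(text, prefix=24, min_hits=2):
    """Aggregate sender IPs into /prefix networks and report the networks
    seen from at least min_hits distinct IPs (the "multiple IPs in a range"
    rule of thumb from the post). Check WHOIS before blocking a whole range:
    a shared hosting /24 can carry legitimate mail too."""
    nets = defaultdict(set)
    for _, ip in parse_received(text):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[net].add(ip)
    return sorted(str(n) for n, ips in nets.items() if len(ips) >= min_hits)

def ip_dnsbl_query(ip, zone="zen.spamhaus.org"):
    """IP-based DNSBL (zen, bl.spamcop.net, barracuda): the query name is the
    IP with its octets reversed, prefixed to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def domain_dnsbl_query(helo_host, zone="dbl.spamhaus.org"):
    """Domain-based list (DBL): the sending domain is queried, never an IP.
    Simplification: takes the last two labels as the registrable domain."""
    labels = helo_host.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone
```

A real check resolves the returned name with an A query and treats any 127.0.0.0/8 answer as a listing; a NXDOMAIN answer means not listed.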

                    jackgh:

                    @BBcan177:

                    I'd block these ranges completely as you see multiple IPs in those ranges.

                    66.199.237.0/24
                    107.173.77.0/24
                    107.172.242.0/24
                    216.169.99.0/24

                    Added them and a few others that have come up since then, and I've noticed a difference. It seems like they come in batches from particular sources.

                    @BBcan177:

                    Also see if you can use those DNSRBLs that I mentioned before… the reverse dbl.spamhaus.com would have caught most of those ...

                    I've just confirmed that I have in fact had these blocklists also configured in my Exchange server:

                    • zen.spamhaus.org

                    • b.barracudacentral.org

                    I just added bl.spamcop.net as well. But assuming things are working properly in pfBlockerNG, in theory nothing would get through the firewall that would then be handled by Exchange, since these lists are already in pfBlockerNG.

                    Just to make sure I understand, are you asking that I add dbl.spamhaus.org to my Exchange block list configuration (i.e. along with zen.spamhaus.org, b.barracudacentral.org, etc)?

                    @BBcan177:

                    If you see repeat Domain names, add those to pfBNG DNSBL.

                    Is this the tab that needs the Unbound DNS resolver? I think I can block emails from an entire top level domain (in this case, *.top). I'm going to do that first and see how it goes.

                    Thanks so much for your help with this. It looks like I'm figuring out multiple ways which all together will significantly reduce spam traffic.

                      BBcan177 (Moderator):

                      @jackgh:

                      Just to make sure I understand, are you asking that I add dbl.spamhaus.org to my Exchange block list configuration (i.e. along with zen.spamhaus.org, b.barracudacentral.org, etc)

                      dbl.spamhaus is a domain-based block list. I do not use Exchange, so check to see where in the configuration you can define a domain-based list.

                      http://www.spamhaus.org/faq/section/DNSBL%20Usage

                      @jackgh:

                      Thanks so much for your help with this. It looks like I'm figuring out multiple ways which all together will significantly reduce spam traffic.

                      NP. Spam must die! :)


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.