Community Discussions and Support
Mercury Server appearing on spammers IP blacklists

[quote user="Thomas R. Stephenson"]

where within Mercury I amend these settings so that it makes use of spamhaus and spamcop?

Configuration | MercuryS | Spam control. Here's my blacklist configuration file that I use that you can copy to Notepad (or any other ASCII editor) and save to the Mercury directory to see how this is done. You can use tagging for a while (I watched for a couple of months) like I did for each list until I was sure there were no false positives. If you use tagging you can use a Mercury/32 filter to move these messages to a spam user account. I created the user "blacklist" and filtered mail with the tags to that user.

-------------------------------------------------- MS_SPAM.MER  ------------------------------------

# Mercury/32 SMTP server block query definitions data file.
# Mercury/32 Mail Transport System, Copyright 1993-2006, David Harris.

Begin
Name: SpamHaus-Zen
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: zen.spamhaus.org
Strictness: Range 127.0.0.2 - 127.0.0.8
Action: Reject
Parameter: Blocked by SpamHaus.org See http://spamhaus.org for removal instructions
End

Begin
Name: PSBL
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: psbl.surriel.com
Strictness: Normal
Action: Reject
Parameter: X-Blocked: by PSBL See http://psbl.surriel.com for removal instructions
End

Begin
Name: SpamCop
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: bl.spamcop.net
Strictness: Normal
Action: Reject
Parameter: Spam blocked see: http://spamcop.net/bl.shtml?
End

Begin
Name: SpamHaus Zen PBL
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: zen.spamhaus.org
Strictness: Range 127.0.0.10 - 127.0.0.11
Action: Reject
Parameter: X-Blocked:  by SpamHaus.org PBL See http://spamhaus.org for removal instructions
End

---------------------------------------------------- cut here ------------------------------------------------------------------------

[/quote]

Just out of curiosity why do you use normal strictness for the Spamcop and PSBL lists and ranges for spamhaus?


Hi Everyone,

I have a problem that I thought I had fixed but has re-occurred 3 days later. My server unfortunately broke down and I had to do a completely new build. Originally it was not myself who configured Mercury so it was quite a stab in the dark to fix but it appeared that I had got it working. I managed to get the service up and running so that me and my colleague were receiving our mail. Unfortunately at the time I hadn't fixed our spam filter so we were receiving thousands of junk mail in the two days it took me to sort.

Since then our mail calmed down but we ended up on www.spamhaus.org and cbl.abuseat.org as an IP address that is potentially spamming people. This was put down to a few reasons highlighted on the sites that suggested that our server had become infected with either a trojan or some form of virus. I have since run full scans for spyware, ad-ware etc etc and turned up nothing. I requested to be delisted from the blacklists and have been fine for three days but unfortunately have ended up back on the lists.

 I am lost for ideas on what it may be as the system hosting the server appears to be fine. Any and all help and suggestions would be greatly appreciated.

 Wee Craig


It appears you are relaying, but I'm not all that sure since you have not provided any details at all, i.e. host name, IP address, etc. that would allow us to verify. Check the settings in Configuration | MercuryS | Connection control. Make sure that relaying is turned off and strict relaying are both checked.


Hi Thomas thanks for your speedy response.

I have had a quick look and I had checked the "Do not permit SMTP relaying of non-local mail" but had not done "Use strict local relaying restrictions", so I have checked that also. The final two options are currently unchecked.

The IP address in question is 80.192.120.150. Let me know what other information would be helpful.

I have requested removal from the blacklist and this appears to have been done, however I will be away now until Tuesday so hopefully we don't get put back on! I will try to get back to the postings over the weekend to see any suggestions or try to send you any additional information you need.

Craig


had not done "Use strict local relaying restrictions"

This is the one that probably did it and you'll be getting a lot of bounces since the spammers used one of your email addresses to relay off the server.

The IP address in question is 80.192.120.150. let me know what other information would be helpful.

I did a couple of simple checks on the address for relaying and it looks like you are now blocking relaying.


Hi Thomas,

After applying the two options to stop relaying our email stopped getting through. I am getting reports from my spamfilter that the messages are being "shunned" by Mercury.

Our spam filter receives my mail from my ISP on port 25 and then FW to port 26 for Mercury to collect and distribute. I can only think that the way the ports are setup may be the issue?

Thanks

Craig


After applying the two options to stop relaying our email stopped getting through. I am getting reports from my spamfilter that the messages are being "shunned" by Mercury.

Not sure what this "shunned" means but I suspect that your spam filter is accepting everything and MercuryS is rejecting the invalid users and spammers trying to relay. What do the MercuryS logs say?

Our spam filter receives my mail from my ISP on port 25 and then FW to port 26 for Mercury to collect and distribute. I can only think that the way the ports are setup may be the issue?

Not the ports, the spam filter. Apparently the spam filter does not really know your domains and local IP addresses so what it accepts could be rejected when received by MercuryS. Personally I find that Spamhalter and/or POPFileD work so well (+99.7% effectiveness and >0.05% FPR) that I would not think of putting something else in front of it. ;-)

Hi Thomas,

I have emailed you an extract of the spam filter's log, which shows you the "shunned" message. The program being used as the filter is called Spamfilter (very original) by Logstat. While I was away my colleague disabled the filter so everything is getting through at the moment, which as you can imagine is a tad of a nightmare, but everything we want in is also not being blocked anymore. :(  My colleague tried configuring Mercury's built-in spam filter but seems to have had no success.

Perhaps I am missing an updated database with spamming addresses etc. on it or the filter needs time to learn what mail is junk or not?

Regards

Craig


Looks like MercuryS is rejecting the connection.  Have you set MercuryS to use short term blacklisting?  If so you will be blacklisting your spam filter since all of your mail comes from the same source.

Enable short-term blacklisting for compliance failures  If you check this control, MercuryS will note the IP addresses of systems that exceed the limits you set for relaying and RCPT command failures (see above) and will prevent them from connecting for a period of 30 minutes. This is intended to make life difficult for spammers and other undesirable elements who may attempt to "harvest" addresses from your system by dictionary attacks. The short-term blacklist is automatically cleared if you restart Mercury. Transaction-level filtering expressions (see below) can also result in a system being blacklisted on a short-term basis, but only if this control is checked.

This of course is one of the major problems of using a secondary anti-spam system as a front end that has fewer capabilities than the server. ;-)  Again, I would do away with the anti-spam front end and use Greywall, Clamwall, Spamhalter and blacklists to block the spam at MercuryS. If you want to continue using the system you have, make sure that the connections from the anti-spam system are not blocked for any reason.


Lol, I can understand the issues with running the applications side by side. I suppose really the only reason I was trying to get it working again is that the previous setup seemed to complement each other. At the moment I have given up with the SpamFilter software and am now concentrating on Mercury's Greywall/Clamwall etc. It has made a small improvement but I still receive about 60 spam a day now. Is there a backend database that I should have downloaded that contains a general list of known rogue IP addresses?

 Wee Craig


Is there a backend database that I should have downloaded that contains a general list of known rogue IP addresses?

Yes and they are called blacklists. I use Spamhaus zen.spamhaus.org and Spamcop bl.spamcop.net since these are the ones I have found to have almost zero false positives. I'm sure that your SpamFilter software was using one of these at least.

Hi Thomas,

Spamhaus sounds familiar... I had to have our IP address removed from it! I have had a look on Mercury at the settings for its built-in spam filter and I cannot see any reference to either of the two sites you suggested. Can I ask then, in what will hopefully be the final solution to my problems, where within Mercury I amend these settings so that it makes use of spamhaus and spamcop?

Thanks for your patience!

Craig


where within Mercury I amend these settings so that it makes use of spamhaus and spamcop?

Configuration | MercuryS | Spam control. Here's my blacklist configuration file that I use that you can copy to Notepad (or any other ASCII editor) and save to the Mercury directory to see how this is done. You can use tagging for a while (I watched for a couple of months) like I did for each list until I was sure there were no false positives. If you use tagging you can use a Mercury/32 filter to move these messages to a spam user account. I created the user "blacklist" and filtered mail with the tags to that user.

-------------------------------------------------- MS_SPAM.MER  ------------------------------------

# Mercury/32 SMTP server block query definitions data file.
# Mercury/32 Mail Transport System, Copyright 1993-2006, David Harris.

Begin
Name: SpamHaus-Zen
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: zen.spamhaus.org
Strictness: Range 127.0.0.2 - 127.0.0.8
Action: Reject
Parameter: Blocked by SpamHaus.org See http://spamhaus.org for removal instructions
End

Begin
Name: PSBL
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: psbl.surriel.com
Strictness: Normal
Action: Reject
Parameter: X-Blocked: by PSBL See http://psbl.surriel.com for removal instructions
End

Begin
Name: SpamCop
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: bl.spamcop.net
Strictness: Normal
Action: Reject
Parameter: Spam blocked see: http://spamcop.net/bl.shtml?
End

Begin
Name: SpamHaus Zen PBL
Enabled: Y
QueryType: Blacklist
QueryForm: Address
Hostname: zen.spamhaus.org
Strictness: Range 127.0.0.10 - 127.0.0.11
Action: Reject
Parameter: X-Blocked:  by SpamHaus.org PBL See http://spamhaus.org for removal instructions
End

---------------------------------------------------- cut here ------------------------------------------------------------------------

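The file above is a list of DNSBL block queries; the Python below is an added example (not Mercury's own code) that parses that Begin/End format, builds the reversed-octet query name and applies the Strictness rule, which is also why zen.spamhaus.org gets ranges rather than Normal: zen is one combined zone whose 127.0.0.x return code identifies the sub-list, so the 10-11 PBL codes can be handled separately from the 2-8 SBL/XBL codes. The resolver is injected and the FAKE_DNS answers are constructed, so nothing is queried over the network.

```python
# Added example, not Mercury's own code: how an MS_SPAM.MER-style block query is
# evaluated for a connecting IP. DNS is injected as a dict so it runs offline; every
# answer in FAKE_DNS is constructed for illustration, not a real listing.
import ipaddress

def parse_ms_spam(text):
    """Parse 'Begin ... End' blocks of 'Key: Value' lines into a list of dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "Begin":
            current = {}
        elif line == "End":
            if current is not None:
                entries.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return entries

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 80.192.120.150 -> 150.120.192.80.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def code_matches(strictness, answer):
    """'Normal': any 127.0.0.x answer means listed. 'Range lo - hi': only answers inside
    the range count, which lets one combined zone (zen) be split into SBL/XBL and PBL."""
    code = ipaddress.IPv4Address(answer)
    if strictness == "Normal":
        return code in ipaddress.IPv4Network("127.0.0.0/8")
    kind, _, bounds = strictness.partition(" ")
    if kind == "Range" and "-" in bounds:
        lo, hi = (ipaddress.IPv4Address(b.strip()) for b in bounds.split("-", 1))
        return lo <= code <= hi
    raise ValueError("unsupported Strictness: " + strictness)

def evaluate(ip, entries, resolve):
    """Return (Name, Action, Parameter) of the first enabled list that matches, else None.
    resolve(name) -> list of A-record strings; [] means NXDOMAIN, i.e. not listed."""
    for e in entries:
        if e.get("Enabled") != "Y" or e.get("QueryType") != "Blacklist":
            continue
        for answer in resolve(dnsbl_query_name(ip, e["Hostname"])):
            if code_matches(e["Strictness"], answer):
                return e["Name"], e["Action"], e.get("Parameter", "")
    return None

# The two zen.spamhaus.org entries from the thread's file (QueryForm omitted: unused here).
SAMPLE_CONFIG = """
Begin
Name: SpamHaus-Zen
Enabled: Y
QueryType: Blacklist
Hostname: zen.spamhaus.org
Strictness: Range 127.0.0.2 - 127.0.0.8
Action: Reject
Parameter: Blocked by SpamHaus.org
End
Begin
Name: SpamHaus Zen PBL
Enabled: Y
QueryType: Blacklist
Hostname: zen.spamhaus.org
Strictness: Range 127.0.0.10 - 127.0.0.11
Action: Reject
Parameter: X-Blocked: by SpamHaus.org PBL
End
"""

# Constructed stand-in for DNS: documentation addresses (192.0.2.x), made-up answers.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],   # inside 2-8: SpamHaus-Zen fires
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.11"],  # inside 10-11: PBL entry fires
    "30.2.0.192.zen.spamhaus.org": ["127.0.0.9"],   # in neither range: not blocked
}

def check(ip, resolve=lambda name: FAKE_DNS.get(name, [])):
    return evaluate(ip, parse_ms_spam(SAMPLE_CONFIG), resolve)
```

Swapping the injected resolver for a real A-record lookup of the returned name is all that separates this from a live check; an address that is not listed simply gets no answer.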

Hi Thomas,

Thanks for the info, I applied it a few days ago and have been monitoring Mercury's activity. The change is excellent. I have an account set up to capture everything that is stopped by the blacklist. It has been capturing about 90% of everything coming in, so far blocking nearly 1000 spam messages and out of that I've only had two false positives. Since then I have been making minor adjustments to the filtering rules in the content control section of Mercury. This has again further improved the amount being blocked. I think it will take a few weeks of tinkering but the end result is looking nearer!

Using the content control list with the blacklist, what would you say would be a good weight setting for capturing mail? The default appears to be 50 but from reviewing the logic of the rules some of the remaining spam is still getting through as the combined weights of some of the mail isn't reaching 50 as a few of the rules are designed to capture cumulatively based on there being several "key" words within the mail.

I have to thank you again for all your support, without which I doubt I would have got this far. Having been stepped through the setup by yourself I've developed an appreciation for Mercury and that it is in actual fact a powerful tool as opposed to being a nightmare piece of software.  [:D]

Craig


Using the content control list with the blacklist, what would you say would be a good weight setting for capturing mail? The default appears to be 50 but from reviewing the logic of the rules some of the remaining spam is still getting through as the combined weights of some of the mail isn't reaching 50 as a few of the rules are designed to capture cumulatively based on there being several "key" words within the mail.

I no longer use content control but those that do usually use 50% and set the ones that trigger to 51% so that any item that triggers is spam.

I'm now just using POPFileD, blacklists, Clamwall and Greywall with a couple of filters to catch the spam at 99.86% with 0.05% FPR. Spamhalter, when properly trained, should work at least at the 99% level. I use this on one of my Mercury/32 test setups downloading some real spammy mail from my ISP POP3 account and a couple of Yahoo groups and it's currently working at ~99.2% with zero FPR. Gets a few leakers (~1 in 500) but not enough to worry about.
