Re: Blacklisted URL in message

Kebba Foon
Dear List,

Just recently I seem to have encountered this same issue. Suddenly I started having "rejected during MIME ACL checks: Blacklisted URL in message. (africell.gm) in. See http://lookup.uribl.com." in my log files, but checking the site for the africell.gm domain revealed that it was not listed. I went to exim_surbl.pl and disabled the URI checking, and have yet to confirm whether this solves the problem, but my question is: this was working all the time, so why the sudden change? I don't remember doing any configuration or update on my servers. I must admit my server processes a lot of mail as I am an ISP, but how can I check whether my queries are being rejected by uribl.com?

Kebba

On Tue, 2014-09-02 at 06:16 -0400, [hidden email] wrote:
Send users mailing list submissions to
	[hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
	https://exim4u.org/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	[hidden email]

You can reach the person managing the list at
	[hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."


Today's Topics:

   1. Blacklisted URL in message (Terry)
   2. Re: Blacklisted URL in message (Gordon Dickens)
   3. Re: Blacklisted URL in message (Terry)
   4. Re: Blacklisted URL in message (Gordon Dickens)
   5. Re: Blacklisted URL in message (Terry)
   6. Re: Blacklisted URL in message (Gordon Dickens)
   7. Fix suggestion for broken login on Linux Distributions with
      suhosin patched PHP (e.G. Debian Wheezy) (Seidel, Michael)
   8. exim 4.84 (Valkanover Harald)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jun 2014 12:08:23 +0100
From: Terry <[hidden email]>
To: [hidden email]
Subject: [Exim4U] Blacklisted URL in message
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1

Hi, one of our customers complained about not receiving some email and it
seems they were blocked due to a blacklisted URL, but I went and checked
and they are not listed. Unless they recently became unlisted?


+++ 1WxHw9-000PUG-3y has not completed +++
2014-06-18 15:38:09 1WxHw9-000PUG-3y H=mail50.scotnet.co.uk
(sys30.scotnet.net) [217.16.223.65] F=<[hidden email]> rejected
during MIME ACL checks: Blacklisted URL in message.
(pritchard-edwards.co.uk) in. See http://lookup.uribl.com.

+++ 1Wwpio-000MvZ-TN has not completed +++
2014-06-17 09:30:31 1Wwpio-000MvZ-TN H=smtp.clearstreamgroup.co.uk
(smtp2.clearstreamtechnology.co.uk) [46.17.208.145]
F=<[hidden email]> rejected during MIME ACL checks:
Blacklisted URL in message. (familyarbitrator.com) in. See
http://lookup.uribl.com.

-- 
------------------------------------
Terry 
------------------------------

Message: 2
Date: Thu, 19 Jun 2014 08:01:41 -0400
From: Gordon Dickens <[hidden email]>
To: Exim4U General Discussion <[hidden email]>
Subject: Re: [Exim4U] Blacklisted URL in message
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: <http://exim4u.org/pipermail/users/attachments/20140619/d09f4d1c/attachment-0001.html>

------------------------------

Message: 3
Date: Fri, 20 Jun 2014 09:41:01 +0100
From: Terry <[hidden email]>
To: [hidden email]
Subject: Re: [Exim4U] Blacklisted URL in message
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

They have had their own email blocked yesterday as well when trying to
email from a home address.
But when I check the logs it seems to be catching legitimate emails as
well as it should.
I didn't want to disable it as it does a good job, but may have to.
-- 
------------------------------------
Terry
------------------------------

Message: 4
Date: Fri, 20 Jun 2014 08:54:23 -0400
From: Gordon Dickens <[hidden email]>
To: Exim4U General Discussion <[hidden email]>
Subject: Re: [Exim4U] Blacklisted URL in message
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Exim4U does not do a URIBL check for authenticated mail.  So, assuming 
that they use authentication for local mail, something very weird is 
going on for their own mail to be blocked.  That should not be 
possible.  Otherwise, their exim4u configuration must have somehow 
gotten mangled.

It sounds like they may be having a DNS problem with the URIBL lookups.  
Do they use their own caching DNS server or are they using a public DNS 
server?  I strongly recommend that they use their own DNS server with 
bind/named.  Otherwise, the use of public DNS servers can cause 
unpredictable results such as refused queries and false positive 
results.  Note that URIBL may refuse queries from any high volume DNS 
server.  So, if they are using a public DNS server then I recommend that 
they set up their own caching name server with bind/named.

FYI,

Gordon
On 06/20/2014 04:41 AM, Terry wrote:
> They have had their own email blocked yesterday as well when trying to 
> email from a home address.
> But when I check the logs it seems to be catching legitimate emails as 
> well as it should.
> I didn't want to disable it as it does a good job, but may have to.
------------------------------

Message: 5
Date: Tue, 24 Jun 2014 14:12:58 +0100
From: Terry <[hidden email]>
To: [hidden email]
Subject: Re: [Exim4U] Blacklisted URL in message
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi, by their own address I meant a gmail one, so they noticed the block. 
They do have their own caching DNS server and everything seems in order.
I have disabled the check for them so things are fine now. But it was a 
bit puzzling.

-- 
------------------------------------
Terry
------------------------------

Message: 6
Date: Thu, 26 Jun 2014 08:55:44 -0400
From: Gordon Dickens <[hidden email]>
To: Exim4U General Discussion <[hidden email]>
Subject: Re: [Exim4U] Blacklisted URL in message
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Terry,

I thought of another thing to look at.  The uribl lookups are done in a 
script that is included in the Exim4U installation here:

/etc/exim/exim.pl/exim_surbl.pl

This script checks three URL blacklists: SURBL, URIBL and DBL. The exim 
log entries that you sent in your first email were all only URIBL 
lookups.  So, you may consider re-enabling the lookups in 
/etc/exim/exim.conf and disabling only the URIBL blacklist directly in 
/etc/exim/exim.pl/exim_surbl.pl to determine if the problem is only with 
the URIBL blacklist or with all three blacklists.

Look at lines 61 through 65 in exim_surbl.pl:

     # The following variables enable or disable the SURBL, URIBL and DBL
     # lookups.  Set to 1 to enable and 0 to disable.
     my $surbl_enable = 1;
     my $uribl_enable = 1;
     my $dbl_enable = 1;

Here, you can disable/enable each blacklist individually.  If, for some 
reason, you find that the problem only exists with the URIBL blacklist 
then you can keep the script running and benefit from the other two 
blacklists.

This script was written by Erik Mugele and you can read more about it here:

http://www.teuton.org/~ejm/exim_surbl/

If you find that all three lists generate false positives, then I would 
suggest that the problem probably is directly related to this 
installation's DNS lookups.  Whereas, if the problem only occurs with 
the URIBL then I'm not sure what to say.  In any event, Erik Mugele's 
script is well known and popular within the exim community and this is 
the first time that I have ever heard of this type of problem that was 
not caused by the use of a public or large ISP's DNS servers.  So, if 
you make any progress diagnosing this problem please let me know what 
you find.

Thanks,

Gordon



On 06/24/2014 09:12 AM, Terry wrote:
> Hi, by their own address I meant a gmail one, so they noticed the block. 
> They do have their own caching DNS server and everything seems in order.
> I have disabled the check for them so things are fine now. But it was 
> a bit puzzling.
------------------------------

Message: 7
Date: Tue, 5 Aug 2014 07:09:13 +0000
From: "Seidel, Michael" <[hidden email]>
To: "'[hidden email]'" <[hidden email]>
Subject: [Exim4U] Fix suggestion for broken login on Linux
	Distributions with suhosin patched PHP (e.G. Debian Wheezy)
Message-ID:
	<[hidden email]>
Content-Type: text/plain; charset="us-ascii"

Hi List,

I ran into a problem lately and I thought it was best to report my findings. I was upgrading a system from Debian Lenny to Wheezy (yeah, I know, it took some time, but it was for internal use anyway) and therefore from vexim to exim4u.

So far so good, but after changing the password from CHANGE to something else, my login failed. A quick look in the database revealed the issue:

The password encryption scheme changed from md5 to sha512, as you can easily see from the encrypted passwords themselves:

Old: CHANGE : $1$12345678$2lQK5REWxaFyGz.p/dos3/
New: CHANGE : $6$P0s1h8hgqT/K$qGoe/zSh6crG/MsDTlnxmnGGufEVftsB2sPCgfopV6TmoT2XBVgGQ6cAu00GJUY9GHaTO1RsNDJUNwY1MZqQa/

See http://php.net/manual/en/function.crypt.php for those without basic crypto knowledge, with additional information on this.

The old one was plain MD5 (starting with $1$SALT$...), which you should not use anymore, but better than plain, right guys? ;-))) A real patch for this incoming? I'll be looking at http://axel.sjostedt.no/misc/dev/vexim-customizations/ next.
The new one is SHA-512 (starting with $6$SALT$...), which is way longer (so it needed the - already implemented - var(255) mysql patch mentioned on this list before) and it has a 16 character salt.

But login was broken at that point. I found out that a suhosin patch was added to Debian PHP to promote more secure passwords, but it broke some older scripts.

After some fiddling with the crypt_password function code in ./config/functions.php, I'd suggest a code change to:

---------------------------

function crypt_password($clear, $salt = '')
{
    global $cryptscheme;

    if ($cryptscheme == 'sha')
    {
        $hash = sha1($clear);
        $cryptedpass = '{SHA}' . base64_encode(pack('H*', $hash));
    }
    else
    {
        if ($salt != '')
        {
            // When verifying, $salt is the stored hash: keep only the crypt()
            // prefix and salt so the same scheme and salt are reused.
            if ($cryptscheme == 'sha512')
            {
                $salt = substr($salt, 0, 16);   // "$6$" + salt + "$" as stored
            }
            else if ($cryptscheme == 'des')
            {
                $salt = substr($salt, 0, 2);    // traditional DES: 2-char salt
            }
            else if ($cryptscheme == 'md5')
            {
                $salt = substr($salt, 0, 12);   // "$1$" + 8-char salt + "$"
            }
            else
            {
                $salt = '';
            }
            $cryptedpass = crypt($clear, $salt);
        }
        else
        {
            // No stored hash given (new password): let crypt() pick a salt.
            $cryptedpass = crypt($clear);
        }
    }

    return $cryptedpass;
}

---------------------------

So if somebody ran into that problem again they just have to set

/* Set to either "sha", "sha512", "des" or "md5" depending on your crypt() libraries */
  $cryptscheme = "sha512";

in

./config/variables.php

---------------------------

Some real class to check which encoding to use would be cooler, but not necessary IMHO. You need to configure your backend with a certain encoding anyway; just think about IMAP/POP services which require a set crypt scheme.

BUG: My code will result in first-login failures if somebody did not log in first to have the password converted from md5 to sha-512 (to find out that their system changed its encoding) but already changed the variable in variables.php to sha512.
They will eventually come here to read about this: so please change it back to the default, md5, log in, and then change it back to sha512, or copy the sha512 crypt password from above into the database.

So what does the List say about this? Is this the correct solution?

Regards,

Michael Seidel
System Administrator
FAI rent-a-jet AG
http://www.fai.ag
------------------------------

Message: 8
Date: Tue, 2 Sep 2014 09:22:12 +0200
From: "Valkanover Harald" <[hidden email]>
To: <[hidden email]>
Subject: [Exim4U] exim 4.84
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="us-ascii"

Hi list!

Is anyone successfully running exim4u with exim 4.84?  I made an update to
that exim version and found out that several transports were broken
(around remove_header, failed to expand with some SQL statements, etc.).

I made some customizations, but it looks like a general compatibility problem;
can anyone confirm?

Kind regards, 

Valki

------------------------------

Subject: Digest Footer

_______________________________________________
users mailing list
[hidden email]
https://exim4u.org/mailman/listinfo/users


------------------------------

End of users Digest, Vol 35, Issue 1
************************************

Terry


----------------------------------------------------------------------

> Message: 1
> Date: Tue, 07 Oct 2014 11:28:55 +0000
> From: Kebba Foon <[hidden email]>
> To: [hidden email]
> Subject: Re: [Exim4U] Blacklisted URL in message
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Dear List,
>
> Just recently I seem to have encountered this same issue. Suddenly I started
> having "rejected during MIME ACL checks: Blacklisted URL in message.
> (africell.gm) in. See http://lookup.uribl.com." in my log files, but
> checking the site for the africell.gm domain revealed that it was not
> listed. I went to exim_surbl.pl and disabled the URI checking, and have yet
> to confirm whether this solves the problem, but my question is: this was
> working all the time, so why the sudden change? I don't remember doing
> any configuration or update on my servers. I must admit my server
> processes a lot of mail as I am an ISP, but how can I check whether my
> queries are being rejected by uribl.com?
>
> Kebba
>
> On Tue, 2014-09-02 at 06:16 -0400, [hidden email] wrote:

Hi Kebba, in my case they were blocking the DNS server that I used, so I
swapped to my own and all was fine.
If you get this:
host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused.
See http://uribl.com/refused.shtml for more information [Your DNS IP:
217.112.88.90]"

(info on the link they provide), then your DNS server is blocked.
Terry
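As an added example (not Terry's, Exim4U's or exim_surbl.pl's code), here is a small Python helper that runs the same `host -tTXT 2.0.0.127.multi.uribl.com` probe and classifies the answer so that a "Query Refused" reply is never treated as a listing. The bit meanings for answers other than 127.0.0.1 are an assumption taken from URIBL's published return codes; the sample outputs are constructed, with a placeholder resolver IP.

```python
"""Added example (not exim_surbl.pl code): run the same URIBL probe Terry used
and tell a 'Query Refused' answer apart from a real listing."""
import re
import subprocess

TEST_POINT = "2.0.0.127.multi.uribl.com"  # 127.0.0.2 reversed: URIBL's test entry
REFUSED = "127.0.0.1"                      # the refusal code shown in the thread
# Bits of a 127.0.0.x answer (assumption: taken from URIBL's published return
# codes; the thread itself only shows 127.0.0.1).
URIBL_BITS = {2: "black", 4: "grey", 8: "red"}


def interpret_uribl(a_records, txt_records=()):
    """Return (status, detail); status is 'refused', 'not_listed' or 'listed'."""
    if REFUSED in a_records or any("Query Refused" in t for t in txt_records):
        # A refusal is not a verdict: the ACL must not reject mail on it.
        return "refused", " ".join(txt_records)
    if not a_records:
        return "not_listed", ""
    lists = set()
    for addr in a_records:
        code = int(addr.rsplit(".", 1)[1])
        lists.update(name for bit, name in URIBL_BITS.items() if code & bit)
    return "listed", ",".join(sorted(lists))


def parse_host_output(output):
    """Extract A and TXT answers from `host -t A` / `host -t TXT` output."""
    a_records = re.findall(r"has address (\d+\.\d+\.\d+\.\d+)", output)
    txt_records = [" ".join(t.split()) for t in
                   re.findall(r'descriptive text "(.*?)"', output, re.S)]
    return a_records, txt_records


def probe_resolver(query=TEST_POINT):
    """Live check (needs network): query the system resolver with `host`."""
    out = {}
    for rtype in ("A", "TXT"):
        out[rtype] = subprocess.run(["host", "-t", rtype, query],
                                    capture_output=True, text=True).stdout
    return interpret_uribl(parse_host_output(out["A"])[0],
                           parse_host_output(out["TXT"])[1])


# Constructed sample outputs; the refusal text mirrors the thread's, with a
# placeholder resolver IP.
SAMPLE_REFUSED = ('2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query '
                  'Refused.\nSee http://uribl.com/refused.shtml for more information '
                  '[Your DNS IP: 192.0.2.1]"\n')
SAMPLE_LISTED = "example.invalid.multi.uribl.com has address 127.0.0.14\n"
SAMPLE_CLEAN = "Host africell.gm.multi.uribl.com not found: 3(NXDOMAIN)\n"

if __name__ == "__main__":
    for sample in (SAMPLE_REFUSED, SAMPLE_LISTED, SAMPLE_CLEAN):
        print(interpret_uribl(*parse_host_output(sample)))
```

Running `probe_resolver()` from cron on the mail host gives early warning that the resolver has been cut off, before the MIME ACL starts rejecting legitimate mail as "Blacklisted URL".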

gldickens3
Administrator
Hi Kebba,

Terry is absolutely correct.  Over the years, the uribl folks have
gotten more and more selective about blocking public DNS servers and it
is imperative that you install your own DNS server with bind/named or
similar software.  The uribl service can't afford all the queries from
large ISPs so they block them.  Nevertheless, you should be fine with
your own DNS server.

In today's world, everybody running exim4u should also install their own
DNS server.  Otherwise, this may eventually happen to anybody
relying on public DNS services.

FYI,

Gordon




On 10/07/2014 07:42 AM, Terry wrote:
> Hi Kebba, in my case they were blocking the DNS server that I used, so I
> swapped to my own and all was fine.
> If you get this:
> host -tTXT 2.0.0.127.multi.uribl.com
> 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query
> Refused. See http://uribl.com/refused.shtml for more information [Your
> DNS IP: 217.112.88.90]"
>
> (info on the link they provide), then your DNS server is blocked.
> Terry