ASSP Deluxe for cPanel

Status
Not open for further replies.

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,048
1
343
Hello

You can fix the "grscripts.com is temporarly not available" error by updating your ASSP WHM from the console in this way:

# cd /usr/local/cpanel/whostmgr/docroot/cgi
# wget -r -nH --cut-dirs=10 http://www.grscripts.com/whm/whm.tar.gz
# tar xvzf whm.tar.gz;rm -f whm.tar.gz

After this step you can update your ASSP Deluxe using the ASSP WHM interface.

If you still have problems, please contact me at [email protected] for support, thank you.
 

SoftDux

Well-Known Member
May 27, 2006
1,023
5
168
Johannesburg, South Africa
cPanel Access Level
Root Administrator
I know I have asked this before, but how's the clustering option coming along?


I would LOVE to be able to whitelist certain domains / IPs easily on all our cPanel servers, and think a clustering option would make it much easier than having to log in to each server one-by-one and add the domain(s) / IP(s) to be whitelisted.
BUMP! Did you see this?
 

Radio_Head

Currently I'm working on a huge update which I hope to offer soon, which will support ASSP 1.9.x, internal PHP 5.3.x, cPanel 11.31 (which has a new Exim interface), and new docs. Due to its complexity, clustering is not in the plan and will not be in the plan in the near future. Whitelisting via cPanel, considering how ASSP works...

1- automatic whitelisting each time your user sends an email
2- [email protected]
3- whitelists in ASSP are not personal
4- and a nospam code tag included in a bounced email, available in ASSP 1.9.x

I can't see a reason to see a feature like this in the ASSP cPanel frontend; however, if I receive some feedback in this way I can consider it.
 

SoftDux

> Currently I'm working on a huge update which I hope to offer soon, which will support ASSP 1.9.x, internal PHP 5.3.x, cPanel 11.31 (which has a new Exim interface), and new docs. Due to its complexity, clustering is not in the plan and will not be in the plan in the near future. Whitelisting via cPanel, considering how ASSP works...
>
> 1- automatic whitelisting each time your user sends an email
> 2- [email protected]
> 3- whitelists in ASSP are not personal
> 4- and a nospam code tag included in a bounced email, available in ASSP 1.9.x
>
> I can't see a reason to see a feature like this in the ASSP cPanel frontend; however, if I receive some feedback in this way I can consider it.

Clustering would help in a scenario where a host has more than 1 server with Mailscanner installed and needs to have some domains (for example, Blackberry servers or other trusted ISPs / hosting companies) whitelisted on every server to ensure clients on all the servers get mail from those companies, without any problems.

OR, another example which I ran into recently.

The same spam messages came through on multiple servers. So, when user Bob on ServerA reports spam, it would be useful to have the same spam blocked on all the servers automatically, instead of Jane on ServerB also reporting the same spam. This could cut down on excessive bandwidth usage quite a lot.
 

Radio_Head

I think you are talking about ASSP; however, in ASSP 1.9 there will be an ASSP "Configuration Sharing" menu (in your ASSP Web Interface) which should help you in this way: it will permit you to share whitelist, spamdb and several other files/values between your servers.
 

SoftDux

> I think you are talking about ASSP; however, in ASSP 1.9 there will be an ASSP "Configuration Sharing" menu (in your ASSP Web Interface) which should help you in this way: it will permit you to share whitelist, spamdb and several other files/values between your servers.

That sounds a lot like clustering :)

Will it also allow to have the same settings on all the servers?

i.e. if there's one master server, then all the other "slave" servers automatically get their settings from the master server?
 

Radio_Head

This is a new and untested (by me) feature in the ASSP 1.9.x web interface; you can surely get a better reply to your question here: ASSP Forum • View forum - Suggestion and feedback.

BTW I checked now and yes, you can set master, slave and several other settings. There is a configuration file which permits sharing almost all or all of your settings, depending on your needs.
 

manokiss

Well-Known Member
Mar 31, 2002
576
1
318
Hi there, I have upgraded to the last version and there are some missing things.

1- cPanel x3 WHM does not show the per user/domain setting in scoring mode, I mean the drop-down that is shown in the new version image.

2- well... Radio, I do the Spanish translation... contact me, as all the new text and the show/hide links are not there in the Spanish version.

3- Does the "Setting up TLS native support for your ASSP listen ports" replace the stunneled version... should we do anything to remove that first, or simply enable this new option without somehow disabling the stunneled one?

Thanx!
 

Radio_Head

Hello

1- Please reinstall the theme for x3; if it does not work, please email [email protected]
2- Thank you, I will send details via email in the next days. The main changes are in the "Help" page.
3- The stunnel installation should be detected and there should be an option to remove it automatically.
If that's not the behavior you get, please email [email protected].

Thank you!
 

Radio_Head

All the ways are summarized in:

1- local sender checks (using DoLocalSenderDomain and DoLocalSenderAddress)
2- using ASSP scoring for local senders
3- local spam activity detector (using ex_localdomains.php and find_abusers.php)

1) and 2) are good if your customer sends outgoing spam using SMTP authenticated sessions.
If the emails are sent via script/email-socket, the better way is using point 3) and analyzing the email activity report using the new "email queue finder". Also, to reduce the issue where a client's website gets hacked, you may regularly run clamscan in your /home account using a cron. Another good behaviour is setting strict limits per hour in your WHM / Tweak settings. Most of the outgoing spam will go into the queue, and using step 3) you can analyze it and stop the activity very soon.

The activity spam detector has been improved in ASSP WHM 6.x; now you will receive via email a message like this:

2940 email sent ::= > /home/daaclimi/public_html
:: Example email ::
2012-03-05 10:55:53 1S4d4b-001BbG-GE <= [email protected] U=daaclimi P=local S=558 T="From Find out how to pick up females right."
2012-03-05 10:55:53 1S4d4b-001Bbh-UX <= [email protected] U=daaclimi P=local S=522 T="From How to pick up ladies correctly?"
2012-03-05 10:55:54 1S4d4c-001Bc2-On <= [email protected] U=daaclimi P=local S=527 T="From Easy way to pick up a female."

which shows you the location of the script sending the spam, /home/daaclimi/public_html, and some example emails containing the Exim ID and the email subject, which in the example above is clearly spam.
Once you have received the email, you can analyze the email content using the new EXIM QUEUE FINDER in your ASSP WHM INTERFACE and take action (i.e. removing the malicious script, suspending the account if the activity was caused by the account owner...)
 

SoftDux

> All the ways are summarized in:
>
> 1- local sender checks (using DoLocalSenderDomain and DoLocalSenderAddress)
> 2- using ASSP scoring for local senders
> 3- local spam activity detector (using ex_localdomains.php and find_abusers.php)
>
> 1) and 2) are good if your customer sends outgoing spam using SMTP authenticated sessions.
> If the emails are sent via script/email-socket, the better way is using point 3) and analyzing the email activity report using the new "email queue finder". Also, to reduce the issue where a client's website gets hacked, you may regularly run clamscan in your /home account using a cron. Another good behaviour is setting strict limits per hour in your WHM / Tweak settings. Most of the outgoing spam will go into the queue, and using step 3) you can analyze it and stop the activity very soon.
>
> The activity spam detector has been improved in ASSP WHM 6.x; now you will receive via email a message like this:
>
> 2940 email sent ::= > /home/daaclimi/public_html
> :: Example email ::
> 2012-03-05 10:55:53 1S4d4b-001BbG-GE <= [email protected] U=daaclimi P=local S=558 T="From Find out how to pick up females right."
> 2012-03-05 10:55:53 1S4d4b-001Bbh-UX <= [email protected] U=daaclimi P=local S=522 T="From How to pick up ladies correctly?"
> 2012-03-05 10:55:54 1S4d4c-001Bc2-On <= [email protected] U=daaclimi P=local S=527 T="From Easy way to pick up a female."
>
> which shows you the location of the script sending the spam, /home/daaclimi/public_html, and some example emails containing the Exim ID and the email subject, which in the example above is clearly spam.
> Once you have received the email, you can analyze the email content using the new EXIM QUEUE FINDER in your ASSP WHM INTERFACE and take action (i.e. removing the malicious script, suspending the account if the activity was caused by the account owner...)

That's all good and well, but by the time someone's seen the reports and done something about it a spammer has already sent out 15,000 viagra spam emails and the server in question is blacklisted. This actually happened to one of our servers last week.

So, how can ASSP Deluxe STOP these emails from even exiting the server altogether?
Does it detect SPAM? And I'm not talking about bulk mail, I'm talking about SPAM - people selling viagra and Rolex watches or someone trying to get 150,000,000 USD into the country cause his uncle died, etc.


How do we STOP the SPAM from even leaving the server?
And, ideally, can ASSP Deluxe archive those mails for inspection, but remove them from the mail queue and set the user's hourly limit to 1, or something like that?
 

Radio_Head

> That's all good and well, but by the time someone's seen the reports and done something about it a spammer has already sent out 15,000 viagra spam emails and the server in question is blacklisted. This actually happened to one of our servers last week.

You can set automatic chmod 000 for the folder sending the spam. Using the automatic block you risk blocking a good mailing; no problem, next time you put the script in the ignore list. However, you can block huge spam activity at an early stage. Another good behavior is setting strict limits per hour in your WHM / Tweak settings and regularly using clamscan in your /home account using a cron. The ASSP email activity detectors exist to stop this kind of activity.

> How do we STOP the SPAM from even leaving the server?

Please read my reply above again: 1) and 2) are good if your customer sends outgoing spam using SMTP authenticated sessions. If the emails are sent via script/email-socket, with ASSP there is not and there could not be a way, since this kind of email (email sent via socket) does not pass through ASSP; however, using step 3 you can stop them at an early stage, also automatically (if you activate chmod 000 for the script folder).
 

manokiss

The best way as a starting point is to limit emails per hour for your users; giving an unlimited option in their hosting plans is a risk.
You can set this limit per user account through WHM, edit hosting packages.
 

SoftDux

> > That's all good and well, but by the time someone's seen the reports and done something about it a spammer has already sent out 15,000 viagra spam emails and the server in question is blacklisted. This actually happened to one of our servers last week.
>
> You can set automatic chmod 000 for the folder sending the spam. Using the automatic block you risk blocking a good mailing; no problem, next time you put the script in the ignore list. However, you can block huge spam activity at an early stage. Another good behavior is setting strict limits per hour in your WHM / Tweak settings and regularly using clamscan in your /home account using a cron. The ASSP email activity detectors exist to stop this kind of activity.
>
> > How do we STOP the SPAM from even leaving the server?
>
> Please read my reply above again: 1) and 2) are good if your customer sends outgoing spam using SMTP authenticated sessions. If the emails are sent via script/email-socket, with ASSP there is not and there could not be a way, since this kind of email (email sent via socket) does not pass through ASSP; however, using step 3 you can stop them at an early stage, also automatically (if you activate chmod 000 for the script folder).

Ok, but that doesn't actually detect SPAM. It merely detects when a script suddenly sends a LOT of mail.

Here's an example:

A client's account has been active for 3 or 4 years, and a hacker hacks into his website and uploads a spam script. He knows that many server admins simply monitor the mailq and act upon a sudden large mailq, so he sends his spam in batches of 3 emails, every 10 minutes. He doesn't really care since he's doing it from a high-speed connection and he's using many proxies and stolen accounts to do this.

Your script doesn't pick this up and the spam still gets out.



> The best way as a starting point is to limit emails per hour for your users; giving an unlimited option in their hosting plans is a risk.
> You can set this limit per user account through WHM, edit hosting packages.

No, that doesn't help much. PHP & PERL scripts are not "bound" to the max hourly mail limit in cPanel and hackers will still send out thousands of emails, even if you have that limit set. That limit is only useful for SMTP-initiated mail.
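
Added example, not part of any post in this thread and not ASSP Deluxe code: log-based detection over Exim arrival lines in the format quoted above, flagging both a sudden burst and the slow "3 emails every 10 minutes" pattern through a per-day total. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim main-log arrival lines for locally submitted (script) mail, in the format
# quoted in the thread: "<date> <time> <id> <= <sender> U=<user> P=local ..."
ARRIVAL = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*\bU=(?P<user>\S+) P=local\b')

def parse(lines):
    """Yield (timestamp, user) for every P=local arrival line; skip the rest."""
    for line in lines:
        m = ARRIVAL.match(line)
        if m:
            yield datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'), m['user']

def flag_senders(lines, burst_limit=100, window=timedelta(hours=1), daily_limit=200):
    """Return {user: 'burst' | 'sustained'}. Thresholds are illustrative assumptions."""
    recent = defaultdict(deque)   # user -> timestamps still inside the sliding window
    per_day = defaultdict(int)    # (user, date) -> messages accepted that day
    flagged = {}
    for ts, user in sorted(parse(lines)):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        per_day[(user, ts.date())] += 1
        if len(q) > burst_limit:
            flagged[user] = 'burst'
        elif per_day[(user, ts.date())] > daily_limit:
            flagged.setdefault(user, 'sustained')
    return flagged

def sample_log():
    """Constructed log lines (not taken from a real server)."""
    start = datetime(2012, 3, 5)
    fmt = ('{:%Y-%m-%d %H:%M:%S} 1AbCdE-000001-XX <= sender@example.test '
           'U={} P=local S=500 T="constructed"')
    lines = []
    for batch in range(72):       # slowuser: 3 mails every 10 minutes for 12 hours
        lines += [fmt.format(start + timedelta(minutes=10 * batch), 'slowuser')] * 3
    lines += [fmt.format(start + timedelta(seconds=i), 'burstuser') for i in range(150)]
    lines += [fmt.format(start + timedelta(hours=i), 'normaluser') for i in range(5)]
    # SMTP-authenticated arrival: not P=local, so the parser ignores it
    lines.append('2012-03-05 09:00:00 1AbCdE-000002-XX <= a@example.test '
                 'H=(client) [192.0.2.10] P=esmtpa S=900')
    return lines

if __name__ == '__main__':
    print(flag_senders(sample_log()))
```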
 

manokiss

> No, that doesn't help much. PHP & PERL scripts are not "bound" to the max hourly mail limit in cPanel and hackers will still send out thousands of emails, even if you have that limit set. That limit is only useful for SMTP-initiated mail.

It is bound to the username, so whether it has been sent by SMTP, PHP or Perl does not matter; as long as you have suexec and suphp running it should work OK, as the blocking is at the Exim queue level by username. Please check Tweak Settings for an explanation. At least that is how it is working on our servers.
 

SoftDux

> It is bound to the username, so whether it has been sent by SMTP, PHP or Perl does not matter; as long as you have suexec and suphp running it should work OK, as the blocking is at the Exim queue level by username. Please check Tweak Settings for an explanation. At least that is how it is working on our servers.

Look here: http://forums.cpanel.net/f43/max-hourly-emails-issue-245611.html#post1014962


ALSO, if someone sends mail to a remote SMTP server then those limits also don't apply, but your server is still blacklisted
 

manokiss

Read the "NETLINKIE" post the 5th from the top....we are in that situation too, perhaps you have to check the configurations and test in your server.

About ..."ALSO, if someone sends mail to a remote SMTP server then those limits also don't apply, but your server is still blacklisted"....not sure what you mean. If someone is sending using an external mailserver then it is that mailserver's IP that is blacklisted; basically is not sending your server to send the emails so I don't know how you can be blacklisted. Perhaps I'm not understanding what you mean.
 

SoftDux

> Read the "NETLINKIE" post the 5th from the top....we are in that situation too, perhaps you have to check the configurations and test in your server.

A compromised account sent out 8127 mails last week. His max hourly limits were set to 200/hour (all our servers have this as standard). The hackers used a PHP script and didn't use SMTP authentication. suexec & suphp are on, so we know who actually sent the mails. But suPHP doesn't stop the mails, it merely controls which scripts can send mail, and since the hackers got hold of his FTP account details, the scripts were allowed to send the mails.

> About ..."ALSO, if someone sends mail to a remote SMTP server then those limits also don't apply, but your server is still blacklisted"....not sure what you mean. If someone is sending using an external mailserver then it is that mailserver's IP that is blacklisted; basically is not sending your server to send the emails so I don't know how you can be blacklisted. Perhaps I'm not understanding what you mean.

Simple. If your server is hacked, and the hackers send mail to another server, and that other server's admin sees it, he'll blacklist you / your server as a spammer. We've had that too.
 