
Better spam filters than Apache SpamAssassin?

Discussion in 'cPanel Developers' started by SpiritAu, Apr 28, 2007.

  1. SpiritAu

    SpiritAu Active Member

    Is there any better (paid/free) spam filters which can easily be added into the Exim setup?
     
  2. AndyReed

    AndyReed Well-Known Member
    We have been using SpamAssassin (SA) for a very long time and we find it very effective in purging spam. Make sure these filters are also installed and configured properly: Razor-agents (although a little out-dated), DCC, SPF, and Pyzor.

    ASSP is another good spam blocker. That will be my choice, if I am looking for a different program than SpamAssassin.

    I'll definitely put MailScanner at the end of my list.
     
  3. brianoz

    brianoz Well-Known Member

    Servertune,

    Isn't MailScanner just a more efficient way of running SpamAssassin?

    Spirit:

    There are detailed instructions for installing a mature setup for MailScanner/SpamAssassin at www.configserver.com. Be warned though, SpamAssassin is a CPU hog and word is out that ASSP is a lot more efficient and effective than SpamAssassin.
     
  4. AndyReed

    AndyReed Well-Known Member
    MailScanner (MS) is not tied to any particular virus scanner, but can be used with any combination of about 14 different virus scanners. MS is the resource hog and that's one of the reasons we'll put it at the end of our list. For more information about MS, go to: http://www.mailscanner.info/

    On the other hand, SpamAssassin, without MS, is flexible, easy to extend, uses a wide spectrum of tests, and is CPU friendly. Everything that you could ever want from an anti-spam program.


    I think you meant MailScanner is 'a CPU hog'.
     
  5. kens6139

    kens6139 Active Member

    Check out ASSP, it is way better, and free.

    There are a couple of packages to integrate it with cPanel.

    ASSPX is a free product, and ASSP Deluxe is 15 per server but a little more robust.

    There is plenty of information in these forums - search ASSP
     
  6. brianoz

    brianoz Well-Known Member

    No, I meant SpamAssassin.
     
  7. mctDarren

    mctDarren Well-Known Member

    Brianoz, do you use Mailscanner/SA? Been using MS for well over a year now with no complaints about resource problems. When well configured I think it performs nicely.
     
  8. AndyReed

    AndyReed Well-Known Member
    That's interesting. How can you prove that 'SpamAssassin is a CPU hog'? Did you use any tool(s) to reach that conclusion? If yes, what are they? When we talk about 'CPU hog', what is the projected CPU load SA will exert on the server? ;)
     
  9. freedman

    freedman Well-Known Member

    I haven't found spamassassin to be a problem on any of my machines.
    there have been moments (like right after someone sends out a bulk mailing) that all the bouncebacks will zip through the machine, but even in those times, it's never been too severe.

    if you can help it, put your mail spool on a separate hard drive from the one where the mail ultimately gets delivered.

    from what i've heard ASSP is a bit better.. SA can be a memory hog if you have a lot of large and complex rulesets--and also can take slightly longer per message to process (again, if you have large and complex rulesets).

    I've found most of the bulky rulesets didn't really catch much that weren't already caught by the RBL's, so I've removed them, and on most of my systems, even in peak web use, my uptime rarely goes above 0.9
     
  10. chirpy

    chirpy Well-Known Member

    MailScanner doesn't have to be a hog if you tune it correctly. As Brianoz has said, I have also seen spamd as a resource hog on many servers and running MailScanner actually used fewer resources. The main function of MailScanner that can cause performance degradation is/was ClamAV which has been improved greatly in recent times, especially if you use the Mail::ClamAV perl module and not clamscan directly.

    I also agree with freedman, large and complex SpamAssassin rules can add significant load to a server regardless of how SA is used.
     
  11. erick_paper

    erick_paper Well-Known Member

    Chirpy, so what installation do you recommend? I do have SA rules that are becoming big by the day. My main problem is that at any time I have like 1800 queued messages on Exim. If the messages that are sent to non-existent email IDs are set to ":fail:" and the rest are being caught by SA, then why are they queued up? Would ASSP or MailScanner help in clearing my queue?
     
  12. freedman

    freedman Well-Known Member

    if you have that many piling up, then it's for one (or more) of a number of reasons:
    1) you're allowing open relaying--very bad, fix this if you are.
    2) your clients are running mailing lists which aren't cleaned up very often... some mail hosts don't properly reject things to bad email addresses, so they get queued for redelivery until the 4 (or so) day timeout.
    3) the return address on bulk emails isn't working right, so the bounces are going back to your server, you're trying to forward them on to somewhere else which isn't working right.
    4) your server load is often high, in which case, exim will go into queue only mode. then it'll start to process the queue, load will go up, it'll stop and go queue only again. (if this is the case, raise the 'deliver_queue_load_max' to 3 or 4 or 5, until the queue flushes out.)
    also consider: smtp_load_reserve and queue_only_load

    (do these through WHM if you wish them permanent, otherwise make the change and cPanel will set it back randomly at some point when it does an upcp, which is fine if you don't want to have to remember to do it yourself).

    run through your mail logs, they'll provide a wealth of information.

    Also, try to determine, if you can, which of your larger SA rulesets account for the least number of detections... if you're getting less than a 2-3% hit rate, then you might do well to just do without that set.
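
    One way to measure the ruleset hit rate suggested in the post above, as an added example that is not part of the original post. It assumes add-on rules can be recognised by a name prefix (the prefix labels are hypothetical) and runs over constructed sample lines in the `spamd: result:` layout that spamd writes to the mail log:

```python
import re
from collections import Counter

# Assumption: add-on rules are recognisable by name prefix; these labels are hypothetical.
RULESET_PREFIXES = {"SARE_": "sare-addon", "LOCAL_": "local-custom"}

# Constructed sample lines in the layout spamd logs its verdicts (Y = spam, . = ham).
SAMPLE_LOG = """\
May  1 10:00:01 host spamd[2211]: spamd: result: Y 14 - BAYES_99,RCVD_IN_XBL,SARE_HTML_URI_2 scantime=1.9,size=2101,user=bob
May  1 10:00:07 host spamd[2211]: spamd: result: Y 9 - BAYES_99,RCVD_IN_SBL scantime=0.8,size=1480,user=bob
May  1 10:01:12 host spamd[2214]: spamd: result: . 1 - HTML_MESSAGE scantime=0.4,size=5230,user=amy
May  1 10:02:30 host spamd[2214]: spamd: result: Y 11 - RCVD_IN_XBL,URIBL_BLACK scantime=0.7,size=990,user=amy
May  1 10:03:44 host spamd[2211]: spamd: result: Y 8 - BAYES_95,RCVD_IN_XBL scantime=0.6,size=1310,user=bob
May  1 10:04:02 host spamd[2214]: spamd: result: . 0 - LOCAL_NEWSLETTER scantime=0.3,size=7020,user=amy
"""

RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.])\s+(?P<score>-?[\d.]+)\s+-\s"
    r"(?P<tests>[A-Z0-9_,]*)\s*scantime=(?P<scantime>[\d.]+)"
)

def ruleset_of(rule):
    """Map a rule name to its ruleset label; anything unprefixed counts as stock."""
    for prefix, label in RULESET_PREFIXES.items():
        if rule.startswith(prefix):
            return label
    return "stock"

def ruleset_hit_rates(log_text):
    """Return (spam_total, {ruleset: share of spam verdicts in which it fired})."""
    spam_total, hits = 0, Counter()
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m or m["verdict"] != "Y":
            continue  # only messages flagged as spam count as detections
        spam_total += 1
        rules = [r for r in m["tests"].split(",") if r]
        for ruleset in {ruleset_of(r) for r in rules}:
            hits[ruleset] += 1  # counted once per message, however many rules fired
    rates = {rs: hits[rs] / spam_total for rs in hits} if spam_total else {}
    return spam_total, rates

def low_value_rulesets(log_text, threshold=0.03):
    """Add-on rulesets whose hit rate falls below the threshold (3% by default)."""
    _, rates = ruleset_hit_rates(log_text)
    return sorted(rs for rs in RULESET_PREFIXES.values() if rates.get(rs, 0.0) < threshold)
```

    A ruleset that only ever fires on ham, like the constructed `LOCAL_` rule here, shows a 0% hit rate and is listed as a removal candidate.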
     
  13. erick_paper

    erick_paper Well-Known Member

    Thanks freedman, very informative! I think for me it may be a combination of those, but no.3 is the most common. This is because the email address I have for one of my domains keeps getting spam that is like something has bounced (which it could not have, because I never sent those emails). To counter this, in my Exim config, I checked the "Exim Verify the existence of email senders" but it hasn't helped at all. What can I do to stop these bounces, or make sure that these fake emails are killed but the email address remains intact?
     
  14. freedman

    freedman Well-Known Member

    ahhh.. these types of bounces are caused by spammers sending mail from their own servers, but listing "FROM" as an email address @YOURDOMAIN.

    if you set the catchall address for each of your domains to ":fail:" then it should just toss all these in the garbage.

    (don't use :blackhole: and, I think, you have to just have :fail: all by itself... if you have ":fail: REASON" then exim won't treat it the same, as I understand it.)

    so, check the /etc/valiases/ file for this domain, make sure the catchall is either a valid address or:
    *: :fail:
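
    A check for the catchall advice in the post above, as an added example that is not part of the original post. It parses the `*` entry of each valiases file and reports every domain whose catchall is not a bare `:fail:`; the file contents and domain names are constructed placeholders, and the category names are hypothetical:

```python
# Constructed sample contents of /etc/valiases/<domain> files (placeholder domains).
SAMPLE_VALIASES = {
    "example.com": "sales@example.com: bob\n*: :fail:\n",
    "example.net": "*: :blackhole:\n",
    "example.org": "info@example.org: amy\n*: :fail: No Such User Here\n",
    "example.edu": "*: amy\n",
    "example.info": "postmaster@example.info: amy\n",
}

def catchall_target(valiases_text):
    """Return the target of the '*' entry, or None if the file has no catchall."""
    for raw in valiases_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        local_part, sep, target = line.partition(":")
        if sep and local_part.strip() == "*":
            return target.strip()
    return None

def classify(target):
    """Sort a catchall target into the cases the post distinguishes."""
    if target is None:
        return "no-catchall"
    if target == ":fail:":
        return "fail"
    if target.startswith(":fail:"):
        return "fail-with-reason"  # flagged because the post advises a bare :fail:
    if target.startswith(":blackhole:"):
        return "blackhole"         # the post advises against :blackhole:
    return "forward"               # must be checked by hand to be a valid address

def audit(files):
    """Map domain -> finding for every catchall that is not a bare :fail:."""
    findings = {}
    for domain, text in sorted(files.items()):
        kind = classify(catchall_target(text))
        if kind != "fail":
            findings[domain] = kind
    return findings
```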
     
  15. brianoz

    brianoz Well-Known Member

    OK OK I retreat in defeat :)

    Let me be more precise. I can only say empirically that SA appears to be a resource hog. In fact, if I'm to be entirely accurate with what I've observed I'd have to say that I've observed that MS/SA combined is a hog, which is not at all inconsistent with what you're saying. I do like some MS features - one of the nicest is that it keeps a log of incoming email and that has proven invaluable in tracking email on the odd occasion. I promise - I wasn't meaning to cast fair aspersions, apologies for the loose speaking! ;)

    ASSP looks interesting, in particular because it's clear it's not a CPU/resource hog.
     
  16. mctDarren

    mctDarren Well-Known Member

    As Chirpy said, it doesn't have to be. Our setup has Exim blocking a large percentage of spam before either SA or ClamAV even touches it. It's made all the difference in the world and allowed us to run Mailscanner (and have all those great features) with no problems.
     
  17. freedman

    freedman Well-Known Member

    about 70% of our spam is blocked by RBL's upon connection:
    here are a few to consider:
    dnslists =

    list.dsbl.org
    multi.surbl.org
    zen.spamhaus.org
    relays.ordb.org
    blackholes.mail-abuse.org

    check each one's site... some of them have more targeted lists which may be more suitable for your environment.
     
  18. mctDarren

    mctDarren Well-Known Member

    Thanks, I should have mentioned what we use as standard set up. Exim with ACLs for Host/Helo checks, RBL checks, Chirpy's Dictionary attack rules, faked sender checks, message size and date checks, plus a couple of custom rules for backscatter and some other common tricks. With Exim handling these pre-anything scanning it the loads stay extremely small. :)
     