The Community Forums

Interact with an entire community of cPanel & WHM users!

exim: dropping spam based on score threshold?

Discussion in 'General Discussion' started by jnagro, Dec 5, 2006.

  1. jnagro

    jnagro Active Member

    I've made exim servers deny spam based on a score threshold, i.e. if the score is above X, don't accept the message (deny) or :fail: it. I've poked around the cPanel config and its Perl functions but I'm having a hard time adding it. Does anyone know where/how I can do that? I'm assuming ClamAV also won't accept malware? (deny? or :fail:?)
     
  2. jnagro

    jnagro Active Member

    Figured it out...

    I added this to the 'check_message' ACL:

    Code:
    deny message = Spam score too high ($spam_score)
        spam = mailnull:true/defer_ok
        condition = ${if >{$spam_score_int}{150}{1}{0}}
    which will deny any mail with a spam score of 15 or higher (FYI: exim will do something like score * 10 = 150, hence the 150)
     
  3. mickalo

    mickalo Well-Known Member

    Very handy :) Added it through the Exim Editor and watched the log file. Seems to work quite nicely:
    Code:
    tail -f /var/log/exim_rejectlog | grep "Spam score too high"
    
    2006-12-05 15:45:56 1Gri6o-0006Os-Qa H=(dsl85-98-16622.ttnet.net.tr) [85.98.64.238] F=<unfulfilledtambourines@abwc.com> rejected after DATA: Spam score too high (17.0)
    2006-12-05 15:47:12 1Gri7z-0006Rg-I5 H=foreaud.classcom.pl [195.150.77.145] F=<sadvoipreadinessuni@voipreadiness.com> rejected after DATA: Spam score too high (17.8)
    2006-12-05 15:47:36 1Gri8M-0006T5-03 H=foreaud.classcom.pl [195.150.77.145] F=<sadxinergistixuni@xinergistix.com> rejected after DATA: Spam score too high (22.2)
    
    Thx's
    Mickalo
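
Added example, not part of any post in this thread: a small parser for reject-log lines in the format shown above, useful when tuning the cut-off (150 in jnagro's ACL). It compares in `$spam_score_int` units (score * 10) with `>`, as the ACL does; the function names are hypothetical and the sample log lines are constructed with placeholder hosts.

```shell
#!/bin/sh
# Added example: summarise "Spam score too high" rejections from exim_rejectlog.
# Function names are hypothetical; sample_log holds constructed lines with
# placeholder hosts, in the format of the log excerpt quoted in the thread.
sample_log() {
cat <<'EOF'
2006-12-05 15:45:56 1Gri6o-0006Os-Qa H=(host-a.example.net) [192.0.2.10] F=<a@example.com> rejected after DATA: Spam score too high (17.0)
2006-12-05 15:47:12 1Gri7z-0006Rg-I5 H=relay.example.org [192.0.2.20] F=<b@example.com> rejected after DATA: Spam score too high (17.8)
2006-12-05 15:47:36 1Gri8M-0006T5-03 H=relay.example.org [192.0.2.20] F=<c@example.com> rejected after DATA: Spam score too high (22.2)
2006-12-05 15:50:01 1Gri9a-0006U1-7k H=mx.example.test [192.0.2.30] F=<d@example.com> rejected after DATA: Spam score too high (8.4)
2006-12-05 15:51:09 1GriAb-0006V2-9c H=mx.example.test [192.0.2.30] F=<> rejected RCPT <x@example.com>: unrelated rejection
EOF
}

# Print "ip score" for every rejection made by the score-threshold ACL (stdin).
spam_rejects() {
    awk '/rejected after DATA: Spam score too high \(/ {
        ip = "unknown"
        if (match($0, /\[[0-9A-Fa-f.:]+\]/)) ip = substr($0, RSTART + 1, RLENGTH - 2)
        score = $0
        sub(/.*Spam score too high \(/, "", score)   # drop everything before the score
        sub(/\).*/, "", score)                        # drop the closing parenthesis
        print ip, score
    }'
}

# Count logged rejections that would still be refused at cut-off $1, given in
# $spam_score_int units (score * 10) and compared with ">" as in the ACL.
still_rejected_at() {
    spam_rejects | awk -v t="$1" '{ if (int($2 * 10 + 0.5) > t) n++ } END { print n + 0 }'
}

# Per sending IP: rejection count and highest score seen, busiest first.
rejects_by_host() {
    spam_rejects | awk '{ n[$1]++; if (!($1 in m) || $2 + 0 > m[$1]) m[$1] = $2 + 0 }
        END { for (ip in n) printf "%d %.1f %s\n", n[ip], m[ip], ip }' |
        sort -k1,1nr -k3,3
}

# Demo on the constructed sample; on a server, feed /var/log/exim_rejectlog instead.
sample_log | rejects_by_host
echo "still rejected at 150: $(sample_log | still_rejected_at 150)"
```

A message scoring exactly 17.0 is not counted at a cut-off of 170, because the ACL condition uses a strict greater-than.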
     
  4. alan-tor

    alan-tor Active Member

    Does :fail: work when specified in cPanel's "E-mail Filtering"?

    I've created mail filters in cPanel's "E-mail Filtering", called "Filter Maintenance" once you're on that page. I set spam above a certain score to "Discard", but I wonder if :fail: would work there.

    Actually, I'm wondering how this can work or how the original poster's idea can work. Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?
     
    #4 alan-tor, Dec 5, 2006
    Last edited: Dec 5, 2006
  5. nxds

    nxds Well-Known Member

    That rocks my world. :) Thx
     
  6. mctDarren

    mctDarren Well-Known Member

    Be sure you add this through the Exim configuration editor in WHM. Adding this by editing the exim.conf file directly will cause cPanel to overwrite it the next time it updates.
     
  7. kdarray

    kdarray Well-Known Member

    thanks

    thanks jnagro for this short and sweet tip ;)
     
  8. alwaysweb

    alwaysweb Well-Known Member

    Simple little add-in to exim config, thanks! :)
     
    #8 alwaysweb, Dec 11, 2006
    Last edited: Dec 11, 2006
  9. alan-tor

    alan-tor Active Member

    Can someone please explain how this works?

    Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received? :confused:
     
  10. nxds

    nxds Well-Known Member

    The SMTP conversation isn't completed until the DATA verb is OK'd by the receiving server. In this test, the SA score is calculated after receiving the DATA section, and if too high the message is rejected, if not it is accepted into the queue for delivery. Rejecting the mail during any part of the SMTP conversation is a :fail: action and the sending server is responsible for any NDR, not yours.
     
  11. alan-tor

    alan-tor Active Member

    Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, is it then possible to do this also for cPanel mail forwarders? I'd love to be able to have SpamAssassin work on mail forwarders rather than just on mail accounts.
     
  12. delsurf

    delsurf Registered

    Nice add!! I just installed it and it seems to be working great... I lowered the threshold to 80 though. Hopefully someone can find a way to do this for emails with forwarders.

    Thanks again for the script config!
     
  13. sds1az

    sds1az Registered

    Yes indeed, very impressive. I put this in last night and checked my logs this morning and was stunned at how effectively this is working. I highly recommend everyone add this to their exim config. Thanks for the tip, jnagro!
     
  14. simplybe

    simplybe Well-Known Member

    Hi,
    Trying it now :)
    Thanks
     
    #14 simplybe, Dec 15, 2006
    Last edited: Dec 15, 2006
  15. alan-tor

    alan-tor Active Member

    Has anyone discovered whether this also works for cPanel mail forwarders?

    Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, then it would seem that it should work for mail forwarders.

    I'd love to be able to have SpamAssassin work on mail forwarders as well as on mail accounts.
     
  16. SoftDux

    SoftDux Well-Known Member

    How would I allow all users to edit their own score? Let's say I create this rule as a default in cPanel, and it appears in all users' cPanel as a mail filter rule. How would I do that?
     
  17. sparek-3

    sparek-3 Well-Known Member

    This should work for e-mail forwarders and also for mail sent out through the server. I did also run some tests and this does appear to be the case (although very limited tests). This is because any e-mail that comes into the server (whether it is being sent out or being received from another SMTP server) would be checked for spam. After the DATA command and after the message is completed, the message is scanned for spam. If the SpamAssassin score is above the limit, then the message is rejected and not accepted. This means that if a user sends a message with their e-mail client through the server and it is detected as spam, the user should receive an error stating that the message did not get sent. Likewise, in the case of an e-mail forwarder, the message is rejected before it is accepted on the server and forwarded on to the forwarded address.

    I can see where this would have real promise in helping with e-mail forwarder spam as well as sending spam and just generally any spam. I haven't yet implemented this, I am still running some tests and I am keeping an eye on this thread for user experience.
     
  18. innsites

    innsites Well-Known Member

    Absolutely BEAUTIFUL coding! Great success.

    :)

    Am very pleased with the results.

    Just to clarify.......my ACL edit looks like this below. I learned I had to move the accept line below the new addition and then it worked like a charm!

    deny message = Spam score too high ($spam_score)
        spam = mailnull:true/defer_ok
        condition = ${if >{$spam_score_int}{150}{1}{0}}
    accept
     
  19. nxds

    nxds Well-Known Member

    I have been running this for a while, mostly with great success. However, I have noticed on a few servers that the spamd process can end up consuming a very large amount of memory resulting in high loads and bad response times.

    One strange thing was that this jump in memory consumption was only happening on 2 out of 6 servers even though they are all identically configured. I didn't get to the bottom of this, but I've just noticed that another server has gotten the memory problem so I think it may be triggered by specific message content.

    Does anyone have any more information on what causes spamd to eat so much memory and how to fix it?

    In the meantime, as a workaround, I am running a cron job every 2 minutes to check the memory consumption of spamd. If the total is above 300MB I send a SIGHUP to force new children to be started. Here's the code:


    Code:
    #!/bin/sh
    #Restart spamd if sum of process sizes > 300MB
    ps aux | awk '/[s]pamd/ {sum += $5} END {if (sum > 300000) {exit 1}};' || pkill -HUP spamd
     
  20. innsites

    innsites Well-Known Member

    Does increase load.......but....still good

    I notice that my load average doubled with this code in use, but it has denied 6,870 pieces of "too high" (greater than 15 score) mails in a 12 hour period.

    Thanks for that workaround tip. I may put it into action.
     