FINALLY - An end to CPanel SPAM!

Yup, it's been discussed before and I've played with it. It does look good and at a good price on performance, but it's configurability falls far behind that of MailScanner, and that does impose some limitations because of that.

 

Yes, I did mean it is does perform well. It's not free where performance is concerned, if you mean that, scanning email will always cost something in performance. If you mean it's free as in costs $0, then yes, as is MailScanner and other solutions.

Don't get me wrong, I do like it, but having tried it, it really is far less configurable than MailScanner where just about every setting can be controlled down to the email address level.

It's a useful solution amongst many others and would be appropriate depending on your needs but it certainly does not suit all environments.

 

Not meaning to give the assp a kick in the arse, but why should cpanel dictate what spam prevention measures we as system admin's / hosting companies implement ? I for one, have been more than satisfied with my own implementations and i'd rather cPanel not stick its nose where its not welcome to be quite honest with you.

A good solution, perhaps ( i've not looked into it other than just now ), but make it default / cPanel's responsibility ? Not going to happen.

Why? 1. pissed of admin's such as me being bossed around and told what to do and not to do 2. lawsuits up the rear end for cPanel for providing the tools to audit the service.

See, one major thing you have to understand is that cPanel is used in many countries around the world ( not just in the USA ppl ). Take Australia for instance. If an Australian web hosting business starts filtering mail, being for virii or spam, the company itself is responsible for any damages incurred for loss of email, etc. No disclaimer, legal agreement or anything of the like will save us.

I could see this being implemented as perhaps an addon module, but as a standard cPanel default, I wouldn't be a happy camper.

^^ my 0.05cents

 

I agree with haze on this;

And I also agree with the statement;

"It has long been clear to me that the best place to stop spam is at an organization’s SMTP server. This is true for the following reasons:

You can do this with a firewall/hardware solution such as watchgaurd. We have the smtp-proxy solution filtering all email before they reach the servers, plus rbl/clamav on exim and you will still have spam get through. You will never stop all spam.

 

Have you actually used the product and found it as usefull as it is clamed ? Personally, i've not heard of the project, but there are others that I know of that have been around longer. For instance dspam I've heard of and just about to implement. We've also had some great results with a global spamassassin setup, monitoring surbl and various other non hardcore rbl's with a mix of Razor, DCC and Pyzor, etc. We've also got spamtraps everywhere which seem to be picking up and getting rid of a large amount of spam that's sent off to usually Razor or spamcop or a users spamassassin bayes.

Again, I think its a decent idea, but why should cpanel or a 3rd party module developer go the route of ASSP over the others ?

 

Does dspam do spam blocking at SMTP level? I have not dug through the docs much but i think it's allow in all and then handle type of a solution.

Yes i agree on DCC/Pyzor/Razor/Global SA coupled with HELO checks, Dictionary Attack protn wards off a _BIG_ chunk right at smtp level. We too have been using this type of setup.

Anup

 

dspam is a very similar beast. They all have their place since none of them provide all the functionality you might need. Esepcially for those organisations that cannot accept any email not being delivered, but who need potential spam/viruses tagged but delieverd normally so that they can be checked manually which is where the SMTP level scanners tend to fall down.

As with others, I'm happy enough with SA+DCC+Vipuls Razor and a couple of good RBLs and the header checks that Anup has mentioned.

 

Hello anup123, can you tell me how to install the dictionary attack protection? Also, what is "DCC/Pyzor/Razor/Global SA" -- I would like to configure spamassassin at the ADMIN user level (me) instead of the "spambox" functionality that is at a per-domain level in my users' cpanel.

Thanks for any thoughts!

.ep

 

Dictionary Attack Blocking is from Chirpy@Jonnathan. It's available Free from his site.
DCC : http://www.rhyolite.com/anti-spam/dcc/
Razor : http://sourceforge.net/projects/razor/
Pyzor : http://pyzor.sourceforge.net/

I do not use RBL's (except rfc-ognorant) as SA already has that checked and use it only for bumping up score as would not want client being denied SMTP Relay access in case the IP is Listed on RBL's

All used for Spam Score bumping and block spam server wide at SMTP level.

HELO Checks (Rejecting all dubious stuff) -- this acounts for almost 30% blocks and after 'n' hits. the IP triggers Dictionary Attack Protection so gets banned for an hour.

That's it. I rarely provide end user level SpamAssassin configuration stuff.

Anup

 

Thanks for the fantastic info Anup.

Since you seem to know your stuff, may I direct some newbie questions:

1. Would it make sense to have RBLs if not all of my users have sa enabled (and its associated "spambox")? I could have just a couple of the big ones -- spamhaus and spamcop perhaps.

2. Is there a way to enable RBLs in exim.conf, but have a whitelist of my own that precedes the RBL checking?

3. How do you bump scores? I mean, where's the spamassassin.conf file or something like that on a typical WHM setup? Thanks, I'm on CentOS.

4. I've installed Chirpy's dictionary attack protection. Thanks. Is this the same as your HELO check method? If not, can you please point me to where I can find this HELO checking?

Sincerely appreciated!

 

1. Be cautious as to what lists you use, but yes they can be a great aid in that case.

2. Indeed, there are many howto's available, one of which I highly recommend is: http://www.rvskin.com/index.php?page=public/antispam which is far more complex than what you are asking for but it should cover 3 and 4 as well

As for the rest, its a good idea to check out the manual pages and documentation provided by the vendor of the software / service you're going to use much ahead of time so you can get an idea as to what it is you are doing and how it all fits into place, etc.

 

Yes RVSkin has the HELO Checks mentioned also as suggested by me on these forums sometime back ( http://forums.cpanel.net/showthread.php?t=31530 )

I Never use RBL in exim.conf (except rfc-ignorant) As SA3 is already doing it. Bumping up scores does not mean i add custom scores. Just use the default ones. Few rules from rulesemporium would be fine but be careful with those big files. All these scores added up to take the score past a safe figure... safe enough for me to block it at SMTP level.

Having done all this, i have found not more than 0.8% as FAILED messages in WHM and que really never bothers me ... And yes the average messages handled per day is well beyond the average as shown on ASSP users list so never really felt the need to take a dig at ASSP.

[edit]
I learnt many of these tricks from Chripy@Jonnathan
[/edit]

Thanks
Anup

 

Thanks Haze. Do you have any thoughts on what lists are not good to have? I currently use Spamhaus, lists.dsbl.org, rfc-ignorant, and ahbl.

I removed spamcop after I saw they had some false positives, and besides even after removing it, Spamhaus and DSBL catch pretty much everything.

Would love to hear your thoughts. The HELO and the dictionary attack protection are really working! (I think, fingers crossed!)

Cheers

 

The best two I've found are spamhause and, yes, spamcop. I find spamcop to be good because IP's will drop off it if spam is not further reported after 48 hours. I find that most of the others only find duplicates to those two. Using rfc-ignorant can be good, but if you block email using it (i.e. instead of using it just for scoring) you most likely will lose legitimate email.

 

Hi Chirpy

Couple of questions:

(1) How can I use rfc-ignorant only for scoring? By using "warn" instead of "deny"?

(2) If I "deny" a message, but later check through logs that I wanted to retrieve it, can it be done?

Thanks

 

1. You'd add it into /etc/mail/spamassassin/local.cf in the appropriate format for SpamAssassin which I don't have to hand

2. No, once it's denied at the SMTP level you've told the sender that you're not accepting it and it has gone