lots of spam getting through lately???

mctDarren (Well-Known Member, New Jersey, cPanel Access Level: Root Administrator)
Yes, working well for me too. Here's your average image spam that I used to have to write a custom filter for -- using SA with a tight SARE ruleset and ImageInfo, with Chirpy's MailScanner set up including DCC and Razor (plus a Bayesian DB I've trained extensively). These are coming through at a big rate with subjects of "it me {name}", "Re:{rnd txt}" and "me again {rnd name}". Seems to be stopping about 95% of these for now...

Code:
Score	Matching Rule
2.00	BAYES_80
0.48	DATE_IN_PAST_03_06
3.00	DC_GIF_UNO_LARGO
4.20	HELO_DYNAMIC_IPADDR
0.37	HTML_30_40
0.75	HTML_MESSAGE
2.05	RCVD_IN_SORBS_DUL

score=12.848 required=6
 

jamesbond (Well-Known Member)
Has anyone tried this plugin for SA?
I installed it yesterday and it seems to be useful. Together with the SARE stock rules most of the stock spam is being filtered.

One question though, where do you guys install the spamassassin plugins? I added the ImageInfo.pm to /usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/ since that's where I found other plugins.

Upgrading perl would obviously mean I would have to reinstall the plugin. Doesn't it make more sense to create a directory /etc/mail/spamassassin/plugins and change the spamassassin plugin path?
 

Solokron (Well-Known Member, Seattle, cPanel Access Level: DataCenter Provider)
How often are the stock filters updated? These past two days we have received a new influx of stock spam getting through that the filters are missing.
 

HappymanUK (Well-Known Member)
Can someone just confirm something for me please.

I have recently disabled SpamAssassin from within cPanel, and installed Chirpy's MailScanner package.

Does MailScanner still use SpamAssassin, or are they two completely different things? I am getting the two confused.

Thanks
Daniel
 

HappymanUK (Well-Known Member)
Thank you.

I'm still not 100% sure what MailScanner offers that SpamAssassin doesn't already do on its own. I've looked at the MailScanner website, but I'm none the wiser... :(

Daniel
 

mctDarren (Well-Known Member, New Jersey, cPanel Access Level: Root Administrator)
How often are the stock filters updated? These past two days we have received a new influx of stock spam getting through that the filters are missing.
Just had more last night - for Superlattice Nano Technology. I hope the company crashes and burns...

Anyway, a quick ruleset added to /etc/mail/spamassassin/local.cf and teaching the Bayesian DB through MailWatch quickly took care of it for me:

## SUPERLATTICE NANO TECHNOLOGY
body NANO_01 /\bNSLT/
score NANO_01 1.800
body NANO_02 /\bnano/i
score NANO_02 1.800
body NANO_03 /superlattice/i
score NANO_03 1.800
body NANO_04 /symbol/i
score NANO_04 1.800

add this at the bottom of local.cf, restart exim, restart MS, load up MailWatch and watch the spam get drop kicked... fun fun
 

mctDarren (Well-Known Member, New Jersey, cPanel Access Level: Root Administrator)
The MailScanner / Spam Assassin / ClamAV / DCC / Razor / RulesDuJour combo from Chirpy gives you a one stop solution to turn on/off and tune spam filters, attachment scanners, anti-virus, etc. And with MS you can do it on a per-user basis for all those options. It's much more flexible than a standard Exim/SA/Clamd setup IMO.
 

HappymanUK (Well-Known Member)
The MailScanner / Spam Assassin / ClamAV / DCC / Razor / RulesDuJour combo from Chirpy gives you a one stop solution to turn on/off and tune spam filters, attachment scanners, anti-virus, etc. And with MS you can do it on a per-user basis for all those options. It's much more flexible than a standard Exim/SA/Clamd setup IMO.
With Chirpy's solution, does it allow you to keep all the settings away from individual users' cPanels? i.e., is all control done via WHM?

Does it also keep itself updated with definitions, rules etc.?

Thanks,
Daniel
 

mctDarren (Well-Known Member, New Jersey, cPanel Access Level: Root Administrator)
You have the option to let them have it or not on their cPanel. All your control can be done through WHM if you order the MSFE.

Clamd is kept up to date through the freshclam cron. Spam filters are kept up to date through Rules Du Jour.
 

barous (Registered)
The team offers an excellent service

Thanks Sarah, the team offers excellent anti-spam and anti-virus and a fast, good service.
The setup kills 99% of the spam and 99% of the image spam :D

http://www.configserver.com/cp/mailscanner.html
Thank you to the configserver team.

Thanks Sarah, they offer a perfect combination against viruses and spam,
and an excellent, fast service. It destroys 99% of text spam and 99% of image spam. :D


http://www.configserver.com/cp/mailscanner.html
Thanks to the whole configserver team.
 

Un Area (Well-Known Member)
HELO Control

Some spammers use private IP addresses for sending. There is no reason for doing that. So you may apply this in /etc/exim.conf under begin acl:

# Helo should not be RFC 1918 address
deny hosts = !+relay_from_hosts
message = RFC 1918 IP address in HELO.
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$\N}{yes}{no}}

This will block private internet addresses such as:

10.0.0.0
172.16.0.0
192.168.0.0
169.254.0.0

This ACL is another layer of security for your mail server :)

Then, as root, run grep 'RFC 1918' /var/log/exim_mainlog and see the results :)

I hope this is useful.

Bye!
 

mickalo (Well-Known Member, N.W. Iowa)
Some spammers use private IP addresses for sending. There is no reason for doing that. So you may apply this in /etc/exim.conf under begin acl:

# Helo should not be RFC 1918 address
deny hosts = !+relay_from_hosts
message = RFC 1918 IP address in HELO.
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$\N}{yes}{no}}

This will block private internet addresses such as:

10.0.0.0
172.16.0.0
192.168.0.0
169.254.0.0

This ACL is another layer of security for your mail server :)

Then run grep 'RFC 1918' /var/log/exim_mainlog and see the results :)

I hope this is useful.

Bye!
Would it be placed here:

Code:
#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl

# ADD HERE - Helo should not be RFC 1918 address


#!!# ACL that is used after the RCPT command
check_recipient:
Is this the correct entry location?

TIA,
Mickalo
 

Un Area (Well-Known Member)
This is how it looks:

#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3 #!!#
#!!# policy control options. #!!#
#!!#######################################################!!#

#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl


#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

deny message = RFC 1918 IP address in HELO.
log_message = RFC 1918 IP address
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$\N}{yes}{no}}
 

mickalo (Well-Known Member, N.W. Iowa)
This is how it looks:

#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3 #!!#
#!!# policy control options. #!!#
#!!#######################################################!!#

#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl


#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

deny message = RFC 1918 IP address in HELO.
log_message = RFC 1918 IP address
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$\N}{yes}{no}}
Got it... thanks

Mickalo
 

bsasninja (Well-Known Member)
Won't this condition block local_domains senders as well?

I think so,

because if you are on a LAN with IP 192.168.x.x, when you connect through the SMTP server the connection will be refused because the mail is coming from an RFC 1918 address.

I think this must be added to the rule to avoid local senders being refused.

!hosts = +relay_hosts
!authenticated = *

Remote connections to the SMTP server will come from public addresses. If a remote connection comes from a private address, it's a spammer. :p
 

mickalo (Well-Known Member, N.W. Iowa)
Won't this condition block local_domains senders as well?

I think so,

because if you are on a LAN with IP 192.168.x.x, when you connect through the SMTP server the connection will be refused because the mail is coming from an RFC 1918 address.

I think this must be added to the rule to avoid local senders being refused.

!hosts = +relay_hosts
!authenticated = *

Remote connections to the SMTP server will come from public addresses. If a remote connection comes from a private address, it's a spammer. :p
How exactly would this be added then, or entered into exim.conf along with the other part of the rule?

Mickalo
 

lloyd_tennison (Well-Known Member)
Why would any of those IP even get through since they have no reverse IP that would match the reverse DNS?
 

Un Area (Well-Known Member)
Yes, local senders always connect through the SMTP server from a private address. Outside senders connecting to the SMTP server directly with private addresses are likely spammers using bulk mailing software on their own machines.

Sorry for the mistake, here is the complete ACL:

deny message = RFC 1918 IP address in HELO.
log_message = RFC 1918 IP address
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$\N}{yes}{no}}



Now this will prevent local senders from being refused. :D

I will post an ACL rule that blocks a lot of stock spam.. stay tuned :cool:
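Added example (not code from the thread, from cPanel or from Exim): a small shell script that feeds HELO names through the exact pattern from the posted condition using grep -E, and runs the suggested exim_mainlog grep over a constructed log excerpt. Running it shows what the pattern catches and misses among the addresses listed in the earlier post: 10/8, 172.16/12 and 192.168/16 (with or without square brackets) are denied, a hostname and 172.32.0.1 pass, and 169.254.0.1 also passes, because the pattern has no alternative for the link-local range. The HELO names and the log lines are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: exercise the HELO pattern from the
# posted exim.conf ACL with grep -E, and run the suggested exim_mainlog
# check. Every HELO name and log line below is constructed for the demo.

# Exactly the pattern inside the \N...\N of the posted condition.
RFC1918_HELO_RE='^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$'

# helo_is_rfc1918 NAME: exit 0 when the ACL condition would be true (deny).
helo_is_rfc1918() {
    printf '%s\n' "$1" | grep -Eq "$RFC1918_HELO_RE"
}

# count_rfc1918_rejects: reads exim_mainlog text on stdin and counts the
# lines carrying the ACL's message text. The quotes matter: an unquoted
# "grep RFC 1918 /var/log/exim_mainlog" looks for "RFC" in a file named 1918.
count_rfc1918_rejects() {
    grep -c 'RFC 1918'
}

# rejected_helos: reads exim_mainlog text on stdin and prints the HELO name
# that Exim logged in parentheses after H= for each rejected connection.
rejected_helos() {
    grep 'RFC 1918' | sed -n 's/.*H=[^(]*(\([^)]*\)).*/\1/p'
}

# Constructed exim_mainlog excerpt in Exim's log format (not real traffic).
SAMPLE_MAINLOG='2007-02-11 10:15:02 H=(192.168.1.10) [203.0.113.45] F=<bob@example.net> rejected RCPT <alice@example.com>: RFC 1918 IP address in HELO.
2007-02-11 10:15:09 1HGabc-0001Ab-2C <= carol@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2413
2007-02-11 10:16:33 H=([10.0.0.5]) [203.0.113.99] F=<spam@example.net> rejected RCPT <dave@example.com>: RFC 1918 IP address in HELO.'

# Demo: the four ranges listed in the post, plus a bracketed address literal,
# the public neighbour of 172.16/12 and an ordinary hostname.
for helo in 10.0.0.1 172.16.0.1 192.168.0.1 169.254.0.1 '[10.0.0.5]' 172.32.0.1 mail.example.com; do
    if helo_is_rfc1918 "$helo"; then
        printf 'deny  %s\n' "$helo"
    else
        printf 'pass  %s\n' "$helo"
    fi
done
printf 'rejections logged: %s\n' "$(printf '%s\n' "$SAMPLE_MAINLOG" | count_rfc1918_rejects)"
printf 'rejected HELO names:\n'
printf '%s\n' "$SAMPLE_MAINLOG" | rejected_helos
```

To check a real server, replace the constructed excerpt with the actual log: `count_rfc1918_rejects < /var/log/exim_mainlog`. The pattern is the same one the ACL evaluates, so anything the script marks "pass" would also pass the ACL as posted.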