More spam bypassing Cpanel11 RBLs

[Alejandro P]

Hello, I was very happy with Cpanel11 RBL, they were working quite well days ago, but recently more spam is going through them, how can I strength them again.

Most of the spam is getting less than 5 points in spamassassin score and flooding our users mailboxes.

Any suggestion?

 

[Alejandro P]

Any ideas to add more strenght to spamassassin rules? it was working quite well days ago but now more spam is going over the filter.

 

[SageBrian]

Any ideas to add more strenght to spamassassin rules? it was working quite well days ago but now more spam is going over the filter.

It usually comes in waves as the spammers find a way around the filters, and spamassassin learns and eventually blocks.

I have had a spam increase in the last week or 2, likely due to the large amounts of bayes-poison the spammers are sending. "Hello! I am tired this afternoon"

Eventually things balance out again.

Brian

 

[rpmws]

Hello, I was very happy with Cpanel11 RBL, they were working quite well days ago, but recently more spam is going through them, how can I strength them again.

Most of the spam is getting less than 5 points in spamassassin score and flooding our users mailboxes.

Any suggestion?

I see in your title that you refer to cPanel's RBL's ..spamassassin uses it's own rbl but are you actually using the 2 that cPanel makes easily available as well?

 

[HelloAdam]

Hey,

I do not think you can use SpamAssassin and have cPanel's RBL run at the same time...


Thanks,
Adam

 

[rpmws]

Hey,

I do not think you can use SpamAssassin and have cPanel's RBL run at the same time...


Thanks,
Adam

that's strange ..I have been using them both since Dec 2006

 

[twhiting9275]

Hello, I was very happy with Cpanel11 RBL, they were working quite well days ago, but recently more spam is going through them, how can I strength them again.

Most of the spam is getting less than 5 points in spamassassin score and flooding our users mailboxes.

Any suggestion?

Sugggestion:
Give up entirely on using SA and EXIM RBL's. Use something that handles things a LOT better and is very user friendly, like assp . There's two versions for CPanel alone, though I'd strongly suggest going with the paid version.


SA is bad, Exims RBLs are bad. Using the MTA (exim) to handle any spam filtering is a bad idea in general. It should all be done before it hits the MTA, through a mail proxy which is configured to handle things.

 

[sehh]

SA is bad, Exims RBLs are bad. Using the MTA (exim) to handle any spam filtering is a bad idea in general. It should all be done before it hits the MTA, through a mail proxy which is configured to handle things.

i'm sorry but i don't agree.

i've been using SA for many years, along with Exim and some of the popular RBL's and they all do an excellent job at filtering spam.

to be more specific, the combination of SA+Exim+RBL and the default rules in cPanel v11 have managed to cut spam to just about... zero. We do get 1-2 spam emails per month in our entire company with hundreds of emails!!! thats like 99,9% success.

we also monitor false positives but so far there haven't been any, so at the moment all marked spam are automatically deleted and the originating IP address is banned by the firewall.

SpamAssassin+Exim+RBL are a great combination!

 

[twhiting9275]

i'm sorry but i don't agree.

And that's your right and choice to do, but if you haven't used anything else, who are you to disagree?

I've managed, and used, both SA/Exim settings AND ASSP/Exim settings, and let me tell you, SA doesn't stand a chance.

SA loads down the server because of user filtering. ASSP does not
SA has minimalistic checks on things such as RBLs, ASSP can check any RBL you tell it to

I could go on and on comparing one to the other, but the fact is that SA doesn't even come close to ASSP's processing, from personal experience, without a LOT of plugins, a LOT of addons, and a good bit of server load.

 

[sehh]

i never said i haven't used anything else.

you are wrong about SA, but its obvious that you feel strongly about assp... for some reason.

i don't care, but you shouldn't be wrongly influencing others.

 

[rpmws]

And that's your right and choice to do, but if you haven't used anything else, who are you to disagree?

I've managed, and used, both SA/Exim settings AND ASSP/Exim settings, and let me tell you, SA doesn't stand a chance.

SA loads down the server because of user filtering. ASSP does not
SA has minimalistic checks on things such as RBLs, ASSP can check any RBL you tell it to

I could go on and on comparing one to the other, but the fact is that SA doesn't even come close to ASSP's processing, from personal experience, without a LOT of plugins, a LOT of addons, and a good bit of server load.

I wouldn't say that SA isn't a bloated hunk of blood sucking crap myself. It will kill a server in seconds if the spammers hit it right. BUT having said that ..if you use cPanel's built-in RBL's or configure your own in the exim config editor you can knock down 90% of connections at SMTP time so SA doesn't have to scan so much. works fine for me. The RBL's alone on a typical box will reject 90% of all attempts and I haven't gotten the first false positive in a year. 1000+ domains/users

 

[Kent Brockman]

Hi, I have to turn off SA for a while due to the high usage of memory it does. SA crashed several times a day, making fail webmaild and eximd each time.

Does anybody know about good ACLs or RBLs to use with Exim only?
Or any way to minimize the resource usage from SpamAssassin? (when using SA, unfiltered spam was 0.1%, using Exim only it is about 5%)

 

[rpmws]

Hi, I have to turn off SA for a while due to the high usage of memory it does. SA crashed several times a day, making fail webmaild and eximd each time.

Does anybody know about good ACLs or RBLs to use with Exim only?
Or any way to minimize the resource usage from SpamAssassin? (when using SA, unfiltered spam was 0.1%, using Exim only it is about 5%)

if you enable the 2 RBL's cpanel provides in the exim config editor, that alone on a busy server will block 80-90% of ALL email attempts. The other 10% will be a 50-50 mixture of legit mail and some spam. I have 2 year's worth of MRTG graphs to show the ratios.

 

[Kent Brockman]

if you enable the 2 RBL's cpanel provides in the exim config editor, that alone on a busy server will block 80-90% of ALL email attempts. The other 10% will be a 50-50 mixture of legit mail and some spam. I have 2 year's worth of MRTG graphs to show the ratios.

Hi, we use the 2 RBL's: bl.spamcop.net and zen.spamhaus.org and do a good work, but there are certain domains that are receiving hundreds of spam mails daily that's not being filtered by this RBLs.
We also have activated the option of "Sender Verification". The other option, "Sender Verification Callouts", did a great work stopping spam, but had to be deactivated because also filter legit newsletters that use to setup a different Return-Path in their messages cause they send thru group manager softwares or specialized list manager websites.

any other idea? maybe references to smarter ACL rules?

 

[rpmws]

Hi, we use the 2 RBL's: bl.spamcop.net and zen.spamhaus.org and do a good work, but there are certain domains that are receiving hundreds of spam mails daily that's not being filtered by this RBLs.
We also have activated the option of "Sender Verification". The other option, "Sender Verification Callouts", did a great work stopping spam, but had to be deactivated because also filter legit newsletters that use to setup a different Return-Path in their messages cause they send thru group manager softwares or specialized list manager websites.

any other idea? maybe references to smarter ACL rules?

do you have all your default addresses set to :fail: ?

Keep in mind RBL's are not filters really. they contain IP addresses of know spammers and the list is used to block at SMTP time. If the email is accepted then the sending server or IP is not on the RBL. Typically these come from infected client computers and eventually will be blocked. But making sure you are not wide open to dictionary attacks is a good idea ..also using cPanel's ratelimiter helps.

 

[Kent Brockman]

do you have all your default addresses set to :fail: ?

Keep in mind RBL's are not filters really. they contain IP addresses of know spammers and the list is used to block at SMTP time. If the email is accepted then the sending server or IP is not on the RBL. Typically these come from infected client computers and eventually will be blocked. But making sure you are not wide open to dictionary attacks is a good idea ..also using cPanel's ratelimiter helps.

Yep, I have activated all the very best methods of filtering offered by WHM, but not the Spam Assassin.
Even more, I've tried lowering the email size threshold for which an email will bypass the scanning by SA but this didn't avoid SA using too much resources for the solely fact of being enabled.

I would love to see any way to enable SA for only those 6-7 domains that are suffering the sustained spam storm. Actually you can selectively disable Spam Assassin for selected websites, but I don't know if even may be created a script to mass edit individual config files to disabling SA and after that, manually activate SA only in the affected domains. That would be so cool...

 

[sehh]

If you have a VPS (or a system with the equivalent power of a 386) then edit your WHM configuration and set SA's max-children to 2 or even 1. The default is too high for small VPS servers.

 

[Kent Brockman]

If you have a VPS (or a system with the equivalent power of a 386) then edit your WHM configuration and set SA's max-children to 2 or even 1. The default is too high for small VPS servers.

ok, where in the WHM can this be set?

 

[sehh]

in WHM, under the cPanel section, click on "Manage Plugins", in this page, then install the spamdconf plugin by selecting the "Install and Keep updated". Click Save at the bottom of the page.

Now, under the Plugins section, click on "Setup Spamd Startup Configuration" and in this page set the Maximum Children to 2 or 1.

 

[Kent Brockman]

Cool, do you know what are the default values used by SA? because I've been testing setting "Maximum Children" to 5 and has been running pretty well. Now I know about this spamdconf plugin I found in this forums that others have set "Maximum Connections Per Child" to 25. I don't how that setting could impact on performance if I set a lower value: will it delay email scanning?

Also, do I need to set any value to "Allowed IPs" or 127.0.0.1 will be the "de facto" value?

Regards