More spam bypassing Cpanel11 RBLs

Alejandro P

Hello, I was very happy with Cpanel11 RBL, they were working quite well days ago, but recently more spam is going through them, how can I strengthen them again?

Most of the spam is getting less than 5 points in spamassassin score and flooding our users' mailboxes.

Any suggestion?
 

SageBrian

> Any ideas to add more strength to spamassassin rules? it was working quite well days ago but now more spam is going over the filter.

It usually comes in waves as the spammers find a way around the filters, and spamassassin learns and eventually blocks.

I have had a spam increase in the last week or 2, likely due to the large amounts of bayes-poison the spammers are sending. "Hello! I am tired this afternoon"

Eventually things balance out again.

Brian
 

rpmws

> Hello, I was very happy with Cpanel11 RBL, they were working quite well days ago, but recently more spam is going through them, how can I strengthen them again?
>
> Most of the spam is getting less than 5 points in spamassassin score and flooding our users' mailboxes.
>
> Any suggestion?

I see in your title that you refer to cPanel's RBL's ..spamassassin uses its own rbl but are you actually using the 2 that cPanel makes easily available as well?
 

rpmws

> Hey,
>
> I do not think you can use SpamAssassin and have cPanel's RBL run at the same time...
>
> Thanks,
> Adam

that's strange ..I have been using them both since Dec 2006
 

twhiting9275

> Hello, I was very happy with Cpanel11 RBL, they were working quite well days ago, but recently more spam is going through them, how can I strengthen them again?
>
> Most of the spam is getting less than 5 points in spamassassin score and flooding our users' mailboxes.
>
> Any suggestion?

Suggestion:
Give up entirely on using SA and EXIM RBL's. Use something that handles things a LOT better and is very user friendly, like assp. There are two versions for CPanel alone, though I'd strongly suggest going with the paid version.

SA is bad, Exim's RBLs are bad. Using the MTA (exim) to handle any spam filtering is a bad idea in general. It should all be done before it hits the MTA, through a mail proxy which is configured to handle things.
 

sehh

> SA is bad, Exim's RBLs are bad. Using the MTA (exim) to handle any spam filtering is a bad idea in general. It should all be done before it hits the MTA, through a mail proxy which is configured to handle things.

i'm sorry but i don't agree.

i've been using SA for many years, along with Exim and some of the popular RBL's and they all do an excellent job at filtering spam.

to be more specific, the combination of SA+Exim+RBL and the default rules in cPanel v11 have managed to cut spam to just about... zero. We do get 1-2 spam emails per month in our entire company with hundreds of emails!!! that's like 99,9% success.

we also monitor false positives but so far there haven't been any, so at the moment all marked spam are automatically deleted and the originating IP address is banned by the firewall.

SpamAssassin+Exim+RBL are a great combination!
 

twhiting9275

> i'm sorry but i don't agree.

And that's your right and choice to do, but if you haven't used anything else, who are you to disagree?

I've managed, and used, both SA/Exim settings AND ASSP/Exim settings, and let me tell you, SA doesn't stand a chance.

SA loads down the server because of user filtering. ASSP does not.
SA has minimalistic checks on things such as RBLs, ASSP can check any RBL you tell it to.

I could go on and on comparing one to the other, but the fact is that SA doesn't even come close to ASSP's processing, from personal experience, without a LOT of plugins, a LOT of addons, and a good bit of server load.
 

sehh

i never said i haven't used anything else.

you are wrong about SA, but it's obvious that you feel strongly about assp... for some reason.

i don't care, but you shouldn't be wrongly influencing others.
 

rpmws

> And that's your right and choice to do, but if you haven't used anything else, who are you to disagree?
>
> I've managed, and used, both SA/Exim settings AND ASSP/Exim settings, and let me tell you, SA doesn't stand a chance.
>
> SA loads down the server because of user filtering. ASSP does not.
> SA has minimalistic checks on things such as RBLs, ASSP can check any RBL you tell it to.
>
> I could go on and on comparing one to the other, but the fact is that SA doesn't even come close to ASSP's processing, from personal experience, without a LOT of plugins, a LOT of addons, and a good bit of server load.

I wouldn't say that SA isn't a bloated hunk of blood sucking crap myself. It will kill a server in seconds if the spammers hit it right. BUT having said that ..if you use cPanel's built-in RBL's or configure your own in the exim config editor you can knock down 90% of connections at SMTP time so SA doesn't have to scan so much. works fine for me. The RBL's alone on a typical box will reject 90% of all attempts and I haven't gotten the first false positive in a year. 1000+ domains/users
 

Kent Brockman

Hi, I have to turn off SA for a while due to the high usage of memory it does. SA crashed several times a day, making webmaild and eximd fail each time.

Does anybody know about good ACLs or RBLs to use with Exim only?
Or any way to minimize the resource usage from SpamAssassin? (when using SA, unfiltered spam was 0.1%, using Exim only it is about 5%)
 

rpmws

> Hi, I have to turn off SA for a while due to the high usage of memory it does. SA crashed several times a day, making webmaild and eximd fail each time.
>
> Does anybody know about good ACLs or RBLs to use with Exim only?
> Or any way to minimize the resource usage from SpamAssassin? (when using SA, unfiltered spam was 0.1%, using Exim only it is about 5%)

if you enable the 2 RBL's cpanel provides in the exim config editor, that alone on a busy server will block 80-90% of ALL email attempts. The other 10% will be a 50-50 mixture of legit mail and some spam. I have 2 years' worth of MRTG graphs to show the ratios.
 

Kent Brockman

> if you enable the 2 RBL's cpanel provides in the exim config editor, that alone on a busy server will block 80-90% of ALL email attempts. The other 10% will be a 50-50 mixture of legit mail and some spam. I have 2 years' worth of MRTG graphs to show the ratios.

Hi, we use the 2 RBL's: bl.spamcop.net and zen.spamhaus.org and they do good work, but there are certain domains that are receiving hundreds of spam mails daily that are not being filtered by these RBLs.
We also have activated the option of "Sender Verification". The other option, "Sender Verification Callouts", did great work stopping spam, but had to be deactivated because it also filtered legit newsletters that usually set up a different Return-Path in their messages because they send through group manager software or specialized list manager websites.

Any other idea? Maybe references to smarter ACL rules?
 

rpmws

> Hi, we use the 2 RBL's: bl.spamcop.net and zen.spamhaus.org and they do good work, but there are certain domains that are receiving hundreds of spam mails daily that are not being filtered by these RBLs.
> We also have activated the option of "Sender Verification". The other option, "Sender Verification Callouts", did great work stopping spam, but had to be deactivated because it also filtered legit newsletters that usually set up a different Return-Path in their messages because they send through group manager software or specialized list manager websites.
>
> Any other idea? Maybe references to smarter ACL rules?

do you have all your default addresses set to :fail: ?

Keep in mind RBL's are not filters really. They contain IP addresses of known spammers and the list is used to block at SMTP time. If the email is accepted then the sending server or IP is not on the RBL. Typically these come from infected client computers and eventually will be blocked. But making sure you are not wide open to dictionary attacks is a good idea ..also using cPanel's ratelimiter helps.
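
The SMTP-time lookup described in the post above, as an added example that is not part of the original thread: an RBL check reverses the connecting IPv4 address, appends the list's zone, and treats a 127.0.0.x answer as "listed". The sample resolver data and test addresses are constructed, and the handling of 127.255.255.x answers as errors rather than listings is an assumption based on Spamhaus's published return codes.

```python
import ipaddress
import socket

# The two lists named in this thread.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when no record exists."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Map each zone to its 127.0.0.x return code, or None if not listed."""
    result = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # Only 127.x answers mean "listed"; 127.255.255.x is an error code
        # (e.g. query refused), so it must never cause a rejection.
        listed = (answer is not None and answer.startswith("127.")
                  and not answer.startswith("127.255.255."))
        result[zone] = answer if listed else None
    return result

def smtp_time_verdict(ip, zones=ZONES, resolve=system_resolver):
    """Reject if any zone lists the connecting IP, as an RBL ACL would."""
    hits = [z for z, code in check_ip(ip, zones, resolve).items() if code]
    return ("reject", hits) if hits else ("accept", [])

# Constructed sample data standing in for DNS: 192.0.2.10 is "listed"
# on one zone, 198.51.100.7 on none. Real lookups use system_resolver.
SAMPLE_DNS = {"10.2.0.192.zen.spamhaus.org": "127.0.0.4"}

def sample_resolver(name):
    return SAMPLE_DNS.get(name)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, smtp_time_verdict(ip, resolve=sample_resolver))
```

An address that returns `("accept", [])` here is exactly the case the post describes: the sender is not on the list yet, so the message has to be caught by content filtering or rate limiting instead.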
 

Kent Brockman

> do you have all your default addresses set to :fail: ?
>
> Keep in mind RBL's are not filters really. They contain IP addresses of known spammers and the list is used to block at SMTP time. If the email is accepted then the sending server or IP is not on the RBL. Typically these come from infected client computers and eventually will be blocked. But making sure you are not wide open to dictionary attacks is a good idea ..also using cPanel's ratelimiter helps.

Yep, I have activated all the very best methods of filtering offered by WHM, but not the Spam Assassin.
Even more, I've tried lowering the email size threshold for which an email will bypass the scanning by SA but this didn't stop SA from using too many resources for the sole fact of being enabled.

I would love to see any way to enable SA for only those 6-7 domains that are suffering the sustained spam storm. Actually you can selectively disable Spam Assassin for selected websites, but I don't know whether a script could even be created to mass-edit the individual config files to disable SA and, after that, manually activate SA only in the affected domains. That would be so cool...
 

sehh

If you have a VPS (or a system with the equivalent power of a 386) then edit your WHM configuration and set SA's max-children to 2 or even 1. The default is too high for small VPS servers.
 

sehh

in WHM, under the cPanel section, click on "Manage Plugins", in this page, then install the spamdconf plugin by selecting the "Install and Keep updated". Click Save at the bottom of the page.

Now, under the Plugins section, click on "Setup Spamd Startup Configuration" and in this page set the Maximum Children to 2 or 1.
 

Kent Brockman

Cool, do you know what the default values used by SA are? Because I've been testing setting "Maximum Children" to 5 and it has been running pretty well. Now that I know about this spamdconf plugin, I found in these forums that others have set "Maximum Connections Per Child" to 25. I don't know how that setting could impact performance if I set a lower value: will it delay email scanning?

Also, do I need to set any value for "Allowed IPs", or will 127.0.0.1 be the "de facto" value?

Regards