More spam bypassing Cpanel11 RBLs

Discussion in 'E-mail Discussions' started by Alejandro P, Apr 3, 2008.

  1. Alejandro P

    Alejandro P Well-Known Member

    Joined:
    Apr 6, 2007
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hello, I was very happy with Cpanel11 RBL, they were working quite well days ago, but recently more spam is going through them. How can I strengthen them again?

    Most of the spam is getting less than 5 points in spamassassin score and flooding our users' mailboxes.

    Any suggestion?
     
  2. Alejandro P

    Any ideas to add more strength to spamassassin rules? It was working quite well days ago but now more spam is going over the filter.
     
  3. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    It usually comes in waves as the spammers find a way around the filters, and spamassassin learns and eventually blocks.

    I have had a spam increase in the last week or 2, likely due to the large amounts of bayes-poison the spammers are sending. "Hello! I am tired this afternoon"

    Eventually things balance out again.

    Brian
     
  4. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I see in your title that you refer to cPanel's RBL's ..spamassassin uses its own rbl but are you actually using the 2 that cPanel makes easily available as well?
     
  5. HelloAdam

    HelloAdam Well-Known Member

    Joined:
    Nov 6, 2005
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Hey,

    I do not think you can use SpamAssassin and have cPanel's RBL run at the same time...


    Thanks,
    Adam
     
  6. rpmws

    that's strange ..I have been using them both since Dec 2006
     
  7. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Suggestion:
    Give up entirely on using SA and EXIM RBL's. Use something that handles things a LOT better and is very user friendly, like assp. There's two versions for CPanel alone, though I'd strongly suggest going with the paid version.


    SA is bad, Exim's RBLs are bad. Using the MTA (exim) to handle any spam filtering is a bad idea in general. It should all be done before it hits the MTA, through a mail proxy which is configured to handle things.
     
  8. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    i'm sorry but i don't agree.

    i've been using SA for many years, along with Exim and some of the popular RBL's and they all do an excellent job at filtering spam.

    to be more specific, the combination of SA+Exim+RBL and the default rules in cPanel v11 have managed to cut spam to just about... zero. We do get 1-2 spam emails per month in our entire company with hundreds of emails!!! that's like 99,9% success.

    we also monitor false positives but so far there haven't been any, so at the moment all marked spam are automatically deleted and the originating IP address is banned by the firewall.

    SpamAssassin+Exim+RBL are a great combination!
     
  9. twhiting9275

    And that's your right and choice to do, but if you haven't used anything else, who are you to disagree?

    I've managed, and used, both SA/Exim settings AND ASSP/Exim settings, and let me tell you, SA doesn't stand a chance.

    SA loads down the server because of user filtering. ASSP does not
    SA has minimalistic checks on things such as RBLs, ASSP can check any RBL you tell it to

    I could go on and on comparing one to the other, but the fact is that SA doesn't even come close to ASSP's processing, from personal experience, without a LOT of plugins, a LOT of addons, and a good bit of server load.
     
  10. sehh

    i never said i haven't used anything else.

    you are wrong about SA, but it's obvious that you feel strongly about assp... for some reason.

    i don't care, but you shouldn't be wrongly influencing others.
     
  11. rpmws

    I wouldn't say that SA isn't a bloated hunk of blood sucking crap myself. It will kill a server in seconds if the spammers hit it right. BUT having said that ..if you use cPanel's built-in RBL's or configure your own in the exim config editor you can knock down 90% of connections at SMTP time so SA doesn't have to scan so much. works fine for me. The RBL's alone on a typical box will reject 90% of all attempts and I haven't gotten the first false positive in a year. 1000+ domains/users
     
  12. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Hi, I have to turn off SA for a while due to its high memory usage. SA crashed several times a day, making webmaild and eximd fail each time.

    Does anybody know about good ACLs or RBLs to use with Exim only?
    Or any way to minimize the resource usage from SpamAssassin? (when using SA, unfiltered spam was 0.1%, using Exim only it is about 5%)
     
  13. rpmws

    if you enable the 2 RBL's cpanel provides in the exim config editor, that alone on a busy server will block 80-90% of ALL email attempts. The other 10% will be a 50-50 mixture of legit mail and some spam. I have 2 years' worth of MRTG graphs to show the ratios.
     
  14. Kent Brockman

    Hi, we use the 2 RBL's: bl.spamcop.net and zen.spamhaus.org and they do good work, but there are certain domains that are receiving hundreds of spam mails daily that are not being filtered by these RBLs.
    We also have activated the option of "Sender Verification". The other option, "Sender Verification Callouts", did great work stopping spam, but had to be deactivated because it also filtered legit newsletters that usually set up a different Return-Path in their messages because they send through group manager software or specialized list manager websites.

    any other idea? maybe references to smarter ACL rules?
     
    #14 Kent Brockman, Apr 9, 2008
    Last edited: Apr 9, 2008
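
An added example, not part of the thread: how an SMTP-time lookup against the two zones named above is formed and how the answer should be read, including Spamhaus's 127.255.255.x error answers, which are not listings. The function names and the injectable `resolve` parameter are illustrative assumptions.

```python
import ipaddress
import socket

ZONES = ("zen.spamhaus.org", "bl.spamcop.net")  # the two zones named in the thread

# Last octet of a zen.spamhaus.org answer -> component list.
ZEN_CODES = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}


def dnsbl_name(ip, zone):
    """DNS name an MTA queries: the reversed address followed by the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    # reverse_pointer ends in .in-addr.arpa (IPv4) or .ip6.arpa (IPv6); drop it.
    return rev.rsplit(".", 2)[0] + "." + zone


def classify(answer, zone):
    """Interpret an A-record answer; None means no record was returned."""
    if answer is None:
        return "not listed"
    octets = [int(o) for o in answer.split(".")]
    if octets[0] != 127:
        return "invalid answer"   # wildcard or rewritten DNS: never block on it
    if octets[:3] == [127, 255, 255]:
        return "lookup refused"   # Spamhaus error code, e.g. query via a public resolver
    if zone == "zen.spamhaus.org":
        return "listed: " + ZEN_CODES.get(octets[3], "unknown code")
    return "listed"


def system_resolver(name):
    """Resolve through the host's resolver; failures and NXDOMAIN both give None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check(ip, resolve=system_resolver):
    """Return {zone: verdict} for one connecting address."""
    return {zone: classify(resolve(dnsbl_name(ip, zone)), zone) for zone in ZONES}


if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test entry and should come back listed.
    print(check("127.0.0.2"))
```

A "lookup refused" or "invalid answer" verdict on the test entry means the server's resolver is not getting real data from the list, so the RBL is rejecting nothing.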
  15. rpmws

    do you have all your default addresses set to :fail: ?

    Keep in mind RBL's are not filters really. they contain IP addresses of known spammers and the list is used to block at SMTP time. If the email is accepted then the sending server or IP is not on the RBL. Typically these come from infected client computers and eventually will be blocked. But making sure you are not wide open to dictionary attacks is a good idea ..also using cPanel's ratelimiter helps.
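
An added example, not part of the thread: with default addresses set to :fail:, each probe of a nonexistent mailbox is rejected at RCPT time and logged, so a dictionary attack shows up as one IP collecting many distinct rejected recipients. The log lines are constructed in the style of Exim's main log, and the "No Such User" reason text and the threshold are assumptions to adjust for the server at hand.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE_LOG = """\
2008-04-09 10:15:01 H=(mail.example.org) [192.0.2.10] F=<news@example.org> rejected RCPT <bob@example.com>: No Such User Here
2008-04-09 10:15:02 H=([10.0.0.5]) [203.0.113.7] F=<a@example.net> rejected RCPT <admin@example.com>: No Such User Here
2008-04-09 10:15:02 H=([10.0.0.5]) [203.0.113.7] F=<a@example.net> rejected RCPT <info@example.com>: No Such User Here
2008-04-09 10:15:03 H=([10.0.0.5]) [203.0.113.7] F=<a@example.net> rejected RCPT <sales@example.com>: No Such User Here
2008-04-09 10:15:03 H=([10.0.0.5]) [203.0.113.7] F=<a@example.net> rejected RCPT <info@example.com>: No Such User Here
2008-04-09 10:15:04 H=(pc.example.net) [198.51.100.9] F=<x@example.net> rejected RCPT <joe@example.com>: rejected by RBL (constructed reason)
"""

BRACKETED = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
RCPT = re.compile(r"^<([^>]*)>: (.*)$")


def unknown_rcpt_counts(log_text, reason="No Such User"):
    """Map sending IP -> set of distinct recipients rejected for `reason`."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        head, sep, tail = line.partition(" rejected RCPT ")
        m = RCPT.match(tail)
        ips = BRACKETED.findall(head)
        if not sep or not m or not ips or reason not in m.group(2):
            continue
        # The peer address is the last bracketed token; an earlier one can be
        # a HELO literal such as H=([10.0.0.5]), which the sender controls.
        seen[ips[-1]].add(m.group(1).lower())
    return seen


def suspects(log_text, threshold=3):
    """IPs that probed at least `threshold` distinct nonexistent mailboxes."""
    counts = unknown_rcpt_counts(log_text)
    return sorted(ip for ip, rcpts in counts.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
```

Counting distinct recipients rather than raw rejections keeps a legitimate sender who retries one mistyped address below the threshold.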
     
  16. Kent Brockman

    Yep, I have activated all the very best methods of filtering offered by WHM, but not Spam Assassin.
    Even more, I've tried lowering the email size threshold for which an email will bypass the scanning by SA but this didn't stop SA from using too many resources for the sole fact of being enabled.

    I would love to see any way to enable SA for only those 6-7 domains that are suffering the sustained spam storm. Actually you can selectively disable Spam Assassin for selected websites, but I don't know if a script could even be created to mass edit individual config files to disable SA and, after that, manually activate SA only in the affected domains. That would be so cool...
     
  17. sehh

    If you have a VPS (or a system with the equivalent power of a 386) then edit your WHM configuration and set SA's max-children to 2 or even 1. The default is too high for small VPS servers.
     
  18. Kent Brockman

    ok, where in the WHM can this be set?
     
  19. sehh

    in WHM, under the cPanel section, click on "Manage Plugins", in this page, then install the spamdconf plugin by selecting the "Install and Keep updated". Click Save at the bottom of the page.

    Now, under the Plugins section, click on "Setup Spamd Startup Configuration" and in this page set the Maximum Children to 2 or 1.
     
    Kent Brockman likes this.
  20. Kent Brockman

    Cool, do you know what the default values used by SA are? Because I've been testing setting "Maximum Children" to 5 and it has been running pretty well. Now that I know about this spamdconf plugin, I found in these forums that others have set "Maximum Connections Per Child" to 25. I don't know how that setting could impact performance if I set a lower value: will it delay email scanning?

    Also, do I need to set any value for "Allowed IPs" or will 127.0.0.1 be the "de facto" value?

    Regards
     