The Community Forums


Server Setup Tips - stop spam/viruses

Discussion in 'General Discussion' started by jcsolutions, Aug 21, 2003.

  1. jcsolutions (Canada)

    Ok, this Sobig.f virus and the recent formmail.pl breach *attempts* have had me scrambling. I've been reading, reading, reading to find information on how to block unwanted messages (spam, viruses, attachments, etc.). Unfortunately, the info is scattered all over the Internet and some is hard to find. (And I'm sure I haven't found everything yet!)

    So, I thought I would start this thread to see if it might help myself and others. Especially since there are many servers still getting hammered by Sobig.f. Please list any and all configuration tips, special scripts, suggested installs, etc. that you think might be beneficial to others. Keep in mind that people with little knowledge might be reading this, so being descriptive will help a lot.

    Please, no comments that people who don't already know this stuff shouldn't have a server, etc. Honestly, that may be true, but it's not the world we live in. Spam and viruses affect all of us. The more servers out there combating the problem, the better off we *all* are!

    Ok, let's get on with it.

    My first suggestion for people just starting out would be to use the following guide to install MailScanner and ClamAV anti-virus. I found it quite easy to use and get going. This will help with viruses, attachments, and possibly spam.
    http://www.cpanelplus.com/staticpages/index.php?page=2003073009541160

    There are many configuration tweaks that would be better than the default install. I'm hoping others can add input on this.

    -----
    -----

    Exim options and definitions:
    Exim has many options that are not part of the default config file. The options, as well as complete descriptions, are located at http://www.exim.org/exim-html-4.20/doc/html/spec_13.html#CHAP13

    Complete Exim documentation is found here:
    http://www.exim.org/docs.html

    -----
    -----

    ACLs (Access Control Lists)
    http://www.exim.org/exim-html-4.20/doc/html/spec_37.html#CHAP37

    Does what the name says. Lets you control access to and from your server, though the above docs can be a bit overwhelming.

    -----
    -----

    SPAM Prevention
    Directly related to the above notes, in your /etc/exim.conf file, find the following:

    check_message:
      require verify = header_sender
      accept

    And place this under it:

    # Check sending hosts against DNS black lists.
    # Reject message if address listed in blacklist.
    deny message  = rejected because $sender_host_address is blacklisted at $dnslist_domain\n $dnslist_text
         dnslists = sbl.spamhaus.org : relays.ordb.org : list.dsbl.org

    # This statement uses regular expressions to reject addresses with local parts that
    # contain any of the characters "@", "%", "!", "/", and "|", or that begin with
    # dots. Although these characters are entirely legal in local parts (in the case of "@"
    # and leading dots, only if correctly quoted), they do not normally occur in Internet
    # mail addresses.
    deny local_parts = ^.*[@%!/|] : ^\\.
         message     = I've never seen @, %, !, /, or | in an e-mail. Neither should you.

    # Allow mail to postmaster on blacklisted local domains
    # Mail to postmaster is never blocked by any subsequent tests.
    accept local_parts = postmaster
           domains     = +local_domains

    # Requires the sender address to be verified.
    require verify = sender

    -----
    -----

    The above are just suggested code and reading. Settings for your own server(s) may need to be different.

    Please submit your own settings! Thanks.:)

    #1 jcsolutions, Aug 21, 2003
    Last edited: Aug 28, 2003
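To see what the ACL statements in the post above actually test, here is an added Python example (mine, not part of this thread and not Exim code) that mirrors the checks offline in the posted order: it builds the DNSBL query name Exim looks up for $sender_host_address (the IPv4 octets reversed, then the zone), applies the two local_parts patterns, and applies the postmaster exemption. The DNS answers are a constructed table standing in for live lookups (a listed host answers with a 127.0.0.x A record, and any TXT record becomes $dnslist_text); relays.ordb.org and list.dsbl.org have since been shut down, so a live configuration should use current lists. Two Exim caveats worth checking before pasting the original: local_parts and domains conditions are meaningful only in the ACL Exim runs for RCPT commands, and ACL statements are evaluated in order, so nothing placed after an unconditional accept is ever reached.

```python
import ipaddress
import re

# The two items from "deny local_parts = ^.*[@%!/|] : ^\\." as regexes.
# To Exim a list item beginning with ^ is a regex; ^ anchors it at the start.
LOCAL_PART_DENY = [re.compile(r"^.*[@%!/|]"), re.compile(r"^\.")]

# Zones from the posted dnslists line, queried in this order.
DNSLISTS = ["sbl.spamhaus.org", "relays.ordb.org", "list.dsbl.org"]

# Constructed stand-in for DNS (assumption, not live data): a listed name
# maps to (A record, TXT text); anything else is "not listed".
CONSTRUCTED_DNS = {
    "4.3.2.1.sbl.spamhaus.org": ("127.0.0.2", "listed in SBL (constructed answer)"),
}


def dnsbl_query_name(sender_host_address, zone):
    """Name Exim queries for an IPv4 peer: octets reversed, then the zone.
    1.2.3.4 + sbl.spamhaus.org -> 4.3.2.1.sbl.spamhaus.org"""
    addr = ipaddress.IPv4Address(sender_host_address)  # rejects garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_lookup(name):
    """Stand-in for the A/TXT lookup; returns (value, text) or None."""
    return CONSTRUCTED_DNS.get(name)


def acl_check(sender_host_address, local_part, domain, local_domains):
    """Run the posted statements in order and return (verb, message).
    'continue' means nothing fired and Exim would go on to the
    'require verify = sender' statement."""
    # deny ... dnslists = ...   (checked first, so even postmaster mail from a
    # listed host is refused, exactly as the posted order implies)
    for zone in DNSLISTS:
        hit = dns_lookup(dnsbl_query_name(sender_host_address, zone))
        if hit is not None:
            _value, dnslist_text = hit
            return ("deny",
                    f"rejected because {sender_host_address} is blacklisted "
                    f"at {zone}\n {dnslist_text}")
    # deny local_parts = ^.*[@%!/|] : ^\\.
    if any(rx.search(local_part) for rx in LOCAL_PART_DENY):
        return ("deny", "I've never seen @, %, !, /, or | in an e-mail. Neither should you.")
    # accept local_parts = postmaster  domains = +local_domains
    if local_part == "postmaster" and domain in local_domains:
        return ("accept", "postmaster on a local domain; later tests are skipped")
    return ("continue", "no match; falls through to 'require verify = sender'")


if __name__ == "__main__":
    local = {"example.com"}
    for host, lp, dom in [("1.2.3.4", "alice", "example.com"),
                          ("5.6.7.8", "bob%relay.example", "example.com"),
                          ("5.6.7.8", ".dotfirst", "example.com"),
                          ("5.6.7.8", "postmaster", "example.com"),
                          ("5.6.7.8", "carol", "example.com")]:
        verb, msg = acl_check(host, lp, dom, local)
        print(f"{host:10} {lp + '@' + dom:30} -> {verb}: {msg.splitlines()[0]}")
```

The constructed table is the only thing standing between this and a real check: replacing dns_lookup with a resolver query for the same name is all a live version needs.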
  2. jcsolutions (Canada)

    Note: I have just discovered that when using the Exim Configuration Editor in WHM, any changes you made to the exim.conf file that were NOT through the editor get overwritten.

    So, either make a backup of exim.conf before you use the editor, then add your modifications again. Or, just don't use the editor and do all edits through SSH.

  3. jcsolutions (Canada)

    Guess this will be my own little thread... ;)

    Here's another helpful hint:

    In the exim.conf file, smtp_enforce_sync is set to false by default. Change this to true. If it's set to true, it requires the client to wait for a response from the server at certain points in the dialogue. It will reject messages if the client sends further output without waiting for a server response (which would then most likely be a spammer).

    This can also be found in the exim docs.

  4. kris1351 (Lewisville, Tx)

    After installing the layer1 MailScanner+ClamAV we can no longer add any of the RBLs like this. Anyone have any suggestions?

  5. B12Org (Seattle Washington)

    Thanks for the Tips!

  6. jcsolutions (Canada)

    You're welcome! :)

    Since this seems to be useful to at least one person, I'll keep going... hehe

    HOW TO BLOCK SPECIFIC DOMAINS FROM THE SERVER:

    /etc/exim.conf

    Near the top of the file, under 'domainlist relay_domains', add:
    domainlist reject_domains = lsearch;/etc/rejectdomains

    Then scroll down to the Routers section. At the end of this section, add:

    # Deny and send notice to list of rejected domains.
    reject_domains:
      driver = redirect
      domains = +reject_domains
      allow_fail
      data = :fail: The domain $domain is no longer supported.

    Exit and save the changes.

    Now create the 'rejectdomains' file in the /etc directory. Add each domain you want to block on a new line.

    Restart exim and you're done.

    Elsewhere in the forums I have seen the suggestion to use the /etc/spammers file to block domains, however it appears this does not work unless each client has SpamAssassin turned on. So I don't use this.

    #6 jcsolutions, Aug 26, 2003
    Last edited: Aug 26, 2003
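An added Python example (mine, not from this thread) of what the reject_domains router above decides, with a constructed file standing in for /etc/rejectdomains. The point it makes is the one that matters when testing the setup: a router's domains condition is tested against the domain of the recipient address being routed, so mail addressed to a listed domain fails with the :fail: text, while mail sent from a listed domain to one of your own users is untouched. The lsearch file format is as Exim documents it: one key per line, optionally followed by a colon and a value, with blank and # lines ignored. The sample domains are invented.

```python
import io

# Constructed stand-in for /etc/rejectdomains (assumption: these are not real
# domains). lsearch keys may stand alone or be followed by ": value".
REJECTDOMAINS = """\
# domains this server no longer hosts
oldclient.example
defunct.example.net: moved away 2003-08
"""


def load_lsearch_keys(text):
    """Collect the keys of an lsearch-style file. Keys are lowercased because
    domain names are case-insensitive."""
    keys = set()
    for raw in io.StringIO(text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split(":", 1)[0].strip()   # "key: value" -> key
        keys.add(key.lower())
    return keys


def reject_domains_router(sender, recipient, reject_domains):
    """Mimic the posted redirect router. Only the RECIPIENT's domain is
    tested (that is what a router's 'domains' condition sees); the sender is
    passed in purely to show that it plays no part in the decision."""
    _, _, domain = recipient.rpartition("@")
    if domain.lower() in reject_domains:
        # allow_fail + ":fail:" => the address fails with this text, which
        # ends up in the bounce (or, with recipient verification in the RCPT
        # ACL, in the SMTP rejection).
        return ("fail", f"The domain {domain} is no longer supported.")
    return ("pass", "domain not listed; later routers handle the address")


if __name__ == "__main__":
    listed = load_lsearch_keys(REJECTDOMAINS)
    cases = [("someone@msn.com", "user@oldclient.example"),     # rejected
             ("user@oldclient.example", "me@mylocal.example"),  # NOT rejected
             ("x@y.example", "user@DEFUNCT.example.net")]       # caseless
    for sender, rcpt in cases:
        verb, text = reject_domains_router(sender, rcpt, listed)
        print(f"from {sender:24} to {rcpt:26} -> {verb}: {text}")
```

If what you want is to refuse mail *from* a domain rather than *to* it, a router is the wrong tool; that decision belongs in the RCPT-time ACL, for example with a senders condition, which is outside the code this thread shows.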
  7. justchil

    Hmmm Great help!

    I think.. I'm not having any luck with this at all..

    The only thing in question was this... Maybe I put that last section of code in the wrong area? Below is where I put mine...


    fail_remote_domains:
      driver = redirect
      domains = ! +local_domains
      allow_fail
      data = :fail: unrouteable mail domain "$domain"

    # Deny and send notice to list of rejected domains.
    reject_domains:
      driver = redirect
      domains = +reject_domains
      allow_fail
      data = :fail: The domain $domain is no longer supported.

    #!!#######################################################!!#
    #!!# Here follow routers created from the old directors, #!!#
    #!!# for handling local domains.                         #!!#
    #!!#######################################################!!#


    Also, I've added domains to /etc/rejectdomains. I added:

    msn.com
    anotherdomain.com

    and tried sending email... and it worked! Incoming and outgoing :\

    Sorry for the sloppy post :|

  8. jcsolutions (Canada)

    Ok, I'm confused by your above comments. Are you having problems or did you get it working?

    From what I can tell, it appears that the code and placement is correct. Is your exim_paniclog saying anything?

  9. justchil

    Sorry what I meant was emails are still coming through. So I haven't got it working. I don't see anything related in the panic log.

    I am using the right format in my /etc/rejectdomains right?

    foo.com
    # this would block everything from foo.com

  10. jcsolutions (Canada)

    Yep. That's right. (I've just tested it again just to make sure.)

    Where did you place the following line in the exim.conf file?

    domainlist reject_domains = lsearch;/etc/rejectdomains

  11. justchil

    Right here (below):

    #!!# This setting defines a named domain list called
    #!!# local_domains, created from the old options that
    #!!# referred to local domains. It will be referenced
    #!!# later on by the syntax "+local_domains".
    #!!# Other domain and host lists may follow.

    domainlist local_domains = lsearch;/etc/localdomains
    domainlist reject_domains = lsearch;/etc/rejectdomains

    domainlist relay_domains = lsearch;/etc/localdomains : \
                               lsearch;/etc/secondarymx
    hostlist relay_hosts = lsearch;/etc/relayhosts : \
                           localhost

    What about permissions on /etc/rejectdomains?

    -rw-r--r--

    That should be more than enough, I think.
     
    #11 justchil, Aug 27, 2003
    Last edited: Aug 27, 2003
  12. jcsolutions (Canada)

    The location is good and your permissions are the same as mine.

    Unfortunately, this is now going beyond my abilities. It worked right away for me. I can't think of anything else that should be checked. Did you restart exim after the changes? There are much more experienced users here than I. Perhaps one of them can help.

  13. wwwhosts (NZ)

    This works well, thanks.
    Great thread too, jcs.

    Is it possible to add .pif, .scr to the code above to stop all these viruses piling up in the mail queue?
    But that's an attachment, isn't it, so wouldn't be read?

  14. jcsolutions (Canada)

    The code above won't do that, but this will. (Big thanks to rlpittman for this!)


    BLOCK .PIF, .SCR, OR .EXE ATTACHMENTS

    In /etc/antivirus.exim, before the section:

    if not first_delivery
    then
      finish
    endif


    Add the following:

    # Each pattern is an Exim double-quoted string: \\ reaches the regex as a single
    # backslash (so \\. is a literal dot and \\S a non-space) and \" as a double quote.
    # Look for .pif, .scr or .exe in files and REMOVE them!
    # Quoted filename in the Content-Type header - [content_type_quoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\.(?:ad[ep]|exe|pif|scr)\")"
    then
      seen finish
    endif

    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\S+\\.(?:ad[ep]|exe|pif|scr))"
    then
      seen finish
    endif

    # Look for .pif, .scr or .exe in the body (MIME part headers or a uuencode "begin" line)
    # and REMOVE them! Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|exe|pif|scr)\")[\\s;]"
    then
      seen finish
    endif

    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|exe|pif|scr))[\\s;]"
    then
      seen finish
    endif


    Original post found here:
    http://forums.cpanel.net/showthread.php?s=&threadid=13699&postid=64732#post64732

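The four filter tests in the post above are PCRE patterns run over $header_content-type: and $message_body. This added Python example (mine, not from the thread or from the antivirus.exim file) runs the same patterns over constructed messages so you can see what each one catches: a quoted and an unquoted name= in a single-part Content-Type header, an attachment part inside a multipart body, a uuencoded "begin 644" block, and a harmless .txt that must pass. The atomic groups (?>\s*) are written as plain \s*, since Python's re only accepts atomic groups from 3.11 and the match result is the same here. One caveat the example reproduces: Exim puts only the first message_body_visible bytes of the body into $message_body (500 by default) and folds its newlines to spaces, so an attachment header deep in a long message is not seen by the body tests unless that setting is raised.

```python
import re

EXTS = r"(?:ad[ep]|exe|pif|scr)"   # the extensions in the posted patterns

# Header checks: a single-part message whose Content-Type: names the file.
HEADER_QUOTED = re.compile(r'(?:file)?name=("[^"]+\.' + EXTS + r'")')
HEADER_UNQUOTED = re.compile(r'(?:file)?name=(\S+\.' + EXTS + r')')

# Body checks: a MIME part header ("Content-Type: x/y; name=" or
# "Content-Disposition: attachment; filename=") or a uuencode "begin 644 name".
BODY_PREFIX = (r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);"
               r"\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)")
BODY_QUOTED = re.compile(BODY_PREFIX + r'("[^"]+\.' + EXTS + r'")[\s;]')
BODY_UNQUOTED = re.compile(BODY_PREFIX + r'(\S+\.' + EXTS + r')[\s;]')

MESSAGE_BODY_VISIBLE = 500   # Exim's default for how much body $message_body holds


def blocked_attachment(content_type, body, visible=MESSAGE_BODY_VISIBLE):
    """Apply the four tests in the posted order. Returns the captured filename
    ($1 in the filter) or None. The body is cut to `visible` bytes and its
    newlines folded to spaces, as Exim does when it builds $message_body."""
    for rx in (HEADER_QUOTED, HEADER_UNQUOTED):
        m = rx.search(content_type)
        if m:
            return m.group(1)
    folded = body[:visible].replace("\r\n", " ").replace("\n", " ")
    for rx in (BODY_QUOTED, BODY_UNQUOTED):
        m = rx.search(folded)
        if m:
            return m.group(1)
    return None


# Constructed sample messages (assumptions for the demo, not real captures).
SINGLE_QUOTED = 'application/octet-stream; name="readme.pif"'
SINGLE_UNQUOTED = 'application/x-msdownload; name=setup.exe'
SINGLE_BENIGN = 'text/plain; name="report.txt"'
MULTIPART_CT = 'multipart/mixed; boundary="b1"'
MULTIPART_BODY = (
    "--b1\nContent-Type: text/plain\n\nsee attached\n"
    "--b1\nContent-Type: application/octet-stream; name=\"photo.scr\"\n"
    "Content-Disposition: attachment; filename=\"photo.scr\"\n\nTVqQAAMAAAAEAAAA\n--b1--\n")
UUENCODED_BODY = "begin 644 invoice.pif\nM35I0``,````$````\n`\nend\n"
# A long text part pushes the attachment header past the 500-byte window.
LATE_BODY = ("--b1\nContent-Type: text/plain\n\n" + ("lorem ipsum " * 50)
             + "\n--b1\nContent-Type: application/octet-stream; name=\"tool.exe\"\n\nTVqQ\n--b1--\n")


if __name__ == "__main__":
    print(blocked_attachment(SINGLE_QUOTED, ""))                                # "readme.pif"
    print(blocked_attachment(SINGLE_UNQUOTED, ""))                              # setup.exe
    print(blocked_attachment(SINGLE_BENIGN, ""))                                # None
    print(blocked_attachment(MULTIPART_CT, MULTIPART_BODY))                     # "photo.scr"
    print(blocked_attachment("text/plain", UUENCODED_BODY))                     # invoice.pif
    print(blocked_attachment(MULTIPART_CT, LATE_BODY))                          # None (past 500 bytes)
    print(blocked_attachment(MULTIPART_CT, LATE_BODY, visible=len(LATE_BODY)))  # "tool.exe"
```

The last two calls are the one to think about on a real server: the filter silently discards (seen finish) whatever these patterns match, and silently passes whatever sits beyond the visible window, so a test with a small message says nothing about a large one.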
  15. psw1

    ENDACLBLOCK ???

    I Guess I'm a true dummy but I can't locate the %ENDACLBLOCK% referred to in the original post.

    I am in the editor on WHM, I see all the text boxes, even the ACL area, but I can't locate the ENDACLBLOCK

    Please point me in the right direction?

    Thanks in advance and sorry for asking a stupid question...

  16. jcsolutions (Canada)

    Re: ENDACLBLOCK ???

    Sorry, when I originally posted that message, I was using the Exim Configuration Editor in WHM. %ENDACLBLOCK% is a reference to that. I have since stopped using it, as it overwrites any changes made outside the editor (see my second post in this thread).

    Look for these lines in your exim.conf file and place the code below here.

    check_message:
    require verify = header_sender
    accept

    (I've also edited my original post for this. Thanks for pointing it out psw1.)

    #16 jcsolutions, Aug 28, 2003
    Last edited: Aug 28, 2003
  17. wwwhosts (NZ)

    Thanks for BLOCK .PIF, .SCR, OR .EXE ATTACHMENTS.

    It would probably be better to edit exim.conf via WHM, or any changes made may be overwritten.

    In any case, always make a backup of the original file, and your edited file/s.

    smtp_enforce_sync is placed in the configure field (the first box at the top).

  18. equivity (Daytona Beach, Florida)

    Thank you, thank you for starting this thread. I have been working on doing these things today. I got MailScanner working and it seems to be working well, since I got over 100 notices about viruses. Now how the hell can I turn that off (the notification of a virus, that is)? I really do not want to keep getting those, unless it is something I should keep track of; please let me know.

  19. rs-freddo (Australia)

    Personally I'd put that code between these lines, NOT before them:

    if not first_delivery
    then
      <place code here>
      finish
    endif

    If you place it before them you will delete legitimate .exe and .scr without informing the sender (as per the code in the rest of the antivirus.exim file). Placing it where I say will delete mail in the queue that cannot be returned (with the warning to zip the file).

  20. equivity (Daytona Beach, Florida)

    I got this when I updated the exim.conf file and tried to restart it. Earlier in the day I did a Perl module update; do I now need to update this, and if so, how?


    Starting spamd: Can't locate HTML/Parser.pm in @INC (@INC contains: ../lib /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .) at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/HTML.pm line 7.
    BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/HTML.pm line 7.
    Compilation failed in require at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 44.
    BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 44.
    Compilation failed in require at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin.pm line 62.
    BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin.pm line 62.
    Compilation failed in require at /usr/bin/spamd line 32.
    BEGIN failed--compilation aborted at /usr/bin/spamd line 32.
