
Spam Filter

Discussion in 'General Discussion' started by mickalo, Nov 26, 2006.

  1. mickalo

    Hello,

    We have been working on cutting down our spam this past week, and thanks to all the great info provided on this forum, have reduced it greatly.

    I recall a thread regarding this new spam coming through, with the subject:
    SomeNameHere wrote: , i.e. Debra Wrote: which seems to still be getting through. But I can't seem to find the thread that addressed this issue.

    If someone knows how to catch this type of spam, I would appreciate a rule or filter to catch these types.

    TIA,
    Mickalo
     
  2. mctDarren

    Add a rule to local.cf if you are using spamassassin:
    Code:
    header    WROTESPAM     Subject =~ /^wrote\:/i
    score     WROTESPAM     9.000
    
    Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. Hope that helps!
     
  3. mickalo

    Thanks webtiva, we'll add this and see what happens, much appreciated.

    Where can one get these "stock rulesets" from? We already implemented the image rules, which seem to be working great .... so far!!

    Mickalo
     
  4. mctDarren

  5. mickalo

    again, much appreciated :)

    I tried to get that "Rules Du Jour" auto setup, but the link that was posted here to that earlier on this forum seems to be a dead link or incorrect. Do you happen to have that correct link for this setup ?

    Thx's
    Mickalo
     
  6. mctDarren

    A decent auto installer is located here, or you can check out their how to page here.

    I also highly recommend Chirpy's MailScanner setup here, which includes it. For $35 they install Mailscanner with clamAV; they set up SA, Vipul's Razor and DCC; plus they install a WHM front end for you and your hosting customers. WELL worth the cost!
     
  7. mickalo

    Much appreciate all the info, you've been a big help :)

    I've been strongly considering having Chirpy do his setup w/MailScanner package on our server, but I'm just a bit concerned about the load that I've read a lot about that MailScanner can put on the server.

    We only run about 45 domains on our server, with approx. 3-4000 emails daily and about 100 POP accounts. We do run 1GB mem., and average about 30-40% CPU usage daily, which I think the server should be able to handle. Gonna think about it a bit more tho.

    Again, appreciate your info,
    Mickalo

    P.S. to anyone that may use the autoinstaller: they must edit two configuration settings, 1) location of spamassassin folder and 2) path to restart spam.
    This is for the cPanel install.
     
    #7 mickalo, Nov 26, 2006
    Last edited: Nov 26, 2006
  8. secretreal


    It doesn't have any effect :S

    I use MailScanner; should I do something different?
     
  9. secretreal

    Can anybody give advice about this :(
     
  10. mctDarren

    After adding that rule, restart exim and MailScanner and check again. I use MailScanner as well...
     
  11. asmithjr

    Where did you put the rule?
    local.cf ??
     
  12. Sash

    Messages that contain "Name wrote:" are still getting by. Any advice?

    I added the code to /etc/mail/spamassassin/local.cf

    Thanks,
    Mike
     
  13. Adrnalnrsh

    Not working for me either, using Chirpy's MailScanner installation.
     
  14. intonet

    I'm trying to capture these damned "xxx wrote:" e-mails as well.

    I've added a rule to the global local.cf file, which as you can see from the following header extract it is picking up. What it's not doing though is marking it as SPAM. I've set the score to 6.0 in the rule...

    X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
    xeon.intonet-technology.co.uk
    X-Spam-Level: **
    X-Spam-Status: No, score=2.5 required=5.0 tests=BAYES_00,LOCAL_WROTE_RULE
    autolearn=no version=3.1.7

    Any ideas folks?

    - Tim
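
A way to read the X-Spam-Status header quoted in the post above and separate "the rule never hit" from "the rule hit but the total stayed under the required score". This is an added example, not part of the original thread; the function names and the second, folded header in the test are constructed for illustration.

```python
import re

# X-Spam-Status as quoted in post 14; the tab that folds the second line is
# restored here by assumption (the forum page lost the leading whitespace).
RAW_HEADERS = (
    "X-Spam-Level: **\n"
    "X-Spam-Status: No, score=2.5 required=5.0 tests=BAYES_00,LOCAL_WROTE_RULE\n"
    "\tautolearn=no version=3.1.7\n"
)


def parse_spam_status(raw_headers):
    """Return verdict, score, threshold and rule hits from X-Spam-Status."""
    # Unfold continuation lines, then close up a tests= list that was
    # folded after a comma ("A,B,\n\tC" -> "A,B,C").
    text = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    text = re.sub(r",[ \t]+", ",", text)
    m = re.search(r"^X-Spam-Status:\s*(Yes|No),(.*)$", text, re.M | re.I)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group(2).split() if "=" in p)
    if "score" not in fields or "required" not in fields:
        return None
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "is_spam": m.group(1).lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": tests,
    }


def diagnose(status, rule_name):
    """Classify the result for one rule; returns (state, points short of required)."""
    shortfall = round(max(status["required"] - status["score"], 0.0), 2)
    if rule_name not in status["tests"]:
        return ("rule_did_not_hit", shortfall)        # rule not loaded or pattern wrong
    if not status["is_spam"]:
        return ("hit_but_below_required", shortfall)  # total score under the threshold
    return ("tagged_as_spam", 0.0)


if __name__ == "__main__":
    status = parse_spam_status(RAW_HEADERS)
    print(status, diagnose(status, "LOCAL_WROTE_RULE"))
```
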
     
  15. cbwass

    You can stop them getting through using /etc/antivirus.exim.

    Find:

    if error_message and $header_from: contains "Mailer-Daemon@"
    then
    # looks like a real error message - just ignore it
    finish
    endif

    #Then right under it put:

    if $header_subject: contains "wrote"
    then
    seen finish
    endif

    It should look like this.

    if error_message and $header_from: contains "Mailer-Daemon@"
    then
    # looks like a real error message - just ignore it
    finish
    endif

    if $header_subject: contains "wrote"
    then
    seen finish
    endif
     
  16. asmithjr

    Great!

    Remember to make sure your WHM->System Configuration->Exim Configurator Editor has the /etc/antivirus.exim selected (Use the Default)
     
  17. asmithjr

    Sure did on 3 of my servers.
     
  18. mctDarren

    Won't this stop any email that has the word "wrote" in the subject?
     
  19. cbwass

    It will stop all mail with 'wrote' in the subject.
     
  20. mctDarren

    We need to figure out why that rule isn't hitting your spam. When you look at the headers, what is the SA score on those that are getting through? If you see that it's not hitting for some reason, something is wrong with the set up. If you see it is hitting, then you might have a higher spam score requirement than what we are assigning in that rule. Sometimes I will write several rules, just to make sure that legit mail can still sneak past.

    It's probably because of my custom set up, however, that mine are getting blocked. I have an extensively trained Bayesian database, plus I raise some rules scores as well - giving that little extra push for these annoying messages. Right now the "(name) wrote:" spam is hitting these rules for our servers:

    3.50 BAYES_99 Bayesian spam probability is 99 to 100%
    2.86 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
    4.50 NAMEWROTE
    1.00 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    2.40 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
    1.00 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

    So the only "wrote:" spam rule I have is this:
    Code:
    ## (NAME) WROTE:
    header  NAMEWROTE       Subject =~ /.*wrote\:/i
    score   NAMEWROTE       4.500
    
    You could also add another like so:
    Code:
    ## (NAME) WROTE2:
    header  NAMEWROTE2       Subject =~ /.*wrote/i
    score   NAMEWROTE2       2.200
    
    This way if the "wrote:" (with the colon) is there, it hits both and ups the score. If someone puts in their legit mail subject "I wrote to you yesterday!" it will only hit the smaller score and lessen the chance for a false positive. But for those that it is not hitting, check your High Spam Score on those email accounts that these are slipping past. If you have a high spam score of 12 needed, and the spam is hitting a score of 9 only, they will come through. Use the tools you have (bayesian database, DCC, Razor, etc) to get your system to the point that these will be blocked. Hope this helps...
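
The three Subject rules posted in this thread, run against sample subjects to show which ones hit and how the stacked scores compare with the required score. This is an added example, not part of the original posts: the sample subjects are constructed, `other_score` is a hypothetical stand-in for whatever other tests contributed, and Python's `re` stands in for SpamAssassin's Perl regex matching (these patterns behave the same in both). Note that `^` in the first rule anchors to the start of the Subject value, so it only hits subjects that begin with "wrote:".

```python
import re

# Subject rules exactly as posted in this thread: (name, pattern, score).
RULES = [
    ("WROTESPAM",  r"^wrote\:",  9.0),   # post 2: anchored at start of Subject
    ("NAMEWROTE",  r".*wrote\:", 4.5),   # post 20: "wrote:" anywhere
    ("NAMEWROTE2", r".*wrote",   2.2),   # post 20: "wrote" anywhere, no colon
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), s) for n, p, s in RULES]


def hits(subject, enabled):
    """Return {rule_name: score} for the enabled rules that match the subject."""
    # Header rules are unanchored searches unless the pattern itself uses
    # ^ or $, so re.search (not re.match) is the equivalent here.
    return {n: s for n, rx, s in COMPILED if n in enabled and rx.search(subject)}


def verdict(subject, enabled, other_score=0.0, required=5.0):
    """Sum matching rule scores plus other tests; compare with the threshold."""
    matched = hits(subject, enabled)
    total = round(other_score + sum(matched.values()), 2)
    return total, total >= required, sorted(matched)


# Constructed sample subjects (not taken from real mail).
SPAM = "Debra wrote:"
LEGIT = "I wrote to you yesterday!"

if __name__ == "__main__":
    both = {"NAMEWROTE", "NAMEWROTE2"}
    for subj in (SPAM, LEGIT):
        print(repr(subj), hits(subj, {"WROTESPAM"}), verdict(subj, both))
    # Same spam subject against an account that requires 12 points.
    print(verdict(SPAM, both, required=12.0))
```
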
     