Spam protection (Thanks to Chirpy)

motoenth

Registered
Jan 29, 2004
NC, USA
I've been visiting this forum for a while and don't have a lot of posts but I felt this was important enough to share.

If any of you are tired of banging your head against a wall trying to combat spam, please visit http://www.configserver.com/cp/mailscanner.html and buy this service. It was installed quickly and I couldn't be happier. It's packed full of features and darn easy to manage. I'm thankful I found it.

Thanks very much, Jonathon!

Blair
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
Well no one can ever say Jonathan does not give good bang for the buck. (good thing I spelled that right) :D

Jonathan is one of the few people I would ever trust giving access to our servers. :cool:
 

SageBrian

Well-Known Member
Jun 1, 2002
NY/CT (US)
cPanel Access Level
Root Administrator
I've actually been getting more business thanks to Chirpy's service. As people complain about spam, my customers mention that they don't get much anymore. Ring ring.... hi, I hear your servers get no spam? :)

Even if you can do it yourself, the cost of having Jonathon doing it makes it a no-brainer.

Brian
 

brianc

Well-Known Member
May 16, 2003
Highly recommended

Hi All:

Chirpy installed the Mailscanner package last night for me and I was blown away by the functionality of his package when I checked the server out this morning.

This package blows away the Exiscan - ClamAV - Exim offering that is being mentioned on these boards. I used the Exiscan service with cPanel's installation of Spam Assassin and it was simply not doing the job of keeping up with the unending onslaught of the spamming hordes.

I would recommend this package whole-heartedly and you may want to order it before Chirpy becomes a good capitalist and raises the price of the installation. ;) Especially after he reads all of this great feedback.

Chirpy and RFX Networks is a credit to the web hosting industry.

Brian
 

Spiral

BANNED
Jun 24, 2005
Really what is provided in Cpanel is already more than sufficient in controlling SPAM
assuming you take a few moments to configure "Spamassassin" and "Exim" properly.

By default, both of those programs are not really configured for SPAM by cPanel
but that is something that only takes a few moments to fix and will make your
spam protection about a million times more effective ....

In your Linux shell as root, do the following:

    # cd /etc
    # touch rblblacklist rblbypass rblwhitelist

Next, log in to your WHM control panel for your server and open
up the "Exim Configuration Editor" under the "Service Configuration" section
and make sure the following option is checked:

"Verify the existance of email senders"

Next, click on the button labeled "Switch to Advanced Mode". This will allow
you to directly edit the configuration for the Exim mail server so you can
give your server the ability to check incoming mail against blacklists
immediately upon the SMTP initial connection.

In the very first whitebox you see where it says "#!!# cPanel Exim 4 Config"
just above the whitebox, paste the following lines:

    domainlist rbl_blacklist = lsearch;/etc/rblblacklist
    domainlist rbl_bypass = lsearch;/etc/rblbypass
    hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

Scroll on down to where it says "begin acl" and you will see 3 whitebox areas
under that line that you can input configuration instructions.

In the center box of those 3 whiteboxes, paste the following:

    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
      #**#
      #**# RBL List Begin
      #**#
      #
      # Always accept mail to postmaster & abuse for any local domain
      #
      accept  domains = +local_domains
              local_parts = postmaster:abuse
      #
      # Check sending hosts against DNS black lists.
      # Accept all locally generated messages
      # Reject message if address listed in blacklist.
      deny    message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
              !hosts = +relay_hosts
              !authenticated = *
              dnslists = dnsbl.njabl.org :bl.spamcop.net :sbl.spamhaus.org :list.dsbl.org :cbl.abuseat.org :relays.ordb.org :dnsbl.sorbs.net
              # RBL Bypass Local Domain List
              !domains = +rbl_bypass
              # RBL Whitelist incoming hosts
              !hosts = +rbl_whitelist
      #**#
      #**# RBL List End
      #**#

      # Accept bounces to lists even if callbacks or other checks would fail
      warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}

      accept  condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


      # Accept bounces to lists even if callbacks or other checks would fail
      warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

      accept  condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

      #if it gets here it isn't mailman

      #sender verifications are required for all messages that are not sent to lists

      require verify = sender
      accept  domains = +local_domains
      #**#
      #**# Reject Email to Invalid Recipient
      #**#
              endpass
              message = unknown user
              verify = recipient
      #**#
              endpass

      #recipient verifications are required for all messages that are not sent to the local machine
      #this was done at multiple users requests

              message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
              verify = recipient

      accept  domains = +relay_domains

      warn    message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
              hosts = +relay_hosts
      accept  hosts = +relay_hosts

      warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
              condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                relay through this server. Perhaps you \
                have not logged into the pop/imap server in the \
                last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *

      deny    message = $sender_fullhost is currently not permitted to \
                relay through this server. Perhaps you \
                have not logged into the pop/imap server in the \
                last 30 minutes or do not have SMTP Authentication turned on in your email client.


    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      accept

(NOTE: If you get any error messages when saving your EXIM config, long wrapping
lines probably got cut into two lines in your cut and paste, EXIM doesn't like this so
any wrapping lines should be put back together into 1 single line. An example
would be the "dnslists" line above which is very long)

Continuing on, next scroll on down to the first whitebox you see under the
section labeled "ROUTERS CONFIGURATION" and paste the following lines:

    # Deny and send notice to list of rejected domains.
    reject_domains:
      driver = redirect
      # RBL Blacklist incoming hosts
      domains = +rbl_blacklist
      allow_fail
      data = :fail: Connection rejected: SPAM source $domain is locally blacklisted.

Save your Exim configuration. All mail is now verified and also checked
against the major blacklists and known spam senders are blocked immediately
upon connecting to your SMTP server.

Now if you want to find out how much SPAM you have already blocked with
the new settings I just gave you above, just go to "/var/log" in your Linux
shell and type the following commands:

    # cd /var/log
    # grep -c "blacklist" ./exim_mainlog

The number returned is the number of incoming messages from known
spam senders that were blocked immediately upon connection.

If you want to actually see the list, delete the "-c" from the above command.

The next thing I would do is go back into your Linux shell and optimize the
configuration for Spamassassin and increase the score on those rules that
would only be in SPAM messages. An example from my own server would be:

    score BAYES_00 -6.00
    score BAYES_05 -4.00
    score BAYES_20 -2.00
    score BAYES_40 1.00
    score BAYES_50 2.00
    score BAYES_60 4.00
    score BAYES_80 6.00
    score BAYES_95 8.00
    score BAYES_99 10.00

    score SUBJ_HAS_UNIQ_ID -1.00
    score MORE_SEX 3.50
    score FREE_PORN 3.50
    score CUM_SHOT 3.50
    score LIVE_PORN 3.50
    score HARDCORE_PORN 3.50
    score HOT_NASTY 1.50
    score NASTY_GIRLS 4.10
    score BAD_CREDIT 1.75
    score SELECTED_YOU 2.25
    score SUBJECT_DRUG_GAP_VIA 3.50
    score FORGED_RCVD_HELO 1.20
    score FORGED_HOTMAIL_RCVD 3.50
    score FORGED_HOTMAIL_RCVD2 2.50
    score HELO_DYNAMIC_IPADDR 5.20
    score HELO_DYNAMIC_IPADDR2 4.20
    score HELO_DYNAMIC_HCC 4.70
    score OBSCURED_EMAIL 3.90
    score CHARSET_FARAWAY_HEADER 4.25
    score DATE_IN_FUTURE_48_96 3.60
    score RCVD_HELO_IP_MISMATCH 3.50
    score BIZ_TLD 0.00
    score INFO_TLD 0.00

    score RCVD_IN_BL_SPAMCOP_NET 5.00

Spamassassin rule updates can be put either in "/etc/mail/spamassassin/local.cf" for
global server wide configuration changes or locally on each individual account by
editing "/home/(login)/.spamassassin/user_prefs"

For a detailed description of all the options you can set in those files, please see:
http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html

You also might want to check out the "configuration tool" page by Michael Moncur
which will actually write your configuration file for you based upon configuration options
that you choose on his page at http://www.yrex.com/spam/spamconfig.php

Hope that helps. Good luck and happy SPAM trapping ...
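
An added example, not part of the post above: `grep -c "blacklist"` counts every log line containing that string, so the functions below split the rejections per list and show which sending IPs a given list blocked. It assumes the rejection wording from the ACL and router pasted above; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the rejection wording produced
# by the ACL and router above ("is blacklisted at <list> see ..." and
# "is locally blacklisted"). Function names are illustrative.

# rbl_tally FILE: print "<count> <list>" per blacklist, busiest first.
rbl_tally() {
    LC_ALL=C awk '
        / is locally blacklisted/ { n["local"]++; next }
        match($0, / is blacklisted at [^ ]+/) {
            # 19 is the length of " is blacklisted at "
            n[substr($0, RSTART + 19, RLENGTH - 19)]++
        }
        END { for (l in n) printf "%d %s\n", n[l], l }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# rbl_hosts FILE LIST: unique sending IPs rejected because of LIST, to
# review for legitimate senders that belong in /etc/rblwhitelist.
rbl_hosts() {
    LC_ALL=C awk -v list="$2" '
        index($0, " is blacklisted at " list " ") && match($0, /\[[0-9A-Fa-f.:]+\]/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }
    ' "$1" | LC_ALL=C sort -u
}

# Constructed sample lines in exim_mainlog style (documentation addresses only).
sample_log() {
    cat <<'EOF'
2005-06-24 09:15:02 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <bob@example.com>: Message rejected because (mx.example.net) [192.0.2.10] is blacklisted at bl.spamcop.net see Blocked
2005-06-24 09:16:40 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <amy@example.com>: Message rejected because (mx.example.net) [192.0.2.10] is blacklisted at bl.spamcop.net see Blocked
2005-06-24 09:20:11 H=(dsl.example.org) [198.51.100.7] F=<b@example.org> rejected RCPT <bob@example.com>: Message rejected because (dsl.example.org) [198.51.100.7] is blacklisted at bl.spamcop.net see Blocked
2005-06-24 09:22:05 H=(relay.example.org) [203.0.113.5] F=<c@example.org> rejected RCPT <bob@example.com>: Message rejected because (relay.example.org) [203.0.113.5] is blacklisted at sbl.spamhaus.org see Listed
2005-06-24 09:23:31 H=(relay.example.org) [203.0.113.5] F=<c@example.org> rejected RCPT <amy@example.com>: Message rejected because (relay.example.org) [203.0.113.5] is blacklisted at sbl.spamhaus.org see Listed
2005-06-24 09:30:00 H=(dsl.example.org) [198.51.100.7] F=<b@example.org> rejected RCPT <amy@example.com>: Message rejected because (dsl.example.org) [198.51.100.7] is blacklisted at dnsbl.sorbs.net see Listed
2005-06-24 09:40:11 H=(host.example.org) [192.0.2.44] F=<d@example.org> rejected RCPT <x@blocked.example>: Connection rejected: SPAM source blocked.example is locally blacklisted.
2005-06-24 09:41:00 1DlXyz-0001ab-Cd <= e@example.org H=(ok.example.org) [192.0.2.80] P=esmtp S=1204
EOF
}

log=$(mktemp) && sample_log > "$log"
rbl_tally "$log"                  # on a server: rbl_tally /var/log/exim_mainlog
rbl_hosts "$log" bl.spamcop.net
rm -f "$log"
```

A list that accounts for few rejections but shows up in `rbl_hosts` with senders your users recognise is the one to reconsider or offset with `/etc/rblwhitelist` entries.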
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
One of the main problems of that approach, IMO, is that:

1. Users have no control over blocked email, i.e. if they require all email to be delivered and not blocked, the RBL checking is of no use to them. There are many companies (esp legal and financial ones) that must have all email delivered, but still want any spam specifically tagged that is on an RBL.

2. IIRC, forwarded, piped and outgoing email is not scanned

3. Your configuration options are a whole factor lower than with MailScanner where you can have nearly every option very easily tweaked on a per email address level which simply is not possible using SA+Exim, especially on exactly how you want to process each and every email address

Whatever the differences, you obviously do what works best for you and the needs of your clients. If you don't need much control, then your suggestions are great, however with a complex set of requirements for web hosting clients, we've found that MailScanner's configurability is hard to match with any other solution :)
 

ramorse

Well-Known Member
Sep 6, 2003
256
5
168
cPanel Access Level
Root Administrator
MailScanner looks good. I am interested. I've been very frustrated with the inconsistency of SpamAssassin. What about the cpanel service packages? Has anyone had experience with them?
 

motoenth

Registered
Jan 29, 2004
NC, USA
We use Jonathan's cPanel service and couldn't be happier. We were having lots of problems that we couldn't figure out and decided to sign up for the monthly service. He came in and cleared up ALL our problems, made great suggestions that we now implement and, basically, took over as our sysadmin. Trying to manage our server was a chore that was taking time away from serving our customers.

His services are just great... what more can I say?

Blair
 

Fractal

Member
Jul 11, 2003
I wouldn't use sorbs.net blacklist

Great How-to Spiral.

I noticed one of the blacklists was sorbs.net though. In my opinion I don't think they are very good as they will often block an entire netblock if one or two IPs on it are spamming. If you are on the same netblock as a spammer you could be out of luck.

To make matters worse many hosts use the same IP for lots of different virtual accounts. If someone on the same IP as you spams they will put your IP on the blacklist and not remove it until you pay $50.00. So even if the spammer is removed from the server, you still need to pay $50.00 to be removed.

Maybe I am missing something but not only does this seem almost like extortion to me, but spammers could just "buy" the right to spam again.

-Fractal
 

wipl

Active Member
Oct 12, 2003
37
0
156
Chirpy rocks :) ...we had been using his mailscanner packages on all servers and not only this has helped us to bring down the load but also to reduce the amount of spam and viruses.

He is the gem & rocking star of this community :)
 

ctbhost

Well-Known Member
May 31, 2002
just had chirpy install mailscanner on my server, and was thinking today 'gee not getting many emails today' then realised it was just the spam had decreased so much.

fantastic

i spent days trying to reduce spam myself, all i ended up doing is causing problems with incoming legitimate emails for some clients.

i spent 5 mins signing up for chirpy's service and a few bucks and in just over a week i have noticed a huge reduction in spam.

WELL DONE CHIRPY
 

Drew Nichols

Well-Known Member
May 5, 2003
SC
I'm really wanting to do this. Cost is not an issue, I just wonder what we'll do if cpup ever breaks something and Cpanel won't support the mail issue due to having this?

Spam has absolutely gotten out of control for our server, and SA just doesn't do it.
 

dave9000

Well-Known Member
Apr 7, 2003
arkansas
cPanel Access Level
Root Administrator
Chirpy will handle any issues that cpanel breaks in a prompt professional fashion.

We had a cpanel update break MS and chirpy had it fixed for us within a hr of submitting a ticket :D
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
It's also quite simple to remove MailScanner from the mail process for checking/support issues in case MailScanner is an issue for support to help.
 

wipl

Active Member
Oct 12, 2003
With Chirpy's Script it would take less than 2 minutes to uninstall the mailscanner package should you require it to be removed ;)