How to stop spam -- DEAD in its tracks!!

Discussion in 'Linux VPS/Dedicated - cPanel' started by RMedure, Mar 23, 2015.

  1. RMedure

    RMedure New Member

    This turned out to be a rather long document, and I haven’t had time yet to thoroughly proofread it. So PLEASE let me know if you find any errors or anything that just doesn’t make sense. Also, the appendix containing more verbose reasoning and explanation is TBD. Otherwise, enjoy! :)

    https://powerproductsandservices.com/public/mailserver/Spam Control.pdf

    There's a fair amount of code and other text associated with the greylisting module. Rather than copy/paste from the document, you can also get the files here:
    https://powerproductsandservices.com/public/mailserver/

    Cheers!
     
    Jean Egan and Chimpie like this.
  2. John Fosella

    John Fosella New Member

    Thanks for putting that together. Exactly what I've been looking for!
     
  3. John Fosella

    John Fosella New Member

    Been adding your mods a little at a time. Just finished step #6 “custom_begin_rbl” block in the acl_smtp_rcpt ACL
    I'm not sure I need to go any further. (but probably will!)
    The constant stream of spam has stopped completely.
    In 3 hours time since I added step #6 I have received no spam and 14 spam emails have been blocked with no false positives.

    Thanks again for your efforts. You saved me a lot of time.
     
  4. RMedure

    RMedure New Member

    Yes! Steps 1 - 6 should go a very long way. And as with most things in life ... the last 10% takes 90% of the effort. ;) I may be a glutton for punishment so far as that goes with perfectionism. The RBL function is so very important; and it boggles my mind that cPanel sets up their stock configuration to quite literally break this functionality. It was the KnownHost support staff (Amos) who figured out the IPv4/v6 issue with named. And I figured out how to do RBL "domain name" checks in exim (not just IP address).

    I think I do mention in the write-up that we only had one or two email accounts that had (very minor) issues beyond this step. Oh wait, I don't mention that until right before grey-listing. Anyway, I typically see a LOT of rejections based on RBL, sync enforce/delay, DKIM, and SPF (primarily steps 1 - 6).

    Glad it's working out for you! :D
     
  5. EricWPM

    EricWPM New Member

    Hello Everyone,

    Quick Question - Can a newbie who knows how to FTP do this? I looked at the PDF and it seems doable but I have no idea what I'm changing or where to find all this :)

    Does this have to be done for each cPanel setup? Or is it handled through the WHM and each new cpanel setup gets these settings auto transferred based on the WHM?


    I currently have shared reseller hosting elsewhere but want to join KH because I heard they have excellent Managed VPS solutions and high ratings about their service in general. My shared hosting has SPAM issues in that I get 20-30 spams per day on each cpanel account! My customers are going nuts and I don't know how to solve other than using Google Business Accounts to run their mail through Google's Gmail app which costs $50/yr.

    I would like to move to KH Managed VPS and set it up like a Reseller account so I can sell hosting with separate cpanels to my customers.

    KH Mods - Is this spam setup listed here in the thread something that you offer on Managed VPS or would I be able to pay you to set it up like RMedure has listed?

    It sounds like an excellent solution to get rid of SPAM. I wonder why hosting companies don't do this already?

    Thanks everyone! It feels good to know that I might have found a solution to my customers' SPAM issues!!!

    Eric
     
  6. Dion

    Dion Member

    Some of the options listed could potentially have a significant negative effect on server performance.
     
  7. RMedure

    RMedure New Member

    @Eric: It's pretty much all in WHM and/or via root level SSH ... not in each cpanel account separately.

    @Dion: I would expect that steps 1 - 6 would be sufficient for most people as it was for John above (and probably about as far as you'd want to go if you're a reseller). But I would also submit that steps 1 - 6 will not negatively affect server performance, assuming that we're talking about speed and load. The RBL checks go very fast as DNS zone lookups are by design fast, cheap, and easy. And I think most people are probably running spamassassin already on all mail, so nothing new there; but even if you tried to use something else - that something else that scans each email is going to have similar load associated with it.

    For what it's worth, having implemented everything in the write-up - I've not seen any server load issues (see attached), but then again I'm not a reseller with 20+ accounts. Your mileage may vary ... :D
     


  8. EricWPM

    EricWPM New Member

    Hey thanks @RMedure I have been so frustrated in dealing with spam issues for my clients. I am really looking forward to joining the KnownHost Managed VPS hosting and trying this out! All my websites are for small local businesses so I should not have any load issues I'm guessing. Most of my websites get less than 100 emails per day... My clients just don't like getting the 30-40 spam emails per day though!!!

    Thank you for taking the time to document and write this up! I'm currently on shared reseller hosting so the only tool I've had access to was Spam Assassin which has really done nothing to stop the problem no matter how aggressive I am with the settings.

    Can't wait to get back into town and sign up with KnownHost and try your settings :)
     
  9. KH-FreddieA

    KH-FreddieA Technical Support Operator Staff Member

  10. RMedure

    RMedure New Member

  11. KH-FreddieA

    KH-FreddieA Technical Support Operator Staff Member

  12. RMedure

    RMedure New Member

    I just noticed that, and you beat me to it!! Is KH recommending upgrade from 11.48 to 11.50? Has anyone tried out the greylisting in 11.50 yet?

    In the meantime, I fixed a few bugs in my greylist solution that hopefully didn't stump anybody. The updated guide is at the same link:
    https://powerproductsandservices.com/public/mailserver/Spam Control.pdf

    I created a simple changelog:
    https://powerproductsandservices.com/public/mailserver/Spam Control Changelog.txt
     
  13. KH-FreddieA

    KH-FreddieA Technical Support Operator Staff Member

    This is just me personally speaking, but the CURRENT tier is listed as a release candidate. I wouldn't upgrade until RELEASE at the earliest.

    But that's just me.
     
    Dan likes this.
  14. Dan

    Dan Moderator

    I second @KH-FreddieA's recommendation. Wait for the release.
     
  15. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Being on the private information release chain about bugs appearing/getting fixed in 11.50......wait for release ;)
     
  16. EricWPM

    EricWPM New Member

    I was SPAM free thanks to Robert's method above. I completed Steps 1 - 6 and Step 9 (which changes IMAP folder from SPAM to JUNK). This solution worked perfectly for the last 45 days! Zero spam and all normal email delivered.

    Now this week I have 2-3 spam emails getting through every day. Not sure why this just started this week.

    Is there something I need to update in this process like the RBL (DNS blocklists) or does this happen automatically through the blocklist providers? I thought maybe something changed in my WHM so I checked all the settings again and nothing has changed.

    I know Spam keeps evolving and getting 2-3 messages per day is not bad... but I had zero before and just wondered if there was anything I need to update in the process to eliminate those 2-3 spams per day?

    ==============

    When I did verify the settings for steps 1-6 I had a question on Step 4

    4. Exim Configuration – Advanced Settings (delay and sync)

    Robert's example for accept hosts = 127.0.0.1 (plus 3 more IP addresses listed after)

    Mine is set up like below. Should I add the IP address for my WHM after the 127.0.0.1?

    # Do not enforce sync (and likewise delay) for these hosts
    accept hosts = 127.0.0.1
           control = no_enforce_sync
    accept delay = 15s
     
  17. RMedure

    RMedure New Member

    I would be very interested in seeing the email headers for the spam that's getting through. My observations to date:

    1. Could be because of not greylisting. Some spammers roll through blocks of IP numbers and randomly generated domain names to stay ahead of the RBLs. But the greylisting injects a 5 minute deferral (delay) that gives the RBLs time to catch up. This was a big problem for me. You can verify this as follows: When an unwanted spam arrives, immediately check the sending IP at http://multirbl.valli.org/ and see if it's on any of the RBLs that we're checking. Then check again 5 minutes later. If the IP is not on one of our RBLs initially, but then is later ... then greylisting will mitigate it.

    2. I've observed that modules in step 7 really do a decent job of catching some of the spam and bulk mail from reputable senders. If you do step 7, then be sure to change the spamassassin scoring as indicated in step 8 to prevent false positives.

    3. I've also observed that some reputable bulk mail senders get TOO much credit for the efforts of getting themselves onto various white lists. You can see if this is happening by looking at the spam scores at the bottom of the email header. So again, make the scoring adjustments at step 8 to mitigate this.

    This would normally all be explained in the appendix which gives all the how/why info ... but I haven't had time to write it yet. :) Sorry.

    Hope this helps!
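
The before/after RBL check described in item 1 of the post above, as an added example that is not part of the original post or of RMedure's guide. The two zone names are assumptions for illustration (substitute the zones your own RBL ACL queries), the function names are hypothetical, and only IPv4 is handled:

```python
import ipaddress
import socket

# Assumed zones for illustration; substitute the zones your own RBL ACL queries.
ZONES = ("b.barracudacentral.org", "zen.spamhaus.org")

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed_answer(answer):
    """A 127.0.0.0/8 answer means listed, except 127.255.255.x, which
    Spamhaus uses to signal a refused or broken query, not a listing."""
    return answer.startswith("127.") and not answer.startswith("127.255.255.")

def dns_lookup(name):
    """Resolve an A record; None when the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_zones(ip, zones=ZONES, lookup=dns_lookup):
    """Set of zones that currently list the IP."""
    hits = set()
    for zone in zones:
        answer = lookup(dnsbl_name(ip, zone))
        if answer is not None and is_listed_answer(answer):
            hits.add(zone)
    return hits

def greylist_verdict(at_arrival, after_delay):
    """Compare the listing at arrival with the listing after the deferral."""
    if at_arrival:
        return "listed at arrival: the RBL check should already reject it"
    if after_delay:
        return "listed only after the delay: greylisting would mitigate it"
    return "unlisted both times: greylisting alone would not stop it"

if __name__ == "__main__":
    import sys, time
    ip = sys.argv[1]
    first = listed_zones(ip)
    time.sleep(300)  # the 5 minute greylisting deferral from the post
    print(ip, greylist_verdict(first, listed_zones(ip)))
```

Run it with the sending IP from the Received header as soon as the spam arrives; an answer in 127.255.255.x usually means the zone refused the query from your resolver, so that zone tells you nothing either way.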
     
  18. RMedure

    RMedure New Member

    I noticed that after I set up the accept delay/sync ... I could detect that 15s delay in my own email client and was a little annoyed, so I added some common static IPs that I work from. :) You can do the same with your own IP numbers (IP number list delimited by a ":") if you detect the same annoying little delay. :)
     
  19. EricWPM

    EricWPM New Member

    Hi Robert,

    Thanks for your replies. I will make the changes and check the spam IP the next time I get them. I'm not really a tech guy so I didn't do the advanced greylisting stuff in your guide but if the spam does get worse I will give greylisting a try :)

    I included 4 spam headers for you in a text file that I pulled from my Outlook email client. Thanks for your help!
     


  20. RMedure

    RMedure New Member

    The first one (173.254.228.199) is on the barracuda list now ... greylisting may have gotten this one.
    The second (173.254.228.202) is also on barracuda list now ...
    The third one (173.254.228.205) is also on the barracuda list now ...
    The fourth one (173.254.228.210) is also on the barracuda list now ...

    Note that all 4 of these are the same spammer rolling through an IP block. If spamassassin doesn't catch it, then the only way to stop them at smtp time is with greylisting, or maybe nolisting might work too if they only check the first MX record.

    Also, I noticed that you have no X-Spam score; this means that spamassassin is not running, or the email is not being sent to spamassassin at all. You should fix that regardless of whether or not you try greylisting or nolisting. Note that the modules in step 7 are spamassassin plugins.

    Cheers!
     
