How to stop spam -- DEAD in its tracks!!

Jean Egan

New Member
I just saw your thread when I came here to look for something else. I decided to do #1-6 today and spam stopped coming in immediately! I went through your setting and had everything set as you recommended, except #6 - the custom RBL code. It made all the difference in the world. Thanks!!
 

RMedure

New Member
Cool! There's some good stuff going on in those RBL's. :)

I noticed that WHM/cPanel updates to ver 11.50 is being pushed out. I was under the impression that it's still has issues. Is knownhost on board with running this version now? I'm pretty anxious to try out the built-in greylisting.
 

KH-RileyA

Technical Support Operator
Staff member
Well, they put it in release tier which is general availability. Personally, I'm going to wait for a few more point releases.
 

Jean Egan

New Member
I went on and did #7 as well as #10, since greylisting in the new WHM/cPanel was so easy. If I'm ambitious, I'll do "Nolisting" next.

I'm not going to do #8 (spamassassin settings) for each client account. (Am I understanding that correctly?) I also won't be doing #9 because only a handful of my clients use IMAP.

This all is wonderful. Not only has spam email stopped, but it seems to have stopped the ridiculous flow of failed SMTP AUTH logins as well. I'm curious which of these steps has impacted that aspect of server hacking.

Thanks so much for this, RMedure!
 

RMedure

New Member
I went on and did #7 as well as #10, since greylisting in the new WHM/cPanel was so easy. If I'm ambitious, I'll do "Nolisting" next.

I'm not going to do #8 (spamassassin settings) for each client account. (Am I understanding that correctly?) I also won't be doing #9 because only a handful of my clients use IMAP.

This all is wonderful. Not only has spam email stopped, but it seems to have stopped the ridiculous flow of failed SMTP AUTH logins as well. I'm curious which of these steps has impacted that aspect of server hacking.

Thanks so much for this, RMedure!
I can hardly wait to try the stock greylisting. I'm holding off on 11.50 for a while though. I'm curious to know exactly how it handles greylist tracking (by messageID+server hash or server only). Hopefully I'll have time to look into that soon (if that level of details are even documented at all).

Step #8 can be done by user or at the server level. I highly recommend the spamassassin score(ing) in my document vs. the defaults for those particular filters. But if you pay attention to the spam scoring in your email headers (spam that gets thru to your inbox, and spam that ends up in your spam folder) ... you'll get a feel for how you should adjust your filter scores.

Don't know about the failed SMTP AUTH warnings, I assume you mean from LFD? Maybe one of the settings in step #3 is affecting this. Or maybe with greylisting on and/or spam rejected at SMTP time (via RBL's) ... those attacking servers are maybe giving up before they go on to a brute force step.
 

KH-RileyA

Technical Support Operator
Staff member
A while back, I was able to stop checking RBLs at all on my (non-cpanel) server and just use greylisting. No spam got through. The wait finally annoyed me, though.
 

Jean Egan

New Member
Yes, from CSF/LFD - I was getting flooded with them recently - and 1,000 blocked IPs were rolling around every 3 days, rather than ever 7 or 8 months or so. Interesting - now that you mention it, yes, I did change the last 2 IPs to Google IPs in step 3. Hmm!

I wish I could go through the full logic of everything you shared. I'm getting it slowly. I'm not quite a techie (I come from a design background.) I'm just a techie wannabe who wants to have a smooth-running server that delivers site pages fast, keeps everything secure and keeps spam from client's inboxes. I appreciate what you've shared and just had to express my thanks again!
 

RMedure

New Member
A while back, I was able to stop checking RBLs at all on my (non-cpanel) server and just use greylisting. No spam got through. The wait finally annoyed me, though.
Greylisting if done properly, will retain a database of "known good mail servers" ... so that the wait only happens once per sender.
 

RMedure

New Member
Yes, from CSF/LFD - I was getting flooded with them recently - and 1,000 blocked IPs were rolling around every 3 days, rather than ever 7 or 8 months or so. Interesting - now that you mention it, yes, I did change the last 2 IPs to Google IPs in step 3. Hmm!

I wish I could go through the full logic of everything you shared. I'm getting it slowly. I'm not quite a techie (I come from a design background.) I'm just a techie wannabe who wants to have a smooth-running server that delivers site pages fast, keeps everything secure and keeps spam from client's inboxes. I appreciate what you've shared and just had to express my thanks again!
Hmm, that's step 2. I was thinking more along the lines of some of the ACL or security settings in step 3. If you want to seriously lock down your mailserver, check this out: https://forums.knownhost.com/threads/mailserver-security-whm-cpanel.3372/ :) A reseller might think twice about "requiring SSL" to get mail - all of your clients would have to be informed on how to properly setup their mail client accordingly.

And you're very welcome!
 

Jean Egan

New Member
Step 2/Step 3 - hah, whoops - you're right. Silly me. Hm, that's weird though - I already had everything set up as you spec'd it out on that step.

Thanks for the additional resource. Hm, I think most of my clients do use the SSL connection to get their mail - that may be worth enforcing :) Thanks!
 

Sherrie

Member
Hello I have started adding your suggestions. Originally when I enabled spam assasin a few months ago my spam dropped considerably but I have just started getting over 100+ spam a day, maybe double that.

Anyway in the advanced Exim editor I was given an error for your code under “custom_begin_rbl”

This was my error:

Code:
error
error in ACL: unknown ACL condition/modifier in "_text"
This is my copy and paste:

Code:
# spamhaus zen
  deny message = JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: $dnslist
_text
      hosts = +backupmx_hosts 
      dnslists = zen.spamhaus.org
  warn dnslists = zen.spamhaus.org
      set acl_m8 = 1
      set acl_m9 = "JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: $dnsl
ist_text"
  warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
      ratelimit = 0 / 1h / strict / per_conn
      log_message = "Increment Connection Ratelimit - $sender_fullhost - $sender_address_domain - because of $dnslist_domain ma
tch"
  drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
      message = ${acl_m9}
# spamhaus DBL - Domain name blocking list
  deny message = JunkMail rejected - $sender_fullhost - $sender_address_domain - is listed on Spamhaus DBL. see: $dnslist_text
      hosts = +backupmx_hosts
      dnslists = dbl.spamhaus.org/<,$sender_address_domain 
  warn dnslists = dbl.spamhaus.org/<,$sender_address_domain
      set acl_m8 = 1
      set acl_m9 = "JunkMail rejected - $sender_fullhost - $sender_address_domain - is in $dnslist_domain, see: $dnslist_text"
  warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
      ratelimit = 0 / 1h / strict / per_conn
      log_message = "Increment Connection Ratelimit - $sender_fullhost - $sender_address_domain - because of $dnslist_domain dn
sbl match"
  drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
      message = ${acl_m9} 
# spamcop
  deny message = JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: $dnslist
_text
      hosts = +backupmx_hosts
      dnslists = bl.spamcop.net
  warn dnslists = bl.spamcop.net
      set acl_m8 = 1
      set acl_m9 = "JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: $dnsl
ist_text"
  warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
      ratelimit = 0 / 1h / strict / per_conn
      log_message = "Increment Connection Ratelimit - $sender_fullhost - $sender_address_domain - because of $dnslist_domain ma
tch"
  drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
      message = ${acl_m9}
# URIBL - black
  deny message = JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: $dnslist
_text
      hosts = +backupmx_hosts
      dnslists = black.uribl.com/<,$sender_address_domain 
  warn dnslists = black.uribl.com/<,$sender_address_domain
      set acl_m8 = 1
      set acl_m9 = "JunkMail rejected - $sender_fullhost - $sender_address_domain - is in $dnslist_domain, see: $dnslist_text"
  warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
      ratelimit = 0 / 1h / strict / per_conn
      log_message = "Increment Connection Ratelimit - $sender_fullhost - $sender_address_domain - because of $dnslist_domain dn
sbl match"
  drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
      message = ${acl_m9} 
# barracudacentral
  deny message = JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: http://w
ww.barracudacentral.org/rbl
      hosts = +backupmx_hosts
      dnslists = bb.barracudacentral.org
  warn dnslists = bb.barracudacentral.org
      set acl_m8 = 1
      set acl_m9 = "JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: http:
//www.barracudacentral.org/rbl"
  warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
      ratelimit = 0 / 1h / strict / per_conn
      log_message = "Increment Connection Ratelimit - $sender_fullhost - $sender_address_domain - because of $dnslist_domain ma
tch"
  drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
      message = ${acl_m9}
# SpamRATS - NoPtr
  deny message = JunkMail rejected - $sender_fullhost - $sender_address_domain - is in the $dnslist_domain dnsbl, see: $dnslist
_text
      hosts = +backupmx_hosts
      dnslists = noptr.spamrats.com
  warn dnslists = noptr.spamrats.com
      set acl_m8 = 1
      set acl_m9 = "JunkMail rejected - $sender_fullhost - $sender_address_domain - is in $dnslist_domain, see: $dnslist_text"
  warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
      ratelimit = 0 / 1h / strict / per_conn
      log_message = "Increment Connection Ratelimit - $sender_fullhost - $sender_address_domain - because of $dnslist_domain dn
sbl match"
  drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
      message = ${acl_m9}
 

EricWPM

New Member
Hi Sherrie,

I'm guessing your "copy and paste" went bad and broke a few lines. Try it again and make sure all your spacing is correct. You'll have to manually adjust your lines to look the same as Robert's code.

Here's what I'm talking about:

In your code paste on line #3 from the top you have:
_text

that should actually be at the end of line #2 so that the end of line #2 looks like this:
$dnslist_text

When you copied and pasted the "_text" was broken from line #2 causing your error...

Here's another example in line #9. You have:
ist_text"

That should be added to the end of the line #8

There are more broken lines to fix from your copy and paste. Robert did provide all the raw files you need. So whether you used his files or copied and pasted from the PDF I would open Notepad full screen and then copy and paste the code into that. Check all the code for any broken lines and then when it all looks good just copy and paste that into your settings panel.

This should fix your error codes that you are getting. Try that and see what happens :)
 

Sherrie

Member
Ah cool I didn't notice the raw files, that's my fault for looking at this thread before going to bed then going through the PDF the next night.

I did do a straight copy and paste from the pdf a few times with same error which is why I then posted that copy and paste in here to check if that is what the problem was.

thanks for your help :)
 

Marco_B

New Member
Hello,

Is this still applicable from the first document? Or do I need to keep track of the change log also?

Thanks,

Marco
 

RMedure

New Member
Yes, the raw files are better for cut/paste. Wasn't able to figure out how to get 'code' in the pdf to work right with copy/paste unfortunately. Well, that's why I put the raw files out there.

Regarding the changes (or change log), I update all of the documents and provide the change log for people who happened to use earlier instructions and want to make changes without having to go back through everything. :)
 

Marco_B

New Member
Allright, vert good to hear!

Wonderful job you did with this thread, thanks lot for you erfforts!

Ciao,

Marco
 

Sherrie

Member
Thanks very much, my spam has been reduced dramatically, I just need to go through that pdf again to see what I need to do so people using yahoo can still email me as they're being blocked atm.
 

Marco_B

New Member
Can someone maybe help me out on how to do this step in the attachment?

awww.guorillamarketing.com_img_step.png

Thanks in advance,

Marco
 
Top