Hi
I installed this on my cpanel server
http://www.rvskin.com/index.php?page=public/antispam
and I applied the optimizations indicated in the first post:

1. Disable spam scanning for outgoing email.
http://forums.rvskin.com/index.php?s=&...post&p=4901
2. Rearrange the ACL for RBL and unknown user.
http://forums.rvskin.com/index.php?s=&...post&p=4788
3. Auto-blacklist the server sending high-score spam mail to the server.
http://forums.rvskin.com/index.php?s=&...post&p=4739

Well, now in the first WHM Exim Configuration Editor textarea I have:
# clamd scanner for email
av_scanner = clamd:/var/clamd
log_selector = -host_lookup_failed -lost_incoming_connection
# For debugging purpose add +subject and +argument.
# It will show the subject of email and the folder of the script invoking sendmail !.
# 200c-04-22 00:50:19 cwd=/home/username/public_html/spamsource 3 args: /usr/sbin/sendmail -t -i
# You will find spammer on your server easier.
#log_selector = +subject +arguments -host_lookup_failed -lost_incoming_connection
#http://www.webhostgear.com/118.html
# How many bad recipients must fail before we drop the connection?
ALLOWEDRCPTFAIL=3
##################################
# Sender blacklist and remote mail server blacklist
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.1
##################################
acl_smtp_connect = acl_check_host
#acl_smtp_mail = acl_check_sender
# If you implement HELO test, skip these 3 lines.
# If you don't implement HELO test, you need to remove # in a line below to declare rv_relay_host.
#hostlist rv_relay_hosts = net-iplsearch;/etc/relayhosts
##################################
# HELO TEST
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.3
##################################
hostlist rv_relay_hosts = net-iplsearch;/etc/relayhosts
##################################
# RBL setting + Sender whitelist + receiver whitelist + Remote mail server whitelist
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.4
##################################
domainlist rv_rbl_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_rbl_receiver_domain_whitelist
hostlist rv_rbl_server_ip_whitelist = net-iplsearch;/usr/local/cpanel/base/eximacl/rv_rbl_server_ip_whitelist
addresslist rv_rbl_sender_address_whitelist= lsearch*@;/usr/local/cpanel/base/eximacl/rv_rbl_sender_address_whitelist
##################################
# spam protection
# http://www.rvskin.com/index.php?page=public/antispam POINT 5
##################################
addresslist rv_spam_sender_address_whitelist= lsearch*@;/usr/local/cpanel/base/eximacl/rv_spam_sender_address_whitelist
In the second WHM Exim Configuration Editor textarea I have:
##################################
# Sender blacklist and remote mail server blacklist
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.1
##################################
#!!# This ACL is used at the start of an incoming connection.
#!!# The tests are run in order until the connection is
#!!# either accepted or denied.
acl_check_host:
##
# Reject email sent from mail server IP listed in the blacklist
##
deny message = Host $sender_host_address is blocked
hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist
##
# Reject email sent from mail server IP listed in the blacklist
##
deny message = Connection temporary denied from $sender_host_address after spam attack
hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl
!hosts = @[]
!hosts = +rv_relay_hosts
accept
#!!# This ACL is used for the MAIL FROM: command in an
#!!# incoming SMTP transaction. The tests are run in order until the
#!!# sender address is either accepted or denied.
acl_check_sender:
##
# Reject email sent from sender listed in the blacklist
##
deny message = Sender $sender_address is blocked
senders = /usr/local/cpanel/base/eximacl/rv_sender_address_blacklist
#delay = 3s
# An ACL that reaches its end without an accept denies by default
# (Exim reports this to the client as "Administrative prohibition"),
# so every sender that is not blacklisted must be accepted explicitly.
accept
In the third WHM Exim Configuration Editor textarea I have:
#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
################ANTI DICTIONARY ATTACK
################ http://www.configserver.com/free/eximdeny.html
accept hosts = :
drop hosts = /etc/exim_deny
!hosts = /etc/exim_deny_whitelist
message = Connection denied after dictionary attack
log_message = Connection denied from $sender_host_address after dictionary attack
!hosts = +relay_hosts
!authenticated = *
drop message = Appears to be a dictionary attack
log_message = Dictionary attack (after $rcpt_fail_count failures)
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
!verify = recipient
!hosts = /etc/exim_deny_whitelist
!hosts = +relay_hosts
!authenticated = *
# Accept bounces to lists even if callbacks or other checks would fail
################ END ANTI DICTIONARY ATTACK
################ http://www.configserver.com/free/eximdeny.html
# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}
accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}
# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}
accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}
#if it gets here it isn't mailman
##################################
# HELO TEST
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.3
##################################
#
# Be polite and say HELO. Reject anything from hosts that haven't given
# a valid HELO/EHLO to us.
##
deny message = Bad HELO: Empty HELO, please see RFC 2821 section 4.1.1.1
condition = ${if eq{$sender_helo_name}{}{yes}{no}}
##
# Forged hostname -HELOs as one of my own IPs
##
# Forged HELO (our ip/hostname)
deny message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to use it in HELO/EHLO as per RFC Standards.
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
##
# Forged hostname - HELOs as my own hostname or domain
##
deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards.
# accept helo which is in local_domain if we relay or had smtp auth
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
##
# Hacked HELO (DOMAIN.com) (constructed by viruses)
##
deny message = Hacked HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
################################## END
# HELO TEST
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.3
################################## END
##################################
# RBL setting + Sender whitelist + receiver whitelist + Remote mail server whitelist
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.4
##################################
# sender verifications are required for all messages that are not sent to lists
require verify = sender
##
# If the receiver domain is on this server, deny if the receiver email address doesn't exist.
# The default address for the receiver domain has to be set to :fail: to work with this ACL.
# If the default address is set to :blackhole: or /dev/null, Exim will always think that the email address exists
# and pass on to the lower ACL. Domains being attacked by dictionary attack spam are advised to set
# the default address to :fail:.
##
deny domains = +local_domains
!verify = recipient
log_message = unknown user
message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
##
# Reject email sent from server listed in DNS blacklists.
##
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
# RBL Bypass Local Domain List
!domains = +rv_rbl_receiver_domain_whitelist
# RBL Whitelist Incoming hosts
!hosts = +rv_rbl_server_ip_whitelist
# RBL Bypass Sender Domain List
!senders = +rv_rbl_sender_address_whitelist
# The following is a list of RBL to check for spam.
dnslists = list.dsbl.org : \
sbl.spamhaus.org : \
relays.ordb.org
accept domains = +local_domains
accept domains = +relay_domains
################################## END
# RBL setting + Sender whitelist + receiver whitelist + Remote mail server whitelist
# http://www.rvskin.com/index.php?page=public/antispam POINT 4.4
################################## END
warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
hosts = +relay_hosts
accept hosts = +relay_hosts
warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
condition = ${perl{checkrelayhost}{$sender_host_address}}
accept condition = ${perl{checkrelayhost}{$sender_host_address}}
accept hosts = +auth_relay_hosts
endpass
message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
authenticated = *
deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
#http://www.rvskin.com/index.php?page=public/antispam
#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender
##################################
# spam protection
# http://www.rvskin.com/index.php?page=public/antispam POINT 5
##################################
# Accept Sender that usually send a lot of emails to minimize spamd load
accept senders = +rv_spam_sender_address_whitelist
accept hosts = @[]
accept hosts = +rv_relay_hosts
accept authenticated = *
# Messages larger than 50k are accepted without spam scanning to reduce spamd load
accept condition = ${if >{$message_size}{50k}{true}}
##
# Reject spam messages with score over 15.
# Keep in mind that $spam_score_int is the messages score multiplied by ten.
##
deny message = Spam score too high ($spam_score)
# Bypass Sender that usually send a lot of emails to reduce spamd load
!senders = +rv_spam_sender_address_whitelist
spam = mailnull:true/defer_ok
#http://forums.cpanel.net/showthread.php?p=233776#post233776
# If emails with a high score come into the server from the same host address
# more than 3 times within the last 60 seconds, the sender's server will be blocked for 1 hour
condition = ${run{/etc/eximSpamDeny.pl $sender_host_address $spam_score_int $sender_address }{yes}{yes}}
condition = ${if >{$spam_score_int}{150}{1}{0}}
##
# Add a warning header if email scored between 12 and 15.
# Delete email in the System Filter File, if sender or receiver is not listed in the whitelists.
##
warn message = X-Exiscan-SA-Spam: Yes
# Bypass Sender that usually send a lot of emails to reduce spamd load
!senders = +rv_spam_sender_address_whitelist
spam = mailnull:true/defer_ok
condition = ${if >{$spam_score_int}{120}{1}{0}}
##
# Rewrite subject if email scored between 9 and 15.
##
# Always put X-Spam-Score header in the message.
# It looks like this:
# X-Exiscan-SA-Score: 6.6 (++++++)
# When a MUA cannot match numbers, it can match for an
# equivalent number of '+' signs.
warn message = X-Exiscan-SA-Score: $spam_score ($spam_bar)\
# Put X-Spam-Report header in the message.
# This is a multiline header that informs the user
# which tests a message has "hit", and how much a
# test has contributed to the score.
\nX-Exiscan-SA-Report: $spam_report\
# For the subject tag, we prepare a new subject header in the
# ACL, then swap it with the original Subject in the system filter.
\nX-Exiscan-SA-New-Subject: *SPAM* $h_subject:
# Bypass Sender that usually send a lot of emails to reduce spamd load
!senders = +rv_spam_sender_address_whitelist
spam = mailnull:true/defer_ok
condition = ${if >{$spam_score_int}{90}{1}{0}}
##################################
# virus protection
# http://www.rvskin.com/index.php?page=public/antispam
##################################
##
# Reject messages with serious MIME container errors
##
deny message = This message contains malformed MIME ($demime_reason).
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
##
# Reject messages that attach files with illegal extensions
##
deny message = We do not accept ".$found_extension" attachments here. If you meant to send this file then please package it up as a zip file and resend it.
# You might need to remove some of these extensions if you want to allow your users to get these files
demime = bat:cmd:com:cpl:pif:reg:scr
##
# Reject messages that attach a file with a CLSID in the name,
# which causes Windows to hide the file extension.
##
deny message = Hiding of file extensions(CLSID hidden) is not allowed.
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
##
# Add a warning header if the email contains files with illegal extensions but accept the message
##
warn message = X-Antivirus-Filetype: Infected - $found_extension
# You might need to remove some of these extensions if you want to allow your users to get these files
demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
##
# Add a warning header if the email contains a virus but accept the message
##
warn message = X-Antivirus-Scanner: Infected - $malware_name
demime = *
malware = */defer_ok
accept
My problems:

1) As you can see,
#acl_smtp_mail = acl_check_sender
is commented out. If I leave it uncommented I cannot send email; I receive an Administration deny error.
Can anyone tell me why?

2) Also, with the optimization applied, the CPU goes to maximum very often!
I noticed that spamd is always among my top applications, eating 30% CPU or more almost all the time!
Is there any way to run spamd more lightly?
I noticed that when I check a message from the command line using spamassassin in this way
#cd /home/dreamli/mail/domain.com/domain/new/
#spamassassin -r -D < 1163586535.H878049P23358.hostname.myhostname.net
spamassassin loads and checks tons of plugins, and most of them are not used.
What should I do to configure spamassassin to run smoothly and eat less CPU?
Or is there any cache for spamassassin?
3) I noticed that my /var/log/exim_rejectlog is getting bigger because it
now also contains the full header of the email (!). How can I make the exim_rejectlog lighter?

4) What is the use of Razor, DCC and similar? Only to report the spammer to their data center?
Or are they also useful to identify the spammer?
THANK YOU!
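Added example, not part of the original post and not RVSkin's or Exim's code: a small Python model of how Exim walks the check_message and acl_check_sender ACLs quoted above. The Message class, the evaluate_acl function, and the whitelist and blacklist entries are all constructed for illustration; it does not read exim.conf or talk to spamd. It reproduces the verb semantics that decide the outcome (accept and deny end the ACL, warn adds its header and falls through, require denies when its condition fails) and goes one step beyond the post by showing what happens when an ACL runs off its end without an accept, which Exim treats as a deny and reports as "Administrative prohibition".

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Message:
    """The few Exim variables the check_message ACL above consults (constructed model)."""
    sender: str                  # $sender_address
    size: int                    # $message_size in bytes
    spam_score: float            # $spam_score as returned by spamd
    authenticated: bool = False  # true when "authenticated = *" would match
    headers: List[str] = field(default_factory=list)  # headers added by warn verbs

    @property
    def spam_score_int(self) -> int:
        # $spam_score_int is the score multiplied by ten, as the ACL comments say
        return int(round(self.spam_score * 10))

    @property
    def spam_bar(self) -> str:
        # $spam_bar: one '+' per whole point; Exim caps the bar at 50 characters
        return "+" * min(int(self.spam_score), 50)


# A rule is (verb, conditions, message): conditions are callables on a Message,
# the message callable renders the "message =" text used by deny and warn.
Rule = Tuple[str, List[Callable[[Message], bool]], Callable[[Message], str]]

# Constructed stand-ins for the rv_* lookup files; not real addresses.
SPAM_SENDER_WHITELIST = {"newsletter@example.org"}
SENDER_BLACKLIST = {"blocked@example.net"}


def evaluate_acl(rules: List[Rule], msg: Message) -> str:
    """Walk the rules in order the way Exim walks an ACL.

    accept/deny end the ACL once all their conditions hold, require denies
    when any condition fails, warn records its header and falls through.
    Running off the end is a deny: Exim answers "Administrative prohibition".
    """
    for verb, conditions, text in rules:
        matched = all(cond(msg) for cond in conditions)
        if verb == "accept" and matched:
            return "accept"
        if verb == "deny" and matched:
            return "deny: " + text(msg)
        if verb == "require" and not matched:
            return "deny: " + text(msg)
        if verb == "warn" and matched:
            msg.headers.append(text(msg))
    return "deny: Administrative prohibition"


def check_message_rules() -> List[Rule]:
    """The spam-protection part of check_message, in the order it appears above."""
    whitelisted = lambda m: m.sender in SPAM_SENDER_WHITELIST
    no_text = lambda m: ""
    return [
        ("accept", [whitelisted], no_text),                    # accept senders = +rv_spam_sender_address_whitelist
        ("accept", [lambda m: m.authenticated], no_text),      # accept authenticated = *
        ("accept", [lambda m: m.size > 50 * 1024], no_text),   # accept condition = ${if >{$message_size}{50k}...
        ("deny", [lambda m: not whitelisted(m), lambda m: m.spam_score_int > 150],
         lambda m: f"Spam score too high ({m.spam_score})"),
        ("warn", [lambda m: not whitelisted(m), lambda m: m.spam_score_int > 120],
         lambda m: "X-Exiscan-SA-Spam: Yes"),
        ("warn", [lambda m: not whitelisted(m), lambda m: m.spam_score_int > 90],
         lambda m: f"X-Exiscan-SA-Score: {m.spam_score} ({m.spam_bar})"),
        ("accept", [], no_text),                               # the final accept that closes check_message
    ]


def check_sender_rules(trailing_accept: bool) -> List[Rule]:
    """acl_check_sender as posted (no trailing accept) or with one added."""
    rules: List[Rule] = [
        ("deny", [lambda m: m.sender in SENDER_BLACKLIST],
         lambda m: f"Sender {m.sender} is blocked"),
    ]
    if trailing_accept:
        rules.append(("accept", [], lambda m: ""))
    return rules


def run_check_message(sender: str, size: int, score: float, authenticated: bool = False):
    """Return (verdict, headers added) for one constructed message."""
    msg = Message(sender, size, score, authenticated)
    verdict = evaluate_acl(check_message_rules(), msg)
    return verdict, msg.headers


def run_check_sender(sender: str, trailing_accept: bool) -> str:
    """Verdict of acl_check_sender for a constructed MAIL FROM address."""
    return evaluate_acl(check_sender_rules(trailing_accept), Message(sender, 1000, 0.0))


if __name__ == "__main__":
    for args in [("user@example.com", 2000, 16.0), ("user@example.com", 2000, 13.0),
                 ("user@example.com", 2000, 9.5), ("newsletter@example.org", 2000, 40.0),
                 ("user@example.com", 80_000, 40.0)]:
        print(args, "->", run_check_message(*args))
    print("acl_check_sender as posted:", run_check_sender("user@example.com", False))
    print("acl_check_sender with accept:", run_check_sender("user@example.com", True))
```

Running it shows the three score tiers from the ACL (deny above 15.0, the X-Exiscan-SA-Spam header above 12.0, the score header above 9.0), the bypasses that skip spamd entirely (whitelisted sender, authenticated client, message over 50k), and that a sender ACL consisting only of a deny rejects every non-blacklisted sender once it falls off the end.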