cpanel-spamming

Some measures to prevent spamming in a cPanel server

1. Change the default PHP5 handler to suPHP

2. Enable the option “Prevent ‘nobody’ from sending mail” in tweak settings

3. Set “The maximum number of emails each domain can send out per hour” to 500 in tweak settings

4. Configure the following options in the “Exim Configuration Editor”:

a) SpamAssassin™: Reject mail at SMTP time if the spam score is greater than this number. (Positive or negative, single decimal points allowed.) : 20

b) SpamAssassin™: Ratelimit hosts which transport messages with a spam score above this number. (Positive or negative, single decimal points allowed.) : 20

c) RBL: zen.spamhaus.org - ON

5. Add the following line to the Exim configuration file:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

This setting is useful for catching spammers who send mail through scripts.
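As an added example (not part of the original page), this Python script reads exim_mainlog lines written with the selector above and counts arrivals per hour by sender domain and by the script directory that +arguments records, so a compromised script or account bursting past the 500-per-hour limit from step 3 stands out. The log lines are constructed samples, and the field layout is assumed to follow Exim's main log format.

```python
import re
import sys
from collections import Counter

# Constructed sample exim_mainlog lines (not real traffic). With +arguments
# enabled, each local sendmail call is preceded by a "cwd=" line naming the
# directory the script ran from; arrival ("<=") lines carry P= and A= fields.
SAMPLE_LOG = """\
2024-03-01 10:00:01 cwd=/home/alice/public_html/uploads 4 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:01 1rXyz1-0001aB-Cd <= alice@example.net U=alice P=local S=812 T="Hi"
2024-03-01 10:00:02 cwd=/home/alice/public_html/uploads 4 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:02 1rXyz1-0001aC-Ef <= alice@example.net U=alice P=local S=812 T="Hi"
2024-03-01 10:00:03 cwd=/home/alice/public_html/uploads 4 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:03 1rXyz1-0001aD-Gh <= alice@example.net U=alice P=local S=812 T="Hi"
2024-03-01 10:05:00 1rXyz2-0002aA-Ij <= bob@example.org H=(pc) [198.51.100.7] P=esmtpa A=dovecot_login:bob@example.org S=2048 T="Invoice"
"""
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")
ARRIVAL_RE = re.compile(r"^(\S+ \d\d):\d\d:\d\d \S+ <= (\S+) (.*)$")

def parse_arrivals(lines):
    """Yield (hour, sender domain, cwd) per arrival; cwd is set only for P=local (script) mail."""
    last_cwd = None
    for line in lines:
        if m := CWD_RE.match(line):
            last_cwd = m.group(1)
        elif m := ARRIVAL_RE.match(line):
            hour, sender, rest = m.groups()
            cwd = last_cwd if " P=local " in f"{rest} " else None
            yield hour, sender.rsplit("@", 1)[-1].lower(), cwd
            last_cwd = None  # a cwd line explains only the arrival right after it

def hourly_counts(lines):
    """Count arrivals per (hour, domain) and per (hour, script cwd)."""
    by_domain, by_cwd = Counter(), Counter()
    for hour, domain, cwd in parse_arrivals(lines):
        by_domain[(hour, domain)] += 1
        if cwd:
            by_cwd[(hour, cwd)] += 1
    return by_domain, by_cwd

def over_limit(counter, limit):
    """Keys whose hourly count exceeds limit, busiest first."""
    return sorted(((k, n) for k, n in counter.items() if n > limit), key=lambda kv: -kv[1])

if __name__ == "__main__":  # usage: script.py [/var/log/exim_mainlog] [limit]
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 500
    for label, counter in zip(("domain", "script cwd"), hourly_counts(lines)):
        for (hour, key), n in over_limit(counter, limit):
            print(f"{hour}:00  {n} messages via {label} {key}")
```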

6. Append the following filters to the ‘/etc/antivirus.exim’ file, the central system filter for the Exim mail server, which lets you set up all kinds of filters to stop spam from coming into and going out of your server:

# START
# Filters all incoming and outgoing mail

logfile /var/log/filter.log 0644
## Common Spam
if

# Header Spam
$header_subject: contains "Pharmaceutical"
or $header_subject: contains "Viagra"
or $header_subject: contains "Cialis"
or $header_subject: is "The Ultimate Online Pharmaceutical"
or $header_subject: contains "***SPAM***"
or $header_subject: contains "[SPAM]"

# Body Spam
or $message_body contains "Cialis"
or $message_body contains "Viagra"
or $message_body contains "Leavitra"
or $message_body contains "St0ck"
or $message_body contains "Viaagrra"
or $message_body contains "Cia1iis"
or $message_body contains "URGENT BUSINESS PROPOSAL"
or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)"
or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
# "matches" is an unanchored regex: short alternatives such as "asu" and
# "seks" also hit ordinary words (for example "measure"), so review
# /var/log/filter.log for false positives.

then
# Log Message – SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
#fail text "Message has been rejected because it has triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"

# seen finish marks the message as handled and stops the filter, so it is
# dropped after being logged, without a bounce to the sender.
seen finish
endif

# END
# Filters all incoming and outgoing mail

# START
# All outgoing mail on the server only – what is sent out
# Note: $received_protocol is "esmtpa" for authenticated SMTP without TLS;
# authenticated submissions over TLS are logged as "esmtpsa" and are not
# matched by the conditions below.

#Check forwarders so it doesn’t get blocked
#Forwarders still work =)

## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from: contains "@citibank.com" or
$header_from: contains "@bankofamerica.com" or
$header_from: contains "@wamu.com" or
$header_from: contains "@ebay.com" or
$header_from: contains "@chase.com" or
$header_from: contains "@paypal.com" or
$header_from: contains "@wellsfargo.com" or
$header_from: contains "@bankunited.com" or
$header_from: contains "@bankerstrust.com" or
$header_from: contains "@bankfirst.com" or
$header_from: contains "@capitalone.com" or
$header_from: contains "@citizensbank.com" or
$header_from: contains "@jpmorgan.com" or
$header_from: contains "@wachovia.com" or
$header_from: contains "@bankone.com" or
$header_from: contains "@suntrust.com" or
$header_from: contains "@amazon.com" or
$header_from: contains "@banksecurity.com" or
$header_from: contains "@visa.com" or
$header_from: contains "@mastercard.com" or
$header_from: contains "@mbna.com"
)
then
logwrite "$tod_log $message_id from $sender_address is fraud"
seen finish
endif

## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from: contains "@hotmail.com" or
$header_from: contains "@yahoo.com" or
$header_from: contains "@aol.com"
)
then
logwrite "$tod_log $message_id from $sender_address is forged fake"
seen finish
endif

## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
#Paypal
$message_body contains "Dear valued PayPal member" or
$message_body contains "Dear valued PayPal customer" or
$message_body contains "Dear Paypal" or
$message_body contains "The PayPal Team" or
$message_body contains "Dear Paypal Customer" or
$message_body contains "Paypal Account Review Department" or

#Ebay
$message_body contains "Dear eBay member" or
$message_body contains "Dear eBay User" or
$message_body contains "The eBay team" or
$message_body contains "Dear eBay Community Member" or

#Banks
$message_body contains "Dear Charter One Customer" or
$message_body contains "Dear wamu.com customer" or
$message_body contains "Dear valued Citizens Bank member" or
$message_body contains "Dear Visa" or
$message_body contains "Dear Citibank" or
$message_body contains "Citibank Email" or
$message_body contains "Dear customer of Chase Bank" or
$message_body contains "Dear Bank of America customer" or

#ISPs
$message_body contains "Dear AOL Member" or
$message_body contains "Dear AOL Customer"
)
then
logwrite "$tod_log $message_id from $sender_address is phishing"
seen finish
endif

# END
# All outgoing mail on the server only – what is sent out

7. Ensure that the setting “Block outgoing SMTP except for root, exim and mailman” has been enabled in the CSF firewall, which prevents users from making direct socket connections to mail servers. With users unable to make direct connections, mail has to be sent via the system MTA (Exim), leaving a single place to deal with it.

-bash-3.2# grep SMTP_BLOCK /etc/csf/csf.conf
SMTP_BLOCK = "1"

8. Ensure that reverse DNS records are set to point the server IP address to its hostname.

These settings will help to prevent spamming from your server, but note that spamming may still occur in spite of all of them; it cannot be completely eliminated. Ultimately it is the responsibility of the users on the server to ensure that spamming does not occur. You will have to check your server regularly, apply timely updates to the software and applications installed on the system, identify potential spammers and block them, and suspend the domains that cause extensive spamming at a given time.