ASSP & ASSP Deluxe for cPanel (notes, articles, and post installation FAQs)

Updated May 19 2009

 

 

ASSP Deluxe for cPanel post-installation steps  ( #16 )

I strongly recommend you to apply carefully following steps right after the installation ;
these steps (0-13) reduce possible "false problems" for you (admin) and for your clients .

0)   ASSP (ASSP = Anti Spam Smtp Proxy) works like an smtp proxy before EXIM  ; each time you need to analyze a problem always remember how works ASSP

So, each time you need to analyze an email problem first check if the problem is on ASSP using commands like this

# tail -60000 /usr/local/assp/maillog.txt | grep "email"
or
# tail -60000 /usr/local/assp/maillog.txt | grep "ip_address"

and , If the problem is not on ASSP then check the exim maillog with a command like this

# tail -60000 /var/log/exim_mainlog | grep "email"
or
# tail -60000 /var/log/exim_mainlog | grep "ip_address"

You can monitor ASSP running in this way

# tail -f /usr/local/assp/maillog.txt

1)  After the installation, and for the first 12/24 hours ASSP is running execute this often

# cd /usr/local/assp;/usr/bin/perl /usr/local/assp/rebuildspamdb.pl

You can execute this command also using the WHM ASSP interface. (REBUILD SPAM DB) . Each time you execute this ASSP Bayesian filter learns what is good and what is bad . If you followed carefully the "HOW TO", you should have already set a cronjob to execute rebuildspamdb.pl each 24 hours. Only in the first hours of usage you should execute it more often, so the ASSP Bayesian filter can learn better and faster.

In the first days/hours some  good email could be blocked for spam incorrectly (false positives) . It happens especially because your spamdb is new and you should give some guideline to ASSP Bayesian filter.  If spambox is enabled these email are not lost and following steps will strongly reduce this problem in the first days of usage;

Invite your users to read/check the spambox and to report (forward) the email as good (or as spam). Spambox can be read in several ways. This can be done sending email to asspblock@userdomain.com , reading spambox using pop3 , imap , webmail (Horde,Squirrel,Roundcube), or ASSP Deluxe cPanel frontend . You should simply invite the client to read the HELP, WHITELIST and SPAMBOX button , on the cPanel frontend so he can learn how to use spambox , how to  report email , how to whitelist email or domain names.

Once the user is able to read the spambox and he find a good email in spambox he should forward the email to assp-notspam@clientdomain.com , so ASSP can correct the error and learn better and faster.  In the same way the user can report a SPAM found in his inbox , forwarding the SPAM to assp-spam@clientdomain.com . It's all explained on the client ASSP Deluxe cPanel frontend.

If this easy procedure can't be done by the client for some reason, you can do this for the client as admininstrator. Go to ASSP WHM and open the SPAM ANALYZER. Here you can search the email which was blocked , using [R] you can resend the email to user inbox , and using NOTSPAM button you can help ASSP to correct the error .  As admininstrator you can also whitelist the email or the ip address (or add it No Processing Domains or NO Processing Addresses) using the ASSP Web interface  .

Another good idea to reduce problems with false positive is to invite your users to use assp-white@clientdomain.com to whitelist their email customer list.  Even if ASSP automatically creates the whitelist In this way ASSP create a good whitelist faster and it could strongly reduce false positves in the first days. The users can read how to use assp-white in the ASSP Deluxe frontend , HELP and WHITELIST buttons .

 

2) Enable the "ASSP SCORING MODE" using the ASSP WHM interface . Optional step ,  strongly recommended because it increases significantly spam detection , strongly reduces false positives , increasing EASY OF USE for your clients .

     Advantages :
      - clients have only few SPAM filters on their cPanel , less confusion , easy of use
      - very good SPAM detection and reduced risk to lose a good email

Once you have enabled ASSP SCORING MODE you may/can analyze what's happening on ASSP maillog

# tail -f /usr/local/assp/maillog.txt 

Any "message ok" is a message accepted which will passed to exim. Any "[spam found]" is a message rejected by ASSP scoring mode, for example ;

Apr-16-08 01:38:34 190.50.185.143 <cx@spam.com> to: user@myserver.com [spam found] (MessageScore 48, limit 40)

If you activate the SPAMBOX (see the steps below) the blocked spam will go on the client spambox .


3) Delaying (also known as greylisting) filter permits to block more SPAM (if required) , however it has 2 negative points ;
      -it's behavior could create big confusion to unexperienced users
      -the email rejected due to delaying filter cannot be retrieved using the SPAMBOX@ plugin.

For these reason "turn off"  , for all users , Delaying filter  using the "ASSP DOMAIN CONFIG" in your WHM ASSP Deluxe interface  .  The client can/will decide if it's the case to turn delaying filter ON using his cPanel frontend .  
 
IMPORTANT : Set also delaying off by default using the "DEFAULT SETTINGS" > FILTER STATUS DEFAULT SETTINGS  on your WHM ASSP Deluxe interface , so that new hosting clients will receive delaying off/disabled automatically .

4) Read all the HELP included on ASSP deluxe cPanel frontend (HELP button near the Change Language drop down).
Read how to use the ASSP email interface to report false positives or spam ( assp-spam@ assp-notspam@ .....) and  also this article .  Invite your clients to read documentation included . Read carefully how works the "no local address spam filter".

 

5) Remember that ASSP never blocks or "spam filters" a LOCAL email , so if a local user can't send
     an email please read this .

The correct way to send email with ASSP is always using
smtp   mail.clientdomain.com  plus smtp auth ON

ONLY using this way ASSP will not consider the local users as remote . ONLY using this way ASSP will never block a local email and will able to build an efficient Bayesian filter.  The client can send email on port 25 or the alternative port 26 (by default) .  The alternative port is already configured on ASSP Web interface and it should NOT configured on WHM > Services .

If the isp blocks port 25 and 26 and the client can't send email ,  simply set an uncommon alternative port  for example 56384  instead of default 26.
Open the ASSP Web Interface (http://your_server_ip:55555) > Network Setup > Second SMTP Listen Port (listenPort2)  and enter  56384 , save settings.
Be sure to allow the port 56384  TCP IN/OUT Open the port  on your firewall. Now invite the client which is not able to use port 25 to send email on smtp port 56384 . The isp will not block this uncommon port  and your client will be able to send email correctly using smtp  mail.clientdomain.com .  
 

6) . (#.6) optional ( strongly recommended ) ,enable the SPAMBOX@ plugin using WHM ASSP, so your clients can easly track false positives , no rejected email will be lost , and the client can report false positives as good using the ASSP Email Interface (assp-notspam@clientdomain.com) : if you completed point 4) you already know how works the ASSP Email Interface .
NOTE THAT YOU CAN USE A NOT REGISTERED DOMAIN NAME to set your spambox plugin. The main spambox domain MUST NOT BE a reseller account and it can't be your hostname . The main spambox domain must have CGI functionalities . When you enable the spambox plugin you will see other features on your ASSP WHM ; you will be able to enable/disable imap spambox per domain , and you will be able to enable/disable spam daily reports. Also the client will have a new button/functionality on his cpanel frontend (SPAMBOX near the "change language" dropdown) where he can receive help and disable/enable each spambox feature.

Are you lost installing SPAMBOX ? Try following 3 minutes installation

7) avoid to change countless settings on ASSP web interface ( http://yourip:55555 ) . I can guarantee/support  the usage of ASSP and ASSP Deluxe only if you use my default configuration.  Of course you can use ASSP Web interface to whitelist a domain , unprocess a domain , spamtrap and email , change ASSP scoring and so on . Avoid to change something like smtp settings , spamlovers , or other core settings,  and you will not have problems.
 

8) There is no need to uninstall ASSP if you have a temporarly problem and you want return temporarly to the cPanel way. 
    Learn how to disable temporarly ASSP in case of problems which you can't solve ;
    http://www.grscripts.com/howtofaq.html#20 
   
9) .ASSP uses DNS very often to executes antispam checks. If your DNS is slow you should fix your
/etc/resolv.conf  . You can test your DNS speed using following ASSP Deluxe for cPanel command

# cd /usr/local/assp/deluxe;/usr/local/cpanel/3rdparty/bin/php-cgi dns_check.php

The test will be completed in about 1 minute .

10)  I recommend you to read carefully all other FAQs on this page when you have some time or each time you have a problem

11) To block more spam as possible you can always find latest/updated ASSP recommended settings and tweakings in this page .
 

12) Recommended articles

                                  

13) If you have ASSP installed on more than 1 server , I recommend to whitelist all the ips of your ASSP servers
      Open the ASSP web interface > Whitelisting/Redlisting menu > Whitelisted IPs
  

14). If in the ASSP usage you will experience big delays to send email or smtp timeouts sending email these could be due only to 2 reasons (#14) ;

a) server DNS slow
b) server under heavy email attack (number of ASSP smtp sessions is too high to be supported) .

Case a) . Check your server DNS speed using  the command already discussed above at point/step 9)

# cd /usr/local/assp/deluxe;/usr/local/cpanel/3rdparty/bin/php-cgi dns_check.php

If you receive VERY GOOD or EXCELLENT dns speed , there is no problem in your DNS. If you receive lower result speed , you should otpmize your /etc/resolv.conf and you should be sure your DNS is caching results. Each time you tweak /etc/resolv.conf , restart your DNS and try the DNS speed check again. When you will receive VERY GOOD or EXCELLENT results you should stop to experience smtp timeouts to send your email. If you have still problems your server is probably under a huge email attack in this case read the next case b) below.
 

Case b)  Exactly when you are experiencing delay to send email (or smtp timeouts to send email) , open your ASSP WHM and click the SMTP CONN button . If you see a lot of* simultaneos smtp connections your server is under an email attack which your server is not able to support .  Using

/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php

you can understand which are accounts most bombarded . Now to reduce the attack you may ;
- Be sure the "no local filter" is enabled for at least your 5 most bombarded accounts .
- Configure a more aggressive bad ip collection using  find_abusers.php .
- Configure a very aggressive bad ip collection using  find_abusers.php per domain (dm=)
   or better per domains using dm=file (recommended and efficient).
- Open ASSP Web Interface > IP Blocking menu > and set  maxSMTPipConnects to 1 and maxSMTPdomainIP to 1. Save settings.
- You may consider to move your most 1-3 bombarded accounts on another server , or consider to use a remote MX service
  for these accounts .
- Only if ASSP restarts frequently try using following cronjob to monitor ASSP status

*/4 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php long=1

- if you want accept traffic only from some country, open ASSP Web Interface > sender base menu and set  
"Do Country Blocking" to block and CountryCodeBlockedRe to all and in Ignore Country Codes (NoCountryCodeRe) enter all the countries from which you want receive email (separated by a pipe | ) for example  US|FR|ES|IT

- If after these steps you are still experiencing timeouts/big delays to send email open ASSP Web interface , go to SPF/SRS menu , and set "Enable SPF Validation (ValidateSPF)" to disabled ; now go to URIBL menu and set  "Enable URI Blocklist Validation (ValidateURIBL)" to disabled ; now go to DNBL and set "Maximum Time (RBLmaxtime)" to 5; now go to SMTP Session Limits menu and set   "Maximum Sessions Per IP Address (maxSMTPipSessions)" to 4 and "SMTP Idle Timeout (smtpIdleTimeout)" to 20. Save ASSP settings . Now go to ASSP WHM > SCORE settings and increase a little score for Bayesian and RBL.

- If after these steps you was not able to cut at least 40%-60% of your bad smtp connections and consequently you are still experiencing timeouts to send email , you should configure deeper your ASSP settings or you should upgrade your server hardware or you  should move most bombarded accounts towards another server .
If you need professional and fast support to reduce the attack you may consider my services.

a lot of* = for an old server about 20-30 smtp sessions
               for a new powerful server about 30-50 smtp sessions
               for a monster server about 50-70 smtp sessions

Case a) and b)  . Sometime I found servers which are under attack and the dns is slow too ; in this situation you should first fix the dns issue then you should configure ASSP to limit the attack (as explained above).

14) Subscribe to ASSP Deluxe for cPanel Mailing List to be notified in case of important updates (you can subscribe below)

15) Before upgrading always read carefully the changelog

 

 

FAQs

Which is the required cronjob to use ASSP ?  ( #04 )

only this 

10 4 * * * cd /usr/local/assp;perl /usr/local/assp/rebuildspamdb.pl

Which are required cronjobs to use ASSP Deluxe for cPanel  ?  ( #0002 )

If you followed the how to , you have already set cronjobs as required , here you can
read again more info about required cronjobs .

following 2 cronjobs are required to mantain your list of local email updated

*/59 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php
*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/update_email.php

following cronjob is required to mantain a list of bad ips (please be sure to enter it on a single line)

*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=12 sc=32 er=13 lm=13 dc=25 rl=20 on=1

following cronjob is required to restart ASSP automatically ASSP if it crashes

*/1 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php

following cronjob is required for a better spam detection using clamd (more info)

30 7 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/signatures.php

If you don't want receive email notification each time these cron executes enter them at the end of your cronjob list in this way (please avoid the "> /dev/null" solution , since it DOES NOT work with these scripts.)

MAILTO=""
*/59 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php
*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/update_email.php
*/1 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php
*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=12 sc=32 er=13 lm=13 dc=25 rl=20 on=1
30 7 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/signatures.php
MAILTO=root 

If you install the SPAMBOX@ plugin you should use also

*/5 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/spam_cronjob.php
26 3 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php 

Also for these 2 cronjobs if you do not want receive email notifications put them between  MAILTO="" and
MAILTO=root.

what are spam_cronjob.php and clear_spambox.php ?
spam_cronjob.php is required to use spambox@ .   clear_spambox.php run each day , removing @spambox email on all your user accounts older than 7 days (by default 7 days) . If you want change the default (7 days) you should enter the cron in this way

10 4 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php sday=n

and replace n with your days. For example ...

10 4 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php sday=15

removes spambox@ emails on all your user accounts older than 15 days.

Which are required cronjob to update clamav antivirus signatures ?

following cronjob  mantains your clamd signature file updated . You can execute it daily.

10 12 * * * /usr/bin/freshclam --quiet --daemon-notify

I am receiving licensing errors , what to do now ?

Go to console and try executing this

# cd /usr/local/assp/deluxe
# wget -r -nH --cut-dirs=10 http://www.grscripts.com/assp150/deluxe/license.deluxe
# mv -f license.deluxe license.php;chmod 755 license.php

Do you support secondary home locations ?  [#89]

yes , the secondary home location (i.e. home2) is automatically detected. Only please be sure to set *exactly * the secondary alternative home location on WHM > "Basic cPanel/WHM Setup"  > "Home Directory Prefix".  For example if your seconday home location is /home2 you should enter home2 .

 

How to monitor assp status ( #19 )

If you followed the how to , you should are already monitoring assp status using status.php cronjob.
You can read more info  here.

How to change/customize language or html for your ASSP deluxe for cPanel frontend ?

By default the ASSP Deluxe cPanel frontend will use the english language . If you want use another language style or if you want change something on the html layout please read here .

How can I turn off ASSP filtering for some accounts ? ( #71 )

If you followed the post installation step you should have already  ASSP scoring ON on your ASSP Deluxe WHM interface. 
By default your clients have following filters (on ASSP Deluxe cPanel frontend)

assp scoring   
delaying           
no local
antivirus

by default your clients can't turn off ASSP scoring  , however you can allow them to turn ASSP scoring OFF or ON using

ASSP WHM> ASSP SCORING MODE > ENABLE ASSP SCORING MODE USER CONTROL

Once you have done this step, the client can turn off/on also "ASSP Scoring" using the ASSP Deluxe cPanel frontend , and you can do that too using

ASSP WHM> ASSP DOMAIN CONFIG > Score

If you would FULLY disable ASSP for a client domain (antivirus included) you should put "domain.com"
on

ASSP 1.3.5 5.0 and below
ASSP web interface > SPAM Lover/No Processing >No Processing Addresses* /(noProcessing)/

ASSP 1.5.1.2  (and 1.3.9 and 1.4.4 and 1.5.1)
ASSP web interface > No Processing >No Processing Addresses* /(noProcessing)/

 

If your client CAN'T SEND email OR receive 530 Relaying not allowed errors  ( #00001 )

Common problems if your client can't send email

A)  If your client can't send email, could be due to your "SMTP AUTH status" on your assp WHM interface
 

B)  The client can't send email omn port 25 (using smtp mail.clientdomain.com)  ; probably his isp is blocking port 25 invite the client to use the alternative port (by default 26) or set an uncommon alternative port if also port 26 is blocked by his isp. (read post installation steps point 6 for more info)

C)  If your client can't still send email, check if the client domain name is listed on /etc/localdomains or
     if it's incorrectly listed on /etc/remotedomains


D) if after these points the client can't send email

     - ask to the client his ip address
     - check why ASSP is blocking him in this way

       #  tail -100000 /usr/local/assp/maillog.txt | grep "ip_address"

What could be happened ... ;

- probably the client was/is using his ISP smtp to send email (if the his ISP mailserver is misconfigured or listed on some RBL ,
  ASSP could penalize the IP) .
- probably the client is/was not sending email correctly and ASSP is returning relay errors.

How to solve the problem ?

invite the client/all your clients to send email correctly , the correct way to send email  is ...
You (admin) should set  SMTP AUTH ON (using ASSP WHM)

The client should use following settings to send email
=====================
smtp mailserver : mail.clientdomain.com plus smtp authentication ON   smtp port 25
=======================

If their isp is blocking oprt 25 invite the client to use the alternative port (by default 26) or set an uncommon alternative port if also the port 26 is blocked by his isp. (read post installation steps for more info) .


E)  If after all these points the client can't send email,  ask the client ip , and execute this

# tail -100000 /usr/local/assp/maillog.txt | grep "ip_address"

Send me the results clicking here for support.
 

What should I do when I transfer an hosting account on a server running ASSP Deluxe for cPanel (45)

each time you transfer an account from another server you should execute

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php

in this way the email/domain for the transferrred account will be immediately available for ASSP usage.
Otherwise they will be available in max 59 minutes ( ex_localdomains.php cron execution )

 

How to move "assp deluxe for cpanel" from an old server to new server (#34)

You should follow these steps to move "ASSP Deluxe for cPanel " from an old server to a new server.

You can follow 2 ways/procedures (A and B)

Procedure A (expert , faster way) ::
The faster/expert/better to migrate ASSP between 2 server is ;

1) email me and provide me OLD server ip and NEW server ip . I'll reply you when your ASSP Deluxe license will be updated
    (usually in 12/24 hours). There is no fee to change your licensed server ip.

When the new server ip will be licensed follow these steps ;

2) install ASSP on new server and leave it stopped ; rsync from old to new server all your old ASSP , for example
    in /usr/local/assp/old . Then, execute this on your old server , and replace 209.xx.xx.xx with your new server ip .

# rsync -av ssh /usr/local/assp root@209.xx.xx.xx:/usr/local/assp/old

Then using # mc (mc=midnight commander; you can install it in this way  # yum install mc ) move from /usr/local/assp/old to /usr/local/assp  , /spam and /notspam folders ,whitelists , spamdb , assp deluxe settings ..

3) Start ASSP on new server , rebuild the spamDB.


Procedure B (easy , slower way) ::
1) Move hosting accounts from old server to new server using WHM .
2) email me and provide me OLD server ip and NEW server ip . I'll reply you when your ASSP Deluxe license will be updated
    (usually in 12/24 hours). There is no fee to change your licensed server ip.

When the new server ip will be licensed follow these steps ;

3) STOP ASSP on old server using this procedure
4) Install "ASSP Deluxe for cPanel" on the new server following the HOW TO
5) STOP ASSP on new server using this procedure
6) Move following files and folders (from old server to new server)
  
/usr/local/assp/whitelist
/usr/local/assp/spamdb.helo
/usr/local/assp/spamdb
/usr/local/assp/red
/usr/local/assp/assp.cfg  (move this file is you want restore assp settings from old server)

/usr/local/assp/files/ipnp.txt
/usr/local/assp/files/ipwl.txt
/usr/local/assp/files/blackdomains.txt
/usr/local/assp/files/whitedomains.txt
/usr/local/assp/files/redre.tx
/usr/local/assp/files/bombre.txt

/usr/local/assp/deluxe/
/usr/local/assp/deluxe/assp_catch_all
/usr/local/assp/deluxe/per_domain_frontend_status
/usr/local/assp/deluxe/frontend_status
/usr/local/assp/deluxe/assp_default
/usr/local/assp/deluxe/*_spam_lover  (all _spam_lover files)

finally move these folders
/usr/local/assp/spam
/usr/local/assp/notspam

7) Re-enable ASSP on new server using this procedure
8) Now open WHM ASSP Deluxe interface on new server and enable ASSP SCORING MODE , and SPAMBOX (if these services/plugins were enabled on old server too) .
 

How to allow a remote MX ? ( #36 )

If you have some user using remote MX , you should put the ip address of their remote mx server on ISP/Secondary MX Servers .
Open the "ASSP web interface" go to "Relaying menu" , "ISP/Secondary MX Servers" ,  and click edit file , then add  the remote ip and Save. 
NEW : with assp deluxe 2.8.0 and above,  the cronjob ex_localdomains.php take care of this automatically .

I messed up my assp.cfg what to do now ?  ( #08 )

To reinstall a working assp.cfg execute this

STOP ASSP using ASSP WHM. Now from console execute this

# cd /usr/local/assp;wget -r -nH --cut-dirs=10 http://www.grscripts.com/135_50/assp.cfg
# pico assp.cfg

...and replace the first 5 lines ;

webAdminPassword:=nospam4me
EmailAdminReportsTo:=email@youremail.com
EmailFrom:=email@youremail.com
SpamError:=500 Mail appears to be unsolicited -- send error reports to email@youremail.com

as follow....

a) email addresses
    replace email@youremail.com 
    with your email address
b) change the default assp web interface password (nospam4me) with a new password
     webAdminPassword:=nospam4me

replace email@youremail.com  with your email address .  Your email address should be a local email , I recommend the usage of   root@yourhostname.com (of course replace yourhostname.com  with your hostname . 
You can get know your current server hostname simply executing

# hostname

 

Save settings , now START ASSP using ASSP WHM.

Now force an ASSP upgrade to any supported version (even if you already have latest version) and be sure to allow overwriting of your assp.cfg .

Finished , now you have reset your assp.cfg and all should work correctly.
 

I'm using "ASSP scoring mode ON" but I am still receiving some spam ....

If few spam is passing , first be sure you followed the post installation steps . If spam is still passing after this step , copy the spam (email header included) , and paste it inside a myspam.txt file ; repeat this step for min 10 received spam . Now save the file, compress/zip the  myspam.txt file and send it to this email

 

How can we whitelist email address or a full domain name @domain.com ?  [#51]

The user

1) Using the assp email interface : the user should send an email to assp-white@clientdomain.com (to whitelist an email)    

Assuming that your local-domain is mydomain.com,
To add email addresses or full domain names to the whitelist, create a message to assp-white@mydomain.com.   You can either put the addresses in the body of the message,
or as recipients of the message.  The email should be sent using smtp auth ON (email client) ; after few second the user should receive an email notification.
Note that the whitelist is rebuilded each 24 hours (rebuildspamdb.pl cronjob)

2) each time your user send an email to someone , the email will be whitelisted automatically, so
    the user should never reply to a spammer.

Starting with ASSP version 1.3.5 the user can also whitelist a full domain name.
the user should send an email to assp-white@clientdomain.com and he should put 
_ALL_@domain.com on the body of the message (where domain.com is the domain name to be whitelisted)

The server admin
The server admin can whitelist full domain name (@domain.com) and/or email addresses.

As admin you can use points 1) and 2) and if you open the  ASSP WEB INTERFACE (port 55555),  Whitelisting menu , you have a several options and especially ;

Whitelist Domains and ips
set Regular Expression to Identify Non-Spam

The whitelist file is stored on /usr/local/assp/whitelist .

mailing list email extraction (mailman problem)

The /user/local/assp/deluxe/assp_local_email file contains all your local/server email (email forwarders and mailing lists included) . If some mailing listing is not working (ie. test@youdomain.com) and you cannot find test@youdomain.com on your assp_local_email flat file , execute this to fix the problem .

# /scripts/fixmailman
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php

Antivirus and attachments [#41]

With default ASSP antivirus/attachment configuration following attachments are not allowed (cannot be received)  

ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]

Please note that ad[ep] means .ade and .adp ,  ba[st] means .bas and .bat and so on ...

You can receive these attachments only if they are compressed using .zip

Infact if anyone try to send your assp server above attachments the sender receives following error
500 These attachments are not allowed -- Compress before mailing.

Following extensions are allowed
ai|asc|bhx|dat|doc|eps|gif|htm|html|ics|jpg|jpeg|hqx|pdf|ppt|rar|rpt|rtf|snp|txt|xls|zip

You can change these settings using your ASSP Web Interface as required.

 

ASSP is not detecting virus..

open your /etc/clamd.conf file using pico and check the line
LocalSocket /var/clamd
if you have something different from /var/clamd open the ASSP Web interface and
change /var/clamd with your LocalSocket value. Apply the settings and restart ASSP.

uninstall xinetd service

Since the xinetd is not required by cPanel and ASSP , and if you have a firewall running on your server (or firewall hardware), I suggest you to stop xinetd service and to remove it from startup programs in this way

service xinetd stop
chkconfig --del xinetd

What is the delaying filter ?!

Delaying/greylisting is another powerful ASSP feature to fight spam .

How does work the  DELAYING filter ?
As explained also on the ASSP Deluxe cPanel web interface (HELP button) Delaying is a method of blocking significant amounts of spam at the mailserver level .This method is also called "Greylisting".
Delaying works on the idea that a correctly configured SMTP server will always attempt re-delivery of an email message if it gets a soft failure.
How does it work exactly ? When someone send an email to our server (and you or your client have the delaying filter enabled), ASSP will return a 451 error (soft failure) which requests deliverly again later. If the sending mail server is correctly configured it will reattempt deliver in X number of minutes. (it depends upon his configuration) . If the sender mail server waits and redelivers , the triplet (email address, domain,IP) gets whitelisted (delaying whitelist) and you'll receive the email .
When will you receive the email ? If the mail server is configured correctly you should receive the email after min 5 minutes (default embargo time) and max 28 hours (default wait time)  . If the Spammer mailserver doesn't reattempt the deliver (and the spammers usually do not reattempt the deliver) the email will be rejected after the wait time (28 hours) and you'll never receive the spam message.

May I lose some valid email ? Only if the sender (mailserver sender) is not configured to reattempt the deliver the email will be rejected. If the client can see some valid email on his delaying Log page he can still whitelist the email using the REPORT button.  

By RFC, all mailservers have to retry the delivery.

Negative points related to the delaying filter ;

      delaying filters has the following negative points ;

      -it's behavior could create big confusion to unexperienced users    
      -the email rejected due to delaying filter cannot be retrieved using the SPAMBOX@ plugin.

For these reasons I strongly recommend "turn off"  , for all users , Delaying filter  using the "ASSP DOMAIN CONFIG" in your WHM ASSP Deluxe interface  .  The client can/will decide if it's the case to turn delaying filter ON using his cPanel frontend .  
 
IMPORTANT : Set also delaying off by default using the "DEFAULT SETTINGS" > FILTER STATUS DEFAULT SETTINGS  on your WHM ASSP Deluxe interface , so that new hosting clients will receive delaying off/disabled automatically .

 

Using the "ASSP Email interface" .

As you have probably already read on ASSP documentation the "ASSP Email inteface" is a powerful ASSP feature which permits to add or remove email to the Whitelist, report Spam, or false-positives improving the Bayesian filter.  For example the "R" button that you can see on the "ASSP deluxe for cpanel" log pages uses the ASSP email interface to report false positives. Some user could report you that is not able to forward a spam message to  assp-spam@clientdomain.com . ASSP email interface (assp-spam@clientdomain.com assp-white@clientdomain.com and so on) accepts reports only if the sender client uses smtp auth on  (only from smtp authenticated users).

Horde, Squirrel and Roundcube  are automatically configured by ASSP Deluxe for cPanel to use the ASSP email interface (thanks to Steve Hollar for Horde and Squirrel tweaks).

 

We are getting the following error "Bayesian spam database is small or empty: '/usr/local/assp/spamdb'"

This error happens on the first hours of ASSP usage . It's normal since ASSP has still to build it's database. You can remove this error running following command for 2 or 3 times

cd /usr/local/assp;/usr/local/assp/rebuildspamdb.pl

Otherwise this error will be automaticaly fixed when the rebuildspamdb.pl cronjob will run (each 24 hours).
 

How to find and release good messages ? How does work spambox@ ?
Clients have been asking - how do they retrieve legitimate messages that have been rejected by ASSP ?

First of all you should activate spambox@ using  the assp WHM web interface.
Then to release a good message your client should use spambox @ pop3 ; or your client can check the /spambox imap folder to read all received spam (and report false positives to assp-notspam@clientdomain.com)

You , server admin , should activate the  ASSP Deluxe for cPanel SPAMBOX@ plugin using WHM assp web interface. 

If you (server admin) activate the assp deluxe for cPanel SPAMBOX@ plugin
the SPAMBOX@ plugin redirects all rejected spam(*) to  spambox@clientdomain.com  , only if the client creates a spambox@clientdomain.com email AND always to the /spambox imap subfolder of each email user .


Some example

a) Using spambox@domain.com pop3
If your client creates spambox@domain.com (pop3 account) all spam sent to @domain.com will reach
spambox@domain.com .

Now if the client login on his pop3 account spambox@domain.com he can see all the spam which reached his domain name @domain.com  . If he see a false positive (good email) he can forward (or forward as attachment , better) the email to the destination contact , for example test@domain.com .
He can check spambox@domain.com such as any other email account on his server , using his email client , horde or  squirrel.

b) Using imap
ASSP deluxe spambox@ sends all the received spam also to each account on your server (exactly to the /spambox imap folder of each email account).
For example if the owner of  test@domain.com checks the email using imap (using an imap email client such as Thunderbird or webmail Horde), if he received some spam , he can find the spam on the  /spambox imap folder.  If no /spambox imap folder exists it means that test@domain.com received no spam . If the owner of test@domain.com see a valid email on /spambox he can forward this email to assp-notspam@domain.com , and it will be never blocked. Or he can simple reply to the email , and assp will never block it again.

3) Using webmail
Using webmail Horde , Squirrel , and Roundcube the user can check the spam reading the /spambox folder.
Horde detects the /spambox folder automatically (after the first spam received) . On Squirell  and horde the user should subscribe
the /spambox imap folder (there are easy instruction on ASSP Deluxe cpanel frontend).  If the owner of test@domain.com see a valid email on /spambox he can forward this email to assp-notspam@domain.com , and it will be never blocked (or he can simple reply to the email , and assp will never block it again). Using Squirrell the user can also move to INBOX the false positive contained on /spambox (!)

 

Is my Antivirus clamAV working fine ?

You can execute 2 checks ;

1) restart exim from command line while assp is running 

service exim restart

The line

Starting clamd: [ OK ]

should not report errors.

2) Open the ASSP Web interface (port 55555)

Click on infostat (left menu)
Click on Module Add-ons

You should see a line like this
File::Scan::ClamAV              1.8                     CPAN

If instead of ClamAV version you see an error your clamd antivirus is NOT working .
 

Do I need to create email addresses assp-white@client.com ?

NO !. ASSP will parse these emails automatically . It's the ASSP Email Interface feature ; if you followed my HOW TO the Email Interface is enabled by default . 


Only smtp authenticated users will be able to use the ASSP Email Interface .

 

How to edit the ASSP whitelist  ?  ( #74 )

There is no way to see/edit the whitelist used by ASSP using ASSP Deluxe or ASSP web interface because the list
is created dynamically by ASSP.  For example each time you send an email , ASSP automatically whitelist each email destination .
Also each time you use assp-notspam@ (and assp-white@ of course) , assp whitelist the emails .
For this reason the whitelist file should not be edited , but you should act with it using assp-white@ assp-notwhite@ assp-notspam@ and so on... . As admin you can also use the whitelist menu on ASSP web interface of course.

If you want see the whitelist

# cat /usr/local/assp/whitelist
or
# pico /usr/local/assp/whitelist

for the reason explained above I do not suggest you to edit the whitelist file.

 

How to disable ASSP temporarly ?  ( #20 )

If for some reason (for example you have an email problem and you don't know if the problem is related to assp,exim or your firewall) you need to disable ASSP temporarly and you want use only exim (standard cPanel usage) you should  follow these steps ;


If you have using ASSP WHM 4.0.0  (or above) and ASSP Deluxe 3.1.5 (or above) skip point 1)
 

1) First we should be sure that ASSP will not restart automatically. If you are using  the status.php cronjob , comment it (# crontab -e and comment status.php line). If you are using ASSP MONITOR  open WHM then select Service  Configuration > Service Manager and uncheck assp service.

 

2) STOP ASSP using WHM ASSP (do not stop it from command line/console).

3) Open WHM , Exim Configuration Editor , then select Advanced Editor

On the first box comment this line (add a #) on the first box

# local_interfaces = 127.0.0.1.125

or these 2 lines (if you are using daemon_smtp_ports)

# local_interfaces = 127.0.0.1
# daemon_smtp_ports = 125

4) Save exim .

Exim now is working without ASSP , normal cPanel usage.

To re-enable ASSP which was temporarly stopped  .....

1) Open WHM , Exim Configuration Editor , then select Advanced Editor

On the first box un-comment the line on the first box  (remove the #)

local_interfaces = 127.0.0.1.125

or un-comment following 2 lines if you are using daemon_smtp_ports (remove the #)

local_interfaces = 127.0.0.1
daemon_smtp_ports = 125

2) Save exim .  If exim does not re-start now ,no worry , is normal.

3) START ASSP using WHM ASSP .

4) RESTART exim using WHM (it should re-start without errors)
 

If you have using ASSP WHM 4.0.0  (or above) and ASSP Deluxe 3.1.5 (or above) skip point 5)

5) re-enable the ASSP monitor cronjob (crontab -e) uncommenting the line ..

*/1 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php

 

I'm receiving  "Server replied: 111 Can't open SMTP stream" using Squirrel/Horde

The problem is not related with ASSP . You should find the problem on your firewall. Be sure you have  port 25 TCP IN/OUT  and 125 TCP IN opened . Also your alternative port (26 i.e.) should be opened.

My client domain cannot receive email and it's receiving a "relay attempt blocked" error. ( #57 )

Check if your client domain is listed correctly on /etc/localdomains (or if it's listed incorrectly on /etc/remotedomains) .
If no, add the client domain name to your /etc/localdomains file (#pico /etc/localdomains)  . Restart ASSP using the WHM assp web interface. It fixes the problem. If the problems does not fix check also if the client main domain is listed on /etc/trueuserdomains . 

how to bypass ASSP ? ( #56 )

if you want disable ASSP fully for a LOCAL domain name ,
open ASSP Web interface > spamlover >
and add your domain to "No Processing Addresses* /(noProcessing) " , Save .

If you want fully disable ASSP for a REMOTE domain sender
open ASSP Web interface > spamlover >
and add your domain to "No Processing Domains* (noProcessingDomains)", Save.

With ASSP 1.4.4 and above versions also the asspof@ and asspon@ are available on ASSP Web Interface (email interface menu) (more info).

ASSP restarts often , or eats a lot of cpu , what to do ? ( #10 )

It should not happen if you are using 1.3.9 or above versions  . If it happens , be sure you are running latest versions of each scripts (using assp WHM web interface) and check if your server is under ddos email attack.

exim restart often , what to do ?

exim restarts are not due to ASSP .  You may try this

/scripts/eximup --force;/etc/rc.d/init.d/assp stop
/etc/rc.d/init.d/exim restart;/etc/rc.d/init.d/assp start

If after this step exim has still problems you can disable temporarly ASSP in this way
http://www.grscripts.com/howtofaq.html#20 , then open a ticket with cPanel and ask to have exim fixed.

Are you running out of disk space on /usr ?

First of all you can delete all old assp logs in this way

cd /usr/local/assp
rm -f *.maillog.txt

If you have still disk space problems you can create a symlink for /usr/local/assp/spam and /usr/local/assp/notspam

Suppose you want symlink data from /usr/local/assp/spam to /home/spam and from from /usr/local/assp/notspam to /home/notspam

STOP ASSP using WHM then execute this

# mv /usr/local/assp/spam /home/spam
# mv /usr/local/assp/notspam /home/notspam
# ln -s -f /home/spam /usr/local/assp/spam
# ln -s -f /home/notspam /usr/local/assp/notspam

Now START ASSP using WHM .
Done.  You should not have more disk space problem on your /usr partition due to assp.

socket bind() to port 125 ?

If you are receiving this error when you start assp (exim maillog)
2007-04-16 10:42:22 socket bind() to port 125 for address 127.0.0.1 failed: Address already in use: daemon abandoned
you can ignore it.

ex_localdomains.php (some useful command for advanced users)

ex_localdomains.php creates an updated list of email/forwarders/domains/subdomains of your server .
Email are stored on /usr/local/assp/deluxe/assp_local_email , domain names are stored on assp_local_domains . It executes also some other important check (i.e. it checks default assp per domain configuration , checks integrity for spamlovers files , checks if horde,squirrel and mailman are configured correctly to work with assp).

There is some useful hidden command ;

1) If you execute ex_localdomains.php cronjob using crow=1 in this way
      
          /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php crow=1

you may add also one email address as a spamlover. The email address you entered will not be overwritten .

HOW TO use the crow=1 option
Suppose a client ask you to turn off RBL (i.e.) not for all his domain name (he can do that himself with assp deluxe cpanel frontend) but only for one email on his domain .  For example he wants that the email clientemail@domain.com bypasses the RBL filter ;  you should do this

• be sure you are running ex_localdomains.php cronjob with crow=1 (see above)
• open the "assp web interface" and open the  "SPAM Lover/No Processing" menu
• go to DNSBL Failures Spam-Lover (which is the RBL filter) click on edit ,and add the clientemail@domain.com to the list .  

In this way clientemail@domain.com will bypass RBL filter check.

If you do not use the crow=1 option the email added to the spamlover list will be removed each time
will be execute ex_localdomains.php .

2) If you execute ex_localdomains.php from command line could be useful the option show=1
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php show=1
It will show all the output of ex_localdomains.php . I do not suggest you to add this option
to your cronjob too , it's useful only if you use it from command line.

3) If you add the addhost=1 option , ex_localdomains.php will configure your hostname
to receive email using assp. You should execute it each time you change hostname. You should use it only if you want receive email on your hostname .

clear_spambox.php (some useful command for advanced users)  ( #09 )

If you are using the spambox@ plugin , mailbox for your client could grow very fast especially for clients receiving a lot of spam.  To avoid disk usage problems for your clients set following cronjob (you can run it daily) using "crontab -e" from command line   

10 4 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php

By default the cronjob above will run each day , removing @spambox email on all your accounts older than 7 days . If you want  change the default (7 days) you should enter the cron in this way

10 4 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php sday=n

and replace n with your days. For example ...

10 4 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php sday=15

removes spambox@ emails on all your accounts older than 15 days.

With assp deluxe 2.3.0 I added some other advanced command which could be added to your clear_spambox.php cronjob

noemail=yes ;   it disables email notifications

 

sp=yes ;
limitspace=x     (x = disk space in Kilobytes)
remdays=x       (x = other days to be removed)
 

These 3 commands (sp limitspace and remdays) should be used/entered at the same time  . At the end of cleaning operation ,  clear_spambox.php checks if disk usage for each already cleaned mail folder is over your limitspace in kilobytes  . If some mail folder is over limit it removes other remdays from this spam folder.

For example, if you set this cronjob

......../deluxe/clear_spambox.php sday=15 sp=yes limitspace=10000 remdays=5

First it removes email older than 15 days . If at the end of cleaning , some cleaned folder is using
over 10000 Kbytes (about 10 MB) ,clear_spambox.php will clean other 5 (remdays) days of older spam from these accounts .

Other useful clear_spambox.php commands are

nodisabled=yes
If you add nodisabled=yes to your clear_spambox cronjob , all the users having imap spambox disabled will not be processed/cleared .

noemail=yes
If you add noemail=yes the clear_spambox will not sent email also if you have DAILY SPAM REPORTS enabled.
 

high=x    (x = server load)
If the server load will go over this value the script will sleep . By default this value is 5.
 

norep=yes
If you have DAILY SPAM REPORTS enabled on your ASSP WHM and you want execute clear_spambox.php from console without executing the DAILY SPAM REPORTS .

noclean=yes
If you have DAILY SPAM REPORTS enabled on your ASSP WHM and you want execute clear_spambox.php without cleaning the email from emali older than n days.

update_email.php (commands for avanced users)

nohup=yes
If you add  nohup=yes  to your update_email.php cronjob , update_email.php  stops to store "number of assp smtp connections" on ASSP STATUS CHART (also if the HUP signal each 3 minutes to store assp connections does not delay assp in any way , someone asked me this feature).

.ASSP SSL

ASSP 1.5.1 and above versions supports SSL natively ; please follow the ASSP SSL HOW TO
to enable ASSP SSL .

You can monitor SSL using check_ssl=yes added to your status.php cronjob.

If you are using an older ASSP version (below 1.5.1) and you would use SSL please read this how to
 

I would fully disable ASSP for a client (#15b)

If you want fully disable/bypass ASSP for a client you should put all his domain names on ASSP "no processing list".
Open the ASSP WEB INTERFACE , open the "SPAM Lover/No Processing" menu , then enter your client domain names on
No Processing Addresses* (noProcessing) . You can also enter  file:files/noproc.txt , if you want enter your domain names
on a txt files. (enter file:files/noproc.txt save , return to "SPAM Lover/No Processing" and click on Edit ). 
 

how to set a postmaster@ and abuse@ email for all my clients to fix RFC errors on dnsstuff ?  (#20b)

If you want set a working postmaster@  and abuse@ email for each domain , subdomain , addon domain  or parked domain
on your server , ASSP Deluxe deluxe takes care of this too (since version 2.6.5) .
Please follow the procedure explained below

First remove from "no processing , spamlover, whitelist" or from any other ASSP web interface menu, 
each abuse@ and postmaster@ value. 

Now simple execute this from console
/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/fix_abuse_postmaster.php

The scripts will create 2 forwarders for each domain , subdomain , addon domain  or parked domain on your server.
1) abuse@domain.com redirected to user@domain.com
2) postmaster@domain.com redirected to user@domain.com

If you want forward all the email sent to abuse@ and postmaster to your preferred server email (your own postmaster) for example  abuse@myserver.com (for abuse@) and  post@myserver.com (for postmaster@) you should execute this instead
 

# cd /usr/local/assp/deluxe

# /usr/local/cpanel/3rdparty/bin/php-cgi fix_abuse_postmaster.php forwardto=abuse@myserver.com forwardto2=post@myserver.com

The scripts will create 2 forwarders for each domain , subdomain , addon domain  or parked domain on your server and

1) abuse@domain.com redirected to abuse@myserver.com
2) postmaster@domain.com redirected to post@myserver.com
 

Once you have executed fix_abuse_postmaster.php wait about 5 minutes (in tihs way update_email.php conrjob will load your new forwarders on assp_local_email) and all should work correctly . Now if you check dns for any domain on your server

http://private.dnsstuff.com/tools/dnsreport.ch?domain=clientdomain.com

the mail error related to abuse@ and postmaster@ should be fixed.

Note :
1) the script will not create the forwarder if a pop3 or forwarder abuse@ or postmaster@ email already exists for that domain.

2) If you want undo the changes , removing all postmaster@ and abuse@ lines from your /etc/valiases/* files you should execute this
/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/fix_abuse_postmaster.php clean=yes

Set a cronjob
If you want be sure that also new domain names will be set with  abuse@ and postmaster@  you may set a cronjob
for fix_abuse_postmaster.php (such as other assp deluxe cronjob put it between MAILTO="" and MAILTO="root" ).

For example the command below will execute the cron each 12 hours ,
10 */12 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/fix_abuse_postmaster.php

Credits : fix_abuse_postmaster.php was created following an idea of Elie P. by webdomain.com

 

How to remove automatically old ASSP maillog ? (#55)

You should simply add clean_logs=yes to your ex_localdomains.php cron , in this way

*/59 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php clean_logs=yes

By default all old ASSP maillog except of latest 2 will be removed. You can customize this value (min 2 max 10) using your
ASSP WHM > ASSP Deluxe for cPanel Advanced tools > REMOVE OLD LOGS and click on  [ change it ]

How to detect possible SPAM activity which is exiting from my server ? (#56b)

With ASSP Deluxe 3.1.7 and above versions in ex_localdomains.php and find_abusers.php has been added  code to detect possible huge SPAM activity which is exiting from your server using a script (perl,php..other). In case of detected SPAM activity you will receive an email warning or you may change permissions on the folder which is sending the email .


1) SPAM ACTIVITY DETECTOR using ex_localdomains.php

If any user on your server sends 800 email (a) using a script and the exim queue value is greater than 500 (b), you will receive a detailed email warning with the script location which is sending the email. ex_localdomains.php analyzes latest 100000 lines of your exim_mainlog .

The user will not be blocked automatically , however you can investigate and block him if required.
The email will be sent to the email contact you have set on your ASSP WHM.

(a) this can be customized adding lim_email=your_value to to your
ex_localdomains.php cron
(b) this can be customized adding lim_queue=your_value to to your
ex_localdomains.php cron

This feature is enabled by default. If you would disable this functionality you should add nsp=yes to your ex_localdomains.php cron , in this way

*/59 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php nsp=yes

2) SPAM ACTIVITY DETECTOR using find_abusers.php
 

Ok but what is find_abusers.php ? Click here to read the article or skip it if you are already using it.

By default if you execute  find_abusers.php from console

/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php

you may receive something like this

Email sent from your server using a script : looking for more than 100 email on latest 100000 lines of your exim_maillog
=============================================
82 = > /home/chat/public_html/preloginchat4
26 = > /home/harleyb/public_html/condo/yabb

By default , as explained on the title above (Email sent from your server using a script...) , find_abusers.php analyzes latest 100000 (a) lines of your exim_maillog looking for clients which sent more than 100 (b) email using a script.
You will not receive an email notification such as with ex_localdomains.php and the user will not be blocked in any way. It will only show you the results on your console (such as on the example above).

(a) it can be customized adding ex=your_value to your find_abusers.php
(b) it can be customized adding lim_email=your_value to your find_abusers.php

Blocking and avanced features
If you add bl=1 to your find_abusers.php cronjob , find_abusers.php will check if latest 5 (c) new created hosting accounts send more than 600 email (d) . In this case (if bl=1 has been set) the script location will be chmoded 000 and you will receive an email warning. This is useful to block spammers which open new accounts only to send spam after few days/hours .

(c) this can be customized adding lu=your_value to your find_abusers.php cronjob
(d) this can be customized adding lx=your_value to your find_abusers.php cronjob

Also (a) and (b) can be customized (see above).

If you add demo=1 you will only receive the email warning , however the chmod 000 will not apllied (demo mode)
If you would monitor some suspected account add the username to  /usr/local/assp/deluxe/checkabuser (one user per line)
If you would ignore some account add the user to  /usr/local/assp/deluxe/checkignore (one user per line)
 

Of course these customized values can be added togheter with your find_abusers.php values used for bad ip collection.
For example you may use also lu=0 and enter only your suspected users on /usr/local/assp/deluxe/checkabuser



You may report bug or suggestions here . Thank you!.

A powerful tool , find_abusers.php

Click here to read the article (advanced users)

Why are some senders blocked (also with low score) ?  (#15)

NEW ::: starting with ASSP 1.3.9 PB extreme starts disabled and the "alternative PB extreme" find_abusers.php is installed by default ; if you installed ASSP 1.3.9 or 1.4.4 or 1.5.1.2  you already have the "alternative PB extreme" cronjob .

With "ASSP Scoring Mode" enabled,  spam filters (Bayesian , MX/A , PTR , HELO , SPF , RBL , URIBL , BOMBre) contribute to SPAM scoring .ONLY if the received email has a score greater than the "Threshold for Combined Scores per Message" (by default 40 ,PB menu) , the message will be rejected.

If an ip address sends emails with repetitive errors (for example BlacklistedHelo) , also if assp scoring mode does not reject it (because BlacklistedHelo is only 5 points and required points fro assp scoring are 40 i.e.) , Penalty Box (PB) will count and sum BlacklistedHelo score errors on PenaltyBox Database , and when the Extreme Scoring Threshold (PenaltyExtreme) value will be reached the ip address will be  added to /usr/local/assp/pb/exportedextreme.txt  and blocked at smtp time generating following errror ;

554 5.7.1 Penalty Box error, please contact the server support to ensure delivery

By default assp 1.3.5 and 1.3.3.8 comes installed with PenaltyBox Extreme enabled . If you would disable PB extreme read below .

How to disable PB extreme blocking  ;

a) If you are using assp 1.3.3.8
you should use Penalty Box (PB) to mode 2 and uncheck Do Extreme Denying for Mode 2 (PB MENU) . In this way you will use only assp scoring mode and ips will not be penalized  for a repetitive error.  

b) If you are using assp 1.3.5

  -  assp web interface > PB menu  and set "PenaltyBox Extreme - IP Profiles (DoPenaltyExtreme)" to 0 .
  -  assp web interface > PB menu  and uncheck  "Use Exported Penalty BlackBox Extreme for SMTP Denying" .  
   - assp web interface > PB menu , set to 0 "Use Exported Penalty BlackBox Extreme for SMTP Denying (exportExtremeFileDeny)"
 

c) If you are using assp 1.3.9 or 1.4.4 or 1.5.1 or 1.5.1.2

PB extreme starts disabled and the "alternative PB extreme" find_abusers.php is installed by default ; if you installed ASSP 1.3.9 or 1.4.4 you already have the "alternative PB extreme" find_abusers.php cronjob . The exportedextreme.txt is not used.

_ :  find_abusers.php (bad ip collection) #70

(Thanks for idea to Remy Gardien  e-dot.nl ,and Manuel  arteryplanet )
With ASSP Deluxe 2.8.0 and above , if you would collect and block all ips which are bombarding your server ONLY using

"email dictionary attack"
"assp scoring mode"
"max errors"
"relay attempt blocked"
"limited connections"

you can do that adding this cron to your  "ASSP cron list"

*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=14 sc=32 er=13 lm=13 dc=25 rl=20 on=1

dc= for "email dictionary attack"
sc= for "assp scoring mode"
rl= for "relay attempt blocked"
er= for "max errors"
lm= for "limited connections"
on=1 (or on=yes) = required for ip collection
sw=n (or show=n)  any value below n will not be processed ! .
                           If you don't specify show=n a default value of 15 will be assigned
log=logfile optional use it only if you would analyze a log different from current maillog.txt


note: be sure that the sw= value should be always lesser than any value set.

This cron collects (each 20 minutes) on your /files/denysmtp.txt file (denySMTPConnectionsFrom) all ips which received min.  32 "assp scoring mode" failures or min 13 "max errors" or min 20 "relay attempt blocked" or min 13 "limited connections" . These ips will be blocked by denySMTPConnectionsFrom .
All ips which received min 25 "email dictionarty attacks" (invalid address check)  will be collected on your /files/blockip.txt  and blocked by  denySMTPConnectionsFromAlways .

 

If you think the some good/valid sender ip is blocked   , open ASSP web interface and add blocked ip in
Penalty box MENU > Don't do Profiling for these IP's* /(noPB) In this way the ip  will not be blocked again .
You may also put the blocked ip in ASSP Web interface > whitelist menu > white ips or in
ASSP Web interface > no processing menu > no processing ips

If you are using ASSP Deluxe 3.2.0 or above you can also put the ip on this file /usr/local/assp/files/ignore.txt and find_abusers.php will remove ips in this list from /files/denysmtp.txt and  /files/blockip.txt automatically.

Of course

dm=  feature  (#h01)

With ASSP Deluxe 2.9.2 and above versions is available also the dm= feature .  Suppose you are using a conservative cron ip collection like this

/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=15 sc=40 lm=30 dc=25 on=1

however you have a single domain which is under heavy email dictionary attack . You can add another cron (this time aggressive) to collect ip on a single domain , for example

/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=1 sc=20 lm=30 dc=2 dm=domain.com er=2  on=1

it will collect bad ips only for domain.com . In other words you can set an aggressive bad ips collection per domain easly, and use at the same time a relaxed ip collection server wide. 

note: using dm=n following features are disabled
        Email sent by ISP organizations
        Email sent from Foreign Country
        Email sent from your server using a script check

With ASSP Deluxe 3.5.8 and above versions If you have more than 1 domain name under heavy email dictionary attack, instead to use several find_abusers.php cronjobs with the dm= feature, you can add all your domain names under heavy attack in the file /usr/local/assp/deluxe/dmfile (one domain per line), then you can use this

/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=2 sc=8 lm=30 dc=3 dm=file er=2  on=1

...using dm=file , find_abusers.php will processe domain names from file /usr/local/assp/deluxe/dmfile
 

So for example you may have this 2 cronjobs..

*/30 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=14 sc=32 er=13 lm=13 dc=25 rl=20 on=1
*/10 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=2 sc=6 dm=file er=6 lm=4 dc=3 on=1

where the first find_abusers.php is server wide , and it will create a failry moderate bad ip collection , while the second find_abusers.php cron line will create a very aggressive bad collection ip using only domain names in  /usr/local/assp/deluxe/dmfile .  /usr/local/assp/deluxe/dmfile contains a list of your most bombarded domain names ( you can get the list executing

/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php

)


unexpected disconnection while reading SMTP command

If on EXIM maillog you see "unexpected disconnection while reading SMTP command" lines without ACL errors , it's a normal behavior , ASSP is disconnecting from EXIM because the email was rejected due to spam (email dictionary attack or any other reason) .

 

Is dovecot IMAP compatible with ASSP Deluxe ? #j0

Yes , ASSP Deluxe is compatible with dovecot IMAP (available with cPanel 11.24 and above)
 

Is NSD compatible with ASSP ? #h0

If you are using ASSP 1.4.4 ,1.5.1 , 1.5.1.2
Yes , NSD is fully supported .

If you are using ASSP 1.3.9
partially ; NSD is not recommended with ASSP 1.3.9  because all the RBL(DNSBL) and URIBL checks will pass  .

If you really need to use NSD on your server you may choose one of these 3 ways which permits to use RBL and URIBL checks correctly.

1) Enable OPENDNS on your ASSP Web Interface
you should enable OPENDNS on your ASSP web interface in this way

Open ASSP web interface > DNS SETUP MENU > UNCHECK UseLocalDNS

Now  be sure you have  208.67.222.222|208.67.220.220  on DNS Name Servers (DNSServers)
Save Settings. Now STOP and START ASSP using ASSP WHM interface.

2) Enable OPENDNS server wide
    use/setup OPENDNS nameservers on your /etc/resolv.conf and /etc/named.conf (more info on http://opendns.com)

3) Upgrade to ASSP 1.4.4 ,1.5.1 , 1.5.1.2 which fully support NSD
 

How to check if ASSP is using RBL checks (DNSBL) correctly ?
Open your ASSP WHM , and click on SCORE STATISTICS ; If you will read a zero value near

DNSBL failed

0

RBL (DNSBL) checks are not working. If you see a value greater of zero RBL checks are working correctly.
 

DoLocalSenderDomain enabled by default with ASSP WHM 4.6.0  #90

With ASSP WHM 4.6.0 and above versions,  ASSP DoLocalSenderDomain (ASSP Web interface , Relaying menu) is set enabled by default.  DoLocalSenderDomain blocks local spammers like this
 

Mar-6-09 01:00:07 127.0.0.1 <random@yahoo.com> to: anyemail@any.com relay attempt blocked for unknown local sender address

where the sender ip is local or authenticated but the sender domain is not local (spam sent from local server) , in the email above the sender is yahoo.com which is not local . For additional protection you can also use/enable  Do Local Address Check for Local Sender  ( ASSP Web interface >>  Relaying menu >> Do Local Address Check for Local Sender (DoLocalSenderAddress) ), which checks also the local sender email (not only the domain sender).

If you don't like the DoLocalSenderDomain behavior because it blocks for example your ticket system between your servers running ASSP in a way like this ...

Mar-6-09 01:00:07 127.0.0.1 <myticket@myticketsystem.com> to: user@anyemail.com relay attempt blocked for unknown local sender address

 ... you can add your myticketsystem.com domain in /usr/local/assp/deluxe/custom_assp_local_domains (assp deluxe 3.4.5 or above required) . In this way myticketsystem.com will be added to your /usr/local/assp/deluxe/assp_local_domains list automatically and your ticket email from myticketsystem.com will be allowed. Wildcard are accepted so you can use enter also
*.myticketsystem.com . You can enter as many domains as you wish in /usr/local/assp/deluxe/custom_assp_local_domains , one by line.

If you don't like at all the DoLocalSenderDomain behavior simply open ASSP Web interface , Relaying menu , and set it DoLocalSenderDomain  off . Your change will be preserved after each future ASSP upgrade .
 

I would "no local address filter" enabled for all users but hide it from the cpanel interface. How to do it ? #75

1) Only for some domain names

Suppose you want "no local" filter ENABLED for main domain , for example domainx.com (and all its subdomains and parked/addon domain names), but you would the filter "no local" fully HIDDEN on customer control panel you should do this tweak ;

1) Open ASSP WHM , open ASSP DOMAIN CONFIG, select nolocal and be sure that nolocal filter for domainx.com is ENABLED.

2) Open ASSP WHM , open ASSP DOM FILTER STATUS, select nolocal,  and be sure that nolocal filter for domainx.com is ENABLED.

3) Now go to console and execute this

echo "domainx.com_nolocal" >> /usr/local/assp/deluxe/per_domain_frontend_status

(of course replace domainx.com with the main domain of your client)

In case you would turn back , simply remove the line domainx.com_nolocal from
/usr/local/assp/deluxe/per_domain_frontend_status using an editor like pico,nano,vi ..
 

2) for all your accounts

simply execute this

# touch /usr/local/assp/deluxe/nolocal_hidden
# chmod 605 /usr/local/assp/deluxe/nolocal_hidden

no local filter will not be shown on cpanel frontend. However you can control no_local filter status using ASSP WHM

To disable this feature and show again "no local" filter on cpanel frontend simply execute this

# rm -f /usr/local/assp/deluxe/nolocal_hidden

 

how to use roundcube webmail with ASSP Deluxe ?

If you would use ASSP email interface on Roundcube you should only
change in the roundcube conf file following line

$rcmail_config['smtp_server'] = '';

with

$rcmail_config['smtp_server'] = 'localhost';

Then restart exim and ASSP. It will allow you to use the ASSP Email interface (assp-spam@ assp-notspam@..)

How to add custom email/domain names to your assp_local_email and assp_local_domains #820

If you want add custom domain names to your autogenerated /deluxe/assp_local_domains , execute this

# pico /usr/local/assp/deluxe/custom_assp_local_domains

and add allowed local domain names , line by line .

If you want add custom email to your autogenerated /deluxe/assp_local_email , execute this

# pico /usr/local/assp/deluxe/custom_assp_local_email

and add allowed local email , line by line .
 

Automatic ASSP restarts to freeup resources #819

ASSP Deluxe automatically safe restarts ASSP to free up resources  , only if there are 0 ASSP connections and if memory usage is over 90 MB. To avoid multiple restarts this check will not apply again for 3 hours.

If you would customize it 3 options can be added to your update_email.php cronjob can be used

=> raml=n to customize default 90MB
=> fr=1 to force an ASSP restart even if there are more than 0 ASSP connections.
=> nofreeup=yes to disable the automatic restarts