Tweaking ASSP Deluxe for cPanel & ASSP

 

 

Latest recommended RBLs   (23 May 2010)  #08

Open ASSP Web Interface , DNSBL menu , and change  RBL Service Providers with following ( it's a single line without spaces )

zen.spamhaus.org|cbl.abuseat.org|ix.dnsbl.manitu.net|dnsbl-1.uceprotect.net|bl.spamcop.net|psbl.surriel.com|dnsbl.sorbs.net|dnsrbl.swinog.ch|dsn.rfc-ignorant.org

- Set Maximum Replies to  9 - Set Maximum Hits  to  2 (80% spam) or 3 (99% spam)   - Set  rblValencePB  to 30  (PB menu) Save ASSP settings

note : values above are recommended with SCORING MODE ON

Useful links - http://www.dnsbl.com RBLs news - http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html  RBLs comparison - http://www.intra2net.com/en/support/antispam/index.php   RBLs comparison - http://multirbl.valli.org   RBLs validation

 

Latest recommend URIBLs (20 March 2010) #08b

Open ASSP Web Interface , URIBL menu , and change  URIBL Service Providers with following ( it's a single line without spaces )

dbl.spamhaus.org|multi.surbl.org|black.uribl.com|dob.sibl.support-intelligence.net|uribl.swinog.ch

- Set Maximum Replies to  5 - Set Maximum Hits  to 2 (recommended)  or  1   - Set  uriblnValencePB to 4  (PB menu) Save ASSP settings

note : values above are recommended with SCORING MODE ON

 

Latest recommended ASSP usage (23 March 2010)  #09

If you are using ASSP from min 3 months and over  AND you followed/applied the post installation steps (especially ASSP scoring ON , no local enabled for most of your users, delaying off per user, spambox enabled) I invite everyone to use following settings .Following settings on ASSP 1.7.1.3 are giving extremely good spam detection and rare false positives .

a) upgrade everything (ASSP and ASSP Deluxe) to latest versions . Be sure you have ASSP 1.7.1.3  (recommended).
    Be sure you have followed post installation steps

b) Open ASSP WHM , go to ASSP WHM > SCORE SETTINGS and load AGGRESSIVE scoring  
    if you would moderate antispam settings (low risk to block valid email) set MessageScoringUpperLimit to 47 or above ; if you would block
    more spam (low risk to block valid email) set  MessageScoringUpperLimit to 41(min) 46(max)

c) apply http://www.grscripts.com/tweaking.html#08

d) apply http://www.grscripts.com/tweaking.html#8

e) apply http://www.grscripts.com/tweaking.html#10

f) be sure your ASSP Deluxe cronjobs are similar to the following
    (please be sure all your crons are on a single line!)

54 2 * * * /usr/bin/freshclam --quiet --daemon-notify
10 7 * * * cd /usr/local/assp;perl /usr/local/assp/rebuildspamdb.pl
MAILTO=""
*/59 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php clean_logs=yes
*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/update_email.php
*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php long=1
*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=12 sc=32 er=13 lm=13 dc=25 rl=20 on=1
0 9 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/signatures.php
2 */6 * * * /usr/sbin/exiqgrep -o 33600 -i | /usr/bin/xargs /usr/sbin/exim -Mrm
MAILTO=root

and only if you are using the ASSP Deluxe spambox plugin similar to the following

54 2 * * * /usr/bin/freshclam --quiet --daemon-notify
10 7 * * * cd /usr/local/assp;perl /usr/local/assp/rebuildspamdb.pl
MAILTO=""
*/59 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php clean_logs=yes
*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/update_email.php
*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php long=1
*/4 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/spam_cronjob.php high=7
10 8 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php sday=8 sp=yes limitspace=10000 remdays=4
*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=12 sc=32 er=13 lm=13 dc=25 rl=20 on=1
0 9 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/signatures.php
2 */6 * * * /usr/sbin/exiqgrep -o 33600 -i | /usr/bin/xargs /usr/sbin/exim -Mrm
MAILTO=root
 

(with the above cron the clear_spambox removes automatically from accounts spam from spambox older than 8 days and remove additional 4 days of spam if the spambox folder is greater than 10MB . high=7 used by spam_cronjob.php cron, stops spambox execution is server load is higher than 7)

This line is optional and recommended (it leaves your mail queue cleaner )

2 */6 * * * /usr/sbin/exiqgrep -o 33600 -i | /usr/bin/xargs /usr/sbin/exim -Mrm

g ) Do you want to be protected by spam exiting from your server ?
     Read these
            -  local sender checks
            -  local spam detection
            -  other ways to block outgoing spam
 

ASSP 1.7.1 advanced settings 23 March 2010 #11

With ASSP 1.7.1 you will find some (powerful) features which are disabled by default , and you can enable them (using ASSP Web Interface) depending on your needs.

Some of these are  

• Validate sender addresses to conform with RFC5322 (DoRFC822Sender)
   
• Do Country Blocking
  Do Country Code Scoring
  Suspicious Country Codes
  
  By settings these 3 you can reduce SPAM based on your users/spam Country usage. If you have no idea of what Countries use/enter here , find_abusers.php may help you (read this)
   
• Max Real Size of Message (maxRealSize and maxRealSizeExternal ) #6
  If the rcpt size of the email message exceeds maxRealSize in bytes the transmission of the local message (email sent by local users) will be canceled. This option allows you to limit useless bandwidth wasting based on the total transmit size. The local sender will be notified with a message "552 message exceeds MAXREALSIZE byte (size * rcpt), please reduce attachment size and number of your recipients, or use ftp." .
  
  note : ASSP MaxRealSize  checks rcpt size (for you local email senders) , it does not check the attachment size.
  By default you have a MaxRealSize limit of 100 MB (104857600 bytes) so ..;
  
  if a local (or remote sender) send a 14 Mb attachment to a single email , it passes (because rcpt value is 14 MB < 100MB )
  If a local (or remote sender) send a 14 MB to 10 email it does not pass (because rcpt value is 14*10=140MB > 100MB )
  If a local (or remote sender) send a 1 MB to 14 email it passes (because rcpt value is 1*14=14 MB < 100MB )
  If a local (or remote sender) send a 10 MB to 20 email the email doesn't pass (because rcpt value is 10*20=200 MB < 100MB )
  
  Of course you can customize MaxRealSize limit using ASSP Web Interface > smtp settings menu > MaxRealSize
  You should enter a value in bytes .
  
  maxRealSizeExternal works like maxRealSize but for external senders.
• Max Size of Message  #6
  If the email size of the email message exceeds maxSize in bytes the transmission of the local message (email sent by local users) will be canceled. This option allows you to limit useless bandwidth wasting based on the total transmit size. The local sender will be notified with a message "552 message exceeds MAXSIZE byte (size), please reduce attachment size or use ftp." .
  
  note : By default you have a MaxSize limit of unlimited
  Of course you can customize MaxSize limit using ASSP Web Interface > smtp settings menu > MaxSize
  You should enter a value in bytes .
  
  maxSizeExternal works like maxSize but for external senders.
  
   
• Do Not Copy Messages Above This MessageTotal score (ccMaxScore)
  By default all rejected messages will go on spambox. If you set a  ccMaxScore 70 (i.e.) all email rejected with a score >= 70 will not go on user spambox.
   
• Email interface : ASSP email interface has been improved with 1.5.1
  Over the default commands assp-white@ ,  assp-notwhite@, assp-spam@, assp-notspam@, assp-red@, asspanalyze@ you will find also
       
        asspblock@  ; if a client send the request to asspblock@clientdomain.com  from info@clientdomain.com , he receives an email with a list of all
        the email rejected last 5 days (data extracted from current maillog.txt) . The client can also click the email to resend the email .
        This feature is still in development; currently if your users will abuse this feature , you can experience smtp timeouts .
        asspof@ ; if a client send the request to asspof@clientdomain.com  from info@clientdomain.com , info@clientdomain.com will be added on the
        ASSP noprocessing list . The email info@clientdomain.com will bypass all antispam checks .
        asspon@ ; same of asspof but to remove an email from noprocessing
• Email interface : ASSP email interface has been improved
• OK Address: If a message is marked 'Message OK' the sender addresses are called 'OK Addresses'. These are addresses which are not whitelisted but the sender did not send spam and did send notspam (several times). If this is set to 'whiting' ASSP will whitelist them if OKminhits is reached. If set to 'export only' ASSP will only write them to a file according to OKexporthits. Scoring is set with okaValencePB.
• OK Cache Refresh Interval (OKCacheExp)
  OK Adresses in cache will be removed after this interval in hours. 0 will disable the cache.
• Minimum Hits in OK Cache (OKminhits)
  If a message is marked 'Message OK' the sender addresses are stored in the OK cache. The address will be added to the whitelist if the number of hits in the cache surpasses OKminhits.
• Exported OK Adresses (OKexport)
  OK adresses in cache reaching OKexporthits will be regularly stored into this file.
• Export Hits in OK Cache (OKexporthits)
  Used by OKexport. If 0 all addresses will be exported.
•  other ways to block outgoing spam
  
   

A powerful tool , find_abusers.php   #06

please read this article

 

How to train the ASSP bayesian filter using ASSP NOTSPAM ANALYZER
(updated 28 Jan 2010)  #01

Another way to training the ASSP Bayes algorithm is using ASSP NOT SPAM ANALYZER on ASSP WHM interface;
Open the  ASSP NOT SPAM ANALYZER  and  look for naughty words with the search tool.
You will probably find some SPAM message inside your NOT SPAM collection. Move them to SPAM , and
rebuild the spam db . Each time you do this task , you make the bayesian database better .

for example you can search these keywords on your NOT SPAM ANALYZER

replica watches|MegaDik| cock | penis | pills | Original Viagra | better sex life | average penis | enlargement | orgasm | erections | Viagra | big dick | sperma | Sexual | Erectionsk | Stamina | sildenafil | citrate | Erectile 

(note that there is a space before and after each keyword . Copy and paste the yellow section on
your search form field , then click search )

If you find some message , it's probably spam . Read the messages and move  them to SPAM
if required . At the end of operation rebuild the spamdb (using the REBUILD SPAMDB button). 

If you analyze the keywords above on your spamDB before and after this training operation
( cat /usr/local/assp/spamdb | grep "penis" ) , you will notice that ASSP has assigned more bayesian score to
all the keywords above . If ASSP will receive again an email with one of the keywords above , it will receive a
greater bayesian score with more probability to block the message. I suggest you to execute this training
once a week and searching different  naughty words.

Note that if you are using assp scoring mode ON  , and you do the bayesian corrrection operation explained above often
(weekly i.e.),  after some week your bayesian filter will be much more great and very efficient , so you can consider to raise the
Bayesian score to 35-39 (from default 34) increasing considerably possibility to block spam using "assp scoring mode" with the Bayesian contribute.
 

ASSP SSL support on port 465 using stunnel   (#03)

( updated 23 March 2010 , compatible with 1.3.5 , 1.3.9 , 1.4.4 , 1.5.1, 1.5.1.2 , 1.7.1.3 )

unsupported & untested on VPS . If you would apply on VPS make it at your risk

Be sure your alternative port set on ASSP (by default 26) is allowed on your firewall (TCP IN/OUT).

This article has been written by  Szymon Rybczynski (pro-net-hosting.com and prohost.pl)

HOW TO
All lines starting with # are commands to execute as root.

1. You need stunnel installed. Cpanel should have stunnel installed. To check:
# stunnel -version
If you get something like "stunnel 4.05 on i686-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003" you can continue.

2. You can make your own certificate for SSL or use cPanel cert. This howto shows how to use cPpanel cert. To make your own cert just search google for instruction and change cert path in stunnel.conf to your cert.

3. Setting up stunnel user and config file:
 

# adduser stunnel;passwd stunnel

Set password for user stunnel

# cd /etc/stunnel;nano -w stunnel.conf

copy and paste this:

cert = /etc/stunnel/cpanel.pem chroot = /usr/local/cpanel/var/run/stunnel-assp/ pid = /stunnel.pid setuid = stunnel setgid = stunnel output = /var/log/stunnel.log [ssmtp] accept = 465 connect = 127.0.0.2:26

Save the file.

4. Copy cPanel cert.

If you have set correctly your own certificate for your cpanel/exim services in
WHM > Service Configuration >> Manage Service SSL Certificates

execute this

# cp /var/cpanel/ssl/cpanel/mycpanel.pem /etc/stunnel/cpanel.pem

otherwise execute this

# cp /var/cpanel/ssl/cpanel/cpanel.pem /etc/stunnel/cpanel.pem

Now execute this
 

# cd /etc/stunnel/;chown stunnel.stunnel cpanel.pem

5. Create run dir.

# cd /usr/local/cpanel/var/run/;mkdir stunnel-assp;chown stunnel.stunnel stunnel-assp

6. Setup 127.0.0.2 - if you don't do this you will create open relay on SSL port.
 

# cp /etc/sysconfig/network-scripts/ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo:1;
# nano -w /etc/sysconfig/network-scripts/ifcfg-lo:1

Change it to look like this:
 

DEVICE=lo:1 IPADDR=127.0.0.2 NETMASK=255.0.0.0 NETWORK=127.0.0.0 BROADCAST=127.255.255.255 ONBOOT=yes NAME=myloop

Save.

7. Now bring lo:1 up.
 

# /etc/sysconfig/network-scripts/ifup-aliases lo

# ifconfig

It should now list 127.0.0.2

8. Login to ASSP web interface (ip:55555) and change:
Network Setup:
------------
Second SMTP Listen Port
26
------------
Second SMTP Destination
127.0.0.1:125
------------
Force SMTP AUTH on Second SMTP Listen Port
Checked
------------

Relaying:
------------
Accept All Mail
127.0.0.1

If you make a mistake here you can make your mail server open relay so double check the settings.

8. Open TCP IN/OUT port 465 on your firewall.

9. Now you are ready to start stunnel. Execute:

# stunnel /etc/stunnel/stunnel.conf

At this moment your SSL connection should work. Test it:

# openssl s_client -quiet -connect localhost:465

If you get error then something is wrong and you need to check /var/log/stunnel.log

If you get something like:
"depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
verify return:1
220-pol.nameserverus2.com ESMTP Exim 4.63 #1 Mon, 23 Jul 2007 15:42:14 +0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail."

Everything is ok and ready to use.

10. if you would monitor stunnel daemon in case it goes down you can add check_ssl=yes to your status.php cron in this way

*/2 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php check_ssl=yes

If you are using an alternative port different from port 26 , i.e. 40000 , in this case you should add also altport=40000

*/2 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php check_ssl=yes altport=40000

 

Unofficial clamD signatures (#8)

You can use Unofficial clamD signatures along with ASSP and existents clamd official signatures to greatly improve SPAM and virus detection.

Requirements ; be sure your clamd is running

ps aux | grep -m1 "clamd"

and be sure ASSP is using clamd in this way ; open the stat page of your ASSP Web interface

http://www.yousite.net:55555/infostats

Click Perl Modules , and if your have "File::Scan::ClamAV 1.8 installed and available" your clamd is working fine.

Finally be sure you have ASSP Deluxe 4.3.0 or above and ASSP WHM 4.4.0 or above .

Note:  by default email verified as bad by unofficial clamd signatures are SCORED (using vsValencePB by default set to 16) as soon the unofficial signature is verified .

 

Now , In order to use and update automatically each day unofficial clamd signatures , simply get into your crontab (crontab -e) and add this line near your ASSP Deluxe crons:

0 5 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/signatures.php

Unofficial signatures will be updated each day at 05:00 AM (the script contains internal checks to avoid more frequent updates since if you try updating signatures more often your server ip can be easly banned) . The script before starting waits a random amount of time (1m-30m) to make sure everyone using this script doesn't go and download the definitions at the top of the hour.

The script signatures.php loads , installs and update automatically each day following unofficial clamd signatures ;

Updated 10 March 2010

Sanesecurity unofficial signatures (link)
LOW false-positive rating
rsync://rsync.sanesecurity.net/sanesecurity/jurlbl.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phish.ndb
rsync://rsync.sanesecurity.net/sanesecurity/junk.ndb
rsync://rsync.sanesecurity.net/sanesecurity/scam.ndb
rsync://rsync.sanesecurity.net/sanesecurity/rogue.hdb
rsync://rsync.sanesecurity.net/sanesecurity/spamimg.hdb
rsync://rsync.sanesecurity.net/sanesecurity/sanesecurity.ftm
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware_links.ndb

MEDIUM false-positive rating
rsync://rsync.sanesecurity.net/sanesecurity/INetMsg-SpamDomains-2w.ndb
rsync://rsync.sanesecurity.net/sanesecurity/lott.ndb
rsync://rsync.sanesecurity.net/sanesecurity/spam.ldb
rsync://rsync.sanesecurity.net/sanesecurity/spear.ndb
rsync://rsync.sanesecurity.net/sanesecurity/jurlbla.ndb
rsync://rsync.sanesecurity.net/sanesecurity/scamnailer.ndb          (signatures produced by Julian Field )
rsync://rsync.sanesecurity.net/sanesecurity/winnow.complex.patterns.ldb           (signatures produced by OITC)
rsync://rsync.sanesecurity.net/sanesecurity/winnow_phish_complete_url.ndb           (signatures produced by OITC)
rsync://rsync.sanesecurity.net/sanesecurity/winnow_phish_complete_url.ndb           (signatures produced by OITC)

msrbl  unofficial signatures (link)
LOW false-positive rating
rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-FULL-SoN.hdb

securiteinfo.com unofficial signatures (link)

Various badware signatures                :  http://clamav.securiteinfo.com/vx.hdb.gz LOW false-positive rating
Securiteinfo.com Honeypot signatures :  http://clamav.securiteinfo.com/honeynet.hdb.gz LOW false-positive rating
Honeynet.cz signatures                      : http://clamav.securiteinfo.com/securiteinfo.hdb.gz LOW false-positive rating
French antispam signatures                : http://clamav.securiteinfo.com/antispam.ndb.gz HIGH false-positive rating

malware unofficial signatures (link)
http://www.malware.com.br/cgi/submit?action=list_clamav LOW false-positive rating


All the signatures.php script activity is logged here

tail -f /usr/local/assp/deluxe/signatures.log

When all your signatures will be loaded for the first time (it could require also 1 hour to upload all your signatures , due to antiabuse sleeping time) , ASSP spam detection could/will improve greatly .

Note:  by default email verified as bad by unofficial clamd signatures are SCORED (using vsValencePB by default set to 16) as soon the unofficial signature is verified .
 

How to identify which unofficial clamd database scored an email
If you have an email blocked like this in your ASSP maillog

May-06-10 21:24:42 83.103.35.140 <ar@ht.tv> to: fk@fk.is added 70 (virus detected: 'Sanesecurity.Hdr.7928.UNOFFICIAL'), total score for IP '83.103.35.140' is now 84;

and you want know which is the unofficial clamd database which scored the email , get the first part Sanesecurity.Hdr.7928 (without UNOFFICIAL) from Sanesecurity.Hdr.7928.UNOFFICIAL string , and grep it in this way
 

# grep "Sanesecurity.Hdr.7928" /usr/share/clamav/*

You will receive following result , which will show you the clamd db (below shown in green) which blocked the email

/usr/share/clamav/scam.ndb:Sanesecurity.Hdr.7928:4:*:582d4d61696c65723a2054686520426174212028{-500}582d4d534d61696c2d5072696f726

Unofficial clamd signatures , advanced settings

note: using the code below you can exclude some signatures also to safe some RAM in your system.
         The usage of all signatures need about 150 MB RAM.

You may add following values to  signatures.php ;
sa=0 , if you want skip (don't want use/update) Sanesecurity signatures
sm=0 , if you want skip (don't want use/update) Sanesecurity MEDIUM false-positive rating signatures
ms=0 , if you want skip (don't want use/update) msrbl signatures 
se=0 , if you want skip (don't want use/update) securiteinfo.com signatures
sh=0 , if you want skip (don't want use/update) securiteinfo.com HIGH false-positive rating signatures
ma=0 , if you want skip (don't want use/update) malware.com.br signatures

rn=0 , if you want skip the starting random "sleeping" (1 max 30 minutes)
ff=0 , if you want skip the 12 hours delay after each update (not reccomended!)
sg=0 , if you want skip the gpg sanesecurity signature check (faster)

dx=1 : UNINSTALL all the unofficial signatures (no update is executed)

How to uninstall unofficial clamd signatures

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/signatures.php dx=1

 

If you would report a bug/idea/suggestion/feedback  related with Unofficial clamd signatures please send an email clicking here.