1. Change the default PHP5 handler to suPHP
2. Enable the option "Prevent 'nobody' from sending mail" in tweak settings
3. Set "The maximum number of emails each domain can send out per hour" to 500 in tweak settings
4. Make the following settings in "Exim Configuration Editor"
------------------------------------o
a) SpamAssassin™: Reject mail at SMTP time if the spam score is greater than this number. (Positive or negative, single decimal points allowed.): 20
b) SpamAssassin™: Ratelimit hosts which transport messages with a spam score above this number. (Positive or negative, single decimal points allowed.): 20
c) RBL: zen.spamhaus.org - ON
------------------------------------o
5. Add the following line to the Exim configuration file (Exim treats lines that begin with whitespace as continuations of the previous line, so the option can be wrapped as shown):
+++++++++++++++++++++++++++++++
log_selector = +address_rewrite +all_parents +arguments \
    +connection_reject +delay_delivery +delivery_size +dnslist_defer \
    +incoming_interface +incoming_port +lost_incoming_connection +queue_run \
    +received_sender +received_recipients +retry_defer +sender_on_delivery \
    +size_reject +skip_delivery +smtp_confirmation +smtp_connection \
    +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
+++++++++++++++++++++++++++++++
This setting is useful for catching spammers who send mail through scripts: the +arguments selector logs the command line of each local exim invocation, which exposes the script or user that injected the message.
6. Append the following filters to the '/etc/antivirus.exim' file. This is the central (system) filter for the Exim mail server, which lets you set up all kinds of filters to stop spam from coming into and going out of your server:
+++++++++++++++++++++++++++++++++++++++++
# START
# Filters all incoming and outgoing mail
logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
$header_subject: contains "Pharmaceutical"
or $header_subject: contains "Viagra"
or $header_subject: contains "Cialis"
or $header_subject: is "The Ultimate Online Pharmaceutical"
or $header_subject: contains "***SPAM***"
or $header_subject: contains "[SPAM]"
# Body Spam
or $message_body: contains "Cialis"
or $message_body: contains "Viagra"
or $message_body: contains "Leavitra"
or $message_body: contains "St0ck"
or $message_body: contains "Viaagrra"
or $message_body: contains "Cia1iis"
or $message_body: contains "URGENT BUSINESS PROPOSAL"
# The TLD list must be an alternation group (net|com|...), not a character class [net|com|...],
# which would match single letters rather than whole TLDs.
or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)+?"
or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
then
# Log Message - "fail" SENDS A RESPONSE BACK TO THE SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
#fail text "Message has been rejected because it has
# triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
seen finish
endif
# END
# Filters all incoming and outgoing mail
# START
# All outgoing mail on the server only - what is sent out
# Checks $received_protocol so forwarders don't get blocked
# Forwarders still work =)
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@citibank.com" or
$header_from contains "@bankofamerica.com" or
$header_from contains "@wamu.com" or
$header_from contains "@ebay.com" or
$header_from contains "@chase.com" or
$header_from contains "@paypal.com" or
$header_from contains "@wellsfargo.com" or
$header_from contains "@bankunited.com" or
$header_from contains "@bankerstrust.com" or
$header_from contains "@bankfirst.com" or
$header_from contains "@capitalone.com" or
$header_from contains "@citizensbank.com" or
$header_from contains "@jpmorgan.com" or
$header_from contains "@wachovia.com" or
$header_from contains "@bankone.com" or
$header_from contains "@suntrust.com" or
$header_from contains "@amazon.com" or
$header_from contains "@banksecurity.com" or
$header_from contains "@visa.com" or
$header_from contains "@mastercard.com" or
$header_from contains "@mbna.com"
)
then
logwrite "$tod_log $message_id from $sender_address is fraud"
seen finish
endif
## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@hotmail.com" or
$header_from contains "@yahoo.com" or
$header_from contains "@aol.com"
)
then
logwrite "$tod_log $message_id from $sender_address is forged fake"
seen finish
endif
## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
#Paypal
$message_body: contains "Dear valued PayPal member" or
$message_body: contains "Dear valued PayPal customer" or
$message_body: contains "Dear Paypal" or
$message_body: contains "The PayPal Team" or
$message_body: contains "Dear Paypal Customer" or
$message_body: contains "Paypal Account Review Department" or
#Ebay
$message_body: contains "Dear eBay member" or
$message_body: contains "Dear eBay User" or
$message_body: contains "The eBay team" or
$message_body: contains "Dear eBay Community Member" or
#Banks
$message_body: contains "Dear Charter One Customer" or
$message_body: contains "Dear wamu.com customer" or
$message_body: contains "Dear valued Citizens Bank member" or
$message_body: contains "Dear Visa" or
$message_body: contains "Dear Citibank" or
$message_body: contains "Citibank Email" or
$message_body: contains "Dear customer of Chase Bank" or
$message_body: contains "Dear Bank of America customer" or
#ISPs
$message_body: contains "Dear AOL Member" or
$message_body: contains "Dear AOL Customer"
)
then
logwrite "$tod_log $message_id from $sender_address is phishing"
seen finish
endif
# END
# All outgoing mail on the server only - what is sent out
+++++++++++++++++++++++++++++++++++++++++
7. Ensure that the setting "Block outgoing SMTP except for root, exim and mailman" has been enabled in the CSF firewall. This prevents users from making direct socket connections to remote mail servers, so all mail has to be sent via the system MTA (Exim), leaving a single place to inspect and control it.
====
-bash-3.2# grep SMTP_BLOCK /etc/csf/csf.conf
SMTP_BLOCK = "1"
====
8. Ensure that reverse DNS records are set to point the server IP address to its hostname.
====
-bash-3.2# host xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx.in-addr.arpa domain name pointer server.domain.com
====
xxx.xxx.xxx.xxx - IP address of the server
server.domain.com - hostname of the server
These settings will help to prevent spamming from your server. Please note, however, that spamming may still occur in spite of all of them; it cannot be completely eliminated. Ultimately it is the responsibility of the users on the server to ensure that spamming does not occur. You will always have to monitor your server, apply timely updates to the various software packages and applications installed on the system, identify potential spammers and block them, and suspend any domain that is sending extensive spam at a given moment.
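The filters in step 6 write one line per hit to /var/log/filter.log in the form "$tod_log $message_id from $sender_address <verdict>". The following script, added here as an example and not part of the original article, parses that log and reports the senders and domains that trip the filters repeatedly, which is the "identify potential spammers" step above. The sample log content and the threshold of 3 hits are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the lines the step 6 filter writes with logwrite:
#   "$tod_log $message_id from $sender_address <verdict>"
# $sender_address is empty for bounce messages, hence \S* rather than \S+.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) from (?P<sender>\S*) "
    r"(?P<verdict>contained spam keywords|is fraud|is forged fake|is phishing)$"
)

def parse_filter_log(lines):
    """Yield (sender, domain, verdict) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        sender = m.group("sender").lower() or "<>"          # "<>" = bounce / empty sender
        domain = sender.rsplit("@", 1)[1] if "@" in sender else "<local>"
        yield sender, domain, m.group("verdict")

def summarize(lines, threshold=3):
    """Count hits per sender and per domain; flag those at or above the threshold."""
    by_sender, by_domain = Counter(), Counter()
    verdicts = defaultdict(Counter)
    for sender, domain, verdict in parse_filter_log(lines):
        by_sender[sender] += 1
        by_domain[domain] += 1
        verdicts[sender][verdict] += 1
    return {
        "senders": by_sender,
        "domains": by_domain,
        "verdicts": verdicts,
        "flagged_senders": sorted(s for s, n in by_sender.items() if n >= threshold),
        "flagged_domains": sorted(d for d, n in by_domain.items() if n >= threshold),
    }

# Constructed sample of /var/log/filter.log content (hypothetical addresses, not real traffic).
SAMPLE_LOG = """\
2024-03-01 10:15:02 1rPqZx-0003Kf-2a from promo@shop.example.net contained spam keywords
2024-03-01 10:15:09 1rPqZy-0003Kg-1b from promo@shop.example.net is phishing
2024-03-01 10:16:30 1rPqaA-0003Kh-0c from Promo@Shop.example.net is fraud
2024-03-01 10:17:11 1rPqaB-0003Ki-3d from alice@example.org contained spam keywords
2024-03-01 10:18:45 1rPqaC-0003Kj-4e from  is phishing
2024-03-01 10:19:00 1rPqaD-0003Kk-5f from bob@shop.example.net is forged fake
garbage line that the filter never wrote
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for sender in report["flagged_senders"]:
        print(sender, dict(report["verdicts"][sender]))
    print("domains to review:", report["flagged_domains"])
```

On a live server replace SAMPLE_LOG with `open("/var/log/filter.log")`; a domain that is flagged while no single sender is may indicate a compromised script rotating From addresses.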