How to prevent Spamming on a cPanel server

cPanel servers ship with a small but useful file named antivirus.exim. It is the central (system) filter for the Exim mail server, and it lets you set up filters that help stop spam from coming into and going out of your server.

In this article I will provide my /etc/antivirus.exim config file, which will help you protect your servers from spammers. The default /etc/antivirus.exim has a couple of different rule sets in it. The main ones are attachment filters that help keep email viruses away from your users; they stop things like .scr, .com and .exe attachments. The custom rules shown here stop spammers from sending out of your server, and you can also use them to stop spam from coming in. I don't really go into a lot of detail for filtering incoming mail, since other applications like SpamAssassin handle that better IMO.

You will need root access to your cPanel server.

First we need to create a dedicated log file for these filters:

touch /var/log/filter.log
chmod 0644 /var/log/filter.log

Now open up the configuration file:

vi /etc/antivirus.exim

Add the following to your existing file and save it; the changes take effect instantly.

# START
# Filters all incoming and outgoing mail

logfile /var/log/filter.log 0644

## Common Spam
if
    # Header Spam
    $header_subject: contains "Pharmaceutical" or
    $header_subject: contains "Viagra" or
    $header_subject: contains "Cialis" or
    $header_subject: is "The Ultimate Online Pharmaceutical" or
    $header_subject: contains "***SPAM***" or
    $header_subject: contains "[SPAM]"

    # Body Spam
    or $message_body contains "Cialis"
    or $message_body contains "Viagra"
    or $message_body contains "Leavitra"
    or $message_body contains "St0ck"
    or $message_body contains "Viaagrra"
    or $message_body contains "Cia1iis"
    or $message_body contains "URGENT BUSINESS PROPOSAL"
    or $message_body matches "angka[^s]+[net|com|org|biz|info|us|name]+?"
    or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
then
    # Log Message - SENDS RESPONSE BACK TO SENDER
    # SUGGESTED TO LEAVE OFF to prevent fail loops
    # and more work for the mail system
    #fail text "Message has been rejected because it has
    #           triggered our central filter."
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"

    # End filtering and mark the message as handled, so it is dropped rather than delivered
    seen finish
endif

# END
# Filters all incoming and outgoing mail

# START
# All outgoing mail on the server only - what is sent out

# Check forwarders so it doesn't get blocked
# Forwarders still work =)

## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
    # Only mail submitted locally or over authenticated SMTP
    $received_protocol is "local" or
    $received_protocol is "esmtpa"
) and (
    $header_from contains "@citibank.com" or
    $header_from contains "@bankofamerica.com" or
    $header_from contains "@wamu.com" or
    $header_from contains "@ebay.com" or
    $header_from contains "@chase.com" or
    $header_from contains "@paypal.com" or
    $header_from contains "@wellsfargo.com" or
    $header_from contains "@bankunited.com" or
    $header_from contains "@bankerstrust.com" or
    $header_from contains "@bankfirst.com" or
    $header_from contains "@capitalone.com" or
    $header_from contains "@citizensbank.com" or
    $header_from contains "@jpmorgan.com" or
    $header_from contains "@wachovia.com" or
    $header_from contains "@bankone.com" or
    $header_from contains "@suntrust.com" or
    $header_from contains "@amazon.com" or
    $header_from contains "@banksecurity.com" or
    $header_from contains "@visa.com" or
    $header_from contains "@mastercard.com" or
    $header_from contains "@mbna.com"
) then
    logwrite "$tod_log $message_id from $sender_address is fraud"
    seen finish
endif

## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
    $received_protocol is "local" or
    $received_protocol is "esmtpa"
) and (
    $header_from contains "@hotmail.com" or
    $header_from contains "@yahoo.com" or
    $header_from contains "@aol.com"
) then
    logwrite "$tod_log $message_id from $sender_address is forged fake"
    seen finish
endif

## KNOWN FAKE PHISHING
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
    $received_protocol is "local" or
    $received_protocol is "esmtpa"
) and (
    #Paypal
    $message_body contains "Dear valued PayPal member" or
    $message_body contains "Dear valued PayPal customer" or
    $message_body contains "Dear Paypal" or
    $message_body contains "The PayPal Team" or
    $message_body contains "Dear Paypal Customer" or
    $message_body contains "Paypal Account Review Department" or

    #Ebay
    $message_body contains "Dear eBay member" or
    $message_body contains "Dear eBay User" or
    $message_body contains "The eBay team" or
    $message_body contains "Dear eBay Community Member" or

    #Banks
    $message_body contains "Dear Charter One Customer" or
    $message_body contains "Dear wamu.com customer" or
    $message_body contains "Dear valued Citizens Bank member" or
    $message_body contains "Dear Visa" or
    $message_body contains "Dear Citibank" or
    $message_body contains "Citibank Email" or
    $message_body contains "Dear customer of Chase Bank" or
    $message_body contains "Dear Bank of America customer" or

    #ISPs
    $message_body contains "Dear AOL Member" or
    $message_body contains "Dear AOL Customer"
) then
    logwrite "$tod_log $message_id from $sender_address is phishing"
    seen finish
endif

# END
# All outgoing mail on the server only - what is sent out

Entries in /var/log/filter.log will look like this:

2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@gmail.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowellu7xn@gmail.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.wavepointmedia.com is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.wavepointmedia.com is phishing

Each entry shows the date and time, the Exim message ID, the sender, and the section of the filter that matched, such as phishing, fraud or spam. You can look up the corresponding mail message by grepping exim_mainlog for its ID, like this:

grep 1FZEB9-0002KQ-VP /var/log/exim_mainlog
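
To triage what these rules catch, the following added example (not part of the original article) counts filter.log entries per verdict and sender, and lists the message IDs of the outbound hits so they can be looked up in /var/log/exim_mainlog as shown above. The function names and the sample entries are constructed for illustration; the line layout is assumed to be exactly what the logwrite commands above produce.

```shell
#!/bin/sh
# Added example: triage /var/log/filter.log. Assumed line layout:
#   <date> <time> <message-id> from <sender> <verdict text>

summarize_filter_log() {
    # $1 = log path. Prints "<count> <verdict> <sender>", busiest first.
    awk '
        $4 == "from" {
            sender = $5
            # A bounce has an empty $sender_address, so field 5 is verdict text.
            if (sender == "contained" || sender == "is") sender = "<>"
            verdict = $NF            # keywords | fraud | fake | phishing
            if (verdict == "keywords") verdict = "spam"
            if (verdict == "fake")     verdict = "forged"
            hits[verdict " " sender]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

outbound_message_ids() {
    # The fraud/forged/phishing rules only match "local" or "esmtpa" mail,
    # so these IDs belong to messages that originated on this server.
    awk '$4 == "from" && ($NF == "fraud" || $NF == "fake" || $NF == "phishing") { print $3 }' "$1"
}

sample_log() {   # constructed entries, not real traffic
    cat <<'EOF'
2006-05-10 12:05:13 1AAAAA-000001-AA from alice@example.org contained spam keywords
2006-05-10 12:06:02 1AAAAA-000002-AA from nobody@host.example.com is phishing
2006-05-10 12:06:40 1AAAAA-000003-AA from nobody@host.example.com is phishing
2006-05-10 12:07:11 1AAAAA-000004-AA from user@example.net is forged fake
2006-05-10 12:08:00 1AAAAA-000005-AA from nobody@host.example.com is fraud
2006-05-10 12:09:30 1AAAAA-000006-AA from  contained spam keywords
EOF
}

# Demo on the constructed sample; on a server pass /var/log/filter.log instead.
demo=$(mktemp)
sample_log > "$demo"
summarize_filter_log "$demo"
outbound_message_ids "$demo"
rm -f "$demo"
```

A local sender that keeps appearing with fraud or phishing verdicts points at an account or script on the server that needs attention, not at inbound spam.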

Note: This article came from hostentrepreneur.com. The domain there seemed to have expired and I got this from Google Cache.

@bygget

Pictures from @bygget/Alfabygget. This is Aftenposten's old printing plant.

Wordpress 2.5 Dashboard Widgets

Viper007Bond has come up with a great solution to the rather messy Dashboard in Wordpress 2.5. He has created Dashboard Widget Manager. It will let you manage what feeds you want shown in your Wordpress Dashboard.

Great stuff! Just what I need when using Wordpress as a CMS for clients! :)

PS: This plugin has been discontinued as Wordpress 2.7 includes this as a core feature.

Export Email from Outlook to Gmail Software

Here is the software that will make it much easier to export your Email from Microsoft Outlook / Outlook Express to GMail.

Download the file here.

It would be great with some feedback on how this worked for you.

You need a Google Apps account.

Hansel and Gretel Breadcrumb Plugin for Wordpress

It seems that the author took down the web site this Wordpress plugin was located at, so I have uploaded it on my site.

Breadcrumb makes a breadcrumb like: Home – News – Football News

Download here: Hansel and Gretel Breadcrumb Plugin

Hattrick Scout Comments

Overview of comments that the trainer will give you in the Hattrick Youth Academy.

How to remove Easy Internet Signup

When you buy a laptop from HP you get something that is called Easy Internet Sign-up that goes totally mad on you. The program that runs Easy Internet Sign-up is HP SDP Application Module (HPSdpApp.exe).

Wenger makes bid for Håvard Nordtveit

In a press conference late today, board member Ingolf Steensnæs told the press that Arsene Wenger had made an official bid for FK Haugesund youngster Håvard Nordtveit. The bid was turned down by the club, but more talks were expected.

Wenger was in Haugesund himself and watched Håvard Nordtveit play the match against Notodden.

Hattrick Youth Stars

After analysing all my new players' reports, and looking at many other players' reports across general threads on the topic, I am currently thinking that Youth Stars ain't quite as cryptic as they are being made out to be. In fact they may be to an extent very easy to translate.

Hattrick Youth System FAQ

Frequently asked questions about the Hattrick Youth System.