
What is Email Spam?

What is Email Spam? In the sense everyone understands and probably agrees on, it is junk mail, that is, unsolicited email. Junk email is more dangerous today than it used to be, because it is also used as a vector for spreading viruses and malware.

Protecting against Email Spam on cPanel & WHM

Today, the basic Email Spam protection on cPanel & WHM relies mainly on Apache SpamAssassin, a program developed under the Apache License that filters spam on the principle of content-matching rules; it is now a project of the Apache Foundation. SpamAssassin combines several anti-spam techniques, including DNS-based checks, Bayesian classification and RBLs. It can be integrated with the mail server to filter spam at delivery time, or used per user at the mailbox level, depending on the mail server in use.

Basic Configuration for Email Spam Protection on cPanel & WHM

Apache SpamAssassin is normally installed together with cPanel & WHM, but it is not enabled by default. To enable it, follow these 4 steps:

1. Enable Apache SpamAssassin™ at WHM » Server Configuration » Tweak Settings

2. Enable the Apache SpamAssassin™ service and its monitor at WHM » Service Configuration » Service Manager

3. Go to WHM » Service Configuration » Exim Configuration Manager

4. Set up the Spamd startup configuration at WHM » Email » Spamd Startup Configuration

Example Apache SpamAssassin Rules

  • BAYES_POISON_DEFENSE Rules

  • CPANEL Rules

#CPANEL.cf - SpamAssassin Rules
#
#Author: cPanel, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# NetSol thought it was a great idea to give away tons of
# .xyz domains. In practice the primary consumers are spammers
# http://domaingang.com/domain-news/chinese-registrar-iisp-hk-sends-xyz-spam-harvested-whois-emails/
header CPANEL_XYZ From =~ /\@.*?\.xyz/i
describe CPANEL_XYZ .XYZ domain mostly used by spammers
score CPANEL_XYZ 2.1

meta CPANEL_LOTS_OF_EMPTY_LINE !HTML_MESSAGE
rawbody CPANEL_LOTS_OF_EMPTY_LINE /(?:[\t ]*[\r\n]){14,}/i
describe CPANEL_LOTS_OF_EMPTY_LINE Spam that has large block of empty lines
score CPANEL_LOTS_OF_EMPTY_LINE 0.8

meta CPANEL_LOTS_OF_EMPTY_LINE_HTML HTML_MESSAGE
rawbody CPANEL_LOTS_OF_EMPTY_LINE_HTML /(?:\s*<+\s*(?:p|br)\s*>+){10,}/i
describe CPANEL_LOTS_OF_EMPTY_LINE_HTML Spam that has large block of empty html lines
score CPANEL_LOTS_OF_EMPTY_LINE_HTML 0.8

#
# SPF failures and information
#
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_NONE 0
score SPF_HELO_NONE 0
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0
score SPF_SOFTFAIL 1.5
endif

#
# SURBL for foreign language content
#
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 1.9
score URIBL_WS_SURBL 1.7
score URIBL_MW_SURBL 1.3

urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 5.0

urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 1.0

urirhssub URIBL_GOLD multi.uribl.com. A 4
body URIBL_GOLD eval:check_uridnsbl('URIBL_GOLD')
describe URIBL_GOLD Contains an URL listed in the URIBL GOLDlist
tflags URIBL_GOLD net
score URIBL_GOLD 0.5
endif

# No "Message-Id:" header
score MISSING_MID 1.6

#
# Spam coming from dynamic IPs
#
ifplugin Mail::SpamAssassin::Plugin::DNSEval
score RCVD_IN_SORBS_HTTP 0
score RCVD_IN_SORBS_SOCKS 0
score RCVD_IN_SORBS_MISC 2.6
score RCVD_IN_SORBS_SMTP 2.6
score RCVD_IN_SORBS_WEB 0
score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_ZOMBIE 1.0
score RCVD_IN_SORBS_DUL 4.0

#
score RCVD_IN_XBL 0 4.724 0 4.375
score RCVD_IN_CBL 0 4.724 0 4.375
score RCVD_IN_PSBL 0 2.700 0 2.700
#
score RCVD_IN_BRBL_LASTEXT 0 4.644 0 4.449
score URIBL_DBL_SPAM 0 4.5 0 4.5
#
endif

#
# Mailspike bad reputations
#
if (version >= 3.004000)
score RCVD_IN_MSPIKE_L2 0.001 1.001 0.001 0.001
score RCVD_IN_MSPIKE_L3 0.001 2.498 0.001 2.498
score RCVD_IN_MSPIKE_L4 0.001 4.497 0.001 4.497
score RCVD_IN_MSPIKE_L5 0.001 6.196 0.001 6.196
endif

#
# RDNS problems
#
score RDNS_DYNAMIC 2.6
score RDNS_LOCALHOST 1.0
score RDNS_NONE 2.0

#
# Increase Pyzor score
#
score PYZOR_CHECK 0 1.985 0 1.792 # n=0 n=2

# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on

endif # Mail::SpamAssassin::Plugin::Shortcircuit

# Increase Bayes
score BAYES_80 4.2
score BAYES_99 5.0
score BAYES_999 1.0

  • KAM Rules

#RE[#] SPAM
#NOTE: Thanks to "Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe KAM_RE Subject of Re[0]: etc prevalent in Spam
score KAM_RE 2.0

meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
score KAM_RE_PLUS 4.0

#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
#Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
#thanks to Michael Denney for the FP report
header __KAM_HOODIA1 Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
rawbody __KAM_HOODIA2 /(?:hoodia|920\+)/i
body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is

meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
describe KAM_HOODIA Hoodia / Weight Loss Product Promotion Spam
score KAM_HOODIA 3.0

  • Local Rules

meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
describe KAM_DEBT2 Likely Debt eradication spams
score KAM_DEBT2 1.0

#XtraSize+ Penis Enlargement Scam
header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
body __KAM_SILD2 /(XtraSize\+|Sildenafil Citrate)/i

meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)

describe KAM_SILD Simple rule to block one more enhancement message
score KAM_SILD 5.0

#if (version < 3.002000)
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
# #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
# header __KAM_NUMBER1 Subject =~ /^\d+$/
# body __KAM_NUMBER2 /\d{1,6}/
# header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
#
# meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
# describe KAM_NUMBER Silly Number Emails
# score KAM_NUMBER 1.0
#endif

#KAM MEDICATION KAM_OVERPAY
body KAM_OVERPAY /O . V . E . R . P . A . Y/i
describe KAM_OVERPAY Common Medicinal Ad Trick
score KAM_OVERPAY 3.5

#VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
body KAM_VIAGRA1 /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA1 3.0
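To show how the header, body and meta rule types above combine into a score, here is an added Python evaluator (not part of the original page and not SpamAssassin's own code) that re-implements a handful of the rules listed above, with the sample message constructed for the example and rawbody approximated by the plain text body.

```python
import re

# Constructed sample message; only a handful of the page's rules are modelled,
# and rawbody (raw MIME body) is approximated by the plain text body.
SAMPLE_MSG = {
    "Subject": "Re[2]:",
    "From": "promo@example.xyz",
    "body": "Try hoodia today and reduce your appetite with our fat loss product",
}

# Perl /.../i and /.../is from the rules above become re.I and re.I | re.S.
HEADER_RULES = {  # rule name -> (header checked, pattern)
    "CPANEL_XYZ": ("From", re.compile(r"@.*?\.xyz", re.I)),
    "KAM_RE": ("Subject", re.compile(r"^Re(?:\s)*\[\d\]+(?:\s)*:?$", re.I)),
    "__KAM_HOODIA1": ("Subject", re.compile(r"(hoodia|920\+|serotonin|reduce your appetite)", re.I)),
}
BODY_RULES = {
    "__KAM_HOODIA2": re.compile(r"(?:hoodia|920\+)", re.I),
    "__KAM_HOODIA3": re.compile(r"(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)", re.I | re.S),
    "KAM_VIAGRA1": re.compile(r"V I A G R A|C I A L I S|V A L I U M|X A N A X", re.I),
}
# meta rule -> (subrules, threshold): fires when at least `threshold` subrules hit
META_RULES = {"KAM_HOODIA": (["__KAM_HOODIA1", "__KAM_HOODIA2", "__KAM_HOODIA3"], 2)}
SCORES = {"CPANEL_XYZ": 2.1, "KAM_RE": 2.0, "KAM_HOODIA": 3.0, "KAM_VIAGRA1": 3.0}

def evaluate(msg):
    """Return (total score, sorted list of scoring rules that hit) for one message."""
    hits = set()
    for name, (header, rx) in HEADER_RULES.items():
        if rx.search(msg.get(header, "")):
            hits.add(name)
    for name, rx in BODY_RULES.items():
        if rx.search(msg.get("body", "")):
            hits.add(name)
    for name, (subrules, threshold) in META_RULES.items():
        if sum(1 for s in subrules if s in hits) >= threshold:
            hits.add(name)
    # Names starting with "__" are subrules: no score of their own, never reported.
    scored = sorted(h for h in hits if not h.startswith("__"))
    return round(sum(SCORES[h] for h in scored), 1), scored

def is_spam(msg, required_score=5.0):
    """spamd's verdict: total score at or above required_score (5.0 by default)."""
    return evaluate(msg)[0] >= required_score
```

A body that only matches one HOODIA subrule scores nothing, which is the point of the meta threshold: two weak signals are needed before KAM_HOODIA adds its 3.0.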

The mail logs showing what Apache SpamAssassin did with each message can be checked in:

  • /var/log/maillog
Apr 24 07:23:39 jtest spamd[162756]: spamd: identified spam (23.4/5.0) for thaibanner:1023 in 4.1 seconds, 816 bytes.
Apr 24 07:23:39 jtest spamd[162756]: spamd: result: Y 23 - DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,FROM_EXCESS_BASE64,FSL_BULK_SIG,PYZOR_CHECK,RDNS_NONE,SPF_FAIL,SPF_HELO_FAIL,TO_NO_BRKTS_MSFT,TVD_SPACE_RATIO_MINFP scantime=4.1,size=816,user=thaibanner,uid=1023,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56790,mid=(unknown),autolearn=no autolearn_force=no,shortcircuit=no
  • /var/log/exim_mainlog
2019-04-24 07:23:39 1hJ5hG-000lYh-T4 H=(qq.com) [49.69.89.164]:55635 Warning: "SpamAssassin as thaibanner detected message as spam (23.4)"
2019-04-24 07:23:39 1hJ5hG-000lYh-T4 H=(qq.com) [49.69.89.164]:55635 Warning: Message has been scanned: no virus or other harmful content was found
2019-04-24 07:23:39 1hJ5hG-000lYh-T4 H=(qq.com) [49.69.89.164]:55635 F=<46825158@qq.com> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (130)."
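As an added example (not from the original page), the following Python parser reads spamd "result:" lines and Exim "rejected after DATA" lines in the formats shown above, so an administrator can count which rules fire on spam and list the rejected senders; the log lines are constructed, with the IP and addresses taken from the documentation example ranges.

```python
import re

# Constructed log lines in the formats shown above (IP and addresses are RFC 5737/2606 examples).
SAMPLE_MAILLOG = """\
Apr 24 07:23:39 jtest spamd[162756]: spamd: identified spam (23.4/5.0) for thaibanner:1023 in 4.1 seconds, 816 bytes.
Apr 24 07:23:39 jtest spamd[162756]: spamd: result: Y 23 - DOS_OE_TO_MX,SPF_FAIL,SPF_HELO_FAIL,RDNS_NONE scantime=4.1,size=816,user=thaibanner,uid=1023,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56790,mid=(unknown),autolearn=no autolearn_force=no,shortcircuit=no
Apr 24 07:25:02 jtest spamd[162756]: spamd: clean message (1.2/5.0) for thaibanner:1023 in 0.9 seconds, 2048 bytes.
Apr 24 07:25:02 jtest spamd[162756]: spamd: result: . 1 - HTML_MESSAGE,SPF_PASS scantime=0.9,size=2048,user=thaibanner,uid=1023,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56791,mid=<1@example.net>,autolearn=no autolearn_force=no,shortcircuit=no
"""
SAMPLE_EXIMLOG = """\
2019-04-24 07:23:39 1hJ5hG-000lYh-T4 H=(example.net) [192.0.2.10]:55635 Warning: "SpamAssassin as thaibanner detected message as spam (23.4)"
2019-04-24 07:23:39 1hJ5hG-000lYh-T4 H=(example.net) [192.0.2.10]:55635 F=<sender@example.net> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (130)."
"""

# "result:" carries the verdict flag (Y = spam, . = clean), the rounded score, the rule list and key=value fields.
RESULT_RE = re.compile(r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<rules>\S+) (?P<kv>.*)$")
REJECT_RE = re.compile(r"\[(?P<ip>[^\]]+)\]:\d+ F=<(?P<sender>[^>]*)> rejected after DATA")

def parse_spamd_results(log_text):
    """One dict per 'spamd: result:' line: verdict, rounded score, hit rules, selected key=value fields."""
    out = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in re.split(r"[ ,]", m.group("kv")) if "=" in p)
        out.append({
            "spam": m.group("flag") == "Y",
            "score": int(m.group("score")),
            "required": float(kv.get("required_score", "5.0")),
            "user": kv.get("user"),
            "rules": m.group("rules").split(","),
        })
    return out

def rule_hit_counts(entries):
    """How often each rule fired on messages judged spam: a starting point when tuning scores."""
    counts = {}
    for e in entries:
        if e["spam"]:
            for r in e["rules"]:
                counts[r] = counts.get(r, 0) + 1
    return counts

def rejected_senders(exim_text):
    """(ip, envelope sender) for each message Exim rejected after DATA on SpamAssassin's verdict."""
    return [(m.group("ip"), m.group("sender")) for m in map(REJECT_RE.search, exim_text.splitlines()) if m]
```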

From this example of Apache SpamAssassin in action, you can see that it reduces the spam email problem to a considerable degree.