Tweaking ASSP Deluxe for cPanel & ASSP  

 

 

On this page you can find articles on tweaking ASSP and getting better use out of ASSP Deluxe for cPanel. If you would like to add an article, please send an email here with your credits (your business URL and full name). Use these tweaks at your own risk.

Latest recommended RBLs (10 Jun 2008) #08

This tweak can be applied with or without "ASSP Scoring mode" enabled.

1) If you want to use the KarmaSphere RBL
     Note that you must register a free account at KarmaSphere and give KarmaSphere all your server IP addresses.

Open the ASSP web interface and open the DNSBL menu;
- change RBL Service Providers to the following (it's a single line without spaces)

karmasphere.email-sender.dnsbl.karmasphere.com|zen.spamhaus.org|bl.spamcop.net|ix.dnsbl.manitu.net|list.dsbl.org|dul.dnsbl.sorbs.net|blackholes.five-ten-sg.com|bl.spamcannibal.org|spam.spamrats.com

- Set Maximum Replies to 9

- Set Maximum Hits to 2 (or set 1 for aggressive settings)

Save settings.

2) If you do not want to use the KarmaSphere RBL

- change RBL Service Providers to the following (it's a single line without spaces)

zen.spamhaus.org|bl.spamcop.net|ix.dnsbl.manitu.net|list.dsbl.org|dul.dnsbl.sorbs.net|blackholes.five-ten-sg.com|bl.spamcannibal.org|spam.spamrats.com

- Set Maximum Replies to 8

- Set Maximum Hits to 2 (or set 1 for very aggressive settings)

 Save settings.
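To see what the two numbers above actually control, here is an added example (my own code, not from the page or from ASSP) that performs the DNSBL lookup the way every RBL client does: reverse the IPv4 octets, append the provider zone, and treat an A record answer as "listed". The provider list is the page's option 2; the meaning given to Maximum Replies (stop after that many lists have answered) and Maximum Hits (fail once that many lists hit) is my reading of the two ASSP fields, not ASSP's own code. The listings are constructed so the demo runs offline; dns_resolve is the live variant you would pass instead.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]

# Provider list copied from the page's option 2 (the "RBL Service Providers" field).
RBL_PROVIDERS: List[str] = (
    "zen.spamhaus.org|bl.spamcop.net|ix.dnsbl.manitu.net|list.dsbl.org|"
    "dul.dnsbl.sorbs.net|blackholes.five-ten-sg.com|bl.spamcannibal.org|"
    "spam.spamrats.com"
).split("|")


def rbl_query_name(ip: str, provider: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone.

    Example: 192.0.2.10 against zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{provider}"


def dns_resolve(name: str) -> Optional[str]:
    """Live resolver: an A record means 'listed', NXDOMAIN/timeout means 'not listed'.
    Not used by the demo below, which runs offline with a constructed resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rbl_verdict(ip: str, providers: Iterable[str], resolve: Resolver,
                max_replies: int, max_hits: int) -> Dict[str, object]:
    """Query the providers in order and decide like the page's DNSBL settings.

    Assumed semantics (my reading of the two ASSP fields, not ASSP's own code):
      - max_replies: stop querying once this many providers have answered;
      - max_hits: the sender fails the check once this many lists return a hit.
    """
    hits: List[str] = []
    replies = 0
    for provider in providers:
        if replies >= max_replies:
            break
        replies += 1
        if resolve(rbl_query_name(ip, provider)) is not None:
            hits.append(provider)
            if len(hits) >= max_hits:  # verdict is final, no need to wait for the rest
                break
    return {"ip": ip, "hits": hits, "replies": replies,
            "failed": len(hits) >= max_hits}


# Constructed offline resolver: pretends 192.0.2.10 (TEST-NET-1) is on two lists
# and 198.51.100.7 on one; every other name is unlisted.
CONSTRUCTED_LISTINGS = {
    rbl_query_name("192.0.2.10", "zen.spamhaus.org"): "127.0.0.2",
    rbl_query_name("192.0.2.10", "bl.spamcop.net"): "127.0.0.2",
    rbl_query_name("198.51.100.7", "spam.spamrats.com"): "127.0.0.36",
}


def fake_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        for max_hits in (2, 1):
            v = rbl_verdict(ip, RBL_PROVIDERS, fake_resolve, max_replies=8, max_hits=max_hits)
            print(f"{ip:14} max_hits={max_hits}: failed={v['failed']} hits={v['hits']}")
```

Running it shows why the page calls Maximum Hits 1 "aggressive": the sender listed on a single RBL passes at 2 and fails at 1, so a single stale or over-broad list is enough to block mail.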

Latest recommended ASSP usage (20 May 2008) #09


If you have been using ASSP for at least 4-5 months AND you followed/applied the post-installation steps (especially ASSP scoring ON, no local enabled for most of your users, delaying off per user, spambox enabled), I invite everyone to use the following settings. The following settings on 1.3.5 5.0 and 1.3.9 give extremely good spam detection and rare false positives.

a) Upgrade everything (ASSP and ASSP Deluxe) to the latest versions. Be sure you have ASSP 1.3.5 5.0 or 1.3.9 (recommended).

b) Open ASSP WHM; disable and re-enable "assp scoring ON" to automatically load the new recommended scoring scores (included with the latest ASSP Deluxe).

c) Apply http://www.grscripts.com/tweaking.html#08 option 2 (with Maximum Hits set to 2).

d) Open the ASSP web interface > Penalty Box menu

Go down to Bayesian (baysValencePB) and set it to 37
Go down to Missing MX & A Record and set it to 38
Go down to DNSBL Failed (rblValencePB) and set it to 38

Save settings.


e) (optional, recommended) Set the "alternative PB extreme" if you are not already using it. Click here to set the alternative PB


 

A powerful tool, find_abusers.php #06


ASSP Deluxe contains a useful tool which can be executed in this way

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php

It reports a lot of useful information, to understand quickly what kind of email attack your server is receiving, which of your accounts are under heavy attack, which bad IPs are attacking your server (sorted), and much more.

Available commands

show=n
The show=n command shows you only data over the number n. If you don't specify it, a value of 30 will be used.

example

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=20

Requirements
To use this tool correctly there are 2 requirements
a)   ASSP SCORING MODE should be ON on your ASSP WHM interface
b)   logging options on the ASSP web interface should not be changed from default.


Using find_abusers.php as a cronjob
However, it's not only a tool to receive information. You can execute it every 20 minutes (recommended) with several commands to build a better Penalty Box extreme (collection of bad IPs), or to use an alternative to the Penalty Box extreme collection of bad IP addresses. So we can consider 2 situations: you want to collect bad IPs with Penalty Box extreme (default), or you decided to collect bad IPs using the alternative PB.

===================================================================
1) If you are using PB extreme
===================================================================
it means you have
- assp web interface > PB menu > PenaltyBox Extreme - IP Profiles (DoPenaltyExtreme) set to 1.
- assp web interface > PB menu > "Use Exported Penalty BlackBox Extreme for SMTP Denying" (exportExtremeFileDeny) checked, i.e. set to 1.

If an IP address sends emails with repetitive errors (for example BlacklistedHelo), even if ASSP scoring mode does not reject it (because BlacklistedHelo is only 5 points and the points required for ASSP scoring are e.g. 40), the Penalty Box (PB) will count and sum the BlacklistedHelo score errors in the PenaltyBox database, and when the Extreme Scoring Threshold (PenaltyExtreme) value is reached the IP address will be added to /usr/local/assp/pb/exportedextreme.txt and blocked at SMTP time, generating the following error:

554 5.7.1 Penalty Box error, please contact the server support to ensure delivery

By default ASSP 1.3.5 and 1.3.3.8 come installed with PenaltyBox Extreme enabled.

The following commands are available

show=n
The show=n command shows you only data over the number n. If you don't specify it, a value of 30 will be used.

addpb=n

If you use for example addpb=20, IPs whose spam messages were rejected more than 20 times due to

"email dictionary attack"
"assp scoring mode"
"max errors"
"relay attempt blocked"
"limited connections"

will be shown like this

23 = > 88.247.124.222 (already on PB extreme file)

if the IP address is already listed on PB extreme, or

28 = > 89.24.107.214 (added to PB because 28 greater than 20)

if the IP is still not listed on the PB extreme file.


log=maillog
The log= command lets you enter and analyze an ASSP maillog different from the current maillog.txt


example

from console
/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=30 addpb=20

or as a cronjob

*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=30 addpb=20
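As an added example (my own code, not the find_abusers.php shipped with ASSP Deluxe), here is the core of what the show= and addpb= options described above do: count, per source IP and per attacked recipient, the rejections that carry one of the five reasons listed, show only counts over n, and add IPs over the addpb threshold to the PB extreme collection while reporting them in the same "count = > ip (...)" layout. The log lines are constructed in a simplified layout, so LINE_RE would need adapting to the real maillog.txt, and the in-memory set stands in for /usr/local/assp/pb/exportedextreme.txt.

```python
import re
from collections import Counter
from typing import List, Set, Tuple

# Rejection reasons the page's addpb= option counts.
ABUSE_REASONS = (
    "email dictionary attack",
    "assp scoring mode",
    "max errors",
    "relay attempt blocked",
    "limited connections",
)

# Constructed lines in a simplified "date time ip <sender> to: rcpt message" layout;
# the real ASSP maillog.txt has more fields, so adapt LINE_RE before pointing this at it.
CONSTRUCTED_MAILLOG = """\
Jun-10-08 12:00:01 192.0.2.10 <a@example.org> to: joe@example.com email dictionary attack
Jun-10-08 12:00:02 192.0.2.10 <b@example.org> to: jim@example.com email dictionary attack
Jun-10-08 12:00:03 192.0.2.10 <c@example.org> to: jon@example.com email dictionary attack
Jun-10-08 12:00:04 198.51.100.7 <d@example.org> to: ann@example.com relay attempt blocked
Jun-10-08 12:00:05 198.51.100.7 <e@example.org> to: ann@example.com max errors
Jun-10-08 12:00:06 203.0.113.5 <f@example.org> to: bob@example.com message ok
Jun-10-08 12:00:07 192.0.2.10 <g@example.org> to: max@example.com limited connections
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?to: (?P<rcpt>\S+) (?P<msg>.*)$"
)


def parse_rejections(log_text: str) -> Tuple[Counter, Counter]:
    """Count abusive rejections per source IP and per attacked recipient."""
    by_ip: Counter = Counter()
    by_rcpt: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").lower()
        if any(reason in msg for reason in ABUSE_REASONS):
            by_ip[m.group("ip")] += 1
            by_rcpt[m.group("rcpt")] += 1
    return by_ip, by_rcpt


def top_over(counts: Counter, show: int = 30) -> List[Tuple[int, str]]:
    """show=n: only entries whose count exceeds n, biggest first (the page's default n is 30)."""
    return sorted(((n, key) for key, n in counts.items() if n > show), reverse=True)


def update_pb_extreme(by_ip: Counter, addpb: int, pb_file: Set[str]) -> List[str]:
    """addpb=n: put IPs rejected more than n times into the PB extreme set (pb_file is
    mutated in place) and return report lines in the page's "count = > ip (...)" layout."""
    lines: List[str] = []
    for n, ip in top_over(by_ip, addpb):
        if ip in pb_file:
            lines.append(f"{n} = > {ip} (already on PB extreme file)")
        else:
            pb_file.add(ip)
            lines.append(f"{n} = > {ip} (added to PB because {n} greater than {addpb})")
    return lines


if __name__ == "__main__":
    ips, rcpts = parse_rejections(CONSTRUCTED_MAILLOG)
    print("accounts under attack:", top_over(rcpts, show=1))
    exported: Set[str] = set()  # stands in for /usr/local/assp/pb/exportedextreme.txt
    for report_line in update_pb_extreme(ips, addpb=1, pb_file=exported):
        print(report_line)
```

Note the strict "greater than" in both thresholds, matching the page's wording ("28 greater than 20"): with addpb=20 an IP rejected exactly 20 times is not added.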

===================================================================
2) If you are not using PB extreme, or if you would NOT use PB extreme
===================================================================
If you are not using PB extreme, or if you do not want to use PB extreme, simply follow this:
http://www.grscripts.com/howtofaq.html#70 .

Compared with the IPs collected by PB extreme, this way strongly reduces the risk of blocking a good/valid IP. If you install this cron, Penalty Box extreme will be turned off automatically. Be sure you have the latest ASSP Deluxe version (2.8.0) to use it.
I strongly recommend this usage if you had problems using PB extreme.

 

 

How to block a DDoS SMTP attack using ASSP and ASSP Deluxe for cPanel (#07)


First of all you should understand whether your server is under a DDoS SMTP attack.
You can recognise it, for example, from these points

- Your mail server is not usable or really slow.
- If you analyze http://yourserverip:55555/shutdown_list you can see a lot of SMTP sessions (over 60, e.g.), and several SMTP sessions
   using the same IP, or you can't open http://yourserverip:55555/shutdown_list at all
- if you analyze tail -f /usr/local/assp/maillog.txt (the ASSP maillog) you can see a LOT of email dictionary attacks
- ASSP crashes often or the ASSP CPU usage is high or very high (over 20%)
- server CPU usage is high or very high
- on the ASSP STATUS CHART you can see a lot of exim/assp connections, much more than usual

Do not use this procedure to stop small mail attacks; this procedure should be used only to stop DDoS SMTP attacks
which make your mail server and your server unusable.
If you are in this situation you can reduce and/or stop the attack in this way


0) Edit your root cronjobs and remove any cron line which is using find_abusers.php (in case you have it)

1) Open the ASSP web interface http://yourserverip:55555 and be sure you have PB extreme enabled
- assp web interface > PB menu > PenaltyBox Extreme - IP Profiles (DoPenaltyExtreme) set to 1.
- assp web interface > PB menu > "Use Exported Penalty BlackBox Extreme for SMTP Denying" (exportExtremeFileDeny) checked, i.e. set to 1.

Now go to the SMTP session menu (assp web interface) and set these aggressive values

maxerrors  2
maxsmtpipsessions 2
maxsmtpipconnects  2
maxsmtpipduration  60
maxsmtpdomainip 2
smtpidletimeout  80

Save settings on the assp web interface
(all this could take time because the assp web interface will be very slow while under attack)

2) Go to the console and set this aggressive cron

*/8 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=8 addpb=8
or, much more aggressive if the attack is really heavy,
*/8 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php show=4 addpb=4

3) Report to your clients that your server is under a heavy DDoS SMTP attack, and that they could have some problems
    sending email. If during the attack a client can't send, ask for his IP address and put it in
    - assp web interface > PB menu > NoPB

After about 1 hour ASSP and find_abusers.php will have collected hundreds or thousands of bad IPs;
if you open http://yourserverip:55555/shutdown_list now you should see a reduced number of SMTP sessions.

You can execute from the console

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php

to see how many IPs ASSP is rejecting using PB extreme.

If you analyze the ASSP maillog in real time (# tail -f /usr/local/assp/maillog.txt) you should see several connections "denied by exportExtremeFile". ASSP is rejecting the SMTP DDoS attack at SMTP time. After about 45/60 minutes the ASSP CPU load and server CPU
load should return to normal.
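The page's signal for "the attack is over" is the number of "denied by exportExtremeFile" lines arriving per minute. Here is an added example (my own code, not part of ASSP Deluxe) that computes that rate from the maillog and applies a simple quiet-period rule, so the decision to relax the SMTP limits rests on a number rather than on watching tail -f. The log lines are constructed in a simplified "date time ip message" layout; only the timestamp position and the deny phrase matter.

```python
import re
from typing import Dict, Tuple

DENY_MARK = "denied by exportExtremeFile"        # maillog phrase the page says to watch
TIME_RE = re.compile(r"^\S+ (\d\d:\d\d):\d\d ")  # "Jun-10-08 13:00:05 ..." -> "13:00"

# Constructed lines in a simplified layout (not real ASSP output).
CONSTRUCTED_MAILLOG = """\
Jun-10-08 13:00:05 192.0.2.10 denied by exportExtremeFile
Jun-10-08 13:00:09 192.0.2.11 denied by exportExtremeFile
Jun-10-08 13:00:40 192.0.2.12 denied by exportExtremeFile
Jun-10-08 13:01:02 192.0.2.13 denied by exportExtremeFile
Jun-10-08 13:01:30 203.0.113.5 <ok@example.org> to: bob@example.com message ok
Jun-10-08 13:02:11 192.0.2.14 denied by exportExtremeFile
Jun-10-08 13:03:50 203.0.113.6 <ok@example.org> to: ann@example.com message ok
"""


def denied_per_minute(log_text: str) -> Dict[str, int]:
    """Count PB extreme denials per HH:MM, in log order.
    A minute that carried other traffic but no denial is reported as 0."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = TIME_RE.match(line)
        if not m:
            continue
        minute = m.group(1)
        counts.setdefault(minute, 0)
        if DENY_MARK in line:
            counts[minute] += 1
    return counts


def peak_minute(per_minute: Dict[str, int]) -> Tuple[str, int]:
    """The busiest minute, useful for seeing how far the rate has fallen."""
    return max(per_minute.items(), key=lambda kv: kv[1])


def attack_subsided(per_minute: Dict[str, int], quiet_minutes: int, max_denies: int) -> bool:
    """True when each of the last quiet_minutes observed minutes had at most max_denies
    denials. The thresholds are yours to pick from what 'normal' looks like on your server."""
    recent = list(per_minute.values())[-quiet_minutes:]
    return len(recent) >= quiet_minutes and all(n <= max_denies for n in recent)


if __name__ == "__main__":
    rate = denied_per_minute(CONSTRUCTED_MAILLOG)
    for minute, n in rate.items():
        print(f"{minute}  {n:4d} denied")
    print("peak:", peak_minute(rate))
    print("safe to restore standard values:", attack_subsided(rate, quiet_minutes=2, max_denies=1))
```

Against the real file you would read /usr/local/assp/maillog.txt (or a rotated copy) instead of the constructed text; a longer quiet window than two minutes is sensible given that the page observes attacks lasting 12-24 hours.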

Only when you think the attack has stopped/terminated (if you are lucky it could stop after 12-24 hours), which you can
tell by looking at the number of "denied by exportExtremeFile" entries received per minute in your ASSP maillog,
you can return everything to standard values, so:

a) Open the assp web interface, go to the SMTP session menu (assp web interface) and return the SMTP values to standard

maxerrors 10
maxsmtpipsessions 10
maxsmtpipconnects 10
maxsmtpipduration  90
maxsmtpdomainip 10
smtpidletimeout 120

Save settings

b) Now remove the cron you set above at step 2.

c) Now clean the PB extreme file (if you are 100% sure the attack has stopped) in this way (I recommend cleaning it because during the attack
some good IPs could have been collected)
# cd /usr/local/assp/pb;rm -f pbdb.*;/etc/init.d/assp stop;rm -f pbdb.*;/etc/init.d/assp start;echo "" > exportedextreme.txt

OR
you may use the alternative PB http://www.grscripts.com/howtofaq.html#70 (which disables PB extreme automatically).

 

How to train the ASSP Bayesian filter using the ASSP NOTSPAM ANALYZER
(updated 11 Mar 2008) #01

Another way to train the ASSP Bayes algorithm is using the ASSP NOT SPAM ANALYZER on the ASSP WHM interface;
open the ASSP NOT SPAM ANALYZER and look for naughty words with the search tool.
You will probably find some SPAM messages inside your NOT SPAM collection. Move them to SPAM, and
rebuild the spam db. Each time you do this task, you make the Bayesian database better.

For example you can search for these keywords in your NOT SPAM ANALYZER

replica watches|MegaDik| cock | penis | pills | Original Viagra | better sex life | average penis | enlargement | orgasm | erections | Viagra | big dick | sperma | Sexual | Erectionsk | Stamina | sildenafil | citrate | Erectile 

(note that there is a space before and after each keyword. Copy and paste the yellow section into
your search form field, then click search)

If you find some messages, they are probably spam. Read the messages and move them to SPAM
if required. At the end of the operation rebuild the spamdb (using the REBUILD SPAMDB button).

If you check the keywords above in your spamdb before and after this training operation
( cat /usr/local/assp/spamdb | grep "penis" ), you will notice that ASSP has assigned a higher Bayesian score to
all the keywords above. If ASSP receives again an email with one of the keywords above, it will get a
greater Bayesian score and a higher probability of being blocked. I suggest you execute this training
once a week, searching for different naughty words.

Note that if you are using assp scoring mode ON, and you do the Bayesian correction operation explained above often
(weekly, e.g.), after some weeks your Bayesian filter will be much better and very efficient, so you can consider raising the
Bayesian score to 35-39 (from the default 25), considerably increasing the percentage of spam blocked by "assp scoring mode".
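Why does moving a few misfiled messages from NOT SPAM to SPAM raise the score of a keyword so much? An added worked example (my own code, not ASSP's spamdb logic) makes the arithmetic visible with a simplified Graham-style per-token probability: the share of spam messages containing the token divided by the sum of its spam and not-spam shares. The corpus is constructed: 100 spam and 100 not-spam messages, with "penis" in 3 spam messages and in 2 messages wrongly filed as not spam. ASSP's real database and scoring differ in detail, but the direction of the effect is the same.

```python
import re
from collections import Counter
from typing import Dict, List


def tokenize(text: str) -> List[str]:
    """Whole-word, lower-case tokens, matching the page's ' word ' search style."""
    return re.findall(r"[a-z]+", text.lower())


class Corpus:
    """Per-token document counts for the SPAM and NOT SPAM collections."""

    def __init__(self) -> None:
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens: Counter = Counter()
        self.ham_tokens: Counter = Counter()

    def add(self, text: str, spam: bool) -> None:
        tokens = set(tokenize(text))  # count each token once per message
        if spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def move_to_spam(self, text: str) -> None:
        """A message filed under NOT SPAM is reclassified, like moving it in the analyzer."""
        tokens = set(tokenize(text))
        self.ham_docs -= 1
        self.ham_tokens.subtract(tokens)
        self.spam_docs += 1
        self.spam_tokens.update(tokens)

    def probability(self, token: str) -> float:
        """Graham-style per-token spam probability, clipped to [0.01, 0.99].
        A simplified model of a Bayesian filter, not ASSP's exact formula."""
        bad = self.spam_tokens[token] / self.spam_docs if self.spam_docs else 0.0
        good = self.ham_tokens[token] / self.ham_docs if self.ham_docs else 0.0
        if bad + good == 0:
            return 0.5  # unseen token carries no evidence either way
        return round(min(0.99, max(0.01, bad / (bad + good))), 4)


def demo() -> Dict[str, float]:
    """Constructed corpus: 3 spam messages and 2 misfiled messages carry the keyword."""
    c = Corpus()
    misfiled = ["cheap penis pills shipped discreetly"] * 2  # spam sitting in NOT SPAM
    for _ in range(3):
        c.add("buy pills for penis enlargement", spam=True)
    for _ in range(97):
        c.add("win a free prize today", spam=True)
    for text in misfiled:
        c.add(text, spam=False)
    for _ in range(98):
        c.add("invoice for last month attached", spam=False)
    before = c.probability("penis")
    for text in misfiled:          # the weekly clean-up the page describes
        c.move_to_spam(text)
    after = c.probability("penis")
    return {"before": before, "after": after,
            "spam_docs": c.spam_docs, "ham_docs": c.ham_docs,
            "invoice": c.probability("invoice")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

Two misfiled messages out of a hundred were enough to pull the keyword from 0.6 (weak evidence) to the 0.99 ceiling, which is the "more bayesian score" the page tells you to look for with grep after REBUILD SPAMDB; a token that never appears in spam ("invoice") sits at the 0.01 floor.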

 

ASSP SSL support on port 465 using stunnel (#03)

(updated 10 June 2008, compatible with 1.3.3.8 and 1.3.5)

Unsupported & untested on VPS. If you want to apply it on a VPS, do so at your own risk.

This article has been written by Szymon Rybczynski (pro-net-hosting.com and prohost.pl)

HOW TO
All lines starting with # are commands to execute as root.


1. You need stunnel installed. cPanel should have stunnel installed. To check:
# stunnel -version
If you get something like "stunnel 4.05 on i686-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003" you can continue.

2. You can make your own certificate for SSL or use the cPanel cert. This howto shows how to use the cPanel cert. To make your own cert just search Google for instructions and change the cert path in stunnel.conf to your cert.

3. Setting up the stunnel user and config file:
# adduser stunnel
# passwd stunnel
Set a password for user stunnel
# cd /etc/stunnel;nano -w stunnel.conf

copy and paste this:


cert = /etc/stunnel/cpanel.pem
chroot = /usr/local/cpanel/var/run/stunnel-assp/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
output = /var/log/stunnel.log
[ssmtp]
accept = 465
connect = 127.0.0.2:26


Save the file.

4. Copy the cPanel cert.

# cp /usr/local/cpanel/etc/cpanel.pem /etc/stunnel/

Note: if /usr/local/cpanel/etc/cpanel.pem does not exist, you can also find the cPanel certificate here
          /var/cpanel/ssl/cpanel/cpanel.pem , in which case execute this
         # cp /var/cpanel/ssl/cpanel/cpanel.pem /etc/stunnel/

# chown stunnel.stunnel cpanel.pem

5. Create the run dir.
# cd /usr/local/cpanel/var/run/;mkdir stunnel-assp;chown stunnel.stunnel stunnel-assp

6. Set up 127.0.0.2. If you don't do this you will create an open relay on the SSL port.
# cp /etc/sysconfig/network-scripts/ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo:1;
# nano -w /etc/sysconfig/network-scripts/ifcfg-lo:1

Change it to look like this:

DEVICE=lo:1
IPADDR=127.0.0.2
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=myloop


Save.

7. Now bring lo:1 up.
# /etc/sysconfig/network-scripts/ifup-aliases lo

# ifconfig
It should now list 127.0.0.2

8. Log in to the assp web interface (ip:55555) and change:
Network Setup:
------------
Second SMTP Listen Port
26
------------
Second SMTP Destination
127.0.0.1:125
------------
Force SMTP AUTH on Second SMTP Listen Port
Checked
------------

Relaying:
------------
Accept All Mail
127.0.0.1

If you make a mistake here you can turn your mail server into an open relay, so double check the settings.
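Step 6 and the warning just above come down to one rule: the address stunnel hands the decrypted session to must not be one that ASSP's "Accept All Mail" list trusts, and port 465 clients must still be forced through SMTP AUTH. Here is an added configuration check that encodes that rule (my own code, not part of the page, of stunnel or of ASSP Deluxe). It embeds the page's stunnel.conf and the step 8 values; the assumption that Accept All Mail is a '|'-separated list of addresses or networks is mine. It complements the openssl s_client test below rather than replacing it.

```python
import ipaddress
from typing import Dict, List

# stunnel.conf exactly as the page gives it, embedded so the check runs offline.
PAGE_STUNNEL_CONF = """\
cert = /etc/stunnel/cpanel.pem
chroot = /usr/local/cpanel/var/run/stunnel-assp/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
output = /var/log/stunnel.log
[ssmtp]
accept = 465
connect = 127.0.0.2:26
"""

# The ASSP values from step 8 of the page.
PAGE_ACCEPT_ALL_MAIL = "127.0.0.1"
PAGE_SECOND_LISTEN_PORT = 26
PAGE_FORCE_AUTH = True


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal stunnel.conf parser: global options under '' and each [service] under its name."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop stunnel comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def in_accept_all(host: str, accept_all_mail: str) -> bool:
    """Is host covered by ASSP's Accept All Mail list? Assumed syntax (mine, not
    documented here): addresses or a.b.c.d/n networks separated by '|'."""
    addr = ipaddress.ip_address(host)
    for entry in (e.strip() for e in accept_all_mail.split("|")):
        if entry and addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def relay_findings(conf_text: str, accept_all_mail: str,
                   second_listen_port: int, force_auth: bool) -> List[str]:
    """Cross-check stunnel.conf against the ASSP settings; an empty list means the
    combination matches the page's recipe."""
    ssmtp = parse_stunnel_conf(conf_text).get("ssmtp", {})
    if "connect" not in ssmtp:
        return ["no [ssmtp] service with a connect= target in stunnel.conf"]
    host, _, port = ssmtp["connect"].rpartition(":")
    host = host or "127.0.0.1"  # 'connect = port' alone means localhost in stunnel
    findings: List[str] = []
    if ssmtp.get("accept") != "465":
        findings.append(f"stunnel accepts on {ssmtp.get('accept')!r}, the page expects 465")
    if port != str(second_listen_port):
        findings.append(f"stunnel forwards to port {port}, but ASSP's second SMTP "
                        f"listen port is {second_listen_port}")
    if in_accept_all(host, accept_all_mail):
        findings.append(f"OPEN RELAY RISK: stunnel forwards to {host}, which is in Accept "
                        "All Mail, so ASSP would treat every TLS client as a trusted local sender")
    if not force_auth:
        findings.append("Force SMTP AUTH on Second SMTP Listen Port is off; "
                        "port 465 clients are not required to authenticate")
    return findings


if __name__ == "__main__":
    ok = relay_findings(PAGE_STUNNEL_CONF, PAGE_ACCEPT_ALL_MAIL,
                        PAGE_SECOND_LISTEN_PORT, PAGE_FORCE_AUTH)
    print("page recipe:", ok or "no findings")
    skipped_step_6 = PAGE_STUNNEL_CONF.replace("127.0.0.2:26", "127.0.0.1:26")
    for finding in relay_findings(skipped_step_6, PAGE_ACCEPT_ALL_MAIL,
                                  PAGE_SECOND_LISTEN_PORT, PAGE_FORCE_AUTH):
        print("step 6 skipped:", finding)
```

To run it against a live box, read /etc/stunnel/stunnel.conf into conf_text and copy the three values from the ASSP Network Setup and Relaying pages; the second call in the demo shows what the check reports when step 6 is skipped and stunnel is pointed at 127.0.0.1.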

9. Open TCP port 465 on your firewall.

10. Now you are ready to start stunnel. Execute:
# stunnel /etc/stunnel/stunnel.conf

At this moment your SSL connection should work. Test it:
# openssl s_client -quiet -connect localhost:465

If you get an error then something is wrong and you need to check /var/log/stunnel.log

If you get something like:
"depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
verify return:1
220-pol.nameserverus2.com ESMTP Exim 4.63 #1 Mon, 23 Jul 2007 15:42:14 +0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail."

Everything is OK and ready to use.

11. If you want to monitor the stunnel daemon in case it goes down, you can add checkssl=yes to your status.php cron in this way

*/2 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php check_ssl=yes

 

Sanesecurity signatures (#04)

This article has been written by David Norelid (Houston Computer Repair)
This article is NOT supported.

You can use the SaneSecurity and MSRBL ClamAV definitions along with ASSP to improve spam detection.

What are the SaneSecurity definitions?

From the SaneSecurity site:
"Clam AntiVirus is a GPL anti-virus toolkit for UNIX and was coded to detect email viruses. ClamAV's scanning engine is quite flexible and so has also been used to scan for phishing signatures. The Official phishing signatures in ClamAV are great but I've seen a number of phishing attempts get past the Official ClamAV signatures, so I thought I'd try to produce my own signatures to stop these phishing attempts (phish.ndb.gz). I've also produced a small scam database (scam.ndb.gz) which will help detect some types of stock, lottery 419 and some image spams that are around at the moment."


In order to use them you will need to download and run an updater script to keep the definitions updated properly. Several are available here: http://www.sanesecurity.co.uk/clamav/usage.htm

Script 1 is recommended. To download it, you can run the following command:

cd /usr/local/assp/; wget http://www.sanesecurity.co.uk/clamav/UpdateSaneSecurity.sh

From there, we need to get it to run no more than 4 times a day to check for updates. Get into your crontab (crontab -e) and add this line:

10 */6 * * * /usr/local/assp/UpdateSaneSecurity.sh

That will have the script run every 6 hours at the 10th minute of the hour. The script automatically waits a random amount of time (3s-10m) to make sure not everyone downloads the definitions at the top of the hour.

That's it! The script knows where to put the definitions and ClamAV automatically reloads when the new definitions are installed, so there's nothing else you need to do!

You may optionally wish to disable antivirus notifications (assp web interface), since you will now be getting a lot more hits!
