ASSP Deluxe for cPanel FAQs and Post Installation Steps

ASSP Deluxe for cPanel : ASSP post installation steps

It's strongly recommended you read and apply carefully following Post installation steps right after the ASSP installation ; these steps avoid troubles to you (administrator) and your users.

ASSP stands for Anti-Spam SMTP Proxy. ASSP is a Perl based transparent SMTP proxy server and spam filter which sits on SMTP listen ports, in front of a SMTP server. ASSP relays the SMTP dialog between an incoming client and your SMTP server (EXIM), intercepting the dialog as needed. ASSP performs a number of configurable spam checks (scoring mode) and on detecting a spam message provides an immediate 5xx SMTP error code back to the client. Non-spam messages are passed to EXIM for further processing and delivery. Spam messages are blocked from delivery and collected in spambox.
ASSP records every SMTP connection in following file log
/usr/local/assp/maillog.txt
You can see the log in action using this
# tail -f /usr/local/assp/maillog.txt
or if you prefer to use the ASSP WHM INTERFACE you can click the LOG button .
ASSP log file is flushed every 7 days and a backup is created in /usr/local/assp folder. ASSP log file could be useful for various purpouses. Some brief example; if you need to search all email sent by email@domain.com you can use
# grep "<email@domain.com>" /usr/local/assp/maillog.txt
If you need to search all email sent by email@domain.com and blocked
# grep "<email@domain.com>" /usr/local/assp/maillog.txt | grep "spam found"
If you need to search all email sent by email@domain.com and accepted
# grep "<email@domain.com>" /usr/local/assp/maillog.txt | grep "message ok"
If you need to search all email sent TO youruser@domain.com and blocked you may use
# grep " youruser@domain.com " /usr/local/assp/maillog.txt | grep "spam found"
and so on . You can search ips, email , domain and ASSP IDs too (such as the EXIM message id). ASSP set an ASSP ID for each SMTP connection and store it in the email header and in ASSP log. So if you get the ASSP ID (X-Assp-ID) in the email header as shown below
e.g. id-51826-08124 : you can search the ASSP ID in ASSP log in this way
# grep "id-51826-08124" /usr/local/assp/maillog.txt
it will return all the log history for id-51826-08124. If you can't find the ASSP ID in current log, you can try searching the ASSP id in old ASSP logs using this way
# grep "id-51826-08124" /usr/local/assp/*.maillog.txt
You can use the ASSP log to improve your ASSP antispam too, for example if you see that you have a lot of ASSP IDs passing because the Penalty limit is too low, you may increase the Penalty limit using ASSP WHM > Score Settings. Below you can see an example of email message blocked.
Mar-04-20 10:17:24 id-13442-12664 [Worker_2] [TLS-out] [MessageLimit] 155.94.129.2 <sender@send.com> to: user@domain.com [spam found] (MessageScore 110, limit 56) [Weapon Bad Guys] -> /usr/local/assp/spam/12664--10.eml;
Below you can see an example of email message not accepted because sent to a not existent email account (email dictionary spam)
Mar-04-20 10:25:27 id-13927-10218 [Worker_1] [TLS-in] [TLS-out] [InvalidAddress] 165.212.64.31 <email@usa.net> invalid address rejected: xyzxyzxyz@user.com
Below you can see an example of email message accepted.
Mar-03-20 12:16:41 id-34168-11174 [Worker_1] [TLS-in] [TLS-out] [MessageOK] 199.7.205.153 <email@china.net> to: eric@user.com message ok [Meeting note] -> /usr/local/assp/okmail/--585.eml

If you install ASSP using the HOW TO and you simply forget it, ASSP can reduce SPAM to a very good level and false positives will be rare. But if you want have outstanding results ( near zero SPAM or false positives ) you should teach your users to do some simple task to report SPAM received INBOX and false positives found in /spambox. You can find instructions in the steps below.

ASSP can learn day by day how to block SPAM and allow good email based on your user activity ( improving Bayesian and HMM spam filters ). Your users can correct ASSP errors forwarding as attachment the good email found in /spambox IMAP folder to assp-notspam@clientdomain.com and forwarding as attachment SPAM found in INBOX to assp-spam@clientdomain.com. When an email is forwarded to assp-spam@ the sender will be also added in a personal email blacklist. As administrator you can correct spam/notspam errors using the ASSP WHM INTERFACE Bayesian and HMM collections

and also using the ASSP WHM INTERFACE SPAM FINDER
Your users can find detailed instructions to use the ASSP email interface reporting ( assp-spam@ , assp-notspam@, assp-white@ , assp-notwhite@ ) in their cPanel Email ASSP and clicking over the HELP and SPAMBOX button as shown below.
Even if you can add email or domain in ASSP whitelist (using ASSP GUI WHITELIST whitedomains), using ASSP your users should not be worried by whitelist. Everytime an user send an email (send or reply) to someone the email contact will be automatically added in ASSP whitelist. An user can add an email in whitelist also by sending an email to assp-white@ , you can find a detailed explanation in user cPanel Email ASSP HELP . As alternative to /spambox IMAP, your users can receive a list of freshed blocked SPAM (anytime they want) by sending an email to asspblock@clientdomain.com (the received email includes possibilities to resend the blocked email too).
ASSP never blocks a local sender ( a local email sent from your server ) . If it happens it means that the local sender is sending email incorrectly (as a relayer, spoofer e.g.) . To fix the "issue" simply be sure your customer is sending email correctly using
SMTP mail.customerdomain.com (or the server hostname)
and one the available SMTP ports ( by default 25, 26 ,587 STARTTLS or 465 SSL ).
After the ASSP Deluxe for cPanel spam filter HOW TO installation, ASSP starts with pre-configured moderate antispam settings. These settings provide a good antispam performance and can reduce false positive (email blocked incorrectly) at the same time. If after some day of usage you need to increase antispam performance without changing your settings in ASSP GUI, simply go to ASSP WHM INTERFACE SCORE SETTINGS and decrease 1 max 2 steps the PenaltyMessageLimit . On the countrary if your users are reporting too much false positives (too much email good email blocked) increase some step the PenaltyMessageLimit . If your users want to have a custom relaxed or more aggressive anti SPAM setting restricted to their domain name, they can do it using the control panel as shown below by changing the SPAM Scoring threshold ( spam threshold score ) from normal to high,very high,highest or from normal to low/very low/lowest.
After the ASSP cPanel spam filter installation HOW TO the NO LOCAL filter is enabled by default for all users . It blocks all email dictionary attacks. When the NO LOCAL filter is enabled ASSP accepts email only to existent email addresses on your server ( POP3 and email forwarders ) stopping every kind of email dictionary attack ( email sent to random_word@domain.com ). Who send an email to a not existent email on your account ( random_word@clientdomain.com ) will receive following bounce error
550 5.1.1 User unknown: random_word@clientdomain.com
and ASSP will log the block in this way
Mar-04-20 10:25:27 id-13927-10218 [Worker_1] [TLS-in] [TLS-out] [InvalidAddress] 165.212.64.31 <email@usa.net> invalid address rejected: xyzxyzxyz@user.com

NO LOCAL filter disallows functionality of cPanel "default address". If you have an user which wants use "default address" he should first disable NO LOCAL filter using user cPanel Email ASSP and set DISABLED the NO LOCAL filter as shown in the image below. Or as administrator you can turn OFF the NO LOCAL filter using ASSP WHM INTERFACE ASSP DOMAIN CONFIG , and select the NO LOCAL tab . If you want set NO LOCAL filter default OFF for new hosting accounts, go to
ASSP WHM INTERFACE DEFAULT Settings FILTER STATUS DEFAULT SETTINGS and set NO LOCAL to OFF .
All email blocked by ASSP are collected. Your users can check blocked SPAM in multiple ways (all these ways are explained to your customer here user cPanel Email ASSP HELP )
- The main way to check for a blocked email is the IMAP /spambox folder. Using cPanel webmail (Horde,Roundcube) or any IMAP email client (as shown in the image below). Good email found in /spambox folder should be forwarded as attachment to assp-notspam@clientdomain.com, in this way ASSP will learn from error improving Bayesian and HMM filter performance ( and the sender will not be blocked again ). Spambox by default stores email for 7 days . If you want store SPAM for more or less days please read this .
  
  note: the /spambox IMAP folder will be created automatically after the first receive SPAM message. Only if you do not see the /spambox IMAP folder in Roundcube after receiving some SPAM try subscribing the folder using Roundcube :: Settings :: Folders .
- Any user email in the server can receive a list of all latest blocked email by sending an email to asspblock@clientdomain.com. The email must be sent from a @clientdomain.com email account using a correct SMTP authentication ( SMTP mail.clientdomain.com or the server hostname ) . The user will receive a response with a list of latest blocked emails. If there are good emails in this list the user can press the Resend link to receive/release the blocked email into his INBOX. The sender will be automatically whitelisted as well.
  
  note : asspblock@clientdomain.com resend the email getting it from /usr/local/assp/spam collection which contains max 14000 files ( MaxFiles ASSP GUI value , if the limit is reached new email replaces old email) ; so if the user tries to retrive an old email it could not be available ( in this case ASSP will reply the resend request with a "failed - request ASSP to resend blocked mail" ). For this reason asspblock@clientdomain.com should be used only to check fresh blocked email and should be considered a secondary way to check for blocked email. If you need to check older blocked email the primary way is the /spambox IMAP.
- A similar asspblock@clientdomain.com email report with a list of last blocked email will be sent DAILY to all email in the server. If you want disable this feature globally for ALL your users go to ASSP WHM INTERFACE and click DAILY BLOCKED EMAIL to change the status from ENABLED to DISABLED . If you want disable this feature only for a specific user or domain go to ASSP WHM INTERFACE DAILY BLOCKED EMAIL and click over "Click HERE to exclude email or domain from the report".
- Another way to collect and check for blocked email for the user is to create a spambox@customerdomain.com POP3 email account using cPanel. If ASSP Deluxe for cPanel will found the spambox@ POP3 account, all blocked email for @domain.com will be collected in spambox@customerdomain.com POP3 account too. This is altenative way to collect blocked email for users which cannot use IMAP protocol to check the /spambox folder. Such as with /spambox IMAP, it's a good user behavior if all good email found in spambox@customerdomain.com will be forwarded as attachment to assp-notspam@clientdomain.com; in this way ASSP will learn from error improving Bayesian and HMM filter performance ( and the sender will not be blocked again ).
- Your customer can whitelist a blocked email using one of these ways
  - The user can simply fordward as attachment the email to assp-notspam@clientdomain.com; in this way ASSP will learn from error improving Bayesian and HMM filter performance and the sender will be whitelisted as well.
  - The user can simply replies to the (good) email sender. Every time you send an email to someone new their email address will be whitelisted automatically (personal whitelist). For this reason, you should never reply to any spam mails as this will whitelist their addresses.
  - The user can whitelist an email by sending an email to assp-white@customerdomain and adding the email in the email subject (ASSPv1) or email body (ASSPv2). The user can enter also a list of email in the email body (ASSP v2) . The user cannot whitelist a domain name. Domain name can be whitelisted only ASSP administrator using ASSP GUI WHITELISTING and add the domain in whiteListedDomains.
If your user is not able to find an important blocked email using all the ways explained above at point .8 , you can support him as administrator using other solutions explained below.
- Open ASSP WEB INTERFACE SPAM FINDER
  Using this tool you can search all blocked email for a customer email directly from his spambox IMAP . You can release the email , whitelist the email sender and/or domain name using a web interface.
- As alternative you can search the customer email in spam collection . Open ASSP WHM INTERFACE SPAM ANALYZER , enter the blocked email and click SEARCH. If you find the emai in collection to you can release the email to your customer INBOX using the [R] link, and you can move the email from SPAM to NOTSPAM collection to correct ASSP and improve its perfomance .
- As alternative if you prefer the console, you can search the blocked email in ASSP log (e.g.)
  # grep "<blocked_email@domain.com>" /usr/local/assp/maillog.txt | grep "spam found"
  or
  # grep "<blocked_email@domain.com>" /usr/local/assp/maillog.txt" | grep "spam found"
  or if you do not find it in current log , grep it also in old ASSP logs
  # grep "<blocked_email@domain.com>" /usr/local/assp/*.maillog.txt | grep "spam found"
All email blocked by ASSP bounces to the sender with following error
554 5.7.1 Your email appears to be unsolicited and was not accepted. Please try using an alternative email or if you want your email accepted resend it with the code TY67H78H appended to your email subject, thank you.
The random code ( TY67H78H ) applied to the bounce message ( NOTSPAMTAG ) offers at the sender a chance to resend the email and have the email accepted, if the email was blocked incorrectly. Only if you do not like this behavior open ASSP WHM INTERFACE AUTOMATION SETIINGS and set OFF SpamError and PenaltyError . Now open the ASSP WEB INTERFACE (GUI) and customize SpamError in SPAM Control menu , and PenaltyError in PenaltyBox menu . For example you may set SpamError and PenaltyError as follows (without the resend code NOTSPAMTAG ).
554 5.7.1 Your email appears to be unsolicited and was not accepted. Please try using an alternative email.
After the installation HOW TO, ASSP is setup to listen and send email using following SMTP ports
- 25 ( ASSP GUI :: Network Setup menu :: listenPort )
- 26 and 587 ( ASSP GUI :: Network Setup menu :: listenPort2 )
- 465 ( ASSP GUI :: Network Setup menu :: listenPortSSL )
If you want add another SMTP port open the ASSP WEB INTERFACE (GUI) Network Setup and enter alternative SMTP ports separated by a pipe ( | ) in ListenPorts2. Be sure to apply and save ASSP settings.

note : Alternative SMTP ports MUST NOT configured in WHM cPanelService ConfigurationService Manager EXIM Mail Server (on another port) but only in ASSP Web interface .
You should have already opened the ASSP WEB INTERFACE (GUI). As you can see there are various settings here, most of them are preconfigured and controlled by ASSP Deluxe for cPanel.

note : All ASSP parameters controlled by ASSP Deluxe are listed in ASSP WHM INTERFACE AUTOMATION SETTINGS . If you are an experienced ASSP administrator and you want customize some of these ASSP parameters you should set OFF the parameter you want customize in AUTOMATION SETTINGS page.

You can find here ASSP core settings which are better you do not change ( for example SSL settings which are controlled using ASSP WHM INTERFACE ASSP SSL MENU, database settings controlled using ASSP WHM INTERFACE, Score/Penalty Box settings controlled by ASSP Deluxe for cPanel, and some other core settings) and ASSP antispam settings which probably you may use often . Most used administrative antispam settings can be found in following ASSP GUI menus :
- Noprocessing : if you need to bypass ASSP for email or domain.
- Whitelisting : if you need to whitelist domain,email,ips
- Validate HELO : if you want setup advanced HELO filtering
- Validate sender : if you want blacklist an email or domain ( blackListedDomains ) plus other actions
- IP blocking : if you want block an ip
- Senderbase : if you want activate Country checks for email
- Validate SPF : strictSPFRe and blockstrictSPFRe
- Perl Regular Expression Filter and Spambomb Detection : various ways to allow or block an email based on email content.
All ASSP GUI settings are saved in /usr/local/assp/assp.cfg (ASSP configuration file) . You should never edit manually this file, this file contains also crypted data , so you may risk to mess up your ASSP, always use the ASSP Web interface if you want change an ASSP setting. A backup of your configuration file /usr/local/assp/assp.cfg is saved daily in /usr/local/assp/backup_cfg , so if after doing some change in ASSP GUI your ASSP stops to work correctly , STOP your ASSP using the ASSP WHM INTERFACE , restore a working assp.cfg file from /usr/local/assp/backup_cfg to /usr/local/assp/assp.cfg and START ASSP again . You can also backup all the folder /usr/local/assp ( for example in /usr/local/assp_backup) and restore it in case your ASSP stops to working correctly after making a wrong setting in ASSP GUI or other issues.
If you need to disable temporarly ASSP fully and return to cPanel/EXIM only, you can do it instantly without uninstalling your ASSP, by following these simple automatic steps.
- Open ASSP WHM INTERFACE and click STOP. After some seconds you will receive following message shown in the image below
- Simply follow the instructions and click the link to fully disable ASSP. After pressing the link your ASSP will be fully stopped and disabled.
- If you need to start again ASSP , click the START button and ASSP should restart correctly.
ASSP uses DNS very often to execute various SPAM filter checks (RBL, MX records, PTR and so on). After installation HOW TO, ASSP will be preconfigured with default DNS settings which should be good for everyone. However if you want set best DNS settings for your ASSP you may follow these steps . It will improve SMTP connection speed and will make SMTP connections faster.
- First open your /etc/resolv.conf and check if you have a search command like this below
  search localdomain
  Search process may be slow and generate a lot of network traffic. So it's better to comment or remove this row as follow
  #search localdomain
  Also be sure you do not have a DNS 127.0.0.1 and replace it with a DNS provided by your Datacenter or use a public DNS such as 8.8.4.4 . Now restart your DNS in this way .
  # service named restart
- Now install namebench . Namebench hunts down the fastest DNS servers available for your server to use. Open your console and execute this
  
  # cd /usr/local/assp/deluxe;git clone https://github.com/catap/namebench.git;cd namebench
  now run it and wait few minutes
  # cd /usr/local/assp/deluxe/namebench;./namebench.py -s all --template=resolv.conf
  Now execute this to see the result
  # grep "" /tmp/resolv.conf
  You will receive a result like this, these are best DNS for your server and your ASSP.
  nameserver 156.154.71.1 # UltraDNS (2)
  nameserver 62.210.16.6 # SYS1-62.210.16.6
  nameserver 74.82.42.42 # Hurricane Electric
  ok now execute this
  # echo "DNSServers" >> /usr/local/assp/deluxe/no_auto_settings
  Now open ASSP WHM INTERFACE ASSP WEB INTERFACE (GUI) and open the DNS Client Setup and enter in DNS Name Servers* (DNSServers ) the nameservers above separated by a pipe ( | )
  156.154.71.1|62.210.16.6|74.82.42.42
  SAVE/APPLY ASSP settings in your ASSP GUI.
Whitelist server ips of all your servers. If you have more than one server whitelist the ips of all your other servers in your server running ASSP. Open ASSP WHM INTERFACE ASSP WEB INTERFACE (GUI) and open the Whitelisting menu and enter in Whitelisted IPs* (whiteListedIPs ) all the ips of your other servers (one ip per row). Be sure you never enter a local ip in this list.
ASSP deluxe for cPanel will send you various administrative email such as huge outgoing email notifications, daily spambox cleaning reports, ASSP restarts notifications, other. By default the email will be sent to the email(s) you set in WHM Server Configuration Basic WebHost Manager® Setup Email Contact Information . If you want use a different email open the file /usr/local/assp/deluxe/email_warnings and enter one or more email addresses to contact you (if you enter more than one email separate each email with a "," ) in the cex= row . For example
cex=myemail@domain.com,myemail2@domain.com

ASSP Deluxe for cPanel : FAQs

Which are required cronjobs to run ASSP Deluxe for cPanel ?
After installation HOW TO you should already have following cronjobs setup.
rebuildspamdb.pl cron . It's required only in ASSP v1 installation. It rebuilds the spamDB database each 24 hours.

10 7 * * * cd /usr/local/assp;/usr/local/perls/perl-5.14.4/bin/perl /usr/local/assp/rebuildspamdb.pl

ex_localdomains.php cron . It checks ASSP installation integrity and fix issues if required, generates local email and domains , update software if required, send the daily spam reports, plus various other minor tasks. It should run every 59 minutes.

*/59 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php

update_email.php cron . It applies ASSP WHM interface default settings and checks for new cPanel email or new domain and add them to /usr/local/assp/deluxe/assp_local_email and /usr/local/assp/deluxe/assp_local_domains. It also records ASSP status running values (cpu, RAM) and show them in ASSP WHM INTERFACE

ASSP STATUS CHARTS , plus various other minor tasks. It should run every 3 minutes.

*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/update_email.php

status.php cron . It checks ASSP status and restart it automatically if an ASSP crash is detected. It should run every 3 minutes. If you set a value under 3 minutes you may have ASSP false restarts.

*/3 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php

find_abusers.php cron . It creates a list of bad ips and bad email which are sending continuos SPAM to your server . You can find more details related to find_abusers.php at this link . It should run every 20~30 minutes

*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=29 rl=50 sc=30 dc=30 on=1

signatures.php cron . It updates a list of clamAV Unofficial signatures plus grscripts YARA rules. It should run daily.

0 2 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/signatures.php

spam_cronjob.php. It's a required cron if you want use spambox IMAP. It checks ASSP SPAM and deliver them to user spambox IMAP (if the user activated IMAP spambox for his account). It executes each 4 minutes.

*/4 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/spam_cronjob.php

clear_spambox.php. It's a required cronjob if you want use spambox IMAP . It executes daily. It removes spambox email older than 7 days (default) from all your user accounts /spambox folder (and from spambox@domain.com POP3 if it's used). It executes daily. You (administrator) will receive an email notification reporting you the spambox email which were removed. At the end of the cleaning process the script will send also a DAILY SPAM REPORT if you enabled this feature in ASSP WHM INTERFACE

DAILY SPAM REPORTS.
You can add following commands to the clear_spambox.php cronjob .

sday=n : it removes spam older than n days ( n is a numeric value between 3 and 100 ).
noemail=yes : stop daily email notification reporting you the number of email removed from old spamboxes
limitspace=n : n is a Kb numeric value. For example 10000 means 10000 Kb (10 MB). If you set limitspace=10000 , the cleaner will remove other 2 days of SPAM from all spambox accounts with a /spambox folder size over 10000 Kb.

Default cron

30 1 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php

Following cron will remove spam older than 15 days and remove other 2 days of older SPAM if the spambox user is greater than 8000 Kb.

30 1 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/clear_spambox.php sday=15 limitspace=8000

Optional cronjob to restart automatically your ASSP every day at 03:15 AM . Following cron (single cronjob row) restarts your ASSP freeing up RAM resources every day at 03:15 AM . You should setup it if server RAM is low.

3 15 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/restart.php

note : ASSP Deluxe for cPanel can send two different Daily Report to your users. The DAILY BLOCKED EMAIL report and the DAILY SPAM REPORTS. The DAILY BLOCKED EMAIL is enabled by default after the HOW TO , send a daily email to all your users email with a list of latest 24 hours blocked email. The DAILY SPAM REPORTS is disabled by default after the HOW TO installation, send an email to the account owner only, reporting the number of email blocked by each email account in latest 24 hours. The DAILY BLOCKED EMAIL can be set enabled or disabled globally or per user/domain using the ASSP WHM INTERFACE. The DAILY SPAM REPORTS can be set can be set enabled or disabled globally using the ASSP WHM INTERFACE, or if it's enabled, can be set OFF by your customer using CPANEL EMAIL ASSP SPAMBOX.

How to install and enable ASSP Deluxe for cPanel spambox IMAP ?
If you didn't installed the SPAMBOX plugin in the installation HOW TO you can do it now . By using the sendAllSpam ASSP feature, ASSP Deluxe for cPanel collects all SPAM in a spammaster email account and using a spambox cronjob delivers automatically all these spam to the email owner. Spambox plugin can be easily installed using following steps.

spambox requirements :

ASSP SPAMBOX can work only with mail storage maildir . SPAMBOX imap collections is not possible using mdbox mail storage. If you want use SPAMBOX imap go to cPanel WHM Email Mailbox conversion and be sure all your accounts are using maildir mail storage.
note : By default your cPanel accounts should already be set to use maildir mail storage.
ASSP SPAMBOX imap cannot work if you enable IMAP email compression in cPanel WHM Email Mailserver configuration

disabled/unchecked

note :

disabled

Open cPanel WHM Account function Create a new account and create a fake account spamxyz.us owned by root (not a reseller) with CGI capabilities. Set all account Options to Unlimited, and set "Enable Apache SpamAssassin™" unchecked .

If adding a new account is an issue for you (e.g. you have a WHM license with single account limit) you can install the spambox over any existent domain . In this case follow the spambox how to for your domain name instead of fake domain spamxyz.us . In each case do NOT to install the spambox over the server hostname because it will NOT work.
Now execute this
# echo "#spammaster@spamxyz.us: \"|/usr/local/assp/deluxe/piping_b.php\"" > /etc/valiases/spamxyz.us
Now execute this and replace random_password with a random password of your choice. There is no need to remember or note this password but be sure it's a strong password.
# /scripts/addpop spammaster@spamxyz.us -password random_password
Open ASSP WHM Interface ASSP SPAMBOX@, enter spammaster@spamxyz.us in Spammaster email , and click ENABLE SPAMBOX .
Return to ASSP WHM Interface and click SPAMBOX DEFAULT . Set SPAMBOX@ IMAP to ON and click SAVE SPAMBOX DEFAULT SETTINGS . Your ASSP spambox is installed you can return to the ASSP WHM Interface .

note : the /spambox IMAP folder will be created after the email will receive the first SPAM email message. spambox IMAP folders are cleared automatically using the clear_spambox.php cronjob , read the FAQs section for more details.
After the spambox installation you'll see new spambox features in your ASSP WHM INTERFACE which allows you to check spamboxes (SPAM FINDER) , enable/disable spambox for your users, and set spambox IMAP default status for new accounts.

How to restart ASSP from console ?
You can STOP and START ASSP from console in this way

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/stop.php
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/start.php

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/restart.php

How to reduce RAM used by ASSP ?
You can apply following steps to reduce ASSP RAM usage

Restart your ASSP daily, it will freeup RAM resources . Set this cron to restart your ASSP daily at 03:15 AM .
3 15 * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/restart.php
If you are using ASSP v2 and SSL SNI be sure to set SNI for email account which are really using it.
Open ASSP WHM Interface SSL MENU and enable SNI using the SNI Table selector.
Check number of ASSP workers (ASSP v2) in your ASSP WHM Interface.

My ASSP v2 using BerkeleyDB refuses to start or restarts very often. How to solve this issue ?
If your ASSP refuses to start or restarts very often and you are using BerkeleyDB try this

Execute following commands to reinstall BerkeleyDB and restart your ASSP .
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/berk.php
# chmod 755 /usr/local/assp/deluxe/restart_assp_berkeley.sh
# /usr/local/assp/deluxe/restart_assp_berkeley.sh
# chmod 644 /usr/local/assp/deluxe/restart_assp_berkeley.sh
If ASSP restarts correctly at step 1. open your ASSP WHM Interface and rebuild the ASSP database using Rebuild SPAM DB.
If ASSP does not restart after step 1. or if the restart issue problem continues execute this
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/install_modules.php test=no reinstall=yes
to reinstall ASSP Perl modules. Once completed try to start your ASSP using the ASSP WHM Interface or repeat the step 1.
If your ASSP refuses to restart after the steps 1. and 2. restore an old backup ASSP installation of your /usr/local/assp folder (if you have a backup) or try restoring a working old assp.cfg from /usr/local/assp/backup_cfg in /usr/local/assp (overwriting current assp.cfg) ; you should restore the assp.cfg file when ASSP is stopped . If also these steps does not solve the problem you should reinstall your ASSP or switch to MySQL here or click here to receive professional root support .

My ASSP v2 using MySQL refuses to start or restarts very often. How to solve this issue ?
If your ASSP refuses to start and you are using MySQL try this

Open ASSP WHM Interface and STOP ASSP . Then open the MYSQL SETUP and clik the phpmyadmin link. Now click Empty in the hmmdb , spamdb and whitelist rows as shown below. After this step return to ASSP WHM Interface and START ASSP.
If ASSP restarts correctly at step 1. open your ASSP WHM Interface and rebuild the ASSP database using Rebuild SPAM DB.
If ASSP does not restart after step 1. execute this
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/install_modules.php test=no reinstall=yes
to reinstall ASSP Perl module. Once completed try to start your ASSP using the ASSP WHM Interface or repeat the 1.
If your ASSP refuses to restart after the steps 1. and 2. restore an old backup ASSP installation of your /usr/local/assp folder (if you have a backup) or try restoring an working old assp.cfg from /usr/local/assp/backup_cfg . If also these steps does not solve the problem you should reinstall your ASSP or switch to BerkeleyDB here or click here to receive professional root support .

How to fix ASSP Deluxe for cPanel license issues ?
Open your console and execute this

# wget -O /usr/local/assp/deluxe/license.php http://www.grscripts.com/assp150/deluxe/license.deluxe
# chmod 644 /usr/local/assp/deluxe/license.php

If the problem does not fix contact support here and provide your server ip.
You can find your server ip in this way

# curl -L https://myip.cpanel.net/v1.0

Can I change my ASSP Deluxe for cPanel licensed ip ?
You can change your licensed ip anytime. If you want change your licensed server ip simply contact support via email here and provide your OLD server ip and your NEW server ip. If you need an extension time (max 30 days) for OLD server ip please specify it in your email.

I added a new /home2 location , should I do something in ASSP Deluxe ?
You must follow this setup guide here if you have more than one /home location for your hosting accounts.

I have too much false positives (good email blocked), how to solve it ?

Every blocked email is not lost and it's collected in various ways , read here for more info .
Decrease anti SPAM settings sensibility for the user which is reporting the issue or decrease spam setting sensibility globally in your server , read here for more info .

If after applying the settings above, your user has still issue with false positives check in ASSP log the ASSP ID of the email (as explained here ) ; the email could be listed in a personal blackist or in your ASSP blacklist ( ASSP WEB INTERFACE (GUI) Validate Sender menu blackListedDomains ) , or the sender ip could be listed in ASSP WEB INTERFACE (GUI) IP Blocking menu denySMTPConnectionsFrom or denySMTPConnectionsFromAlways. In this case you should get actions to remove the blocked email from blackListedDomains and add the email in whitelist using ASSP WEB INTERFACE (GUI) Whitelisting menu whiteListedDomains or add the sender ip whiteListedIPs .

I have SPAMBOX enabled . Can I skip spambox collection for some sender ?
If you want drop an email without passing it to spambox , you can use ASSP WEB INTERFACE (GUI)

Collecting SPAM and HAM menu and enter a regular expression in noCollectRe . If the content of a collected email (incl. X-ASSP-... headers) matches this regular expression, it will be deleted from the spambox collection .
For example if you enter

[A-Za-z0-9._%+-]+@lop.ru

All email coming from *@lop.ru will not be collected in spambox.
Another example, if you enter

/[\p{Han}]/ug

all email with chinese chars will not be collected in spambox.
As alternative you may use ASSP WEB INTERFACE (GUI)

Copy Spam & Ham and enter a numeric value in ccMaxScore. All email whose score exceeds this ccMaxScore threshold will not be copied in spambox. For example: 90. The value must be much greater than the PenaltyMessageLimit (ASSP v2) set in AASSP WHM INTERFACE

SCORE SETTINGS page.

Some ASSP GUI fields allow to enter Regular Expressions, what do you recommend to validate Regular expressions ?
You can use https://regex101.com (e.g.) which is an excellent regex tester and debugger .

ASSP fields marked with two asterisk (**) accepts regular expressions (regex) and can accept a second weight value. Every weighted regex has to be followed by '=>' and the weight value. For example: Phishing\.=>1.45 . The multiplication result of the weight and the penaltybox valence value will be used for scoring, if the absolute value of weight is less or equal 6. Otherwise the value of weight is used for scoring. It is possible to define negative values to reduce the resulting message score.
note : Every weighted regex that contains at least one '|' has to begin and end with a '~' - inside such regexes it is not allowed to use a tilde '~', even it is escaped - for example: ~abc\~|def~=>23 or ~abc~|def~=>23 - instead use the octal (\126) or hex (\x7E) notation , for example ~abc\126|def~=>23 or ~abc\x7E|def~=>23

How to migrate ASSP from old server A to new server B ? If you need to migrate ASSP from server A (old) to server B (old) , you should first ask a change of license from server ip A to server ip B . You should simply contact support via email here and provide your OLD server ip and your NEW server ip. If you need an extension time (max 30 days) for OLD server ip please specify it in your email.

Do not copy /usr/local/assp folder or the ASSP configuration file ( /usr/local/assp/assp.cfg ) from an old server to a new server, it does NOT work. Please follow the instructions below to migrate ASSP data between two servers.

ASSP v1 data migration (ASSP v1 to

ASSP v1)

If you want use Grscripts.com professional service to migrate your ASSP from your old server to new server you can order this service.

Once you have changed your ASSP Deluxe for cPanel licensed ip as explained above, install ASSP v1 in your new server using this HOW TO . At the end of your ASSP v1 installation go to console and in the new server execute this

# cd /usr/local/assp
# mkdir /usr/local/assp/old

Now execute this in the old server replacing server_ip with the new server ip and ssh_port with the SSH port of new server ip .

# rsync -av -L -e "ssh -p ssh_port" /usr/local/assp/ root@server_ip:/usr/local/assp/old

You can close your old server now . Open ASSP WHM INTERFACE in your new server and STOP ASSP . Now execute this in new server.

# cd /usr/local/assp
# rsync -r /usr/local/assp/old/files/ /usr/local/assp/files
# rsync -r /usr/local/assp/old/notspam/ /usr/local/assp/notspam
# rsync -r /usr/local/assp/old/spam/ /usr/local/assp/spam
# rsync -r /usr/local/assp/old/okmail/ /usr/local/assp/okmail
# rsync /usr/local/assp/old/whitelist /usr/local/assp/whitelist
# rsync /usr/local/assp/old/persblack /usr/local/assp/persblack
# rsync /usr/local/assp/old/spamdb /usr/local/assp/spamdb

Now you can return to ASSP WHM INTERFACE and START ASSP. All should run correctly, ASSP main settings ( /files ), whitelist, personal blacklist, and ASSP spam database have been migrated. If everything is working correctly you can remove the /old folder in this way

# cd /usr/local/assp
# rm -fr /usr/local/assp/old

ASSP v1 data migration (ASSP v1 to

ASSP v2)

If you want use Grscripts.com professional service to migrate your ASSP from your old server to new server you can order this service.

Once you have changed your ASSP Deluxe for cPanel licensed ip as explained above, install ASSP v2 in your new server using this HOW TO but do NOT setup the ASSP database (skip the database BerkeleyDB/MySQL setup) . At the end of your ASSP v2 installation go to console and in the new server execute this

# cd /usr/local/assp
# mkdir /usr/local/assp/old

Now execute this in the old server replacing server_ip with the new server ip and ssh_port with the SSH port of new server ip .

# rsync -av -L -e "ssh -p ssh_port" /usr/local/assp/ root@server_ip:/usr/local/assp/old

You can close your old server now . Open ASSP WHM INTERFACE in your new server and STOP ASSP . Now execute this in new server.

# cd /usr/local/assp
# rm -fr /usr/local/assp/old

Now you can setup an ASSP Database using the BerkeleyDB HOW TO OR the MySQL HOW TO.

ASSP v2 data migration (ASSP v2 MySQL to

ASSP v2 MySQL)

If you want use Grscripts.com professional service to migrate your ASSP from your old server to new server you can order this service.

Once you have changed your ASSP Deluxe for cPanel licensed ip as explained above, install ASSP v2 in your new server using this HOW TO but do NOT setup the ASSP MySQL database (skip the database BerkeleyDB/MySQL setup) . At the end of your ASSP v2 installation go to console and in the new server execute this

# cd /usr/local/assp
# mkdir /usr/local/assp/old

Now open ASSP WHM INTERFACE and open MYSQL SETUP . Click the lick to Disable MySQL then return to ASSP WHM INTERFACE and STOP AND START ASSP . Now execute this in the old server replacing server_ip with the new server ip and ssh_port with the SSH port of new server ip .

# rsync -av -L -e "ssh -p ssh_port" /usr/local/assp/ root@server_ip:/usr/local/assp/old

You can close your old server now . Open ASSP WHM INTERFACE in your new server and STOP ASSP . Now execute this in new server.

# cd /usr/local/assp
# rm -fr /usr/local/assp/old

Now you can setup ASSP MySQL using this MySQLHOW TO.

ASSP v2 data migration (ASSP v2 BerkeleyDB to

ASSP v2 BerkeleyDB)

If you want use Grscripts.com professional service to migrate your ASSP from your old server to new server you can order this service.

Once you have changed your ASSP Deluxe for cPanel licensed ip as explained above, install ASSP v2 in your new server using this HOW TO but do NOT setup the ASSP BerkeleyDB database (skip the database BerkeleyDB/MySQL setup) . At the end of your ASSP v2 installation go to console and in the new server execute this

# cd /usr/local/assp
# mkdir /usr/local/assp/old

Now execute this in the old server replacing server_ip with the new server ip and ssh_port with the SSH port of new server ip .

# rsync -av -L -e "ssh -p ssh_port" /usr/local/assp/ root@server_ip:/usr/local/assp/old

You can close your old server now . Open ASSP WHM INTERFACE in your new server and STOP ASSP . Now execute this in new server.

# cd /usr/local/assp
# rm -fr /usr/local/assp/old

Now you can setup ASSP BerkeleyDB using this BerkeleyDB HOW TO.

How to backup and restore ASSP ?You can create a backup of your ASSP in this way

# cp -R /usr/local/assp /usr/local/assp_backup

If you need to restore your ASSP , you may follow the ASSP migration HOW TO and you should consider the /usr/local/assp_backup folder exactly as the /usr/local/assp/old folder .

If you want use Grscripts.com professional installation service to restore your ASSP from /usr/local/assp_backup you can order this service.

I messed up ASSP configuration file, how to fix it now ?If you do not have an ASSP backup as explained here , try this :
Open your ASSP WHM interface and STOP ASSP . Now restore from /usr/local/assp/backup_cfg an old assp.cfg configuration file
and restore it in /usr/local/assp overwriting current assp.cfg. Now START your ASSP . Your ASSP should restart correctly . If it does not restart it means you have other issues , not related with your ASSP configuration file.

How can I whitelist email or domain using ASSP GUI ?Your users can whitelist email simply repling the sender email or sending an emal to assp-white@ as explained here .
As administrator you can whitelist email , domain , or ip addresses using the ASSP WHM interface

ASSP WEB Internface (ASSP GUI)

Whitelisting menu . For example if you want whitelist all email sent by myoffice.net you should add

myoffice.net

in whiteListedDomains . You can whitelist ips using whiteListedIPs or you can whitelist email using a Regular Expression using whiteRe .

ASSP fully allows local email and local ips. You must never whitelist a local domain, email or ip . If you whitelist a local email, domain or ip all the incoming email will be whitelisted for the local email, domain or ip and all email included SPAM will pass. If you have a local user which is blocked by ASSP, it must not be whitelisted, only be sure that the local user is sending and authenticating his email correctly, using SMTP mail.userdomain.com .

note: If you have a domain or email blocked but listed in whiteListedDomains it could be still blocked due to :

Check if the domain or email is listed in ASSP Web Interface GUI Validate Sender blackListedDomains . If it's listed , remove it from this list.
Check if the sender ip is listed in ASSP Web Interface GUI IP Blocking denySMTPConnectionsFrom or denySMTPConnectionsFromAlways . You can get the sender ip by searching the ASSP ID in ASSP LOG (e.g.) .If the ip is listed you can remove the ip from one of these two lists and/or whitelist the ip by adding it in ASSP WEB Internface (ASSP GUI) Whitelisting whiteListedIPs .

How to block an email based on email content or attachment binary content ?
You have countless ways to block or score email based on email text content using ASSP, for example you can use Regular Expressions in ASSP Web Interface GUI, you can score or block an email if a particular word or Regular Expression is used in subject and/or email header, and/or email body. For example if you would block an email having the phrase "Brand World pharmaceuticals for Lovemaking" in the email body or email header open ASSP Web Interface GUI

Perl Regular Expression Filter menu and add the following in bombRe

Brand World pharmaceuticals for Lovemaking=>100

It will score the email addictional 100 points ( weight =>100 ) so that will be surely blocked. The addiction above will be case sensitive if you want case insensitive using Regular expression you may enter this

/Brand World pharmaceuticals for Lovemaking/gi=>100

On the countray you can use a negative score to allow an email . For example if you want allow an email with the subject "this is my important office email" you can add this in bombre or bombSubjectRe with a negative weight score

this is my important office email=>-100

These are only few examples, you have unlimited solutions using the Perl Regular Expression menu in ASSP.

ASSP fields marked with two asterisk (**)such as bombRe accepts regular expressions (regex) and can accept a second weight value. Every weighted regex has to be followed by '=>' and the weight value. For example: Phishing\.=>1.45 . The multiplication result of the weight and the penaltybox valence value will be used for scoring, if the absolute value of weight is less or equal 6. Otherwise the value of weight is used for scoring. It is possible to define negative values to reduce the resulting message score.
note : Every weighted regex that contains at least one '|' has to begin and end with a '~' - inside such regexes it is not allowed to use a tilde '~', even it is escaped - for example: ~abc\~|def~=>23 or ~abc~|def~=>23 - instead use the octal (\126) or hex (\x7E) notation , for example ~abc\126|def~=>23 or ~abc\x7E|def~=>23

User defined custom YARA rules are available too in ASSP Deluxe 10.x and above. YARA is a tool used mainly, but not exclusively, for identifying and classifying malware based on string or binary pattern matching. You can use YARA rules to manage and enhance detections, to stop latest threats.
You can introduce your own YARA rules to enhance your ASSP detection efficacy. Using YARA rule you can score and block email binary attachments too. You can add your own clamAV YARA rules in the file

/usr/local/cpanel/3rdparty/share/clamav/custom_spam.yara

You can find detailed info to start writing your own YARA rules here :

Briefly a YARA rule is a description based on textual or binary patterns. A rule’s description can be broken down into three sections:

Meta
Strings
Condition

Together, these sections determine a rule’s logic. At a minimum, every rule must have a condition section. You may omit the meta or strings section if not needed. After entering a YARA rule be sure to restart ClamAV in this way

# /usr/local/cpanel/scripts/restartsrv_clamd

if clamAV restarts correctly (without errors) the YARA rule was accepted and it's correct.
ASSP Deluxe for cPanel includes an updated (updated daily using signatures.php cronjob) YARA rule file located here

/usr/local/cpanel/3rdparty/share/clamav/grscripts_spam.yara

grscripts_spam.yara includes new SPAM patterns and it's continuosly updated with new rules by Grscripts.com . YARA rules can be used to detect and block various types of threats, and now with the capability available in ASSP Deluxe for cPanel, you can apply your own custom rules against attachments, email headers, and the body of emails to help detect threats. With this feature, you can gain more control to manage email flow and detect threats in custom and creative ways.

Do not edit the file grscripts_spam.yara. If you want use your own YARA rules you can edit the file custom_spam.yara.

Can I block or allow email from a domain extension ? One way to do this is using ASSP Web Interface GUI

Perl Regular Expression Filter

bombSenderRe . For example if you add a +100 score points to .club domain name extension in this way

\.club$=>+100

all email coming from .club will be scored an additional 100 points (and should be surely blocked if you have the PenaltyMessageLimit set to default 53 points in ASSP WHM INTERFACE

SCORE SETTINGS page ) .
On the countrary if you want be sure all the email coming from your country domain extension .no (e.g.) will not be blocked you can use this

\.no$=>-100

How to disable fully ASSP SPAM filtering for a single email or domain ?ASSP v1 Open ASSP Web Interface GUI

Validate Sender menu and add the local email or local domain which should be excluded by ASSP in noProcessingFrom . Now open the Validater Recipient menu and add the local email or local domain which should be excluded by ASSP in noProcessingTo. After these steps ASSP will be fully bypassed for the domain (or email). ASSP v2 Open ASSP Web Interface GUI

No Processing menu. Here you have various options to exclude ASSP for a domain or email or ip address too; the best way which works in all situations to bypass a local domain is by adding the email or domain in npRe using Regular Expression. For example if want fully disable ASSP for *@userdomain.com you can add

(.*?)\@userdomain\.com

in npRe . Or if you want disable ASSP antispam only for email user@userdomain.com you may use this

user\@userdomain\.com

Do Blacklisting Addresses and Domains for NoProcessing (DoBlackDomainNP)

note: Blacklisting Addresses set in ASSP WEB interface Validate Sender blackListedDomains will be blocked even if the local domain or email is listed in noprocessing. If you do not like this behaviour open ASSP WEB interface Validate Sender and disable DoBlackDomainNP . Also open ASSP WHM INTERFACE AUTOMATION SETTINGS and set OFF DoBlackDomainNP to preserve your ASSP GUI settings. After this step domain and email listed in noprocessing will be honored also if listed in Blacklisting Addresses .

How ASSP filters email attachments ? After installation HOW TO ASSP is preconfigured to do following attachment checks ;

By default following attachment will not be accepted and bounced to the sender
csv|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]

Each attachment type is separated by a pipe (|) . ad[ep] means .ade and .adp .

If you want change them go to ASSP WEB interface Attachment Validation and Protection BadAttachL1 .At the same way you can modify allowed attachment extensions in GoodAttach .
If you enabled ASSP WHM INTERFACE ANTIVIRUS CHECK , all email attachments, compressed attachment included, will be checked for viruses using clamAV (only ASSP v2).

Does ASSP check email size ? After installation HOW TO ASSP is preconfigured to do following email size checks which are all set in ASSP WEB interface

SMTP Session limits (only ASSP v2)

maxRealSize : default 157286400 bytes (156 MB) . If the value of number of recipients to: (rcpt) * message size exceeds maxRealSize (in bytes) the transmission of the local message will be canceled.
maxRealSizeExternal : default 52428800 bytes (52 MB) . If the value of number of recipients to: (rcpt) * message size exceeds the transmission of the remote message will be canceled.
maxSize : default 52428800 bytes (52 MB) . If the value of message size exceeds maxSize (in bytes) the transmission of the local message will be canceled.
maxSizeExternal : default 52428800 bytes (52 MB) . If the value of message size exceeds maxSize (in bytes) the transmission of the remote message will be canceled.

note : ASSP maxSize and maxSizeExternal values does not change EXIM/cPanel message size limit ( default 50MB ) too. So if you set maxSize and maxSizeExternal to 100000000 Bytes ( 100 MB ) you should also set message_size_limit to 100M in WHM Service Configuration EXIM Configuration Manager Advanced Configuration Additional Configuration Settings .

note : If you set/change one or more size values above using the ASSP WEB INTERFACE (GUI), be sure to turn them OFF also in ASSP WHM INTERFACE AUTOMATION SETTINGS .

How does work the ASSP Delaying filter ?If you followed the installation HOW TO ASSP should be configured with delaying filter disabled for all your domain names. Your users can enable (and disable) Delaying filter using the ASSP Deluxe for cPanel frontend. Delaying is a method of blocking big amounts of SPAM at the mailserver level. This method is also called "Greylisting". Delaying works on the idea that a good mailserver is always configured to attempt a re-delivery of an email message, if it gets a soft failure. How does it work exactly ? When someone send an email to your mailserver running ASSP and your user has the Delaying filter enabled, ASSP will return a 451 error (soft failure) to the sender . If the sender mailserver is configured correctly it will reattempt to deliver the email in X number of minutes (it depends upon its configuration). If the sender mailserver waits and redelivers the email , the triplet (email address, domain,IP) gets whitelisted by ASSP (delaying whitelist) and the user receives the email . So your user receives the email after min 5 minutes (default embargo time) and max 28 hours (default wait time). If the remote mailserver doesn't reattempt the deliver (and the spammers often do not reattempt the deliver) the email will not be accepted after the wait time (28 hours). Can be lost valid good email ? Only if the good sender mailserver is not configured to reattempt the deliver.

Reasons not to use Delaying filter :

its behavior can create some confusion to unexperienced users.
SPAM SCORING is much more efficient to block SPAM than delaying filter.
un-received email due to delaying filter cannot be collected ( using SPAMBOX or other ways ) and rarely some good sender does not redeliver the email after a soft failure.
Bayesian and HMM SPAM/HAM database can't be populated using delaying.

Reasons to use Delaying filter :

If a domain or email is under a HUGE SPAM attack, delaying can easly reduce bad SMTP connections.

Does ASSP support SSL SNI ?ASSP v1 If you followed the ASSP v1 cpanel antispam installation HOW TO, and you enabled ASSP SSL your users can use SNI in their SMTP but using SMTP mail.userdomain.com with an SSL/TLS port they'll receive a "Domain warning" in the Certificate. ASSP v2After ASSP v2 cpanel antispam installation HOW TO ASSP SSL SNI is enabled and fully supported (without SSL warnings). You can enable SNI globally or per domain using ASSP WHM INTERFACE

SSL MENU .

How to allow an ip address to relay ? How to add a custom ip in ASSP ? Your server ip addresses are automatically added in ASSP ( myServerRe : /usr/local/assp/deluxe/assp_local_ips ) using the ASSP Deluxe ex_localdomains.php cronjob . If you want allow an ip address to relay which is not setup in your server you should follow these steps; Open your ASSP WHM INTERFACE and be sure ASSP relaying is set to /etc/relayhosts as below.

Now suppose you want add the ip address 130.10.10.10 , go to console and execute this

# echo "130.10.10.10" >> /usr/local/assp/deluxe/custom_assp_local_ips >> /etc/alwaysrelay

now execute

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php force=yes
# /scripts/restartsrv_tailwatchd

Done, after this step the ip 130.10.10.10 should be listed in /etc/relayhosts and in /usr/local/assp/deluxe/assp_local_ips .

How to allow a custom domain to relay email ? Your server email and domain are automatically added in ASSP using the ASSP Deluxe ex_localdomains.php cronjob . If you want allow to relay a domain name which is not setup in your server you should follow these steps; Suppose you want add the domain domain.com , go to console and execute this

# echo "domain.com" >> /usr/local/assp/deluxe/custom_assp_local_domains

now execute

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php force=yes

Done, after this step domain name domain.com should be listed in /usr/local/assp/deluxe/assp_local_domains .

How to allow a custom email to relay ? Your server email and domain are automatically added in ASSP using the ASSP Deluxe ex_localdomains.php cronjob . If you want allow to relay an email name which is not setup in your server you should follow these steps; Suppose you want add the email email@domain.com , go to console and execute this

# echo "email@domain.com" >> /usr/local/assp/deluxe/custom_assp_local_email

now execute

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php force=yes

Done, after this step email email@domain.com should be listed in /usr/local/assp/deluxe/assp_local_email .

How to solve SSL and PCI issues ? ASSP handles SSL connections by using IO::Socket::SSL Perl module. Default cipher list and SSL version used by IO::Socket::SSL are the following .SSL Version

SSL_version = SSLv23:!SSLv3:!SSLv2 # consider both SSL3.0 and SSL2.0 as broken

SSL Cipher list

SSL_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

This applies to IO::Socket::SSL version 2.067 ; if you are using an older or newer IO::Socket::SSL download and decompress the IO-Socket-SSL Perl module package and check the SSL_cipher_list an SSL_version contained in SSL.pm file . These are secure values which are compatible with the rest of the world and exclude broken ciphers and SSL versions that are clearly broken and dangerous. If your users are using an obsolete email client and you want offer them a wider SSL compatibility ( compatibility to most legacy/obsolete email clients ) be sure you have SSL Minimum Protocol set to TLSv1 (SSLv3 or below are not recommended!) in WHM

Service Configuration

Mailserver Configuration . On the countrary if you want a strong SSL security ( and SSL PCI compliance ) and you want allow only newer and updated email client (updated to latest TLS protocols) be sure you have SSL Minimum Protocol set to TLSv1.2 in WHM

Service Configuration

Mailserver Configuration .

TLS protocols and cypher strings here .
How to check your server allowed protocols and cypher strings here .

How to monitor SPAM sent from my server ( outgoing SPAM ) ?How do I stop SPAM being sent from my server ?My server is sending spam. What do I do ? Prevent Spam Complaints ASSP Deluxe for cPanel monitors outgoing email activity and send you an email notification if a condition is matched. If you take actions as soon you receive these email notifications you can avoid issues with outgoing SPAM blacklists. Currently ASSP Deluxe for cPanel can send three different email notifications :

Email sent using a script ( here )
Email sent using a script or SMTP authentication ( here )

Or you can activate Outgoing ASSP SPAM checks for local users . Open ASSP WHM INTERFACE

OUTGOING SPAM .

note: OUTGOING SPAM usage is not recommended because all ASSP DNS antispam checks cannot be applied locally and only a very limited number of ASSP filters can works locally ; you should enable this feature only if strictly required and only if you are an experienced ASSP administrator and you know what are you doing. If you enable OUTGOING SPAM Local users could be blocked incorrectly when they send email and you should take actions in ASSP GUI to allow them. For example if you find a good local email blocked incorrectly in ASSP log by Bayesian filter you should allow him using noBayesian_local in your ASSP WEB INTERFACE GUI.

Outgoing email notifications : email sent using a script ASSP Deluxe for cPanel checks your EXIM log ( /var/log/exim_mainlog ) during each ex_localdomains.php cron execution (by default each 59 minutes) and send you an email notification if the condition below is matched :

if in the latest 12 hours ( check_hours=hours ) any script in your server send more than 100 email ( top=100 ).

If the condition will be matched the next check will run after 6 ex_localdomains.php executions.
The email notification will be sent to the email set here.You can customize top, qu and check_hours by editing the file /usr/local/assp/deluxe/email_warnings , for example

top=100
check_hours=10

note :

For testing purpouses you can send the email report even if conditions are not satisfied by executing this
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php gonow=1
If you want disable this feature and stop these email notifications execute this
# touch /usr/local/assp/deluxe/stop_script # chmode 644 /usr/local/assp/deluxe/stop_script

If you received the email notification above and you need Grscripts professional support to investigate and stop outgoing SPAM activity in your server, you may click here to order the ASSP mannaged service or here if you need a one time root check.

Outgoing email notifications : email sent using script or SMTP authentication ASSP Deluxe for cPanel checks your EXIM log ( /var/log/exim_mainlog ) each 3 hours and send you an email notification if the condition below is matched :

if in the latest 12 hours ( check_hours=hours ) any email or script in your server send more than 100 email ( top=100 ).

If the email notification will be exactly the same in the next 3 hours check, the email notification will not be sent again even if the condition is matched.
The email notification will be sent to the email set here.You can customize top, qu and check_hours by editing the file /usr/local/assp/deluxe/email_warnings , for example

top=100
check_hours=10

note :

email sent under the value of 15 are not shown in the email report.
For testing purpouses you can send the email report even if conditions are not satisfied by executing this
# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php gonow=1
If you want disable this feature and stop these email notifications execute this
# touch /usr/local/assp/deluxe/stop_queue # chmode 644 /usr/local/assp/deluxe/stop_queue

If you want ignore one or more users in this script email notification you should add the username in this list (one username per row)

# nano /usr/local/assp/deluxe/ignore_spamout

find_abusers.php If you followed the installation HOW TO you already have following cronjob setup

*/20 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=29 rl=50 sc=30 dc=30 on=1

This cron analyzes current ASSP log ( /usr/local/assp/maillog.txt ) and collects ips and email which were repetitively abusing your mailserver as follows;

It collects ips that had more than 30 (sc=30) email blocked by ASSP Scoring ( PenaltyMessageLimit ) . Collected ips that have a value over 30 (sc=30) are added in denySMTPConnectionsFrom . Collected ips that have a value over 100 are added in denySMTPConnectionsFromAlways . From ASSP deluxe version 12.5.5, ips will be added only if in their history they failed min 3 checks (DKIM/SPF/RBL) in current ASSP log.
- ASSP WEB INTERFACE (GUI) IP BLOCKING denySMTPConnectionsFrom contains a list of IP's which should be blocked by ASSP. IP's which are listed in noDelay, acceptAllMail, ispip, whiteListedIPs, noProcessingIPs, whitebox (PBWhite) will pass even if listed here.
- ASSP WEB INTERFACE (GUI) IP BLOCKING denySMTPConnectionsFromAlways contains a list of IP's which should be always and strictly blocked by ASSP after address verification without other checks like noProcessingIPs or whiteListedIPs.
It collects ips that had more than 30 (dc=30) email blocked by email dictionary/No Local ( invalid address rejected ) . Collected ips that have a value over 30 (dc=30) are added in denySMTPConnectionsFrom . Collected ips that have a value over 70 are added in denySMTPConnectionsFromAlways .
It collects ips that had more than 50 (rl=50) email blocked by a RelayAttempt error. Collected ips that have a value over 50 (rl=50) are added in denySMTPConnectionsFrom.
It collects sender email Addresses that had more than 50 email blocked by ASSP Scoring ( PenaltyMessageLimit ). Collected email that have a value over 50 are added in blackListedDomains. If you want customize the value 50, you must add blockthis=n to find_abusers.php cron, for example blockthis=70. You can add blockthis=off if you want stop this kind of collection.

ASSP WEB INTERFACE (GUI) Validate Sender blackListedDomains contains a list of Addresses & Domains from which you always want to reject mail..
It collects ips that had more than 60 SMTP authentication failures. Collected ips that have a value over 60 are added in CSF firewall Deny list if you have CSF firewall installed and running and DENY_IP_LIMIT set to min 500 otherwise the ips are added in denySMTPConnectionsFromAlways ASSP list. If you want customize the value 60, you must add smtpc=n to find_abusers.php cron, for example smtpc=80. If you add csf=off , the ips will be always collected only in denySMTPConnectionsFromAlways ASSP list. If you want skip this kind of collection you should add smtpc=none ( or smtpc=off ).
It collects ips that had more than 60 invalidHeloRe failures. Collected ips that have a value over 60 are added in CSF firewall Deny list if you have CSF firewall installed and running and DENY_IP_LIMIT set to min 500 otherwise the ips are added in denySMTPConnectionsFromAlways ASSP list. If you want customize the value 60, you must add helor=n to find_abusers.php cron, for example helor=80. If you add csf=off , the ips will be always collected only in denySMTPConnectionsFromAlways ASSP list. If you want skip this kind of collection you should add helor=none ( or helor=off ).

If you execute find_abusers.php from console you can receive various information collected from your current ASSP log or old ASSP logs. For example

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=10

sw=10 will return all data with a value above 10. If you want analyze an old log , for example /usr/local/assp/20-03-12.maillog.txt you should execute this

# /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/find_abusers.php sw=10 log=20-03-12.maillog.txt

Data returned by find_abusers.php is listed below ;

Local top senders list : a list of email sent by your local email.
invalid address rejected : number of invalid address email sent to your local domains. You can found instantly which local domain is under an email dictionary attack.
spam scoring attacks sent to local email : number of email blocked using ASSP Scoring ( PenaltyMesssageLimit ) by each local email. You can found instantly which local email are under a SPAM attack.
spam scoring attacks sent to local domain : number of email blocked using ASSP Scoring ( PenaltyMesssageLimit ) by each local domain. You can found instantly which local domain are under a SPAM attack.
list of remote IP Addresses blocked by ASSP scoring ( PenaltyMesssageLimit ) : you can use worst ips in this list in your firewall deny list (e.g.)
list of remote IP Addresses blocked by Invalid Address Rejected ( No local / email dictionary attack ) : you can use worst ips in this list in your firewall deny list (e.g.)
Top spammers : list of top spammers email
Top ip Addresses SMTP authentication failures : list of Ip Addresses that had an SMTP authentication failure.
Top ips invalidHeloRe : list of Ip Addresses that had an invalidHeloRe failure.
Top email subjects sent by spammers : the list can be used to block email based on email content for example using bombSubjectRe, YARA rules or other ways (some explained here ) .
clamAV Unofficial signatures detections
Top spammers email sending email dictionary attacks
Top ForgedHELO attacks
Top UnknownLocalSender attacks
Email sent from your server using a script

How to have a better mailserver reputation Ensure that your servers aren’t being blocked

Be sure your users are not sending outgoing SPAM. If you receive an email outgoing notiifcation from ASSP Deluxe for cPanel, open ASSP WHM INTERFACE EMAIL QUEUE and check the if you have local email activity. If you have it read the EXIM ID and check if the outgoing email is legitimate or SPAM. If it's SPAM get actions to stop it asap.
All your server Ip Addresses must have a ReverseDNS (PTR) record. You can check PTR record HERE
All your user domain must have an SPF record. You can check SPF record HERE
All your user domain must have a DKIM record. You can check DKIM record HERE
All your server Ip Addresses must have a Good or Neutral reputation on Talos Database
All your server Ip Addresses must not be listed in major RBLs lists HERE
All your user domain must have a DMARC record.
You can execute an excellent Email Deliverability check (which includes DMARC,DKIM,SPF checks)HERE

DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes. DMARC is used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user. DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes.
SPF (Sender Policy Framework) , DKIM (DomainKeys Identified Mail), and DNS records (A ,MX ,PTR records) are also used to determine whether the email server being used is authorized to send emails for the organization.
- The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies. The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.
- DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification. If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.

How to add alternative SMTP ports in ASSP ? By default at the end of your ASSP installation you should have following SMTP ports

25 STARTTLS ( set in ASSP WEB INTERFACE (GUI) Network Setup listenPort )
26 and 587 STARTTLS ( set in ASSP WEB INTERFACE (GUI) Network Setup listenPort2 )
465 SSL ( set in ASSP WEB INTERFACE (GUI) Network Setup listenPortSSL)

If you want , you may add other SMTP ports by adding them in ASSP WEB INTERFACE (GUI)

Network Setup

listenPort2 . Be sure to separate each SMTP port with a pipe | , and be sure to allow each new SMTP port in your firewall.

When ASSP is running all alternative SMTP ports ( 26, 587, other ) must be set only in ASSP WEB INTERFACE (GUI) Network Setup listenPort2 as explained above. Be sure you do not add alternative SMTP ports in cPanel WHM Service Configuration Service Manager and always set OFF SMTP alternative port(s) as shown below.
Alaways add alternative SMTP ports only in listenPort2. Do not add alternative SMTP ports in listenPortSSL ( reserved to port 465 SSL ) or in listenPort ( reserved to port 25 ).

How to skip/bypass one or more ASSP SMTP port(s)
You can skip one or more ASSP SMTP port(s) by adding each SMTP port in the file (one SMTP port per row) /usr/local/assp/deluxe/smtp_skip. Edit the file with your preferred editor (e.g. nano),

# nano /usr/local/assp/deluxe/smtp_skip

then add the SMTP port you want exclude from ASSP for example if you want exclude 26 and 465 SSL you should enter

26465

Now save the file and open the ASSP WHM INTERFACE : STOP fully your ASSP ( as explained here ) and START it again . After this step SMTP port 26 and 465 will run EXIM only and will not pass for ASSP.

note : why should I provide my customers with an SMTP port bypassed by ASSP ?

You want an alternative dedicated outgoing SMTP port to use your email with remote POP3 or IMAP services or mobile App like Gmail, Outlook or other.
Your server is under a huge email attack, due to this reason your users are experiencing SMTP delay and you want provide them a dedicated and faster SMTP port to send email.

EXIM only SMTP ports cannot use ASSP email interface ( assp-spam@ , assp-white@, and so on ). For this reason it's not recommended to exclude SMTP port 587 which is used by cPanel Webmail (Roundcube and Horde). It's probably a good idea to setup an EXIM only SMTP port only for an alternative SMTP port like 58700 and then exclude it using the procedure explained above.
You cannot exclude main SMTP port 25. Avoid to exclude port 587 too for the reason explained above.
If you want reactivate an excluded ASSP SMTP port you must
- Remove the SMTP port from /usr/local/assp/deluxe/smtp_skip .
- STOP and START ASSP as explained above.
- Add the SMTP port in ASSP WEB INTERFACE (GUI) Network Setup listenPort2 or listenPortSSL if you are adding the SSL port 465.

Where are the old ASSP Deluxe for cPanel FAQs and other pages ?
You can found it HERE however note that there could be obsolete FAQs. Old changelog is available HERE, while old Tweaking page is available HERE . Old instructions to create a language pack for Deluxe frontend are still available HERE.

Special thanks to ASSP

Fritz Borgstedt : ASSP v1 developer
Thomas Eckardt : ASSP v2 developer [ ASSP ]

ASSP Deluxe for cPanel frontend

Manuel : spanish & french lang. pack [ plusplushosting.net ]
Horst Lederhaas : German lang. pack [ lederhaas.st ]
Safak Yavuzlar : beta tester [ aybilisim.com.tr ]
Willie Wu : beta tester [ ismile.com.tw ]
Remy Gardien : IMAP spambox collector [ e-dot.nl ]
Stephen Marley : beta tester [ nxds.com )
Elie P : fix_abuse_postmaster.php [ webdomain.com ]
Jan Lange : update_lang.php [ ARTADA GmbH ]
Cristina : translation support [ trcris.com ]
Konrad : polish language [ etop.pl ]
Tim Steffens : code support [ datacommus.com ]
and all the people which are supporting the ASSP Deluxe for cPanel project in any way .

ASSP Deluxe for cPanel : ASSP post installation and FAQs

ASSP Deluxe for cPanel : ASSP post installation steps

ASSP Deluxe for cPanel : FAQs