Spam attack

[integraideas]

I have couple of our customers that have using outlook and have received around 100 emails (spam).

How to increase the level of spam protection in the server in order to reduce those emails?

[Matt]

Please see this thread
http://glowhost.com/forums/showthread.php?t=319
and let me know if you have any comments on it. I have found this to be the most effective spam reduction configuration. :fail: the default address being the most effective of the group.

[integraideas]

Matt,
the email address by default is pointing to one email address. The spam assasins was set up, but the rain of emails keep going in all the email accounts, and most of the computers have antivirus protection, so this take time to check the incoming email and slow the machine.

This situation was detected since last week. In other words, before last week everything was running smoothly, now it's a headache.

Any way to stop them directly in the server? more protection?

[Matt]

You are going to have to trust me when I say :fail: the default address. When I looked, they were all being forwarded to one email address or another. None of them were set to fail.

You will need to turn on Spam assassin, and disable the spam box, then turn the threshold down to 5 or lower, then have spam assassin re-write the subject lines. When you are comfortable no email is being flagged as a false positive, you can use the filter option described in the above link to automatically delete email flagged as spam.

As for at the server level, there is not much else we can do other than give you the tools for prevention. if you choose not to implement them, they do not do you any good.

We have Clam AntiVirus Installed
We have Spam Assassin Installed
We subscribe to several RBLs (remote block list, tells us to ignore delivery requests from problematic IP addresses and known spammers)
We have enabled several other customized features to our mail server including dictionary attack prevention.

The rest is up to you. It starts with the default address and spam assassin. It also requires safe distribution of your email addresses. Don't just give your best email addresses out to some random contest you saw on the Internet. Make a personal email address for your friend and family. Make a business address for your business contacts and make another address for when you make online purchases.

Those are my suggestions.

If you follow those guidelines, you should not get more than a few spam messages, if any, in a given day.

[integraideas]

Thanks Matt for your support, the only thing I'm missing is to threshold down to 5, where?

[Matt]

Great, you should see a considerable improvement.

Go into cPanel > mail > Spam Assassin > and click on the button right under "Enable Spam Assassin" it says:

"Configure Spam Assassin (required to rewrite subjects)"

Once you are in there, you will see "required_score" and that should default to 5. You can lower this number for more filtering or raise it for less filtering. Once you have done that, you can keep the default subject line next to "rewrite_header subject" as **SPAM** or you can get creative.

I used this one: Spam Hits _HITS_ / of _REQD_

The above would rewrite mail flagged as spam to have a subject like:
Spam Hits 6 / of 5 {the original subject here}

This told me that the email scored a 6 of 5 allowed, and would have been automatically trashed if i set the filter up for it. if it were a 4 of 5, it would not have been rewritten (or trashed should you configure it like that) it would have been delivered as normal.

I suggest using subject rewrites for a few days until you have a good threshold (required_score) that you like, then go apply the filter when you are comfortable with the way you have configured Spam Assassin.

Just make sure you keep the Spam box disabled unless you plan on checking and cleaning it periodically because all it does is collect junk. I am cosidering removing it as an option as 99% of the users never check it and it wastes their disk space.

[charlesh]

Matt,

Thanks for the info on tweaking spamassasin. One question, when we put the number of hits out of X allowed into our subject rewrites, do we have to further configure anything else in the options, such as redoing the scores, etc or is that all we have to really tweak?

And, when we are comfortable in the level of filter, how do we stop those messages from being delivered? Do I click the link on cPanel -> Mail -> SpamAssasin that says to "To simply have the server DELETE and NOT deliver emails that are tagged as spam by SpamAssassin click here now"?

Thanks,
Charles H.

[Matt]

Charles

Thanks for the info on tweaking spamassasin. One question, when we put the number of hits out of X allowed into our subject rewrites, do we have to further configure anything else in the options, such as redoing the scores, etc or is that all we have to really tweak?

The only reason I suggest doing that is because its quick and easy to see how an email was scored by spam assassin while you are getting used to how it scores junkmail.

You do not have to do this, you can just look at the email headers and Spam Assassin writes the score in there as well. I just think it saves a few clicks if you rewrite the subject lines and it is right there in front of you for speedy reference.

Once you are comfortable with how it scored you and adjust X up our down to the point where spam assassin with actually do something useful with emails flagged as spam.

When you like the numbers go into cPanel > mail > filters and there is a spam assassin hint which works well to discard email tagged as spam so you never see it, or, you can forward it to another email box instead of "Discard" if you want to manually process / check forwarded emails marked as spam for false positives.

And, when we are comfortable in the level of filter, how do we stop those messages from being delivered? Do I click the link on cPanel -> Mail -> SpamAssasin that says to "To simply have the server DELETE and NOT deliver emails that are tagged as spam by SpamAssassin click here now"?

I have had better luck with the filter previously described versus using the one you are talking about, either SHOULD work, I know the filter I discussed DOES work. haven't tried the one on the Spam Assassin page in a while though, at one point I know it was not properly discarding email.

[charlesh]

Matt,

I did try the link referred to above to stop the spam from getting through and it hasn't worked, so that is why I was asking. I will try the filter method, since that has better results. Thanks for the reply to the post. I will also try to delete the default E-mail address for the account to help things along as it not being the catch-all. Then, maybe I'll quit getting calls. The thing is, he is pulling the pop directly from his blackberry. I finally got my client to quit forwarding through Comcast, so this was the option and he told me that the level of spams he was getting on his handheld was totally irratating him (can't say that I blame him).

I'll update everyone who has read this topic on how the results come out.

CharlesH.

[Matt]

Main thing is don't pop the server with your cPanel username (won't work anyways after you :fail: the default address) in your mail programs. Use the full email address joe@whatever.com and make sure you setup an account for it in cpanel > mail > add remove accounts and you will cut the spam by no less than 90% is my guestimate.