Spam issues and request for script

[AudiAddict]

Hi everyone, I've been using directadmin for several years now and unfortunately some of my users got their e-mail accounts added to a spambot list.

They are receiving 10-30 spam e-mails per day, coming from random ips etc. Very annoying and we have managed to lower the amount of incoming spam by using the stop word function. See screenshot below.

The downside however is that we need to REPEAT this proces for every account. Is there a way to create a script to add stop words to all accounts? We don't want to drop the e-mail, but send to spam box (to make sure they can still very false positives, and also because we see that it increases the amount as the bot just uses other formats etc that are not blocked).

So in short: Is there a way to script something to add a single stop word with a value and have it applied to all users / domains on the DA server?

PS: Using Debian 6.1.67-1 (2023-12-12) x86_64 GNU/Linux, exim, with spamassasin, RBL list barracuda and zen.spamhaus

 

[Richard G]

It might be possible.
Create the configuration for 1 user. Then check the user's /etc/virtual/domainname/filter file.
Are the changes in there present?

In that case, copy that filter file to some directory for example /root/spamfilter

Then create a script called domain_create_post.sh in the /usr/local/directadmin/scripts/custom directory with for example this content:

#!/bin/sh
cp -f /root/spamfilter/filter /etc/virtual/$domain/filter >/dev/null 2>&1
chown mail:mail /etc/virtual/$domain/filter
chmod 640 /etc/virtual/$domain/filter

After that:

chmod 755 domain_create_post.sh
chown diradmin:direadmin domain_create_post.sh

You can do something similar with the filter.conf file if you want certain default content in there.

Now every time a domain is created, this file will be copied to the new domain with the values present in the filter file.

Keep the $domain in there, that's a variable which will automatically be replaced by the correct domain on domain creation.

 

[adam12]

I'd add a custom SpamAssassin rule for this. Here's an example from my custom ruleset.

body            LOCAL_SEO               /SEO packages|SEO proposal|SEO reseller|1st Page of google/i
score           LOCAL_SEO               10

It lives in /etc/mail/spamassassin/local.cf

 

[AudiAddict]

Hi both - appreciate your help here and @Richard G - nice to see you are also from the Netherlands .

It might be possible.
Create the configuration for 1 user. Then check the user's /etc/virtual/domainname/filter file.
Are the changes in there present?

In that case, copy that filter file to some directory for example /root/spamfilter

Then create a script called domain_create_post.sh in the /usr/local/directadmin/scripts/custom directory with for example this content:

#!/bin/sh
cp -f /root/spamfilter/filter /etc/virtual/$domain/filter >/dev/null 2>&1
chown mail:mail /etc/virtual/$domain/filter
chmod 640 /etc/virtual/$domain/filter

After that:

chmod 755 domain_create_post.sh
chown diradmin:direadmin domain_create_post.sh

You can do something similar with the filter.conf file if you want certain default content in there.

Now every time a domain is created, this file will be copied to the new domain with the values present in the filter file.

Keep the $domain in there, that's a variable which will automatically be replaced by the correct domain on domain creation.

I've checked the filter file and it looks like it's being edited and more info is being added than just the filter options. I have adult filter enabled to prevent viagra and related e-mails, this is an example of something it adds keywords to based on a single checkmark. Do you think this will still work? See code below.

cat filter
# Exim Filter

# created by DirectAdmin, version 1.663
# Do not modify this file as any changes will be
# overwritten when the user makes a change.
# (data is only written to this file, not read)




if
        $h_X-Spam-Level: contains "***************"
then
        seen finish
endif


if
    $h_X-Spam-Status: contains "Yes,"
then
    if
        $local_part is "exampleuser"
    then

        save /home/exampleuser/Maildir/.INBOX.spam/new/ 660
    else
        if "${if exists{/home/exampleuser/imap/${domain}/${local_part}}{yes}{no}}" is "yes"
        then
            save /home/exampleuser/imap/$domain/$local_part/Maildir/.INBOX.spam/new/ 660
        else
            save /home/exampleuser/Maildir/.INBOX.spam/new/ 660
        endif

    endif
    finish
endif


if error_message then finish endif

if      
        or $header_subject: contains "[email protected]" or $message_headers contains "[email protected]" or $message_body: contains "[email protected]"
     
then
    if
        $local_part is "exampleuser"
    then

        save /home/exampleuser/Maildir/.INBOX.spam/new/ 660
    else
        if "${if exists{/home/exampleuser/imap/${domain}/${local_part}}{yes}{no}}" is "yes"
        then
            save /home/exampleuser/imap/$domain/$local_part/Maildir/.INBOX.spam/new/ 660
        else
            save /home/exampleuser/Maildir/.INBOX.spam/new/ 660
        endif

    endif
    finish
endif



if
        $header_subject: contains " ass " or $message_headers contains " ass " or $header_from: contains " ass "
        or $header_subject: contains " bitch" or $message_headers contains " bitch" or $header_from: contains " bitch"
        or $header_subject: contains " cialis " or $message_headers contains " cialis " or $header_from: contains " cialis "
        or $header_subject: contains " cunt " or $message_headers contains " cunt " or $header_from: contains " cunt "
        or $header_subject: contains " fuck " or $message_headers contains " fuck " or $header_from: contains " fuck "
        or $header_subject: contains " sex " or $message_headers contains " sex " or $header_from: contains " sex "
        or $header_subject: contains " sexiest " or $message_headers contains " sexiest " or $header_from: contains " sexiest "
        or $header_subject: contains " sexy " or $message_headers contains " sexy " or $header_from: contains " sexy "
        or $header_subject: contains " shit " or $message_headers contains " shit " or $header_from: contains " shit "
        or $header_subject: contains " slut " or $message_headers contains " slut " or $header_from: contains " slut "
        or $header_subject: contains " slutty " or $message_headers contains " slutty " or $header_from: contains " slutty "
        or $header_subject: contains " viagra " or $message_headers contains " viagra " or $header_from: contains " viagra "
        or $header_subject: contains " whore " or $message_headers contains " whore " or $header_from: contains " whore "
        or $header_subject: contains "asshole" or $message_headers contains "asshole" or $header_from: contains "asshole"
then
    if
        $local_part is "exampleuser"
    then

        save /home/exampleuser/Maildir/.INBOX.spam/new/ 660
    else
        if "${if exists{/home/exampleuser/imap/${domain}/${local_part}}{yes}{no}}" is "yes"
        then
            save /home/exampleuser/imap/$domain/$local_part/Maildir/.INBOX.spam/new/ 660
        else
            save /home/exampleuser/Maildir/.INBOX.spam/new/ 660
        endif

    endif
    finish
endif

I'd add a custom SpamAssassin rule for this. Here's an example from my custom ruleset.

body            LOCAL_SEO               /SEO packages|SEO proposal|SEO reseller|1st Page of google/i
score           LOCAL_SEO               10

It lives in /etc/mail/spamassassin/local.cf

Can you provide a bit more detail on this? So edit the "master" file and have it apply to all users? That sounds like an easy solution

How would i add the word filters from the code example above? It looks like when you add a word filter in the GUI it adds :

    $header_subject: contains "[email protected]"

    $message_headers contains "[email protected]"

    $message_body: contains "[email protected]"

So I copy your body example, what is the 2nd and 3rd item in your example? Also how to not block it, but send to spam folder for these specific additions? If I block -> the spambot, just resends with different text (smart bot..)

 

[johannes]

For additional stop words I`d use the adult filter list template, https://docs.directadmin.com/other-...coming-spam.html#adult-filter-to-use-template , for all accounts. Just dont know how to push it to already existing accounts, maybe @Richard G have an idea.

And for changes in the exim filter its propably better to use a custom file which doesnt get overwritten , as ex. /usr/local/directadmin/custombuild/custom/exim/system_filter.exim

 

[adam12]

Can you provide a bit more detail on this? So edit the "master" file and have it apply to all users? That sounds like an easy solution

Everyone who has Spamassassin enabled. Where the email is delivered depends on the user's configuration.

How would i add the word filters from the code example above?

I don't normally use the rawbody filter but you could try it since it targets the entire email raw (I generally niche down to subject, body, etc).

rawbody LOCAL_SPAM_RULE_10 /[email protected]/
score LOCAL_SPAM_RULE_10 10

 

[johannes]

Everyone who has Spamassassin enabled.

Please, do you mayby know, if it works also with RSpamd instead of SA, as SpamAssassin is sharing the GUI with RSpamd ?

 

[Richard G]

Do you think this will still work?

If that is created via the user account then I don't see why it wouldn't work.

To push it to already existing accounts, well, for sure there will be a smart copy command for that, but nothing is coming up in my mind right now.
But if you don't have that many so I would just use Midnight Commander.

I've just found that the docs also have a domain_create_post.sh file, looks slightly different (maybe better) then mine, but you might want to use that:

#!/bin/sh
F=/etc/virtual/$domain/filter.conf
if [ -e $F ]; then
   echo "where=userspamfolder" >> $F
   echo "action=rewrite&value=filter&user=$username" >> /usr/local/directadmin/data/task.queue
fi

Everyone who has Spamassassin enabled. Where the email is delivered depends on the user's configuration.

But as stated, for this you can also create a default on domain creation. That is the filter.conf file I was talking about.
One can use it the same way as the filter file.

I did to and just added it to my script.

 

[adam12]

Please, do you mayby know, if it works also with RSpamd instead of SA, as SpamAssassin is sharing the GUI with RSpamd ?

I'm sure you could do similar with rspamd but the examples I provided would not work for rspamd.

 

[Stije]

You can edit the /etc/mail/spamassassin/local.cf and add your own rule there.

So if you want to block the word banana for everybody you can do this to give mails with the word banana (upper or lower case) a spam score of 8.0:
Add this to the file: /etc/mail/spamassassin/local.cf

body LOCAL_BAD_WORDS_RULE    /\banana\b/i
score LOCAL_BAD_WORDS_RULE 8.0

Or an other way is to use the template option

Filtering incoming spam | Directadmin Docs

DirectAdmin Knowledge Base

docs.directadmin.com

This will add the config to all users. So you can put this rule in the safe area of the template file

#SAFE AREA start
body LOCAL_BAD_WORDS_RULE    /\banana\b/i
score LOCAL_BAD_WORDS_RULE 8.0
#SAFE AREA end

 

[AudiAddict]

Thanks all for your help.

You can edit the /etc/mail/spamassassin/local.cf and add your own rule there.

So if you want to block the word banana for everybody you can do this to give mails with the word banana (upper or lower case) a spam score of 8.0:
Add this to the file: /etc/mail/spamassassin/local.cf

body LOCAL_BAD_WORDS_RULE    /\banana\b/i
score LOCAL_BAD_WORDS_RULE 8.0

Or an other way is to use the template option

Filtering incoming spam | Directadmin Docs

DirectAdmin Knowledge Base

docs.directadmin.com

This will add the config to all users. So you can put this rule in the safe area of the template file

#SAFE AREA start
body LOCAL_BAD_WORDS_RULE    /\banana\b/i
score LOCAL_BAD_WORDS_RULE 8.0
#SAFE AREA end

Sorry for being the newbie here, I will try both richard and your approach. Can you confirm how this template option works exactly? The documentation is not entirely clear for me. Should I be adding another file like other custom templates? or edit the file mentioned in the documentation?

 

[Richard G]

Sorry for being the newbie here

That's no problem because you ask questions, this way you can learn something, we don't mind questions.

As for the approach, I would suggest to use the local.cf approach to things you want to have blocked on the complete server anyway, is less work.
You can then use my approach for the words the customers are allowed to remove or change, or for the filter.conf to have default settinsg for the domains for the other settings.

 

[Hendrik]

We have added the AbuseIPDB API to the default firewall. Look for instructions on the way to instrall the API. It is for free with a limited amount of updates per day.
And perhaps you should check if all default blacklists are enabled. That was not the case in our DA installation.

 

[Richard G]

We have added the AbuseIPDB API to the default firewall.

We use that too and have a great script for it from @eva2000. And you can install and keep it updated via git.

GitHub - centminmod/centminmod-abuseipdb-reporter: CSF Firewall and AbuseIPDB API integration with specific focus on data privacy and prevention of sensitive data leaked to public AbuseIPDB database report

CSF Firewall and AbuseIPDB API integration with specific focus on data privacy and prevention of sensitive data leaked to public AbuseIPDB database report - centminmod/centminmod-abuseipdb-reporter

github.com

 

[floyd]

I despise spam filters. Lost too many legit emails with them. I do not trust any of them.

 

[zEitEr]

Is there a way to create a script to add stop words to all accounts?

If you want a single place for management STOP words you might consider using the system Exim's filter:

- /etc/system_filter.exim

As soon as you modify the file, you would need to copy it to /usr/local/directadmin/custombuild/custom/exim/system_filter.exim in order to protect changes from a loss during an update.

 

[Richard G]

consider using the system Exim's filter:

Could you give an example for that? Because I see header and content.

For header it's fairly easy, i presume this is comma and apostrophe seperated?:

if $header_from: contains "@sexyfun.net"

But for example for content it's like some code like this:

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)>
then
  seen finish
endif

I don't understand that. Would be nice if it could be made easy like in spamfilters like something as:

if $messsage_body: contains "viagra", "other word", "spamword"

kind of like that.

So how should we be use words in the system_fitler.exim?

 

[zEitEr]

Sorry, I'd rather not explain how the system filter works in Exim. I would rather suggest that you read documentation and play with the filter settings in Directadmin interface on your own. Just choose a not-important or fake domain, e.g. domain.com and see how the changes go.

Go to an "E-mail Filters" page in Directadmin for domain.com and change the filter settings. Then see how the content of the file changes /etc/virtual/domain.com/filter. It will give you a basic understanding of the syntax and logic.

For header it's fairly easy, i presume this is comma and apostrophe seperated?:

You can even block words for your domain.com in DirectAdmin as usually, and then copy the block from /etc/virtual/[B]domain.com[/B]/filter to the file /etc/system_filter.exim. The syntax and logic is absolutely the same.

But for example for content it's like some code like this:

You picked the lines which are added for a different purpose. And you should not do anything with them.

I don't understand that. Would be nice if it could be made easy like in spamfilters like something as:

You might read the following articles if you really want to learn more:

- https://www.exim.org/exim-html-current/doc/html/spec_html/ch-systemwide_message_filtering.html
- https://www.exim.org/exim-html-current/doc/html/spec_html/filter_ch-exim_filter_files.html

Otherwise you might leave it as is, and simply copy/paste instructions from /etc/virtual/[B]domain.com[/B]/filter to the file /etc/system_filter.exim.

Should you have other questions other than requests for explaining things, then I would probably participate in it.

Thank you for understanding.

 

[Richard G]

The syntax and logic is absolutely the same.

Aha, that makes it a lot easier, thank you!

and simply copy/paste instructions from /etc/virtual/[B]domain.com[/B]/filter to the file /etc/system_filter.exim

Marvelous, that makes life real easy then. Kind of the same as how I created the domain_create_post.sh filter and filter.conf files, just create and copy.
But I will have a look at your links and try to learn from there too anyway.

Thank you @zEitEr !!