SpamBlocker 4.3.0, BlockCracking, Easy Spam Fighter, and new exim.pl

Thanks John. Since I'm still on CB1, what does this mean for my install? It seems to be working fine, will I be missing major functionalities or just the ability to fine tune by installing it like I have?
 
I think No. You should use Akismet 3.1.1 or similar wp plugin.

Badly enough not all my clients want to install such a plugin or they have infected files. There are also other websites that are not running on Wordpress but send email. I want to filter all that email.

Thanks for your suggestion!
 
Well SB is for incoming mails, not for outgoing from sites hosted on your server...

If your customer websites get hacked, tell them to update their WP installation and use, if you're not yet doing it, at least mod_ruid2 and also mod_security on your server to improve security and decrease hack issues.

Regards
 
  • BlockCracking for vastly better outbound spam detection and blocking. It counts the number of failed recipients to block a User or script, without affecting other Users or other scripts.
  • DA will give much more detailed reports on the offending script, and even parses the /home/user/.php/php-mail.log to tell you which script is the likely offender (ability to automatically chmod to 0, disabled by default)

How/where to set the default to chmod the spamming file to 0 ?
 
BlockCracking will block a php script path that gets hacked, based on a few conditions, but should really help prevent things like that.

Say, for example, a bad script ends up in the /home/user/domains/domain.com/public_html/uploads/badscript.php, and starts to spam.
BlockCracking will start counting how many non-resolving destinations are being sent to per "path" (/home/.../uploads) and if more than "X" destinations fails in "Y" time, then the entire /home/..../uploads path is added to a block script.
This will block anything from that path to send anything, directly from the /usr/sbin/sendmail - command line - level. A path that is blocked cannot get anything in the queue at all.
Same effect when a DA account is at the limit by SB4.3, nothing gets into the queue at all (unlike older SB which only blocks it from leaving the server, after it's already in the queue)

I won't say "don't use blocking WP plugins", as more layers of security would be much better, but BlockCracking is going to be a fairly heavy-duty layer of protection.

------

I also highly recommend blocking outbound port 25, and only allow it for "mail" and "root"... aka: exim always uses mail.
http://www.directadmin.com/features.php?id=1427
the block_ip/iptables already does this by default.. not sure if CSF does, but if not, add in those rules if you can.
I've noticed more reports of direct port 25 outbound sends, bypassing exim, and all of the exim tools, hence the need to only allow mail/root to use 25 out.

------

For a CB1 install, it is in theory possible to install SB/BC/ESF, but does require manual setup of various files, like the variables.conf, since they are assembled by CB2.
But SB 4 uses LMTP (can be changed back), but LMTP requires dovecot to be setup a certain way, which CB1 might not be doing (I can't recall 100%)

In any case, I highly recommend using CB2, as it does everything for you.
Unless you need php 5.2, you should be able to switch over to CB2 without much shock to your setup.. php can run however it ran, etc.. but you get all the new goodies :)

-------

For the chmod to 0, this is the related feature:
http://www.directadmin.com/features.php?id=1636

you'd set the value to "2"... but read the entire feature carefully.
I personally think it might be a bit heavy-handed, so use it lightly... and possibly set the limits on the higher-end of forgiveness. Up to you :)
Many layers of protection mean that no one layer needs to be ridiculous.

John
 
oh,

So BC actually checks if a script is sending out spam (by counting the amount of non-existing destination email addresses)
1) Does BC run this check before it sends out the email, or does it count destination-mail-server responses saying "this email address doesn't exist" when it sends the email ?
2) And what happens when the amount of no-existing email addresses hit the BC_LIM limit ?
does the script gets ignored by exim, like the DA-blockscript does ?
or do we need to add extra code, like this post suggested in the past ?

3) And DA has a block script that purely counts the amount of emails being sent from it, regardless of the emails being spam or a mailing ?
(until it integrates with BC)

4) I don't see a way to unblock the script in DA panel (see attached image: Untitled-7.png)


Thanks John
 
Hello John,

is there an easy way to keep

Code:
require verify = sender

uncommented without making exim.conf not writeable? Probably I miss something...
 
I have a problem with BlockCracking.
On 1 side, I would like to anticipate on spam-scripts that should be killed a.s.a.p. So I would like to use a BC_LIM == 10.

Now I have a client who wants to send out a mailing, and has no idea which email addresses are invalid...
I also think that somehow Exim tries to send it again and again, as I've seen the same invalid email address in the mainlog multiple times..

questions:
1: is there an option to treat (block-level & unblock-level) scripts different from auth-users ?
2: how can the client know (s)he has been blocked if (s)he's been blocked from the email box ?
(I got a question from a client that couldn't log into her email box anymore)
3: Is there a different way to get deblocked, as most of my clients don't tend to remember their email-address-passwords.
(I know we are supposed to educate & change our customers to fit our systems, but...)
4: Can I add a username to the BC_UNLIMITED_USERNAMES ?
will that whitelist auth-users sending through exim ?
will that also allow all spam-scripts to not get blocked ?


Thanks
 
oh,

So BC actually checks if a script is sending out spam (by counting the amount of non-existing destination email addresses)
1) Does BC run this check before it sends out the email, or does it count destination-mail-server responses saying "this email address doesn't exist" when it sends the email ?
2) And what happens when the amount of no-existing email addresses hit the BC_LIM limit ?
does the script gets ignored by exim, like the DA-blockscript does ?
or do we need to add extra code, like this post suggested in the past ?

3) And DA has a block script that purely counts the amount of emails being sent from it, regardless of the emails being spam or a mailing ?
(until it integrates with BC)

4) I don't see a way to unblock the script in DA panel (see attached image: View attachment 2049)


Thanks John

Hello,

1) I believe the count is done at the lookup stage of the send. It's an ACL, so exim will return a denied message to the caller (not a bounce)
2) They'll be refused entrance into the queue. BUT the 9 emails before would likely have already made it to the queue, so they'll eventually timeout.
The whole sending path gets blocked (or the calling smtp-auth user). It's not a "specific file" based blocking.
DA's chmod 0 script is triggered by the send limit, and DA can figure out the script name based on the ~/.php/php-mail.log. Exim doesn't know about this.
You shouldn't need to link the 2 together.. as both the chmod 0 and BlockCracking path block are "hard", in that neither would allow sends.
Our implementation of BlockCracking is based on that same guide, we already have scripts in place to tell DA about it (DA sends a message to the Admin and User, if my memory is correct)

3) Yes, DA's limit itself just counts sends. Note that DA is integrated with BC already, in that DA will tell the User about the BC report, and will also allow unblocking but whatever level applies, through DA.

John
 
I have a problem with BlockCracking.
On 1 side, I would like to anticipate on spam-scripts that should be killed a.s.a.p. So I would like to use a BC_LIM == 10.

Now I have a client who wants to send out a mailing, and has no idea which email addresses are invalid...
I also think that somehow Exim tries to send it again and again, as I've seen the same invalid email address in the mainlog multiple times..

questions:
1: is there an option to treat (block-level & unblock-level) scripts different from auth-users ?
2: how can the client know (s)he has been blocked if (s)he's been blocked from the email box ?
(I got a question from a client that couldn't log into her email box anymore)
3: Is there a different way to get deblocked, as most of my clients don't tend to remember their email-address-passwords.
(I know we are supposed to educate & change our customers to fit our systems, but...)
4: Can I add a username to the BC_UNLIMITED_USERNAMES ?
will that whitelist auth-users sending through exim ?
will that also allow all spam-scripts to not get blocked ?


Thanks

1) Not at this time.. but you could manually add another variable to the BC variables.conf, and swap out the limit check in the related conf files.
This would let you control the path block vs the smtp-auth block at different levels.

2) DA should be notifying everyone via the Message System.

3) It depends on exactly what method they were using, but anyone one level higher, and above, has the ability to unblock something.

4) Yes, that's what it's for. Just be sure to start with this default, and add onto it:
Code:
BC_UNLIMITED_USERNAMES = root : cron : mail : diradmin
It's not a full exim whitelist, it's just a BlockCracking whitelist.. so they can bypass the failed recipient count. Other limits are still enforced. Double checking the documentation, the BC_UNLIMITED_USERNAMES variable ONLY applies to scripts, not smtp-auth sends. So this will only work if your client is using script-based sends, eg php mail();

John
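The counting rule John describes (failed recipients counted per sending path, or per smtp-auth login, inside a time window, with the whole origin refused at the queue once the limit is passed) and the later note that BC_UNLIMITED_USERNAMES exempts only script sends, can be followed more easily in code. The block below is an added simulation written for this thread; it is not DirectAdmin's or BlockCracking's own code. BC_LIM and the default BC_UNLIMITED_USERNAMES values come from the thread, BC_TIME and the event dictionaries (script path, smtp-auth login, whether the recipient resolves) are constructed for the example, and `unblock()` stands in for the unblock that DA exposes one level up.

```python
"""Simplified BlockCracking-style failed-recipient counter (added example,
not DirectAdmin's code). Each recipient submission is attributed to an
"origin": the script directory for php mail() sends, or the smtp-auth login
for authenticated sends. More than BC_LIM failed recipients from one origin
inside a BC_TIME window blocks that origin before anything enters the queue."""
from collections import defaultdict, deque

BC_LIM = 10                 # value the thread discusses as an example limit
BC_TIME = 3600              # assumed window in seconds (the thread only says "Y time")
BC_UNLIMITED_USERNAMES = ("root", "cron", "mail", "diradmin")  # default from the thread


class BlockCracking:
    """Per-origin failed-recipient counter with a sliding time window."""

    def __init__(self, limit=BC_LIM, window=BC_TIME, unlimited=BC_UNLIMITED_USERNAMES):
        self.limit = limit
        self.window = window
        self.unlimited = set(unlimited)
        self.failures = defaultdict(deque)   # origin -> timestamps of failed recipients
        self.blocked = set()

    @staticmethod
    def origin(event):
        # Script sends are blocked per directory path, smtp-auth sends per login.
        if event["kind"] == "script":
            return ("path", event["path"])
        return ("auth", event["login"])

    def submit(self, event):
        """Decide one submission: ('deny', reason) or ('accept', failures_in_window)."""
        key = self.origin(event)
        if key in self.blocked:
            return ("deny", "origin blocked")
        # BC_UNLIMITED_USERNAMES exempts script sends only, never smtp-auth sends.
        exempt = event["kind"] == "script" and event.get("user") in self.unlimited
        window = self.failures[key]
        while window and event["ts"] - window[0] > self.window:
            window.popleft()                 # age out failures older than the window
        if not event["resolves"] and not exempt:
            window.append(event["ts"])
            if len(window) > self.limit:
                self.blocked.add(key)
                return ("deny", "failed recipient limit exceeded")
        return ("accept", len(window))

    def unblock(self, key):
        """Admin/reseller unblock; the counter for that origin restarts from zero."""
        self.blocked.discard(key)
        self.failures.pop(key, None)


def replay(events, limit=BC_LIM, window=BC_TIME):
    """Run a list of events through one counter and return the decisions and counter."""
    bc = BlockCracking(limit=limit, window=window)
    return [bc.submit(e) for e in events], bc


# Constructed sample events (not a real log).
BAD = "/home/user/domains/domain.com/public_html/uploads"
OTHER = "/home/other/domains/other.com/public_html"


def script(ts, path, resolves, user="user"):
    return {"ts": ts, "kind": "script", "path": path, "user": user, "resolves": resolves}


def auth(ts, login, resolves):
    return {"ts": ts, "kind": "auth", "login": login, "resolves": resolves}


SAMPLE_EVENTS = [
    script(0, BAD, False),
    script(1, BAD, False),
    script(2, BAD, False),
    script(3, BAD, False),                            # 4th failure with limit 3: path blocked
    script(4, BAD, True),                             # valid recipient, still refused: path is blocked
    script(5, OTHER, False),                          # unrelated path keeps its own count
    script(6, OTHER, False),
    script(7, "/etc/cron.d", False, user="cron"),     # whitelisted script user: not counted
    auth(8, "[email protected]", False),      # smtp-auth send: counted per login
    script(4000, OTHER, False),                       # earlier OTHER failures have aged out
]

if __name__ == "__main__":
    decisions, bc = replay(SAMPLE_EVENTS, limit=3)
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(bc.origin(event), decision)
```

Run with a limit of 3 so the block triggers quickly: the fourth failure from the `uploads` path is refused and the path stays blocked for every later send, including ones with valid recipients, which is the "nothing gets into the queue at all" behaviour described above. The cron-owned script is never counted, while the smtp-auth login is, matching the documentation note about BC_UNLIMITED_USERNAMES.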
 
2015-03-30 15:42:52 H=([127.0.0.1]) [server-ip] incomplete transaction (connection lost) from <[email protected]> for [email protected]
2015-03-30 15:42:52 unexpected disconnection while reading SMTP command from ([127.0.0.1]) [server-ip]

Any idea how to resolve this issue ?
 
somehow all these block scripts are not active or triggered...

I'm receiving LOCALRELAY warning mails from CSF/LFD that 100 emails have been sent...
While the user limit in DA is set to 15.
While the BlockCracking wrong email count is set to 50 (okay, all those 100 mails could have been correct)
While the path from the spam-script is actually already in the BlockCracking-block-scripts-list..

What can I do / test ?
I have 2 user accounts which are hacked every few days with spam scripts..
 
@JFOC: I'm not sure that's related to ESF/BC.. may need to figure out what script is doing the connection to exim.

@Duboux:
1) If you're using mod_php, ensure you're using mod_ruid2 as well. The exim.pl does a much better job at figuring out the sender if php runs as the User, and not as "apache". (suPhp, php-fpm, fastcgi, are also good)

2) Can you include the exact relay warning? Need to know what it's referring to (comment out any identifying bits with example values like localdomain.com, externaldomain.com, etc..).

3) I recommend shutting off the pophosts file in the exim.conf (created by popb4smtp), so we can narrow down the entry point of any send.

4) Note that BlockCracking only counts the number of failed destination recipients. If email deliveries are valid, then BC is not going to block anything.

5) The word "relay" may imply that it's a port 25 delivery from outside.. make sure the whitelist files have nothing in them.
Code:
cd /etc/virtual
ls -la *whitelist*
they should all be 0 bytes.

6) General spam detection guide:
http://help.directadmin.com/item.php?id=455

John
 
What can I do / test ?
I have 2 user accounts which are hacked every few days with spam scripts..
If that is the case, most probably either more than 1 script or php file is infected so the hackers can start over again every time, or the password is known by the hackers.
Have your 2 users at least clean their PCs from malware and trojans (use ADWcleaner and Malware bytes in that order) and after that change all passwords.
Have them keep sites (especially CMS systems) up to date. And then some other security stuff.
 
Also in CB, do:
Code:
./build secure_php
to set the disable_functions. It will prevent the use of some of the more commonly abused functions.

However, depending on the script (like WordPress), they use "eval", meaning the hacked code ends up in the database, and is "eval"-ed (run)... You can change the password to prevent future logins, but if the site is already hacked, you'll have a hard time tracking it down.

Code:
/home/username/.php/*

may show you which script is sending the email, and would also include the line number. (usually points to eval($str); or something like that, which isn't a smoking gun)

John
 
Hi,

Is it posible that these new functions/settings somehow block pipe emails?

It all worked fine first but now I can't get it working again.

I think I did everything correctly but I keep getting errors. Not from PHP but from cagefs.

I run cloudlinux with cagefs with CB 2.0 and lsphp 5.4

I have chmod the pipe file 755
I have put #!/usr/local/bin/php -q on the first line of pipe.php
I have created a forwarder with the full path to my file: "|/home/user/domains/domain.nl/public_html/pipe.php"

I just keep on getting this error:

Code:
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  pipe to |/home/user/domains/domain.nl/public_html/pipe.php
    generated by [email protected]
    local delivery failed

The following text was generated during the delivery attempt:

------ pipe to |/home/user/domains/domain.nl/public_html/pipe.php
       generated by [email protected] ------

Usage: cagefs_enter <command> <command_arguments>...

Exim error:
Code:
2015-04-04 16:00:31 1YeOch-001Jtf-Ch ** |/home/user/domains/domain.nl/public_html/pipe.php ([email protected]) <[email protected]> F=<[email protected]> R=virtual_aliases_nostar T=virtual_address_pipe: Child process of virtual_address_pipe transport returned 255 (could mean shell command ended by signal 127 (Unknown signal 127)) from command: /bin/cagefs_enter
 
"cagefs_enter" seems to be getting in there somehow... I have a feeling it hijacks php to lock it down, and it's somehow not handling this case.
 