Anti-spam artillery for your multi-user web and mail servers.
This project consists of a handful of tools that, once combined, provide a good enough solution to two unsolvable problems.
- Spammers sending spam through compromised PHP web applications on shared hosting environments
- Spammers sending spam using stolen SMTP credentials
```sh
cd /usr/local/share/
git clone
```
- Log analysis tools - Identify and stop spammers by looking at log files
- Filesystem scan tools - Detect and remove malicious code from your system
  - full-scan - Wrapper for clamd-client and php-shell-detector
  - clamd-client - Python client for Clamd
  - php-shell-detector - Rewrite of Shell-Detector
- Utils - Miscellaneous directory
  - emergency-mail - SMTP client for sending emails outside
  - - Nagios black list checker
  - - full-scan wrapper for modsecurity
Prevent CGI execution on upload directories
```apache
<DirectoryMatch ".*upload.*/.*">
    Options -ExecCGI
    <Files *.php>
        deny from all
    </Files>
</DirectoryMatch>

# PHP-FPM
<LocationMatch ".*upload.*/.*.php">
    deny from all
</LocationMatch>
```
Disable security sensitive PHP functions
```ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,show_source,pcntl_exec,proc_close,proc_get_status,proc_nice,proc_terminate,ini_alter,virtual,openlog,dl,fsockopen,pfsockopen,stream_socket_client,getmxrr
```
Monitor for unusual activity. Perl scripts running on a web hosting environment are usually a security breach symptom.
```cron
*/5 * * * * ps aux|grep ' perl '|grep -v ' grep '
```
Don't use your primary mail server for sending web users' mail.
Use fail2ban, and ban failed attempts at login endpoints:

```ini
# /etc/fail2ban/filter.d/php-login.conf
[Definition]
failregex = ^<HOST> .* "POST .*login.php
ignoreregex =

# /etc/fail2ban/jail.local
[php-login]
enabled = true
filter = php-login
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /home/*/logs/apache/access_*.log
bantime = 1200
maxretry = 8
```
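To see what the php-login jail actually counts, the following added example (not spam-gear code) replays the failregex above against constructed Apache access-log lines and applies the jail's maxretry over a sliding window. The window length is fail2ban's default findtime of 600 seconds, which is an assumption because the jail above does not set one; `<HOST>` is stood in for by a plain IPv4 group.

```python
"""Replay of the php-login fail2ban filter against constructed Apache access-log lines.

Added example, not spam-gear code. It applies the failregex and the jail's maxretry
from the configuration above; findtime is fail2ban's default of 600 s, an assumption
because the jail above does not set it."""
import re
from datetime import datetime, timedelta

# fail2ban expands <HOST> to an address pattern; a plain IPv4 group stands in for it here.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST_RE + r' .* "POST .*login.php')  # as in filter.d/php-login.conf
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

MAXRETRY = 8                       # from jail.local above
FINDTIME = timedelta(seconds=600)  # fail2ban default (assumption)


def parse_line(line):
    """Return (host, timestamp) for a line the filter counts as a failure, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    t = TIMESTAMP_RE.search(line)
    if not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Per-host sliding window over findtime, banning once maxretry matches fall inside it."""
    recent = {}
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        window = [t for t in recent.get(host, []) if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


def sample_log():
    """Constructed access-log lines: one host posting to wp-login.php nine times in
    three minutes, and a normal visitor who loads the form once and logs in once."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(9):
        ts = (base + timedelta(seconds=20 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'203.0.113.9 - - [{ts} +0000] "POST /wp-login.php HTTP/1.1" 200 2841')
    lines.append('198.51.100.4 - - [01/Jan/2024:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2841')
    lines.append('198.51.100.4 - - [01/Jan/2024:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    print("would ban:", sorted(hosts_to_ban(sample_log())))  # ['203.0.113.9']
```

Note that the failregex counts every POST to a login.php, successful logins included, because an access log does not record whether the password was right. A busy office behind one NAT address can therefore reach maxretry with legitimate logins; keep maxretry above that rate, or extend the regex to match only the status code your application returns on a failed login.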
Use Apache ModSecurity
Inspect uploaded files with ModSecurity and spam-gear
```apache
# modsecurity.conf
SecRule FILES_TMPNAMES "@inspectFile /usr/local/share/spam-gear/utils/" \
    "id:159,phase:2,t:none,log,deny,msg:'Malicious Code Detected, access denied'"
```
Run CGIs with Apache SuEXEC
Scan for recently uploaded malicious files every day and the entire home filesystem once a week.
```cron
30 4 * * 0-5 find /home/ -type f -mtime -2 -iname "*php" | full-scan -q --notify-user -c /usr/local/share/spam-gear/conf/
30 1 * * 6 find /home/ -type f -size -5M | full-scan --quarantine --notify-user -c /usr/local/share/spam-gear/conf/
```
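The daily job above pipes recently changed PHP files into full-scan. The following added example, which is not spam-gear's full-scan or php-shell-detector, shows the shape of such a scan in Python: it selects .php files modified within the last two days, the same selection as `find -mtime -2 -iname "*php"`, and flags those that call a function from the disable_functions list above or that pass decoded data straight into eval(). The heuristics, the temporary directory and the two sample files are constructed for illustration; a real scan uses a fingerprint database and ClamAV as the tools above do.

```python
"""Heuristic scan of recently modified PHP files, in the spirit of the daily
`find ... | full-scan` job above.

Added example, not spam-gear's full-scan or php-shell-detector. It selects
.php files changed within the last two days (like `find -mtime -2 -iname "*php"`)
and flags those that call a function from the php.ini disable_functions list
above or that feed decoded data straight into eval(). Patterns and sample
files are constructed for illustration."""
import os
import re
import time
import tempfile

# The functions listed under disable_functions in this README.
DISABLED_FUNCTIONS = [
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_multi_exec", "show_source", "pcntl_exec", "proc_close",
    "proc_get_status", "proc_nice", "proc_terminate", "ini_alter", "virtual",
    "openlog", "dl", "fsockopen", "pfsockopen", "stream_socket_client", "getmxrr",
]

# Constructed heuristics; a real scanner would use a fingerprint database and ClamAV as above.
PATTERNS = {
    "disabled-function-call": re.compile(
        r"\b(?:" + "|".join(map(re.escape, DISABLED_FUNCTIONS)) + r")\s*\(", re.I),
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}


def scan_file(path):
    """Names of the heuristics that match the file's contents (empty list if clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def recent_php_files(root, max_age_days=2):
    """Yield .php files under root modified within max_age_days."""
    cutoff = time.time() - max_age_days * 86400
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                if os.path.getmtime(path) >= cutoff:
                    yield path


def scan_tree(root, max_age_days=2):
    """Map each flagged file (relative to root) to the heuristics it triggered."""
    report = {}
    for path in recent_php_files(root, max_age_days):
        hits = scan_file(path)
        if hits:
            report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Create a throwaway tree with one clean file and one suspicious upload, then scan it."""
    root = tempfile.mkdtemp(prefix="spam-gear-demo-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n")
    with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('ZWNobyAxOw==')); system('id'); ?>\n")
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")  # uploads/cache.php: disabled-function-call, eval-of-decoded-data
```

The mtime filter is what keeps the daily run cheap; it is also why the weekly run above scans everything, since an attacker can reset a file's timestamp and a file dropped before the daily window will otherwise never be looked at again.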
Real-time scanning of scripts that send mail
```cron
*/10 * * * * { php-sendmail2relay-spam-check 10 10 && php-spam-check 500; } | full-scan -q --notify-user -c /usr/local/share/spam-gear/conf/
```
Periodically update php-shell-detector and spam-gear fingerprints.txt and
```cron
0 0 * * * php-shell-detector --update
0 0 * * * wget -q -O /usr/local/share/spam-gear/scans/fingerprints.txt
0 0 * * * wget -q -O /usr/local/share/spam-gear/scans/
```
Periodically monitor log files for users that send large amounts of mail, using local SMTP, Roundcube or Horde IMP. Tune the thresholds for automatically disabling users based on the number of IPs, networks and emails they send.
```cron
*/20 * * * * postfix-spam-check -p 1hour -m 90 -d 5,5 -w, | emergency-mail 3000
*/20 * * * * exim-spam-check -p 1hour -m 90 | emergency-mail 2000
*/20 * * * * roundcube-spam-check -p 1hour -m 60 -d 10,10 -l /home/pangea/logs/roundcube/sendmail | emergency-mail 3000
*/20 * * * * imp-spam-check -p 1hour -m 60 -d 10,10 -l /home/pangea/logs/horde/horde3.log | emergency-mail 3000
```
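The postfix-spam-check line above thresholds on messages (`-m 90`) and on the IP and network spread of each user (`-d 5,5`). The following added example, which is not spam-gear code, builds that per-user profile from Postfix SASL log lines and reports the users over the thresholds. It assumes `-d` counts distinct client IPs and distinct networks at /24 (IPv4) or /64 (IPv6) granularity and that a threshold is exceeded when strictly greater; the mail.log excerpt is constructed.

```python
"""Per-user sending profile from Postfix SASL log lines, in the spirit of the
postfix-spam-check cron line above.

Added example, not spam-gear code. For each authenticated sender it counts
messages, distinct client IPs and distinct networks (/24 for IPv4, /64 for IPv6,
an assumption about what -d means) and flags users that exceed the thresholds
from the cron line above: 90 messages or 5 IPs / 5 networks. Log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# postfix/smtpd line written after a successful SASL login; only these fields are used.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue>[0-9A-F]+): client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*\bsasl_username=(?P<user>\S+)"
)


def network_of(ip):
    """/24 for IPv4, /64 for IPv6 (assumed granularity)."""
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize(lines):
    """Per user: message count plus the sets of client IPs and networks seen."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "networks": set()})
    for line in lines:
        m = SASL_RE.search(line)
        if not m:
            continue  # qmgr, cleanup and unauthenticated clients are not sending users
        ip = ipaddress.ip_address(m.group("ip"))
        s = stats[m.group("user")]
        s["messages"] += 1
        s["ips"].add(str(ip))
        s["networks"].add(network_of(ip))
    return dict(stats)


def offenders(stats, max_messages=90, max_ips=5, max_networks=5):
    """Users over any threshold (strictly greater, an assumption), with the reasons."""
    out = {}
    for user, s in stats.items():
        reasons = []
        if s["messages"] > max_messages:
            reasons.append(f"{s['messages']} messages")
        if len(s["ips"]) > max_ips:
            reasons.append(f"{len(s['ips'])} IPs")
        if len(s["networks"]) > max_networks:
            reasons.append(f"{len(s['networks'])} networks")
        if reasons:
            out[user] = reasons
    return out


def sample_log():
    """Constructed mail.log excerpt: alice sends three messages from her usual host;
    bob's credentials are used from twelve addresses in six different /24s."""
    lines = []
    for i in range(3):
        lines.append(
            f"Jan  1 12:00:0{i} mail postfix/smtpd[1201]: A1B2C{i}: "
            "client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com"
        )
    for i in range(12):
        lines.append(
            f"Jan  1 12:01:{i:02d} mail postfix/smtpd[1337]: D{i:04X}: "
            f"client=unknown[203.0.{i % 6}.{10 + i}], sasl_method=LOGIN, sasl_username=bob@example.com"
        )
    lines.append("Jan  1 12:02:00 mail postfix/qmgr[900]: A1B2C0: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)")
    lines.append("Jan  1 12:02:01 mail postfix/smtpd[1201]: E5F6A7: client=mx.example.org[192.0.2.25]")
    return lines


if __name__ == "__main__":
    for user, reasons in offenders(summarize(sample_log())).items():
        print(f"{user}: {'; '.join(reasons)}")  # bob@example.com: 12 IPs; 6 networks
```

In the sample, bob never comes near the 90-message limit, yet the IP and network spread flags him within the window: a password used from a dozen networks in one hour is a stolen credential long before the volume shows it, which is why the spread thresholds are worth tuning separately from the message count.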
Periodically check for DNSBL inclusion, using Nagios or a cronjob.
Monitor and analyse your spam patterns with Baruwa, and create MailScanner rules accordingly.
Use Postfix header checks to relay bad-reputation users to secondary mail servers
```
/^Received:.*\(Authenticated sender: (baduser1|baduser2|baduser3)\)\s*by\b/ FILTER
```
Check outgoing mail for spam
Develop custom MailScanner rules for phishing attacks
Use Postfix check_recipient_access to block known phishing return addresses
```
# recipient_access
[email protected] REJECT Don't reply to spammers
[email protected] REJECT Don't reply to spammers
```