Looking for Outbound spam
Log files where we can look for more details are.
Add the following to the exim configuration to enable extended logging that makes it much easier to track down on-server spammers:
In WHM > Exim Configuration Editor > Switch to Advanced Mode > in the first textbox add the following line and then Save:
log_selector = +arguments +subject
This tells exim to log the path on disk from which the email was sent (the cwd= field in the log) and the subject of the email.
suexec, if enabled, will run CGI scripts as the owner of the script file, typically the cPanel account name.
phpsuexec, if enabled, will run PHP scripts in the same manner as CGI scripts.
How to fix the SpamAssassin Ruleset Bug
This bug can result in legitimate mail being flagged as spam.
The cPanel Development team has issued a hot fix that will address this issue and will automatically update the SpamAssassin ruleset to resolve this issue. If you have automatic cPanel updates enabled, no further action is required.
If you do not have automatic cPanel updates enabled, you can manually update the SpamAssassin ruleset by executing the following command in a root shell:
/scripts/autorepair spamd_y2010_fix
csf LF_SCRIPT_ALERT option
This option will notify you when a large amount of email is sent from a particular script on the server, helping track down spam scripts.
Spam Protection Alerts
If you want to add some spam protection, CSF can help. Look in the configuration for the following:
LF_SCRIPT_ALERT = 0: change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.
LF_SCRIPT_LIMIT = 100: change this to 250. This will alert you when any script sends out 250 email messages in an hour.
This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines appear with the same cwd= path in them within an hour. This can be useful in identifying spamming scripts on a server, especially PHP scripts running under the nobody account. The email that is sent includes the exim log lines and also attempts to find scripts that send email in the path that may be the culprit.
LF_SCRIPT_LIMIT is the limit after which the email alert for email scripts is sent. Take care with this value if you allow clients to use web scripts to maintain pseudo-mailing lists with large numbers of recipients.
Reference: http://www.configserver.com
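The counting behind that alert can be reproduced by hand on the exim log. The following is an added example, not CSF's own code: it buckets cwd= lines by clock hour (a simplification of "within an hour"), skips /var/spool paths as an assumption of this example, and runs on constructed sample log lines.

```shell
#!/bin/sh
# Added example: count exim "cwd=" lines per directory per clock hour.
# Usage on a real server (typical cPanel log path, an assumption here):
#   cwd_over_limit 250 < /var/log/exim_mainlog

# Prints "COUNT DATE HOUR:00 PATH" for each bucket with more than LIMIT lines.
cwd_over_limit() {
    limit=$1
    awk -v limit="$limit" '
        # With +arguments, exim logs: DATE TIME cwd=PATH N args: ...
        $3 ~ /^cwd=\// {
            hour = $1 " " substr($2, 1, 2)
            path = $0
            # Strip everything around the path so directories with
            # spaces in their names are still counted correctly.
            sub(/^[^ ]+ [^ ]+ cwd=/, "", path)
            sub(/ [0-9]+ args: .*$/, "", path)
            # Assumption: queue runners started from the spool are noise.
            if (path ~ /^\/var\/spool/) next
            count[hour SUBSEP path]++
        }
        END {
            for (k in count) if (count[k] > limit) {
                split(k, p, SUBSEP)
                printf "%d %s:00 %s\n", count[k], p[1], p[2]
            }
        }
    ' | sort -rn
}

# Constructed sample log lines (not taken from a real server).
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "2010-01-05 10:0$i:01 cwd=/home/alice/public_html/form 3 args: /usr/sbin/sendmail -t -i"
        i=$((i + 1))
    done
    echo "2010-01-05 10:20:00 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i"
    echo "2010-01-05 10:21:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q"
    echo "2010-01-05 11:00:05 cwd=/home/alice/public_html/form 3 args: /usr/sbin/sendmail -t -i"
}

# Demo with a limit of 5 so the small sample trips it.
sample_log | cwd_over_limit 5
```

A directory that shows up here is where to look for the sending script; the account owner is usually visible from the /home/USER prefix.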
hotmail and yahoo mail spam flagging issue
If you have more than one domain on your server it is better to use our SPF Record to fix this issue.
For example:
The server is sending mail as mail.serverbuddies.com, but when the receiving mail server performs a reverse PTR lookup, it finds serverbuddies.com: a mismatch. The solution is to tell qmail that it is sending mail as domain.com (here, serverbuddies.com) instead of mail.serverbuddies.com.
Here is the fix.
echo serverbuddies.com > /var/qmail/control/me
Spam whitelist limited to 100 addresses in Plesk Control Panel
By default Plesk only allows you to have 100 email addresses listed in your whitelist and blacklists.
This was done to limit CPU usage by SpamAssassin, because a user who adds several hundred mail addresses to one of the lists can degrade server performance. A user could also deliberately add a lot of addresses to a list and send a lot of mail, making the whole server very slow.
In the Plesk CP a user can see how many addresses can still be added to a list (100 minus the number of addresses already added). If more than 100 addresses were added before the upgrade to 8.1 (this limit doesn’t exist in earlier versions), the user will see a negative number.