Thursday, September 9, 2010

Archive for the ‘Tech Tips’ Category

Spammers

Posted by admin On December - 13 - 2009

Inbound spam is the scourge of the modern internet and, the inconvenience to users aside, can cause serious performance and resource issues on the server. These affect both the server as a whole and, in particular, the timely delivery of legitimate email.

The best way to tackle inbound spam is at its entry point into the server: the MTA, i.e. exim, the SMTP server used by cPanel. By rejecting spam before it has even entered the server you save both the server resources that would be spent delivering the email and the cost of running 3rd-party tools to detect spam further along the relay process.

To do this, the work has to be done at the RCPT stage of the SMTP protocol. This stage occurs during the transaction between the sending and receiving SMTP servers and comes before the actual body of the email arrives on the server. The primary form of spam attack is the dictionary attack:

A common technique for spammers to use is what is known as a dictionary attack on a domain. A dictionary attack, in our context, is a single SMTP connection that attempts to send email from a spam source to a random set of names on our domain, e.g. bob@ourdomain.com, fred@ourdomain.com, harry@ourdomain.com, in the hope that one of the many hundreds tried will hit a real mailbox and deliver the spam.

This technique is used by spammers mainly because most people don’t advertise their email addresses (due to spam!) and they want to access this untapped market.

To prevent this type of spam getting through, it is essential that, wherever possible, you do not use the Default Address (catch-all) feature within cPanel to receive email. You should always set up specific Forwarders (aliases) for any email addresses you use and set the Default Address to :fail: for each domain.

With :fail:, exim rejects email to unknown recipients at the SMTP RCPT stage, which makes dictionary attacks futile. Additionally, you can use exim ACLs to block sources that repeatedly perform dictionary attacks, further relieving the server of the load of dealing with them.

From a server performance perspective, it is essential that you use :fail: and not :blackhole: with email addresses or the Default Address to block such spam (:blackhole: still accepts the message and then discards it, so the server pays the full cost of receiving it). More information on the reasoning for this is presented here.
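The check that follows is an added example, not code from the original post. It audits the Default Address of every domain the way a cPanel server stores it: one file per domain under /etc/valiases, with the catch-all on the line whose address is "*". The three domain files are constructed in a temporary directory so the script runs anywhere; on a real server you would point audit_catchalls at /etc/valiases.

```sh
#!/bin/sh
# Added example: report which domains still accept or blackhole mail for
# unknown recipients instead of rejecting it with :fail:.
# Assumes cPanel's /etc/valiases/<domain> layout; sample files are constructed.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# good.example rejects unknown recipients at RCPT time (the recommended setting)
cat > "$SAMPLE_DIR/good.example" <<'EOF'
info@good.example: joe
*: :fail: No Such User Here
EOF
# hole.example accepts and silently discards: the server still receives every message
cat > "$SAMPLE_DIR/hole.example" <<'EOF'
*: :blackhole:
EOF
# catchall.example delivers every unknown address to a mailbox: dictionary attacks succeed
cat > "$SAMPLE_DIR/catchall.example" <<'EOF'
sales@catchall.example: sales
*: sales@catchall.example
EOF

# Print "domain<TAB>verdict<TAB>target" for each domain file in directory $1.
audit_catchalls() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        domain=$(basename "$f")
        # the last "*:" line is the Default Address; drop the "*:" prefix
        target=$(grep '^\*:' "$f" | tail -n 1 | sed 's/^\*: *//')
        case "$target" in
            ":fail:"*)      verdict="ok" ;;
            ":blackhole:"*) verdict="blackhole" ;;
            "")             verdict="no-default" ;;
            *)              verdict="catchall" ;;
        esac
        printf '%s\t%s\t%s\n' "$domain" "$verdict" "$target"
    done
}

# Exit status 0 when every domain rejects unknown recipients with :fail:, 1 otherwise.
catchalls_all_fail() {
    audit_catchalls "$1" | awk -F'\t' '$2 != "ok" { bad++ } END { exit (bad > 0) }'
}

audit_catchalls "$SAMPLE_DIR"
if catchalls_all_fail "$SAMPLE_DIR"; then
    echo "all domains reject unknown recipients"
else
    echo "some domains accept or blackhole unknown recipients"
fi
```

A non-zero exit from catchalls_all_fail makes the audit usable from cron or a monitoring check, while the per-domain listing tells you which Default Address to change in cPanel.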

Another preventative measure is to enable the WHM options:

WHM > Exim Configuration Editor > Verify the existence of email senders.
WHM > Exim Configuration Editor > Use callouts to verify the existence of email senders.

These two options have exim check that any server attempting to relay email to yours can actually receive email in reply. This is an RFC requirement of an SMTP server, and a server's inability to do so indicates a likely spammer.

There are numerous other checks that you can also perform at the SMTP RCPT stage in exim ACLs. One example is using RBL checks to reject email from IP addresses that are known to harbour spammers, e.g.:

deny message = Message rejected - $sender_fullhost is in an RBL, see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
dnslists = bl.spamcop.net : sbl-xbl.spamhaus.org

You can also check the format of email headers to ensure that they’re RFC compliant, which many spam servers are not. A typical example is checking the SMTP HELO/EHLO protocol command to ensure it’s correctly structured, e.g.:

deny message = HELO/EHLO set to my IP address
condition = ${if match {$sender_helo_name}{11.22.33.44} {yes}{no}}

(where 11.22.33.44 is your server's main IP address)

deny message = EHLO/HELO does not contain a dotted address
condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

Finally, once the email has passed through these hoops, you can implement a 3rd party application to scan emails and tag them as likely spam. cPanel has an inbuilt solution that uses SpamAssassin to score email likely to be spam. You can then have such emails filtered to a special account or the client can filter such emails based on the email header record modifications made by SpamAssassin.

An alternative is to use a more thorough tool such as MailScanner which can be very effective at scoring spam emails.

A free installation tool is available for cPanel servers from us here or as a paid service here.

However, a cPanel server using such a tool is not supported by cPanel and would have to be removed/disabled before cPanel would investigate any email related issues should you need support.

Outbound spam from compromised scripts

Outgoing spam is likely to come from one of two sources:

  1. Indirectly, from a compromised web script in a client's account
  2. Directly, from a client

The starting point for both will be the exim mainlog:

/var/log/exim_mainlog (Linux)
/var/log/exim/mainlog (FreeBSD)

For the purpose of this document I am going to assume a Linux OS.

The most laborious way to track messages down is to trawl the exim mainlog and to look for anomalous behaviour. This is actually very difficult to do and you really need to narrow down exactly what you are looking for.

Tracking down spammers is a difficult affair, but can be made easier with some preparation of your server's environment. I would strongly advise that you add the following to the exim configuration to enable some extended logging that makes tracking down on-server spammers much easier:

In WHM > Exim Configuration Editor > Switch to Advanced Mode > in the first textbox add the following line and then Save:

log_selector = +arguments +subject

This tells exim to log the directory on disk from which the command that submitted the email was run, and the subject of the email. You can then interrogate the exim mainlog more easily.

The best way to do this is to obtain the original email header from the spam originating from your server. You should receive this either from the person reporting the spam, or from the remnants of a spam run in the exim mail queue.

The part of the email we need is the exim message id in the Received: header line within the spam's email header.

As an example, take the following email header:

Return-path: <bob@barfoo.com>
Received: from [11.22.33.44] (helo=barfoo.com)
by foobar.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.52)
id 1FZ8z3-0006M4-Do
for fred@foobar.com; Thu, 27 Apr 2006 17:04:49 +0100
Received: from forums by barfoo.com with local (Exim 4.43)
id 1FZ8zt-0005lz-E7
for fred@foobar.com; Thu, 27 Apr 2006 12:05:41 -0400
To: fred@foobar.com
Subject: Buy Me!
From: bob@barfoo.com

Each server that handles the email adds its own Received: line above the existing ones, so the original Received: line that we’re interested in is the lowest one:

Received: from forums by barfoo.com with local (Exim 4.43)
id 1FZ8zt-0005lz-E7
for fred@foobar.com; Thu, 27 Apr 2006 12:05:41 -0400

And the id we want is 1FZ8zt-0005lz-E7

This is the unique identifier for this email that has originated from the server. With this, we can follow the exim transaction on the server to see how it was processed using:

grep 1FZ8zt-0005lz-E7 /var/log/exim_mainlog

(be aware that the exim_mainlog files may have been rotated, so you may have to expand the compressed archives and search them instead)

This transaction may look something like this:

2006-04-27 17:43:41 1FZ8zt-0005lz-E7 <= bob@barfoo.com U=nobody P=local S=4001 T="Buy Me!"
2006-04-27 17:43:50 cwd=/home/ClientX/public_html/phpBB/ 5 args: /usr/sbin/exim -Mc 1FZ8zt-0005lz-E7
2006-04-27 17:43:53 1FZ8zt-0005lz-E7 => fred@foobar.com R=lookuphost T=remote_smtp H=foobar.com [44.33.22.11] X=TLSv1:AES256-SHA:256
2006-04-27 17:43:53 1FZ8zt-0005lz-E7 Completed

In this example, we can see that the email originated from the nobody user locally on the server. This means that the likely spam was sent from a script on the server. The nobody user is used to run the Apache web server and is the default username and group that Apache will execute web scripts as. Two things can affect this:

  1. suexec, if enabled, will run CGI scripts as the owner of the script file, typically the cPanel account name
  2. phpsuexec, if enabled, will run PHP scripts in the same manner as CGI scripts

suexec is almost always enabled on web servers, and phpsuexec may or may not be. If phpsuexec is not enabled, then in all likelihood the script run under the nobody account will be a PHP script.

From the example above we can see that a script was run from within the /home/ClientX/public_html/phpBB/ directory on the server, which would suggest a compromised PHP script within that directory.

Here’s another example of spam originating from a client instead of a script. This can happen either with malicious intent, or because the client's PC has been compromised by a virus or worm:

2006-04-27 17:54:51 1FZ9lT-000707-O2 <= bob@barfoo.com H=someisp.com ([192.168.254.2]) [11.22.33.44] P=esmtpa A=fixed_plain:bob@barfoo.com S=715 id=ABCDEFG T="Buy Me!"
2006-04-27 17:54:51 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FZ9lT-000707-O2
2006-04-27 17:54:51 1FZ9lT-000707-O2 => fred@foobar.com R=boxtrapper_autowhitelist T=boxtrapper_autowhitelist
2006-04-27 17:54:52 1FZ9lT-000707-O2 => fred@foobar.com R=lookuphost T=remote_smtp H=foobar.com [44.33.22.11] X=TLSv1:AES256-SHA:256
2006-04-27 17:54:52 1FZ9lT-000707-O2 Completed

In this example, the key part is:

A=fixed_plain:bob@barfoo.com

This shows that the email was authenticated for relaying using SMTP AUTH (i.e. the fixed_plain authenticator) with the username bob@barfoo.com, from that client's PC.
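The script below is an added example, not code from the original post. It automates the two readings of the exim mainlog worked through above, once log_selector = +arguments +subject is in place: which directories are submitting mail as the nobody user (and how often), and which SMTP AUTH logins are relaying. The log lines are constructed here and follow the line formats shown in the examples above; on a real server you would run the functions against /var/log/exim_mainlog.

```sh
#!/bin/sh
# Added example: summarise script-submitted and authenticated mail in an exim
# mainlog written with "log_selector = +arguments +subject".
# The sample log is constructed to match the formats shown in the post.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2006-04-27 17:43:41 1FZ8zt-0005lz-E7 <= bob@barfoo.com U=nobody P=local S=4001 T="Buy Me!"
2006-04-27 17:43:50 cwd=/home/ClientX/public_html/phpBB/ 5 args: /usr/sbin/exim -Mc 1FZ8zt-0005lz-E7
2006-04-27 17:43:53 1FZ8zt-0005lz-E7 => fred@foobar.com R=lookuphost T=remote_smtp H=foobar.com [44.33.22.11]
2006-04-27 17:43:53 1FZ8zt-0005lz-E7 Completed
2006-04-27 17:44:02 1FZ90A-0005m1-Aa <= bob@barfoo.com U=nobody P=local S=3998 T="Buy Me!"
2006-04-27 17:44:03 cwd=/home/ClientX/public_html/phpBB/ 5 args: /usr/sbin/exim -Mc 1FZ90A-0005m1-Aa
2006-04-27 17:44:05 1FZ90A-0005m1-Aa Completed
2006-04-27 17:46:12 1FZ92C-0005n3-Cc <= nobody@server.example U=nobody P=local S=2210 T="Contact form"
2006-04-27 17:46:13 cwd=/home/ClientY/public_html/ 5 args: /usr/sbin/exim -Mc 1FZ92C-0005n3-Cc
2006-04-27 17:46:14 1FZ92C-0005n3-Cc Completed
2006-04-27 17:50:00 1FZ95F-0005p5-Ff <= alice@example.org U=alice P=local S=512 T="Invoice"
2006-04-27 17:50:01 cwd=/home/alice 5 args: /usr/sbin/exim -Mc 1FZ95F-0005p5-Ff
2006-04-27 17:50:02 1FZ95F-0005p5-Ff Completed
2006-04-27 17:54:51 1FZ9lT-000707-O2 <= bob@barfoo.com H=someisp.com ([192.168.254.2]) [11.22.33.44] P=esmtpa A=fixed_plain:bob@barfoo.com S=715 id=ABCDEFG T="Buy Me!"
2006-04-27 17:54:51 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FZ9lT-000707-O2
2006-04-27 17:54:52 1FZ9lT-000707-O2 Completed
EOF

# Ids of messages accepted on the local interface from the nobody user, i.e.
# mail submitted by web scripts when Apache runs them as nobody (phpsuexec off).
# Fields: $1 date, $2 time, $3 message id, $4 "<=" for an arrival line.
script_message_ids() {
    awk '$4 == "<=" && /U=nobody/ && /P=local/ { print $3 }' "$1"
}

# Pair each script-submitted id with the cwd= line that +arguments logged for
# it (the id is the last field of that line) and count submissions per
# directory, most active first. Matching is by id, so line order is irrelevant.
script_cwd_counts() {
    awk '
        $4 == "<=" && /U=nobody/ && /P=local/ { script[$3] = 1 }
        $3 ~ /^cwd=/                           { cwd[$NF] = substr($3, 5) }
        END {
            for (id in script) if (id in cwd) count[cwd[id]]++
            for (d in count) print count[d], d
        }
    ' "$1" | sort -rn
}

# Messages accepted over authenticated SMTP (A=<authenticator>:<login>),
# counted per login, to find the client account or compromised PC relaying.
auth_sender_counts() {
    awk '
        $4 == "<=" { for (i = 5; i <= NF; i++) if ($i ~ /^A=/) { sub(/^A=[^:]*:/, "", $i); print $i } }
    ' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

echo "Script submissions per directory:"
script_cwd_counts "$SAMPLE_LOG"
echo "Authenticated submissions per login:"
auth_sender_counts "$SAMPLE_LOG"
```

The directory with the highest count is where to look for the compromised script; a login that appears far more often than its owner's normal volume is the account to lock and the client to contact.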

As you can see, a great deal of work is needed to track down spammers on a server, plus there’s the additional work of closing the holes in insecure scripts if they are the cause. Some instances are much more complex and require trawling through the Apache logs for each domain in /usr/local/apache/domlogs/*, which is not a trivial matter.

The best security from such exploitation is to keep your server secure and to be aware of who and what you allow on your server.

How to install MRTG on Your Cpanel Server

Posted by dishan On July - 15 - 2009

The Multi Router Traffic Grapher, or simply MRTG, is free software for monitoring the traffic load on network links. It allows the user to see traffic load on a network over time in graphical form. MRTG generates HTML pages containing graphical images which provide a live visual representation of this traffic. How does it work? MRTG uses the Simple Network Management Protocol (SNMP) to send requests with two object identifiers (OIDs) to a device. The device, which must be SNMP-enabled, has a management information base (MIB) in which it looks up the OIDs specified. After collecting the information it sends back the raw data in an SNMP response. MRTG records this data in a log on the client along with previously recorded data for the device. The software then creates an HTML document from the logs, containing a list of graphs detailing traffic for the selected device.

This is a “How to” for installing MRTG (2.9.17) on a cPanel server. Let’s start:

# Download the software (http://SERVER_IP/mrtg) and move it to your download folder on your server, or use the RPM installation information further down below.
cd /root/downloads

# Uninstall any older version in case we have an old/broken installation
rpm -e mrtg

# Get the latest rpm. The RPM might not reflect the latest available stand-alone version
wget http://SERVER_IP/mrtg
# Or grab a newer version from here: http://SERVER_IP/mrtg

# Install the application
rpm -Uvh mrtg-2.9.17-1cpanel.i386.rpm

# Move the old libpng aside
cd /usr/lib
mv libpng.so.2 libpng.so.2.OLD

# Create the symlink
ln -s libpng.so.3 libpng.so.2

# Edit the language settings and specify only "en_US"
pico /etc/sysconfig/i18n

# Restart MRTG
service mrtg restart

# Configure MRTG to allow only your local IP to see the reports at http://SERVER_IP/mrtg
# Important: if your local IP changes often due to DHCP (common on DSL), skip this step.
pico /usr/local/apache/conf/httpd.conf

# Search for the line (CTRL+W). It should look like this:

Options Indexes FollowSymlinks MultiViews
AllowOverride None
Order allow,deny
Allow from all

# After the last line of that block, paste this and change the allowed IPs:

order deny,allow
allow from [ SERVER IP ]
allow from [YOUR LOCAL IP]
deny from all

# Restart httpd
service httpd restart

# Let's have MRTG start with the system
chkconfig --level 0123456 mrtg on

# Important: add MRTG to the up2date skip-list of your server. If you don't, your MRTG installation will be broken after the next system update.
up2date --configure
# Select the skip-list option
# Add mrtg to the skip-list
"mrtg*"

That's it.

This is a question that most people with large databases have. This tool will help you with it.

So you have a larger MySQL database of more than 30 MB, you want to move it to a new server, and you’re unable to import your database to the new server via phpMyAdmin due to its time and size limitations.
But don’t worry, it’s not a big problem. It can be done using a tool called BigDump.

Here are the steps involved in moving your large database to a new server easily.

1. First you will have to download your old mySQL database to your local computer. This can be done via phpMyAdmin using the Export function.

2. Download the dumper from BigDump website, and unzip it to your local computer, using Winzip or any other unzip tool.

3. Create a new folder named e.g. “dump” on your new web server, and change its permissions to chmod 777. (Do change it back to the default when you’re done importing the database.)

4. Open the unzipped file bigdump.php in a text editor like notepad, and adjust the database setting, i.e. database name, username, password.

5. Upload bigdump.php along with the dump file (downloaded from old server) to the new server under the directory we just created named “dump”

6. Now open the bigdump.php file in a browser, e.g. Firefox or Internet Explorer, using an address something like http://www.yourwebsite.com/dump/bigdump.php

7. Select the appropriate options and start the process, then wait for it to finish. Do not close your browser; if you do, you will have an incomplete database on your new server. As the dump file is already present on the server, the process will take less than a minute if the dump file is, say, 40 MB.

8. You must remove your dump (MySQL) file and the bigdump.php file from your server, also delete the dump folder, or change its permissions back to default which is 755 or 644.

Difference Between Bandwidth and Data Transfer

Posted by admin On January - 29 - 2009

We posted an ad on a very very popular web hosting forum recently and our ad was rejected because we had a line that said – UnMetered 100Mbit Internet connection. – the next line read 2000GB (2TB) of data transfer. – THE REASON – the Moderator told me that they do not allow unlimited or unMetered offerings. So I told him we did not offer that, and asked if he knew the difference, and from the response I received, I realised he did not. – So let me explain it so everyone can understand it.


How to Move Cpanel Site over to diffent Server

Posted by dishan On January - 23 - 2009

Hi guys, working on cPanel servers, most people ask me this question: what is the best way to move a complete site without any data loss?


Why Outsource Your Web Infrastructure:

Posted by admin On January - 10 - 2009

When choosing between build, buy, or outsource, the decision is never easy, particularly with web infrastructure and web-based applications. Many factors are involved in this decision, both qualitative and quantitative. When making a decision about outsourcing Web applications and infrastructure, or even simple web hosting, the following factors should be among the most important influencers on your decision:

  • Cost
  • Reliability
  • Expertise
  • Timing
  • Support

This article discusses issues to consider in each of these areas and will show that, for the majority of companies, outsourcing web hosting is the best solution.

Cost

The cost of implementing the necessary steps required to host a web site is probably the biggest reason why 62% of companies outsource this activity. A web server is merely the first of many purchases and ongoing expenditures required for hosting a web site. In addition to the expected upfront and ongoing costs, upgrading hardware and software and replacing malfunctioning parts can create unexpected expenditures. When outsourcing, the hosting company takes care of these issues at no additional cost. When outsourcing, your site can be live in days, rather than in the weeks or months it may take to purchase equipment and hire technical personnel. A web hosting company has a server to meet your needs in stock now, and has the personnel on-staff to set your site up quickly. Figure 1 compares the operating costs in the first three years of an in-house operation versus outsourcing. Of course, these costs are estimates and may differ for any one specific situation. As well, this comparison is based on a Linux or a Windows 2000 solution.

The comparison makes the following assumptions:

  • No upgrades of software or hardware are made in the first three years.
  • Personnel recruiting costs are not included in the cost of this endeavor.
  • No equipment failures or malfunctions requiring replacement.
  • The company hosting its own site has a high-speed Internet connection and will not incur additional charges for the connection.

Figure 1 - Comparative Cost of Hosting

Year One                                        In-House    Outsourcing
----------------------------------------------  ----------  -----------
Unix Web Server                                 $10,000     $15,000
Router/CSU/DSU/Firewalls etc                    $10,000     $0
UPS Backup                                      $1,000      $0
Software Licensing                              $4,000      $0
Hardware servicing fees (15% depreciation)      $1,500      $0
Staffing                                        $60,000     $0
DS-3/ Gig-E Internet Connectivity (Burstable)   $15,000     $0
Hydro – Power Requirements                      $3,000      $0
Initial Configuration/Setup                     $5,000      $1200
Total Expense for Year One                      $109,500    $16,200

Year Two                                        In-House    Outsourcing
----------------------------------------------  ----------  -----------
Hardware servicing fees (15% depreciation)      $1,500      $0.00
Staffing                                        $60,000     $0.00
DS-3/ Gig-E Internet Connectivity (Burstable)   $15,000     $0.00
Total Expense for Year Two                      $76,500     $16,200

Outsource Saving in Year One                    $93,300
Outsourcing saving year after year              $60,300

Even this financial comparison, however, does not fully describe the greater value obtained by outsourcing. A web hosting company will have multiple ISP connections so that your site is less likely to go down from communications problems. A web hosting company will also have a connection that is closer to the internet backbone, thereby increasing the speed at which changes are reflected to end users. By outsourcing your web hosting, you get redundant power sources, a cooling system, a secure facility for the server (to secure your site from hackers and from those wishing to physically harm your server) and a backup system to decrease the probability of problems arising from power outages and natural disasters. Finally, when you outsource web hosting, you can pay for what you need when you need it. For example, if your site is small now, but you expect it to grow, you can purchase a smaller package now and upgrade as your site grows. If you were hosting in-house, you would likely purchase more power than you need now to defer the high cost of upgrading your system down the road.

Reliability

A web hosting company must have many redundant systems to stay in business. Because of the scale of a typical web hosting company, the cost of these systems to each individual client is minimal. Having these systems in place ensures that your web site will be live for a greater percentage of the time than if you hosted your site on your own servers without multiple redundant systems. At C I Host, there are no single points of failure. Every system, from telecommunications to our power supply, is backed up by a second system. Redundancy is built into every aspect of the data center network. No fewer than two Internet carriers connect each site to the Internet backbone. Service is delivered to our data center via multiple carriers. Routing and switching hardware is redundant throughout the C I Host network and a variety of protocols, such as BGP4, allow the network to operate flawlessly even in the event of a device failure. In addition to the redundant systems, C I Host has on-hand systems specialists at all times. These experts can resolve hardware and software problems, replace malfunctioning or broken parts and can anticipate problems to avoid downtime altogether. With spare parts and extra servers available at all times, even a hardware malfunction can be fixed quickly. For a company hosting its own web site, replacing malfunctioning parts can take a web site down for as long as it takes to order the required part and to install it. Outsourcing dramatically decreases such downtime.

Expertise

In this economy, hiring competent people is difficult, and hiring competent technical people is nearly impossible. Once hired, turnover among technical staff can be high. A web hosting company can offer technical people the types of challenges they desire due to the varied day-to-day requirements of each job. Because of this, a web hosting company develops expertise among its employees so there will be several people that can work with your company on your specific needs and can help you anticipate problems before they occur.

To properly maintain a web site, people are required for the following tasks:

  • Hardware and software installation
  • Hardware and software monitoring
  • Server administration
  • Server security (e.g., firewalls, watching for hackers, etc.)

A web hosting company will have many people to do each of these tasks so once again there is no single point of failure. Redundancies in people, in addition to the redundancies in technology, enhance the reliability of your system.

Support

Although, in a perfect world, problems never occur, it is important that there is a support system in place for those infrequent times that problems do occur. C I Host offers clients 24-hour support, seven days a week. This means that you can call our technical staff at any time to discuss a problem and we guarantee that the problem will be solved (see our service level agreement). Unlike some hosting companies, C I Host has technical support on-site all day, every day, so if you have a problem after business hours, you’re not speaking to an answering service and paging someone. You speak to a live person who answers the phone on-site. As well, C I Host has 24/7 surveillance on-site. This means that security personnel are guarding the servers at all times. When hosting a web site, one not only must take precautions against on-line intruders, but also must prepare for people who want to physically damage the server hosting your site. C I Host’s surveillance systems dramatically decrease the likelihood of this type of problem.

Summary

When it comes to hosting your company’s web site, it is easy to know what to do, but knowing how to do it and implementing the plan is more difficult. Outsourcing web hosting allows you to concentrate on your core competencies and have someone else focus on what they do best - web hosting. When you outsource, you entrust your web site to a company with greater experience in web hosting. You partner with a company with the resources to have redundancies in both people and technology. This brings you peace of mind.