Suggestions: Mail

[Jamyn]

Just documenting suggestions submitted by others so we don't lose them.

• something that reviews settings that may affect incoming and outgoing spam prevention and detection such as header additions and whether it's setup optimally. Especially the latter, as the headers of outgoing messages are often how I've caught account level AND root level compromises.

[HoustonDad]

I'm thinking of checking for a few things:

Checks for cPanel included DNS lists: (Spamcop, Zenhaus)
Checks for SpamAssassin dnslist
Checks for outgoing SpamAssassin routers in exim.conf

This area could cover a lot of ground. What header information were you suggesting to check?

[Jamyn]

We could expand this as you mentioned, but "Header additions" in the first comment mainly centered around:

1. Is DKIM enabled?
2. Is X-Source tracking enabled?
3. Is "Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP" enabled?

These wouldn't hurt either:

1. Is "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" enabled?
2. Is "Prevent “nobody” from sending mail [?]" enabled?
3. Is SpamAssassin enabled?
4. Has SpamAssassin been updated recently? (it should update nightly w/cPanel, but if they have custom rules that are blocking the update...)
5. Is "Max hourly emails per domain" set to something other than Unlimited? (anything > 100,000 would still generate a warning, perhaps)
6. Is "Maximum percentage of failed or deferred messages a domain may send per hour" set to something other than Unlimited? (anything > 25% would still generate a warning)

[HoustonDad]

I've gotten a few of these checks knocked out. Created Mail.pm. Any feedback and suggestions is welcome.

75b4dbb

[bdraco]

I'm not sure this really falls into the area of 'security'
On Sep 24, 2013, at 10:40 AM, Jacob P [email protected] wrote:

I'm thinking of checking for a few things:

Checks for cPanel included DNS lists: (Spamcop, Zenhaus)
Checks for SpamAssassin dnslist
Checks for outgoing SpamAssassin routers in exim.conf

This area could cover a lot of ground. What header information were you suggesting to check?

—
Reply to this email directly or view it on GitHub.

[Jamyn]

In one sense, it is security related, as there are two major use cases for (most of) these headers:

1. an account is compromised and the mail needs to be tracked back to the source account;
2. an account is spamming and attempting to hide the source. Typically they send using 'nobody' in this case.

Point 2 isn't really security related, but the value in raising these issues is that if they do have a problem with either, they can easily track back the account if they follow these recommendations. Without enabling many of these options what happens is:

1. a mailer is uploaded to an exploited account under an innocuous name. Sometimes they'll add an .htaccess to change the php handler to something like hotsauce.html or spacer.gif to throw off log analysis. Ex:

AddHandler application/x-httpd-php5 spacer.gif

1. batched destination addresses are uploaded via post to avoid log details;
2. the account is used to send mass-mail, usually as nobody;
3. the mailer script is deleted.
4. the admin logs in to look for the source but on high-volume servers, it's harder to find anything useful.

By forcing addition of the mail headers, analysis is greatly improved.

Additionally, by setting a max fail/hour and max mail/hour, they limit the total impact when the account (compromised or intentionally) tries to send millions of mails/hour. Without some sort of ratelimit for failed and overall mail, it's highly likely the entire server will be placed on a blacklist.

Enabling these features after the fact isn't useful, so it's a good idea to make the suggestion beforehand.