
Outgoing Spam Monitor (osm)

We’ve been quiet of late on the development front, but only on the blog. We are currently working on a new product that has been frequently requested by customers. It is still in development, but will enter Beta testing shortly. So, what is it?

ConfigServer Outgoing Spam Monitor (osm)

ConfigServer Outgoing Spam Monitor (osm) has been designed to use multiple methods to monitor outgoing email and SMTP connections for activity that could indicate a spammer is active on a server.

With the proliferation of web scripts in shared hosting environments that are often poorly maintained or badly written, the chances of a hacker exploiting vulnerabilities in scripts are at an all-time high. Additionally, end-user PCs and other devices that send email through a server (relay) and have been compromised and used as a spam source have always been a problem. These issues, along with spammers deliberately targeting hosting providers by purchasing accounts simply to send out spam, have made the diligence required to prevent spam from being sent from servers all the more demanding.

osm is for any server owner using cPanel who is concerned about future or active attempts to send out spam email through the server. It targets all the methods available to keep track of outgoing email and SMTP connections. It is designed to be used entirely from the cPanel WHM UI, which provides both configuration and viewing of reports generated by a daemon process running continuously on the server.

Features

  • Outgoing email sent via exim is tracked per cPanel account
  • Matching Subject headers for outgoing email sent via exim are tracked per cPanel account
  • Script path location (cwd) is tracked per cPanel account
  • Matching script path location (cwd) is tracked per cPanel account
  • Outgoing SMTP connections to remote servers (that bypass exim) are tracked
  • Matching script path location for outgoing SMTP connections to remote servers (that bypass exim) are tracked
  • Authenticated outgoing email is tracked by account and connecting IP address
  • osm uses real-time packet inspection to track SMTP connections; this is primarily useful if you cannot use the csf SMTP_BLOCK or cPanel provided equivalent feature
  • Configurable trigger levels for each type of tracking on a per email/connection per second basis
  • Apache Status used to link outgoing email with actual scripts being used
  • Multiple actions can be performed once a report is raised after a trigger level is reached:
    • Send an email report of the events
    • Store the report of events to view in the WHM UI
    • Hold outgoing email from the cPanel/email account in the exim queue
    • Discard outgoing email from the cPanel/email account
    • Suspend the whole cPanel account
    • Prevent the email account from logging in
    • Rename the reported path
    • Run the custom script configured in the WHM UI
    • Rename the file determined from the Apache Status
    • Block the IP address (AUTHRELAY, ALWAYSRELAY, POPRELAY, Apache Status) in csf
  • Custom action script is configurable and can be sent JSON, YAML, XML and PERL data structures to allow for client specific actions
  • Inheritance rules are used to configure all trigger levels for each cPanel account plus the default settings
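To make the tracking and trigger-level ideas above concrete, here is a small added example (written for this post, not osm's own code) that applies per-account trigger levels with default inheritance to outgoing mail records. It reads constructed exim mainlog-style lines, counts messages per account per second and repeated Subject headers per account, and when a configured level is reached produces a report and hands a JSON copy of it to any registered action callbacks, the way a custom action script might be fed. The log lines, account names, trigger levels and the `emails_per_second` / `same_subject` setting names are all assumptions; the `T="..."` subject field assumes exim's `log_selector` includes `+subject`.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed exim mainlog-style lines (sample data, not from a real server).
# The trailing T="..." field assumes exim's log_selector includes +subject.
SAMPLE_LOG = [
    '2024-03-01 10:00:00 1rXa1A-0001Ab-2C <= alice@example.com U=alice P=local S=1024 T="Invoice attached"',
    '2024-03-01 10:00:00 1rXa1A-0001Ac-2D <= noreply@example.com U=shop P=local S=2048 T="Cheap meds!!!"',
    '2024-03-01 10:00:00 1rXa1A-0001Ad-2E <= noreply@example.com U=shop P=local S=2048 T="Cheap meds!!!"',
    '2024-03-01 10:00:00 1rXa1A-0001Ae-2F <= noreply@example.com U=shop P=local S=2048 T="Cheap meds!!!"',
    '2024-03-01 10:00:01 1rXa1A-0001Af-2G <= noreply@example.com U=shop P=local S=2048 T="Cheap meds!!!"',
    '2024-03-01 10:00:05 1rXa1A-0001Ag-2H <= bob@example.com U=bob P=local S=512 T="Hello"',
]

# "<=" marks a message arrival in exim's log; U= is the local (cPanel) user it came from.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ U=(?P<user>\S+)'
)
SUBJECT_RE = re.compile(r' T="([^"]*)"')

# Hypothetical trigger levels: a default set, plus per-account overrides that
# inherit every setting they do not define themselves.
DEFAULT_LEVELS = {"emails_per_second": 2, "same_subject": 3}
ACCOUNT_LEVELS = {"alice": {"emails_per_second": 10}}


def levels_for(user):
    """Merge the default levels with the account's own overrides."""
    merged = dict(DEFAULT_LEVELS)
    merged.update(ACCOUNT_LEVELS.get(user, {}))
    return merged


class OutgoingMonitor:
    def __init__(self, actions=None):
        self.recent = defaultdict(deque)                      # user -> arrival times in the last second
        self.subjects = defaultdict(lambda: defaultdict(int))  # user -> subject -> count
        self.reports = []
        self.seen = set()                                      # (user, trigger) already reported
        self.actions = actions or []                           # callables given the JSON report

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            return
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        user = m.group("user")
        levels = levels_for(user)

        # Sliding one-second window of this account's message arrivals.
        window = self.recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() >= 1:
            window.popleft()
        if len(window) > levels["emails_per_second"]:
            self._raise(user, "rate", f"{len(window)} messages in 1 second")

        # Repeated identical Subject headers from one account.
        sm = SUBJECT_RE.search(line)
        if sm:
            subject = sm.group(1)
            self.subjects[user][subject] += 1
            if self.subjects[user][subject] >= levels["same_subject"]:
                self._raise(user, "subject", subject)

    def _raise(self, user, trigger, detail):
        """Record a report once per (account, trigger) and run the configured actions."""
        key = (user, trigger)
        if key in self.seen:
            return
        self.seen.add(key)
        report = {"account": user, "trigger": trigger, "detail": detail}
        self.reports.append(report)
        payload = json.dumps(report)  # the data a custom action script could receive
        for action in self.actions:
            action(payload)


def scan(lines, actions=None):
    """Run every line through a fresh monitor and return the reports raised."""
    monitor = OutgoingMonitor(actions)
    for line in lines:
        monitor.feed(line)
    return monitor.reports


if __name__ == "__main__":
    for report in scan(SAMPLE_LOG, actions=[print]):
        pass
```

With the constructed input, the `shop` account raises a rate report on its third message within one second and a subject report once the same Subject has been seen three times; `alice`, whose override allows ten messages per second, and `bob` raise nothing. Deduplicating on (account, trigger) mirrors the fact that actions such as suspending an account only need to happen once per incident.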

We will provide more information once we enter Beta testing and will put out a call for limited slots for those that would like to help test at that time.

New cxs v9.13

Changes:

  • Improved Magento2 detection
  • Improved diagnostic output for support

New cxs v9.10

Changes:

  • File type detection improvements
  • Added version detection of Magento v1.*
  • Increased default --sizemax [size] to 1000000 to cater for larger exploits

New csf v12.03

Changes:

  • Make CC_IGNORE check case-insensitive
  • Improved TCP/UDP port inspection for IPv6 connections (affecting CT_*, PT_* and PT_SSHDKILL)
  • Updated cxs FontAwesome to v5
  • Added fixes for additional Include line processing
  • Fixed race condition when processing CC_* zip files that could sometimes prevent the csv files from being extracted
  • Updated HTTP::Tiny to v0.070

New cxs v9.09

Changes:

  • Modified privilege drop code to use defapache user setting before trying “nobody”
  • Removed redundant code from features not implemented
  • Fixed UI weekly scan description
  • Updated UI to FontAwesome v5 (keeping v4 for cPanel versions < 70.29)

New csf v12.02

Changes:

  • Removed CC_OLDGEOLITE and associated code so that all installations will now use the MaxMind GeoLite2 databases
  • Added more CLI options that work if csf is disabled
  • Added Include line support to 20 more /etc/csf/csf.* configuration files. See /etc/csf/readme.txt under “Include statement in configuration files” for the list of supported files
  • Added mangle and raw tables to csf --grep [IP] and modified output to show a new column with the table then the chain that a rule is in
  • Added mangle and raw tables to csf --status output and modified output to show a new header line with the table that a rule is in
  • Added new option USE_FTPHELPER. This enables the ftp helper via the iptables CT target on supporting kernels instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of RELATED state
  • Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request), all other ICMP traffic is allowed (which can help network performance) unless otherwise blocked. This is for IPv4, it does not affect IPv6
  • Improved rule placement to prevent existing connections bypassing ICMP_IN_RATE/ICMP_OUT_RATE limits
  • Updated csf.conf documentation relating to the ICMP/PING settings
  • Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance tools that state that ICMP timestamps should be dropped, you can enable this option. Otherwise, there appears to be little evidence that ICMP timestamps have anything to do with a security risk, and dropping them can impact network performance, so everyone else should leave this option disabled
  • csf and lfd now exit with status 1 on error or if disabled. However, this will not happen with csf if the CLI option used still works while disabled
  • USE_CONNTRACK is now enabled by default on new installations
  • Fixed DOCKER IPv6 warning message when DOCKER not enabled
  • Modified csf.blocklists for GREENSNOW to use https on existing and new installations

New cxs v9.08

Changes:

  • Fixed issue on cPanel servers where the shebang on cxsdbupdate.pl was incorrect which prevented it running on some systems

New cxs v9.07

Changes:

  • Added new option to cxsControl settings for statistics collection. This provides the ability to enable or disable the collection of statistical information for the cxsControl graphs. Existing and new installations will default to DISABLED to improve scanning performance
  • Database updates are now batch processed via cron (and when accessing the cxsControl UI) to improve scanning performance. The cronjob runs every 10 minutes from /etc/cron.d/cxsdb-cron
  • Added a check for Wnotify filechange to force flush the event buffer if it grows excessively
  • Modified --dbreport to be ignored if used in cxscgi.sh, cxsftp.sh and cxs Watch, updated docs to reflect the change