search

bdraco / addon_securityadvisor

Old Security Advisor for cPanel 11.40 (upstream repo) -- Use CPANELINC/addon_securityadvisor
Other
16 stars 56 forks source link

Suggestions: Mail #25

Open Jamyn opened 11 years ago

Jamyn commented 11 years ago

Just documenting suggestions submitted by others so we don't lose them.

HoustonDad commented 10 years ago

I'm thinking of checking for a few things:

Checks for cPanel included DNS lists: (Spamcop, Zenhaus) Checks for SpamAssassin dnslist Checks for outgoing SpamAssassin routers in exim.conf

This area could cover a lot of ground. What header information were you suggesting to check?

Jamyn commented 10 years ago

We could expand this as you mentioned, but "Header additions" in the first comment mainly centered around:

  1. Is DKIM enabled?
  2. Is X-Source tracking enabled?
  3. Is "Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP" enabled?

These wouldn't hurt either:

  1. Is "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" enabled?
  2. Is "Prevent “nobody” from sending mail [?]" enabled?
  3. Is SpamAssassin enabled?
  4. Has SpamAssassin been updated recently? (it should update nightly w/cPanel, but if they have custom rules that are blocking the update...)
  5. Is "Max hourly emails per domain" set to something other than Unlimited? (anything > 100,000 would still generate a warning, perhaps)
  6. Is "Maximum percentage of failed or deferred messages a domain may send per hour" set to something other than Unlimited? (anything > 25% would still generate a warning)
HoustonDad commented 10 years ago

I've gotten a few of these checks knocked out. Created Mail.pm. Any feedback and suggestions is welcome.

75b4dbb12404b6de94361ce180911d068c26e385

bdraco commented 10 years ago

I'm not sure this really falls into the area of 'security' On Sep 24, 2013, at 10:40 AM, Jacob P notifications@github.com wrote:

I'm thinking of checking for a few things:

Checks for cPanel included DNS lists: (Spamcop, Zenhaus) Checks for SpamAssassin dnslist Checks for outgoing SpamAssassin routers in exim.conf

This area could cover a lot of ground. What header information were you suggesting to check?

— Reply to this email directly or view it on GitHub.

Jamyn commented 10 years ago

In one sense, it is security related, as there are two major use cases for (most of) these headers:

  1. an account is compromised and the mail needs to be tracked back to the source account;
  2. an account is spamming and attempting to hide the source. Typically they send using 'nobody' in this case.

Point 2 isn't really security related, but the value in raising these issues is that if they do have a problem with either, they can easily track back the account if they follow these recommendations. Without enabling many of these options what happens is:

  1. a mailer is uploaded to an exploited account under an innocuous name. Sometimes they'll add an .htaccess to change the php handler to something like hotsauce.html or spacer.gif to throw off log analysis. Ex:

AddHandler application/x-httpd-php5 spacer.gif

  1. batched destination addresses are uploaded via post to avoid log details;
  2. the account is used to send mass-mail, usually as nobody;
  3. the mailer script is deleted.
  4. the admin logs in to look for the source but on high-volume servers, it's harder to find anything useful.

By forcing addition of the mail headers, analysis is greatly improved.

Additionally, by setting a max fail/hour and max mail/hour, they limit the total impact when the account (compromised or intentionally) tries to send millions of mails/hour. Without some sort of ratelimit for failed and overall mail, it's highly likely the entire server will be placed on a blacklist.

Enabling these features after the fact isn't useful, so it's a good idea to make the suggestion beforehand.