Spam and Anti-Virus Scanning

Spam and Virus Scanning

Virtualmin allows you to enable spam and virus scanning for email on a per-virtual-server basis, and to configure what happens to email classifies as spam or virus-laden. Under the hood, it scans email using the popular SpamAssassin http://spamassassin.apache.org/ package for spam detection, and ClamAV http://www.clamav.net/ for viruses.

SpamAssassin assigns each message it scans a score indicating how spammy it is, based on the content and servers it was sent from. Typically, anything with a score above 5 is regarded as most likely spam. ClamAV however just compares the message contents with a database of know virus signatures, and reports if any were found or not.

Turning On Spam and Virus Scanning

In a typical Virtualmin installation, you can enable filtering for a new or existing virtual server by just selecting the Spam filtering enabled? and Virus filtering enabled? checkboxes in the features section of the Create or Edit Virtual Server page.

If they do not appear, make sure that these features are enabled globally on your system. This can be done as follows :

  1. Login as root, open the System Settings category on the left menu, and click on Features and Plugins.
  2. Check the boxes next to Spam filtering and Virus filtering.
  3. Click Save. If you see any error messages about SpamAssassin or ClamAV not being installed, you'll need to install their packages on your system first.

Spam and Virus Filtering and Procmail

Internally, Virtualmin creates an /etc/procmailrc file that in turn runs a Procmail include file under /etc/webmin/virtual-server/procmail, depending on the domain to which each email received is sent. This then invokes the spamassassin and clamscan commands, then uses their output to decide if email should be delivered to a special folder or deleted.

SpamAsssassin is run with command-line parameters that tell it to use configuration files under /etc/webmin/virtual-server/spam, which can be different for each domain. This way, domain owners can customize their own SpamAssassin rules, spam levels and message modification settings.

Changing Delivery Destinations

By default, email classified as spam as delivered to the ~/Maildir/.spam file under each user's home directory. This shows up as a folder named spam in users' mail clients, and in Usermin. Email that is detected as containing viruses is deleted by default, as virus detection is almost 100% accurate.

However, you can change these destinations on a per-domain basis using Virtualmin. Some users may prefer that spam be deleted outright, or delivered normally so that it can be filtered by their mail clients. To change the delivery rules, the steps to follow are :

  1. Login to Virtualmin as root or as the domain owner.
  2. Select the domain from the left menu.
  3. Open the Server Configuration category, and click on Spam and Virus Delivery.
  4. Change the Destination for spam emails and for virus emails to whatever you want.
  5. Click Save. The changes will take effect for email delivered from now on.

In Virtualmin versions 3.54 and above, you can select to have email whose virus score is above some threshold deleted instead of being delivered to a spam folder. This can be used to stop the delivery of messages that are obviously spam, saving on disk spam and the bandwidth used to download them.

To delete high-scoring spam, just follow the steps above and set the Delete spam if score is above field to some number like 10.

Default Delivery Destinations

If you have spam and virus delivery destinations that you want used for all new domains, you can set them as follows :

  1. Login to Virtualmin as root.
  2. Open the System Settings category on the left menu, and click on Module Config.
  3. Select the Spam filtering options section.
  4. Change the Default delivery for spam and for viruses to whatever you want.
  5. Click Save.

To make changes for all existing domains, use the modify-spam.pl command-line API script.

Automatic Spam Clearing

If Virtualmin is configured to deliver spam to a separate folder for each user, this can end up consuming a lot of disk space and disk quotas. To keep usage down, it is possible have Virtualmin automatically delete users' spam that is more than a certain number of days old, or is taking up more than some amount of disk space.

To set this up for a single domain, the steps to follow are :

  1. Select the domain from Virtualmin's left menu.
  2. Open the Server Configuration category, and click on Spam and Virus Delivery.
  3. In the Automatically delete spam? field, select Yes, if older than and enter a number of days into the adjacent text box. I suggest 5 days, which is more than enough time for users to periodically check their spam folders for false positives.
  4. Click Save.

If you prefer to delete based on disk usage, select Yes, when mailbox exceeds instead and enter a maximum size for the spam folder. When this is exceeded, messages will be deleted oldest first until it is smaller than the specified size.

The default setting for new virtual servers can be set on the Module Config page in the Spam filtering options section. To make changes for all existing domains, use the modify-spam.pl command-line API script.

Speeding Up ClamAV on Debian Etch

By default, Debian 4.0 (Etch) comes with ClamAV packages that are out of date and buggy. The most common symptom of this is very slow virus scanning, and high CPU load from clamscan or clamd. However, there is a fix - you can update to a newer ClamAV version from the Debian volatile repository, at http://www.debian.org/volatile/

To use the volatile repository, SSH into your system as root and edit /etc/apt/sources.list. At the bottom, add the line :

deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

Then update ClamAV packages with the commands:

apt-get update
apt-get install clamav clamav-base clamav-daemon clamav-freshclam

Reducing CPU Load with Clamd

In the default Virtualmin configuration, each email received is processed with the clamscan command to check if it contains viruses. Unfortunately, this can take anywhere from seconds to minutes to run, particularly on VPS systems that have limited IO bandwidth or CPU resources. Most of this time is spent loading the virus database, which is continually growing as new viruses are found by the ClamAV authors.

Slowness running clamscan can cause email delivery to be delayed by several minutes, during which messages stay in the Postfix mail queue. It can also lead to high CPU load on the system, which then slows down other services like Apache or MySQL.

Fortunately, there is a fix - the clamd server process, which loads the virus database just once and then stays running. When email arrives, the clamdscan command connects to it, passes over the message to be scanned, then reads back the results. This typically only takes a seconds, even on a system with limited resources.

If your system is receiving a large amount of email, I recommend the use of clamd. It probably isn't worth running on a system used primarily as a web server though, as it consumes about 750MB of RAM at all times. ClamAV is not suitable for use on a low-memory system.

To enable the use of the ClamAV server process, follow these steps :

  1. Login to Virtualmin as root.
  2. Open the Email Messages category on the left menu, and click on Spam and Virus Scanning.
  3. At the bottom of the page you should see a button labelled Enable ClamAV Server - click it. If the button isn't visible, this means that Virtualmin doesn't know how to configure clamd on your operating system, and you will need to do it manually.
  4. After clicking, check the messages that appear to make sure that no errors were reported. If all went well, return to the Spam and Virus Scanning page.
  5. Change the Virus scanning program to Server scanner (clamdscan) , and click Save.

Virtualmin will check if clamd and clamdscan are working properly, and if so configure all virtual servers to use it for virus classification from now on.

Common ClamAV Problems

If Virtualmin reports that the clamscan command is not working on your system, here are some things to try :

  • Run freshclam to download the virus database. On some systems, the standard ClamAV packages do not include any virus data files, so clamscan cannot run.
  • Remove the Example line from /etc/freshclam.conf. On some systems this line exists by default, to intentionally prevent freshclam from running!
  • Make sure that the virus database path in /etc/clamd.conf matches the directory updated by freshclam. If not, clamd will not start due to the lack of data files.

Moving Spam and Virus Scanning to Another System

SpamAssassin and ClamAV can use up a lot of CPU time, which on a system that receives a lot of email can significantly slow down email processing. However, it is possible to move some of this load to a separate system, by making use of spamd and clamd, the SpamAssassin and ClamAV server processes.

These can be run on one or two other systems on your network, and Virtualmin on the master system that actually receives email configured to offload scanning to them.

In the instructions below, serverip is the IP address of the system that will be running spamd, and virtualminip is the IP of the Virtualmin machine.

Setting up Spamd on CentOS, Fedora or Redhat

  1. Login to the system you want to run spamd on as root
  2. Install SpamAssassin with : yum install spamassassin
  3. Edit the file /etc/sysconfig/spamassassin and add the following to the SPAMDOPTIONS line : -i serverip -A virtualminipAn example file would look like :
# Options to spamd
SPAMDOPTIONS="-d -c -m5 -H -i 193.9.101.242 -A 193.9.101.104"
  1. Run the following commands to start spamd :
/etc/init.d/spamassassin restart
chkconfig spamassassin on
  1. If you are using a firewall on this system, open up port 783 to enable connections to SpamAssassin

Setting up Spamd on Debian or Ubuntu

  1. Login to the system you want to run spamd on as root
  2. Install SpamAssassin with : apt-get install spamassassin
  3. Edit the file /etc/default/spamassassin , and change the line ENABLED=0 to ENABLED=1.
  4. In the same file, add the following to the OPTIONS line : -i serverip -A virtualminipAn example completed line would look like : OPTIONS="--create-prefs --max-children 5 --helper-home-dir -i 193.9.101.120 -A 193.9.101.104"
  5. Run the following commands to start spamd :
/etc/init.d/spamassassin restart
update-rc.d -f spamassassin defaults
  1. If you are using a firewall on this system, open up port 783 to enable connections to SpamAssassin

Configuring Virtualmin to Use a Remote Spamd

Once spamd is running on the remote system, you can configure Virtualmin to use it as follows. Note that this will prevent domains and mailboxes from having their own SpamAssassin rules, unless you setup spam to fetch them from a MySQL or LDAP database .

  1. Login to Virtualmin as root, and go to Email Messages -> Spam and Virus Scanning.
  2. Change the SpamAssassin client program menu to spamc.
  3. Set the Server host for spamc to the IP address of the remote server you setup above.
  4. Click Save.

Now try sending email to a mailbox in one of the domains with spam filtering enabled on your Virtualmin server, and check if SpamAssassin X-Spam headers are added. If not, check /var/log/mail* on both the Virtualmin and spam scanning systems for error messages, and /var/log/procmail.log.

Setting up Clamd on a Remote System

The easiest way to setup clamd is to use Virtualmin's built-in support for configuring it. The steps to do this are :

  1. Install Virtualmin GPL or Pro on the system to be used for running clamd. You don't need to create any domains, or run any other servers like MySQL or Postfix.
  2. Login to the new Virtualmin, and go to Email Messages -> Spam and Virus Scanning.
  3. Click the Enable ClamAV Server button.
  4. SSH into the system as root, and edit the file /etc/clamd.conf and make sure the line TCPSocket 3310 exists and is not commented out.
  5. Also make sure the line TCPAddr 127.0.0.1 does not exist or is commented out.
  6. Run the command /etc/init.d/clamd-virtualmin restart or /etc/init.d/clamd restart to apply the configuration changes.
    1. If you are using a firewall on this system, open up port 3310 to enable connections to ClamAV

Configuring Virtualmin to Use a Remote Clamd

Unfortunately, the executables provided as part of the ClamAV package do not seem to support connecting to a remote server. However, the clamd-stream-client program can do this, and can be used by Virtualmin versions 3.63 and later. You can download it from : https://sourceforge.net/projects/clamd-stream-cl/

Once you have the clamd-stream-client-1.3.tar.gz file on your Virtualmin system, it can be compiled and installed with the commands :

tar xvzf clamd-stream-client-1.3.tar.gz
cd clamd-stream-client-1.3
./configure
make
make install

You can now configure Virtualmin 3.63 or later to use it as follows :

  1. Login to Virtualmin as root, and go to Email Messages -> Spam and Virus Scanning.
  2. Change the Virus scanning program to Remote server scanner
  3. In the Server host for clamd-stream-client field, enter the hostname of the system running Clamd that you setup in the previous section.
  4. Click Save.

Assuming that clamd-stream-client works and can contact the remote system, it will be enabled and used for virus scanning for all domains.