40,137 Spam were filtered out on a server per day, How well the solution protect yours
arteryplanet
post Nov 6 2006, 07:51 AM
Post #21


Advanced Member
***

Group: Members
Posts: 51
Joined: 18-September 05
Member No.: 696



OK, I did find the issue; for some reason the cut/paste from your instruction text is not pasting well... Anyway, it is done, I just have two questions...

Should I run DCC compilation every day by cron?

Second question...

>Multi-lingual supports (Most languages still not translated, if you want to do it. You can translate in Skin Manager / Message Editor.)

I'm not finding where this is; I'm looking for Spanish.

Thank you in advance Pairote for this great script!
pairote
post Nov 6 2006, 04:56 PM
Post #22


Administrator
***

Group: Admin
Posts: 4,252
Joined: 13-June 03
Member No.: 1



To update DCC, run /var/dcc/libexec/updatedcc. I am not sure if it should run on a daily basis. Currently I run the update on a weekly basis. I just don't have time to monitor whether it makes a difference.
graziano
post Nov 16 2006, 03:31 PM
Post #23


Member
**

Group: Members
Posts: 19
Joined: 16-November 06
Member No.: 2,250



Hi


I installed this on my cpanel server
http://www.rvskin.com/index.php?page=public/antispam
and I applied the optimizations indicated in the first post:

1. Disable Spam scanning for outgoing email. http://forums.rvskin.com/index.php?s=&...post&p=4901
2. Rearrange the ACL for RBL and unknown user http://forums.rvskin.com/index.php?s=&...post&p=4788
3. Auto blacklist the Server sending high score spam mail to the server.
http://forums.rvskin.com/index.php?s=&...post&p=4739


Well, now in the first WHM Exim Configuration Editor, in the first textarea, I have

CODE
# clamd scanner for email
av_scanner = clamd:/var/clamd

log_selector = -host_lookup_failed -lost_incoming_connection
# For debugging purpose add +subject  and +argument.
# It will show the subject of email and the folder of the script invoking sendmail !.
# 200c-04-22 00:50:19 cwd=/home/username/public_html/spamsource 3 args: /usr/sbin/sendmail -t -i
# You will find spammer on your server easier.
#log_selector = +subject +arguments -host_lookup_failed -lost_incoming_connection
#http://www.webhostgear.com/118.html

# How many bad recipients must fail before we drop the connection?
ALLOWEDRCPTFAIL=3

##################################
# Sender blacklist and remote mail server blacklist
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.1
##################################
acl_smtp_connect = acl_check_host
#acl_smtp_mail = acl_check_sender

# If you implement HELO test, skip these 3 lines.
# If you don't implement HELO test, you need to remove # in a line below to declare rv_relay_host.
#hostlist rv_relay_hosts = net-iplsearch;/etc/relayhosts

##################################
# HELO TEST
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.3
##################################
hostlist rv_relay_hosts = net-iplsearch;/etc/relayhosts


##################################
# RBL setting + Sender whitelist + receiver whitelist + Remote mail server whitelist
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.4
##################################
domainlist rv_rbl_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_rbl_receiver_domain_whitelist
  
hostlist rv_rbl_server_ip_whitelist = net-iplsearch;/usr/local/cpanel/base/eximacl/rv_rbl_server_ip_whitelist
  
addresslist rv_rbl_sender_address_whitelist= lsearch*@;/usr/local/cpanel/base/eximacl/rv_rbl_sender_address_whitelist


##################################
# spam protection
# http://www.rvskin.com/index.php?page=public/antispam  POINT 5
##################################
addresslist rv_spam_sender_address_whitelist= lsearch*@;/usr/local/cpanel/base/eximacl/rv_spam_sender_address_whitelist



In the 2nd WHM Exim Configuration Editor, in the first textarea, I have


CODE
##################################
# Sender blacklist and remote mail server blacklist
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.1
##################################
#!!# This ACL is used at the start of an incoming connection.
#!!# The tests are run in order until the connection is
#!!# either accepted or denied.
acl_check_host:

##
# Reject email sent from mail server IP listed in the blacklist
##
deny message = Host $sender_host_address is blocked
hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist


##
# Reject email sent from mail server IP listed in the blacklist
##
deny message = Connection temporary denied from $sender_host_address after spam attack
hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl
!hosts = @[]
!hosts = +rv_relay_hosts

accept

#!!# This ACL is used for the MAIL FROM: command in an
#!!# incoming SMTP transaction. The tests are run in order until the
#!!# sender address is either accepted or denied.
acl_check_sender:

##
# Reject email sent from sender listed in the blacklist
##
deny message = Sender $sender_address is blocked
senders = /usr/local/cpanel/base/eximacl/rv_sender_address_blacklist
#delay = 3s



In the 3rd WHM Exim Configuration Editor, in the first textarea, I have

CODE
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.


################ANTI DICTIONARY ATTACK
################ http://www.configserver.com/free/eximdeny.html
accept hosts = :

    drop hosts = /etc/exim_deny
        !hosts = /etc/exim_deny_whitelist
        message = Connection denied after dictionary attack
        log_message = Connection denied from $sender_host_address after dictionary attack
        !hosts = +relay_hosts
        !authenticated = *


    drop message = Appears to be a dictionary attack
        log_message = Dictionary attack (after $rcpt_fail_count failures)
        condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
        condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
        !verify = recipient
        !hosts = /etc/exim_deny_whitelist
        !hosts = +relay_hosts
        !authenticated = *

# Accept bounces to lists even if callbacks or other checks would fail


################ END ANTI DICTIONARY ATTACK
################ http://www.configserver.com/free/eximdeny.html



  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  #if it gets here it isn't mailman
                                                                                                                                          

##################################
# HELO TEST
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.3
##################################

#
# Be polite and say HELO. Reject anything from hosts that haven't given
# a valid HELO/EHLO to us.
##
deny message = Bad HELO: Empty HELO, please see RFC 2821 section 4.1.1.1
condition = ${if eq{$sender_helo_name}{}{yes}{no}}

##
#  Forged hostname -HELOs as one of my own IPs
##
# Forged HELO (our ip/hostname)
deny message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to use it in HELO/EHLO as per RFC Standards.
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

##
# Forged hostname - HELOs as my own hostname or domain
##
deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards.
# accept helo which is in local_domain if we relay or had smtp auth
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}

##
# Hacked HELO (DOMAIN.com) (constructed by viruses)
##
deny message = Hacked HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
################################## END
# HELO TEST
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.3
################################## END




##################################
# RBL setting + Sender whitelist + receiver whitelist + Remote mail server whitelist
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.4
##################################

# sender verifications are required for all messages that are not sent to lists
require verify = sender


##
# If the receiver domain is on this server, deny if the receiver email address doesn't exist.
# The default address for the receiver domain has to be set to :fail: to work with this ACL.
# If the default address is set to :blackhole: or /dev/null, Exim will always think that the email address exists
# and pass to the lower ACL. Domains being attacked by dictionary attack spam are advised to set
# the default address to :fail:.
##
deny domains = +local_domains
       !verify = recipient
       log_message = unknown user
       message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."

##
# Reject email sent from server listed in DNS blacklists.
##
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
!hosts = @[]
!hosts = +rv_relay_hosts
!authenticated = *
# RBL Bypass Local Domain List
!domains = +rv_rbl_receiver_domain_whitelist
# RBL Whitelist Incoming hosts
!hosts = +rv_rbl_server_ip_whitelist
# RBL Bypass Sender Domain List
!senders = +rv_rbl_sender_address_whitelist
# The following is a list of RBL to check for spam.
dnslists = list.dsbl.org : \
sbl.spamhaus.org : \
relays.ordb.org

accept domains = +local_domains
accept  domains = +relay_domains


##################################  END
# RBL setting + Sender whitelist + receiver whitelist + Remote mail server whitelist
# http://www.rvskin.com/index.php?page=public/antispam  POINT 4.4
##################################  END

                                                                                                                                    
  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
        hosts = +relay_hosts
  accept  hosts = +relay_hosts
                                                                                
  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
        condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *

  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.



#http://www.rvskin.com/index.php?page=public/antispam
#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender


##################################
# spam protection
# http://www.rvskin.com/index.php?page=public/antispam  POINT 5
##################################

# Accept Sender that usually send a lot of emails to minimize spamd load
accept senders = +rv_spam_sender_address_whitelist
accept hosts = @[]
accept hosts = +rv_relay_hosts
accept authenticated = *

# Messages larger than 50k are accepted without spam scanning to reduce spamd load
accept condition = ${if >{$message_size}{50k}{true}}


##
# Reject spam messages with score over 15.
# Keep in mind that $spam_score_int is the messages score multiplied by ten.
##
deny message = Spam score too high ($spam_score)
# Bypass Sender that usually send a lot of emails to reduce spamd load
    !senders = +rv_spam_sender_address_whitelist
    spam = mailnull:true/defer_ok

#http://forums.cpanel.net/showthread.php?p=233776#post233776
# If emails get high score coming into the server from the same host address
# more than 3 times within Last 60 seconds. Sender's server will be blocked for 1 hours
condition = ${run{/etc/eximSpamDeny.pl $sender_host_address $spam_score_int $sender_address }{yes}{yes}}

    condition = ${if >{$spam_score_int}{150}{1}{0}}

##
# Add a warning header if email scored between 12 and 15.
# Delete email in the System Filter File, if sender or receiver is not listed in the whitelists.
##
warn message = X-Exiscan-SA-Spam: Yes
# Bypass Sender that usually send a lot of emails to reduce spamd load
    !senders = +rv_spam_sender_address_whitelist
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{120}{1}{0}}

##
# Rewrite subject if email scored between 9 and 15.
##
# Always put X-Spam-Score header in the message.
# It looks like this:
# X-Exiscan-SA-Score: 6.6 (++++++)
# When a MUA cannot match numbers, it can match for an
# equivalent number of '+' signs.
warn message = X-Exiscan-SA-Score: $spam_score ($spam_bar)\
# Put X-Spam-Report header in the message.
# This is a multiline header that informs the user
# which tests a message has "hit", and how much a
# test has contributed to the score.
               \nX-Exiscan-SA-Report: $spam_report\
# For the subject tag, we prepare a new subject header in the
# ACL, then swap it with the original Subject in the system filter.
               \nX-Exiscan-SA-New-Subject: *SPAM* $h_subject:
# Bypass Sender that usually send a lot of emails to reduce spamd load
    !senders = +rv_spam_sender_address_whitelist
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{90}{1}{0}}


##################################
# virus protection
# http://www.rvskin.com/index.php?page=public/antispam  
##################################

##
# Reject messages with serious MIME container errors
##
deny message = This message contains malformed MIME ($demime_reason).
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}

##
# Reject messages with attachments that have illegal file extensions
##
deny message = We do not accept ".$found_extension" attachments here. If you meant to send this file then please package it up as a zip file and resend it.
# You might need to remove some of these extensions if you want to allow your user get these files
demime = bat:cmd:com:cpl:pif:reg:scr

##
# Reject messages that attach a file with a CLSID in the name,
# which causes Windows to hide the file extension.
##
deny message = Hiding of file extensions(CLSID hidden) is not allowed.
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$

##
# Add a warning header if email contains illegal extension files but accept the message
##
warn message = X-Antivirus-Filetype: Infected - $found_extension
# You might need to remove some of these extensions if you want to allow your user get these files
demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc

##
# Add a warning header if email contains a virus but accept the message
##
warn message = X-Antivirus-Scanner: Infected - $malware_name
demime = *
malware = */defer_ok

accept


My problems:

1) As you can see,
#acl_smtp_mail = acl_check_sender

is commented out. If I leave this uncommented I cannot send email; I receive an Administration deny error. Can anyone tell me why?

2) Also, with the optimization applied, CPU goes to maximum very often!
I noticed that spamd is always in my top applications, eating 30% CPU or more almost all the time!
Is there any way to run spamd lighter?

I noticed that when I check a message from the command line using spamassassin in this way

#cd /home/dreamli/mail/domain.com/domain/new/
#spamassassin -r -D < 1163586535.H878049P23358.hostname.myhostname.net

spamassassin loads and checks tons of plugins, and most of them are not used.
What should I do to configure spamassassin to run smoothly and use less CPU?
Or is there any cache for spamassassin?


3) I noticed that my /var/log/exim_rejectlog is getting bigger because it
now also contains the full header of the email (!). How can I make the exim_rejectlog lighter?


4) What is the utility of Razor, DCC and similar? Only to report the spammer to their datacenter?
Or are they also useful to identify the spammer?

THANK YOU!
pairote
post Nov 16 2006, 06:13 PM
Post #24


Administrator
***

Group: Admin
Posts: 4,252
Joined: 13-June 03
Member No.: 1



At the last line under the acl_check_sender: ACL in the second box, you forgot accept.

QUOTE
2) Also, with the optimization applied, CPU goes to maximum very often!
I noticed that spamd is always in my top applications, eating 30% CPU or more almost all the time!
Is there any way to run spamd lighter?


You scan SPAM before VIRUS. I would suggest scanning for viruses before spam. Move the virus scan in the third box to be executed before spam.

QUOTE
3) I noticed that my /var/log/exim_rejectlog is getting bigger because it
now also contains the full header of the email (!). How can I make the exim_rejectlog lighter?


I am not sure. It might be something related to log_selector in the first box.

QUOTE
4) What is the utility of Razor, DCC and similar? Only to report the spammer to their datacenter?
Or are they also useful to identify the spammer?

It is useful and helps SA to identify spam.
+Quote Post
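
The two ACL-ordering points in this exchange can be checked mechanically. The following Python audit is an added example, not code from the original posts or from the RVSkin scripts: it flags an ACL that evaluation can run off the end of (Exim then denies implicitly, which is the effect of the missing accept under acl_check_sender) and lists accept statements placed above the first malware/demime check, because a matching accept ends the ACL before that check runs. The function names and the trimmed sample configuration are assumptions made for illustration.

```python
import re

VERBS = {"accept", "deny", "drop", "warn", "require", "defer", "discard"}
# Modifiers shape the reply or the log entry; they do not make a statement conditional.
MODIFIERS = {"message", "log_message", "logwrite", "control", "delay", "endpass"}

# Constructed sample, trimmed from the ACL boxes posted in this thread.
SAMPLE = r"""
acl_check_host:
deny message = Host $sender_host_address is blocked
hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist
accept

acl_check_sender:
deny message = Sender $sender_address is blocked
senders = /usr/local/cpanel/base/eximacl/rv_sender_address_blacklist
#delay = 3s

check_message:
require verify = header_sender
accept hosts = +rv_relay_hosts
accept condition = ${if >{$message_size}{50k}{true}}
deny message = Spam score too high ($spam_score)
spam = mailnull:true/defer_ok
condition = ${if >{$spam_score_int}{150}{1}{0}}
warn message = X-Antivirus-Scanner: Infected - $malware_name
demime = *
malware = */defer_ok
accept
"""


def logical_lines(text):
    """Yield config lines with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        yield buf + line
        buf = ""


def parse_acls(text):
    """Return {acl_name: [{'verb': ..., 'items': [...]}, ...]} in file order."""
    acls, current, stmt = {}, None, None
    for line in logical_lines(text):
        name = re.fullmatch(r"(\w+):", line)
        if name:
            current, stmt = acls.setdefault(name.group(1), []), None
            continue
        if current is None:
            continue  # main-section options before the first ACL
        verb, _, rest = line.partition(" ")
        if verb in VERBS:
            stmt = {"verb": verb, "items": [rest.strip()] if rest.strip() else []}
            current.append(stmt)
        elif stmt is not None:
            stmt["items"].append(line)  # a condition or modifier of the open statement
    return acls


def item_name(item):
    """Name of a condition or modifier, without a leading '!' negation."""
    return item.lstrip("! ").split("=", 1)[0].strip()


def can_fall_through(stmts):
    """True when evaluation can run off the end of the ACL (Exim then denies implicitly)."""
    if not stmts:
        return True
    last = stmts[-1]
    conditional = any(item_name(i) not in MODIFIERS for i in last["items"])
    return last["verb"] in ("warn", "require") or conditional


def accepts_before_scan(stmts, scans=("malware", "demime")):
    """List accept statements above the first malware/demime check."""
    early = []
    for s in stmts:
        if {item_name(i) for i in s["items"]} & set(scans):
            return early
        if s["verb"] == "accept":
            early.append(" ".join(s["items"]) or "(unconditional)")
    return []  # this ACL has no malware/demime check


def audit(text):
    """Run both checks on every ACL found in the text."""
    return {name: {"implicit_deny": can_fall_through(stmts),
                   "accept_before_scan": accepts_before_scan(stmts)}
            for name, stmts in parse_acls(text).items()}


if __name__ == "__main__":
    for acl, findings in audit(SAMPLE).items():
        print(acl, findings)
```

On the sample, acl_check_sender is reported as ending in an implicit deny, and check_message shows the relay-host and 50k size accepts sitting above the virus section, so mail matching them is accepted without reaching the malware check.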
graziano
post Nov 16 2006, 07:51 PM
Post #25


Member
**

Group: Members
Posts: 19
Joined: 16-November 06
Member No.: 2,250



Thank you!

Regarding SPAM before VIRUS or VIRUS before SPAM,
and talking about CPU usage, I noticed better performance with
SPAM before VIRUS.

Considering that 70% of email is spam, and only 5% virus, I see no reason to run
antivirus on 70% of my email (clamd uses CPU too!).
If SP/RBL reject 70% of spam, then clamd should work only on the 30% of spam-free email.

Am I wrong?

Another question/suggestion:
1) I've read on the chirpy website that "Mail::ClamAV perl module reduces server load and speeds up mail scanning dramatically". It seems your configuration doesn't use it. What do you think about Mail::ClamAV?

2) My clients love your cPanel frontend. But some users still want to receive their email with a high score in their mailbox with the subject **SPAM** (for example) and use server-wide SpamAssassin at the same time.
Do you think it's possible to have server-wide SpamAssassin with this possibility (receive the spam email with the spam tag in the subject) instead of rejecting it, and have it as an option?

3) Also, if I selected /usr/local/cpanel/base/eximacl/antivirusandspam.exim in the Exim configuration editor,
in my exim.conf file I have this

CODE
#!!# message_filter renamed system_filter
system_filter = /etc/antivirus.exim
message_body_visible = 5000


Should I replace it with
/usr/local/cpanel/base/eximacl/antivirusandspam.exim too?

4) In log_selector I have

log_selector = -host_lookup_failed -lost_incoming_connection

I noticed that only email with
rejected after DATA: Spam score too high
and
for some rejected RCPT <goodman@email.net>: unknown user:

shows/returns the full email header in exim_rejectlog.
Don't you have this problem?


5) I noticed small CPU improvements when leaving in
/etc/mail/spamassassin/
only the file local.cf,
because SA seems to load all conf files in /etc/mail/spamassassin/
Solokron
post Nov 17 2006, 09:42 AM
Post #26


Newbie
*

Group: Members
Posts: 3
Joined: 17-November 06
Member No.: 2,259



This seems to make sense to me. I would think clamav scanning would be more intensive than Spam checks.

QUOTE(graziano @ Nov 16 2006, 04:51 AM) *
Thank you!

Regarding SPAM before VIRUS or VIRUS before SPAM,
and talking about CPU usage, I noticed better performance with
SPAM before VIRUS.

Considering that 70% of email is spam, and only 5% virus, I see no reason to run
antivirus on 70% of my email (clamd uses CPU too!).
If SP/RBL reject 70% of spam, then clamd should work only on the 30% of spam-free email.

Am I wrong?

Another question/suggestion:
1) I've read on the chirpy website that "Mail::ClamAV perl module reduces server load and speeds up mail scanning dramatically". It seems your configuration doesn't use it. What do you think about Mail::ClamAV?

2) My clients love your cPanel frontend. But some users still want to receive their email with a high score in their mailbox with the subject **SPAM** (for example) and use server-wide SpamAssassin at the same time.
Do you think it's possible to have server-wide SpamAssassin with this possibility (receive the spam email with the spam tag in the subject) instead of rejecting it, and have it as an option?

3) Also, if I selected /usr/local/cpanel/base/eximacl/antivirusandspam.exim in the Exim configuration editor,
in my exim.conf file I have this

CODE
#!!# message_filter renamed system_filter
system_filter = /etc/antivirus.exim
message_body_visible = 5000


Should I replace it with
/usr/local/cpanel/base/eximacl/antivirusandspam.exim too?

4) In log_selector I have

log_selector = -host_lookup_failed -lost_incoming_connection

I noticed that only email with
rejected after DATA: Spam score too high
and
for some rejected RCPT <goodman@email.net>: unknown user:

shows/returns the full email header in exim_rejectlog.
Don't you have this problem?


5) I noticed small CPU improvements when leaving in
/etc/mail/spamassassin/
only the file local.cf,
because SA seems to load all conf files in /etc/mail/spamassassin/
Solokron
post Nov 17 2006, 12:52 PM
Post #27


Newbie
*

Group: Members
Posts: 3
Joined: 17-November 06
Member No.: 2,259



Exim statistics from 2006-11-15 00:00:02 to 2006-11-15 23:59:06

Grand total summary
-------------------
At least one address
TOTAL Volume Messages Hosts Delayed Failed
Received 22GB 10279 4244 136 1.3% 177 1.7%
Delivered 22GB 10725 297

User Specified Patterns
-----------------------
Total
Total mail blocked:.................................................................................. 11359
Verify sender at SMTP time:.......................................................................... 377
Spam mail blocked by manual blacklist sender at the SMTP time:....................................... 3
Spam mail blocked by manual blacklist host address at the SMTP time:................................. 0
Spam mail blocked by auto black list SA high score at the SMTP time:................................. 0
Spam mail blocked by invalid HELO at the SMTP time:.................................................. 0
Spam mail blocked by setting default address to :fail: at the SMTP time:............................. 1019
Spam mail blocked by auto black list after dictionary attack the SMTP time:.......................... 1146
Spam mail blocked by RBL at the SMTP time:........................................................... 6643
Spam mail blocked by illegal File extension at the SMTP time and discarded after recieving email:.... 27
Spam mail blocked by virus scanner at the SMTP time or discarded after recieving email:.............. 22
Spam mail blocked by SA at the SMTP time or discarded after recieving email:......................... 2122
Spam mail discared by SA high score (12-15) after recieving email:................................... 0
WireNine
post Nov 27 2006, 05:57 AM
Post #28


Advanced Member
***

Group: Members
Posts: 47
Joined: 16-February 06
Member No.: 898



QUOTE
root@server [~]# perl spamReport.pl 7 /var/log/exim_mainlog.1.gz
gunzip: /var/log/exim_mainlog.1.gz: No such file or directory
Cannot find /var/log/exim_mainlog.1


What's up?


Solokron
post Nov 29 2006, 07:55 AM
Post #29


Newbie
*

Group: Members
Posts: 3
Joined: 17-November 06
Member No.: 2,259



I have had that same issue in fact.

QUOTE(WireNine @ Nov 26 2006, 02:57 PM) *
QUOTE
root@server [~]# perl spamReport.pl 7 /var/log/exim_mainlog.1.gz
gunzip: /var/log/exim_mainlog.1.gz: No such file or directory
Cannot find /var/log/exim_mainlog.1


What's up?
pairote
post Nov 29 2006, 11:14 AM
Post #30


Administrator
***

Group: Admin
Posts: 4,252
Joined: 13-June 03
Member No.: 1



I have updated the script. Please try again.
Yalla-One
post Dec 10 2006, 09:11 PM
Post #31


Newbie
*

Group: Members
Posts: 3
Joined: 10-December 06
From: Dubai, United Arab Emirates
Member No.: 2,564



QUOTE(pairote @ May 30 2006, 11:38 AM) *
There are some optimizations made on my server that are not updated in the tutorial yet.
You may try them. They consume less CPU.
1. Disable Spam scanning for outgoing email. http://forums.rvskin.com/index.php?s=&...post&p=4901
2. Rearrange the ACL for RBL and unknown user http://forums.rvskin.com/index.php?s=&...post&p=4788
3. Auto blacklist the Server sending high score spam mail to the server.
http://forums.rvskin.com/index.php?s=&...post&p=4739
4. Auto disable spamd if the server is overloading. When the server is overloading, we should skip spam scanning to bring the load down. I am working on it.


Hi. I'm quite new to "advanced SPAM filtering", and have been lurking around here trying to build up the courage to implement the recommendations in your tutorial.

I have read the points above and contemplated integrating them into your tutorial, but I have a feeling they use different variables etc.

So to my question. Is there currently work in progress to update the tutorial to include these 4 steps, and maybe (if I'm really lucky) have a low-resource-consuming-version of the tutorial as well, for those of us who are on a shared VPS server with only 256MB RAM and not so many CPU cycles?

Thanks for a great script - I'm looking forward to finally daring to take the step to implement it!

-Y1
pairote
post Dec 12 2006, 04:23 PM
Post #32


Administrator
***

Group: Admin
Posts: 4,252
Joined: 13-June 03
Member No.: 1



QUOTE
VPS server with only 256MB RAM

It is very limited for running server-wide SpamAssassin. You can set other ACLs such as the HELO ACL, verify sender, RBL, etc. But for SpamAssassin, it is too much resource usage.
Yalla-One
post Dec 16 2006, 12:55 AM
Post #33


Newbie
*

Group: Members
Posts: 3
Joined: 10-December 06
From: Dubai, United Arab Emirates
Member No.: 2,564



QUOTE(pairote @ Dec 12 2006, 10:23 AM) *
QUOTE
VPS server with only 256MB RAM

It is very limited for running server-wide SpamAssassin. You can set other ACLs such as the HELO ACL, verify sender, RBL, etc. But for SpamAssassin, it is too much resource usage.


Hi, and thanks for answering!

The server has 256MB RAM guaranteed, but a burst of 1GB. The average load of the server is 0.01 over the past 2 weeks according to the monitor, as it does only mail and *very* basic web-serving.
Spam Assassin is already running "individually" on the two accounts defined on the VPS, and I figure that running one server-wide spam-assassin is probably better than two account-individual spam-assassins?
The above mentioned average load of 0.01 is *with* spamassassin running on the two accounts...

Does that mean there's still hope, especially if the beforementioned 4 points are incorporated into an updated version of the tutorial? Any plans for updating the tutorial to make it even more streamlined and efficient?

Thanks again!

Edit: forgot to mention spam-assassin already runs in the account...
pairote
post Dec 18 2006, 11:49 AM
Post #34


Administrator
***

Group: Admin
Posts: 4,252
Joined: 13-June 03
Member No.: 1



I will update it as fast as I can. No ETA.
Yalla-One
post Dec 18 2006, 11:53 AM
Post #35


Newbie
*

Group: Members
Posts: 3
Joined: 10-December 06
From: Dubai, United Arab Emirates
Member No.: 2,564



QUOTE(pairote @ Dec 18 2006, 05:49 AM) *
I will update it as fast as I can. No ETA.


Thank you so much!

Is there any major difference in performance from running server-wide SpamAssassin, compared to running it on individual accounts?
slim
post Sep 3 2007, 06:52 AM
Post #36


Newbie
*

Group: Members
Posts: 1
Joined: 3-September 07
Member No.: 4,818



I have modded the file to have the correct file path to the log file... I ran it and got some painful results (98.14% of all incoming mail is spam and rejected).

However now I have exicyclelog running via cron, and I get:
**** No valid log lines read

This is the exim log dir:
drwxr-x--- 12 exim staff 408 Sep 3 00:02 .
drwxr-x--- 9 exim staff 306 Aug 29 12:55 ..
-rw-r----- 1 exim staff 3586700 Sep 3 11:12 exim_main.log
-rw-r----- 1 exim staff 628573799 Jul 17 10:32 exim_main.log.001
-rw-r----- 1 exim staff 1242203 Sep 3 00:00 exim_main.log.01
-rw-r----- 1 exim staff 45587521 Sep 2 20:51 exim_main.log.02.gz
-rw-r----- 1 exim staff 395333 Sep 3 01:44 exim_panic.log
-rw-r----- 1 exim staff 2088144 Sep 3 11:12 exim_reject.log
-rw-r----- 1 exim staff 303323851 Jul 17 10:32 exim_reject.log.001
-rw-r----- 1 exim staff 739623 Sep 3 00:00 exim_reject.log.01
-rw-r----- 1 exim staff 30596922 Sep 2 20:51 exim_reject.log.02.gz
-rw------- 1 exim staff 20494 Jun 7 10:53 exim_vacation.log

using tail I can see that logging is happening to exim_main.log but not to exim_main.log.01, and yet am I right in assuming that the spamreport.pl is expecting to analyze spamreport.pl.01?

pairote
post Sep 3 2007, 06:10 PM
Post #37


Administrator
***

Group: Admin
Posts: 4,252
Joined: 13-June 03
Member No.: 1



It looks for /var/log/exim_mainlog. If your log is in a different path, please edit the report script.
+Quote Post
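
A report over these logs only needs the rejection texts that the ACLs in this thread emit. The Python below is an added example, not spamReport.pl and not part of the original posts: it opens a current or rotated log whether or not it has been gzipped and counts rejections per ACL. The category names, file names and log lines are constructed for illustration.

```python
import gzip
import os
import re
import tempfile
from collections import Counter

# Rejection texts taken from the ACLs quoted earlier in this thread.
PATTERNS = {
    "rbl": re.compile(r"is blacklisted at \S+"),
    "unknown_user": re.compile(r"rejected RCPT <[^>]*>: unknown user"),
    "dictionary_attack": re.compile(r"[Dd]ictionary attack"),
    "bad_helo": re.compile(r"(Bad|Forged|Hacked) HELO"),
    "spam_score": re.compile(r"rejected after DATA: Spam score too high"),
}

# Constructed log lines (documentation addresses), shaped like the fragments quoted in the thread.
SAMPLE = """\
2007-09-03 11:10:01 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <goodman@email.net>: unknown user
2007-09-03 11:10:05 H=(relay.example.org) [192.0.2.11] F=<b@example.org> rejected RCPT <info@example.com>: Message rejected because relay.example.org [192.0.2.11] is blacklisted at sbl.spamhaus.org
2007-09-03 11:10:06 H=(relay.example.org) [192.0.2.11] F=<b@example.org> rejected RCPT <sales@example.com>: Message rejected because relay.example.org [192.0.2.11] is blacklisted at sbl.spamhaus.org
2007-09-03 11:10:09 1IS9xy-0001aB-Cd H=(pc.example.org) [192.0.2.12] F=<c@example.org> rejected after DATA: Spam score too high (21.3)
2007-09-03 11:10:12 H=(pc2.example.org) [192.0.2.13] F=<d@example.org> rejected RCPT <zz@example.com>: Dictionary attack (after 4 failures)
2007-09-03 11:10:15 H=(ABC.com) [192.0.2.14] F=<e@example.org> rejected RCPT <info@example.com>: Hacked HELO: you are not ABC.com
2007-09-03 11:10:30 1IS9xz-0001aC-Ef <= user@example.net H=(mail.example.net) [192.0.2.20] P=esmtp S=2048
"""


def open_log(path):
    """Open a log given as 'name' or 'name.gz', using whichever of the two exists on disk."""
    alternate = path[:-3] if path.endswith(".gz") else path + ".gz"
    for candidate in (path, alternate):
        if os.path.exists(candidate):
            opener = gzip.open if candidate.endswith(".gz") else open
            return opener(candidate, "rt", errors="replace")
    raise FileNotFoundError(path)


def tally(lines):
    """Count accepted messages ('<=' lines) and rejections grouped by the ACL text that caused them."""
    counts, received = Counter(), 0
    for line in lines:
        if " <= " in line:
            received += 1
            continue
        if " rejected " not in line:
            continue
        for name, rx in PATTERNS.items():
            if rx.search(line):
                counts[name] += 1
                break
        else:
            counts["other"] += 1
    rejected = sum(counts.values())
    total = rejected + received
    pct = round(100.0 * rejected / total, 2) if total else 0.0
    return {"by_acl": dict(counts), "received": received,
            "rejected": rejected, "rejected_pct": pct}


def demo():
    """Write the sample as a gzipped rotated log, then read it back by its uncompressed name."""
    with tempfile.TemporaryDirectory() as d:
        rotated = os.path.join(d, "exim_mainlog.1")
        with gzip.open(rotated + ".gz", "wt") as fh:
            fh.write(SAMPLE)
        with open_log(rotated) as fh:
            return tally(fh)


if __name__ == "__main__":
    print(demo())
```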
