Fighting Spam & Malware with Virtualmin

Some Blacklists will put a rate limit, that’s true.

In my setup Fail2Ban bans those IPs, avoiding more requests during the ban time specified.
Also I use postscreen, which eliminates those well-known bad mail servers, and UCE-Protect Level 1, which gets rid of most spam, leaving very little to be checked against other lists.

Regarding UCE Protect, there is a confusion caused by levels 2 & 3, where almost anyone can be listed as they list IP blocks. Those two levels should not be used to reject email at Postfix as they have a lot of false positives.

However, Level 1 lists only specific IP addresses.

Before using UCE Protect I even read the letter from the owner and checked some complaints. I had to remove UCE Protect levels 2 & 3 because they do block legit email, but Level 1 has been working great for 6 months now. I just checked some of the complaints again and several are about L2 & L3; some are also listed in other well-known BLs.

Are they abusive? Perhaps, since innocent IPs are listed in L2 & L3. They should allow free delisting for IPs that don’t send spam in L2 & L3. I’ll suggest that.

Checking the logs, Level 1 blocks a lot of spammers and I haven’t got any complaint from my users about it. I also checked some blocked sites/IPs manually and the block was correct.

Just tested on Rocky Linux 9 and it seems to work as you said, and in CentOS 7 too. In both SpamAssassin was installed without ClamAV. I swear it did not work when I tried; perhaps something I was doing wrong.

postscreen does not log IPs in maillog. If you want to see Postfix’s blocked IPs then do not use postscreen.

I’m not using postscreen in master.cf and it seems to work. Is it needed in Postfix 3?

postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1

In this case you need to use bl.spamcop.net*2 so it blocks the IP if listed; otherwise it has no effect, as it will never reach threshold=2. Or add another BL like b.barracudacentral.org*1.

Not sure what Postfix you’re using; it’s logging by default in Debian.
Example postscreen log entry:

postfix/postscreen[781836]: CONNECT from [ip]:57432 to [ip]:25

and an example filter for fail2ban:

[Definition]

_daemon = postfix/postscreen

failregex = ^%(__prefix_line)sPREGREET .* after .* from \[<HOST>\]:.*: EHLO \S+\\r\\n
            ^%(__prefix_line)sBLACKLISTED \[<HOST>\]:.*

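To see how the two pieces of this thread fit together (the postscreen_dnsbl_threshold/weights discussion a few posts up and the fail2ban filter just above), here is an added Python example, not code from the thread or from Virtualmin: it runs the filter’s two failregex patterns over constructed postscreen log lines and tallies hits per IP the way a jail does, and it computes the DNSBL rank postscreen would assign for a given postscreen_dnsbl_sites string. It assumes the plain site*weight form used in the thread (not the site=filter variants) and approximates fail2ban’s __prefix_line with a generic prefix.

```python
import re
from collections import defaultdict

# Constructed sample lines in the postscreen log format quoted in the thread
# (documentation-range IPs, not real senders).
SAMPLE_LOG = """\
postfix/postscreen[233229]: CONNECT from [192.0.2.10]:56744 to [198.51.100.5]:25
postfix/postscreen[233229]: DNSBL rank 2 for [192.0.2.10]:56744
postfix/postscreen[233229]: PREGREET 11 after 0.11 from [192.0.2.10]:56744: EHLO User\\r\\n
postfix/postscreen[233229]: BLACKLISTED [192.0.2.20]:40001
postfix/postscreen[233229]: PASS NEW [203.0.113.7]:50002
"""

# Stand-in for fail2ban's %(__prefix_line)s: anything up to the daemon tag.
PREFIX = r".*?postfix/postscreen\[\d+\]: "

# The two failregex patterns from the filter above, with <HOST> as a named group.
FAILREGEX = [
    re.compile(PREFIX + r"PREGREET .* after .* from \[(?P<host>[^\]]+)\]:.*: EHLO \S+\\r\\n"),
    re.compile(PREFIX + r"BLACKLISTED \[(?P<host>[^\]]+)\]:.*"),
]

def count_failures(log_text):
    """Return {host: lines matching a failregex}, the count fail2ban keeps per IP."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        for pattern in FAILREGEX:
            m = pattern.match(line)
            if m:
                counts[m.group("host")] += 1
                break
    return dict(counts)

def hosts_to_ban(log_text, maxretry):
    """Hosts whose failure count reached the jail's maxretry (findtime ignored)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)

def postscreen_rank(listed_in, dnsbl_sites):
    """Sum the weights of the postscreen_dnsbl_sites entries ('site' or 'site*N') listing the client."""
    rank = 0
    for entry in dnsbl_sites.split():
        site, _, weight = entry.partition("*")
        if site in listed_in:
            rank += int(weight) if weight else 1  # no weight given means 1
    return rank

def would_enforce(listed_in, dnsbl_sites, threshold):
    """True when the rank reaches postscreen_dnsbl_threshold, so the enforce action applies."""
    return postscreen_rank(listed_in, dnsbl_sites) >= threshold
```

With the thread’s original `zen.spamhaus.org*2 bl.spamcop.net*1` and threshold 2, a client listed only on SpamCop scores 1 and is let through; raising SpamCop to `*2` or adding a second `*1` list changes that.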

Please read the documentation on how to properly set up postscreen:
Turning on postscreen(8) without blocking mail

The following you are referring to is an example.

Yes you can see postscreen in the logs if it is set up correctly.

postfix/postscreen[233229]: DISCONNECT [171.22.30.119]:56744
postfix/postscreen[233229]: DNSBL rank 2 for [171.22.30.119]:56744
postfix/postscreen[233229]: PREGREET 11 after 0.11 from [171.22.30.119]:56744: EHLO User\r\n

Thanks it now logs as it should. I was missing the master.cf configuration.

so, postscreen wasn’t working at all. that’s why it didn’t log anything… if you didn’t pass anything to postscreen (master.cf part), it would just be idle - not doing anything…

I’d like to share these stats from one domain; they may be interesting.
The screenshot shows my first 3 summaries to monitor blocked email.

Using RBL in postfix blocked 1,843 emails in a week in one domain (mydomain.com).

The top user with most spam (blocked) was sales with 430 emails. That email account is sent to 5 other users, so about 5 users will get all those spams plus their own if the blocking is removed.

The other two domains (more normal) have about 200 spam blocked per week, but the main email account got about 40% of them.

These results are not using fail2ban to block RBL hits, but fail2ban was blocking unauthenticated attempts to Postfix. Also there is a little filter in front of those servers that blocks more spam, and it is not included in the report.
I will post another stat later with fail2ban blocking RBL hits.

I was going to post the stats from the following weeks, but let me summarize what I’ve found in these weeks. Monitoring those numbers allows me to implement anti-spam and security measures that I’d like to see integrated in Virtualmin; some are quite easy to do.

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit

  • Virtualmin shall add an option to manage blacklists and, as a suggestion, may work with Abusix to include their blacklist in Virtualmin. They currently offer 5,000 free daily queries, calculated from a 7-day average, which will give more than that. So far I’ve seen no false positives in some weeks using their service, but it shall work with Fail2ban to block those IPs for some time to reduce daily queries.
    Abusix Mail Intelligence - Abusix

  • Virtualmin shall add brute force protection with Fail2ban, at least in the Pro licence, to compete with other control panels in security; right now it is up to the very technical user to set up Fail2ban. It can even be set up to report attacks automatically to blocklist.de, which will help to reduce spam and hacking attempts. Abusix also has a reporting tool, but I have not decided to implement it; Virtualmin may do so and help Abusix, and they may work on integrating their product with Virtualmin.

  • Another useful addition to Virtualmin would be the ClamAV extra signatures from Securite Info. Besides being used with ClamAV on servers and desktops, they are available for devices; not sure if it will work with Virtualmin the way it is right now, but surely it can be added so normal users can add them easily without having to go to the terminal or file manager to edit config files. Right now those extra signatures are free for one IP but do not include 0-day malware detection, just 30-day malware detection. This can help avoid ransomware and many other malware, and even spam.
    Add 4.000.000 signatures to Clamav antivirus

Hopefully some of this is useful to improve Virtualmin security and reduce spam.

I’m missing info about SpamAssassin for marking spam because I’m still working on it; however, if anyone has a good configuration they may recommend, I’d love to try it.

I find the IP list from Stop Forum Spam helps prevent a lot of spam emails and posts to WordPress sites etc.
