Spam and Anti-Virus Scanning

# Spam and Virus Scanning

Virtualmin allows you to enable spam and virus scanning for email on a per-virtual-server basis, and to configure what happens to email classifies as spam or virus-laden. Under the hood, it scans email using the popular SpamAssassin http://spamassassin.apache.org/ package for spam detection, and ClamAV http://www.clamav.net/ for viruses.

SpamAssassin assigns each message it scans a score indicating how spammy it is, based on the content and servers it was sent from. Typically, anything with a score above 5 is regarded as most likely spam. ClamAV however just compares the message contents with a database of know virus signatures, and reports if any were found or not.

## Turning On Spam and Virus Scanning

In a typical Virtualmin installation, you can enable filtering for a new or existing virtual server by just selecting the **Spam filtering enabled?** and **Virus filtering enabled?** checkboxes in the features section of the **Create** or **Edit Virtual Server** page.

If they do not appear, make sure that these features are enabled globally on your system. This can be done as follows :

1. Login as `root`, open the **System Settings** category on the left menu, and click on **Features and Plugins**.
1. Check the boxes next to **Spam filtering** and **Virus filtering**.
1. Click **Save**. If you see any error messages about SpamAssassin or ClamAV not being installed, you'll need to install their packages on your system first.

## Spam and Virus Filtering and Procmail

Internally, Virtualmin creates an `/etc/procmailrc` file that in turn runs a Procmail include file under `/etc/webmin/virtual-server/procmail`, depending on the domain to which each email received is sent. This then invokes the `spamassassin` and `clamscan` commands, then uses their output to decide if email should be delivered to a special folder or deleted.

SpamAsssassin is run with command-line parameters that tell it to use configuration files under `/etc/webmin/virtual-server/spam`, which can be different for each domain. This way, domain owners can customize their own SpamAssassin rules, spam levels and message modification settings.

## Changing Delivery Destinations

By default, email classified as spam as delivered to the `~/Maildir/.spam` file under each user's home directory. This shows up as a folder named `spam` in users' mail clients, and in Usermin. Email that is detected as containing viruses is deleted by default, as virus detection is almost 100% accurate.

However, you can change these destinations on a per-domain basis using Virtualmin. Some users may prefer that spam be deleted outright, or delivered normally so that it can be filtered by their mail clients. To change the delivery rules, the steps to follow are :

1. Login to Virtualmin as `root` or as the domain owner.
1. Select the domain from the left menu.
1. Open the **Server Configuration** category, and click on **Spam and Virus Delivery**.
1. Change the **Destination for spam emails** and **for virus emails** to whatever you want.
1. Click **Save**. The changes will take effect for email delivered from now on.

In Virtualmin versions 3.54 and above, you can select to have email whose virus score is above some threshold deleted instead of being delivered to a `spam` folder. This can be used to stop the delivery of messages that are obviously spam, saving on disk spam and the bandwidth used to download them.

To delete high-scoring spam, just follow the steps above and set the **Delete spam if score is above** field to some number like _10_.

## Default Delivery Destinations

If you have spam and virus delivery destinations that you want used for all new domains, you can set them as follows :

1. Login to Virtualmin as `root`.
1. Open the **System Settings** category on the left menu, and click on **Module Config**.
1. Select the **Spam filtering options** section.
1. Change the **Default delivery for spam** and **for viruses** to whatever you want.
1. Click **Save**.

To make changes for all existing domains, use the `modify-spam.pl` command-line API script.

## Automatic Spam Clearing

If Virtualmin is configured to deliver spam to a separate folder for each user, this can end up consuming a lot of disk space and disk quotas. To keep usage down, it is possible have Virtualmin automatically delete users' spam that is more than a certain number of days old, or is taking up more than some amount of disk space.

To set this up for a single domain, the steps to follow are :

1. Select the domain from Virtualmin's left menu.
1. Open the **Server Configuration** category, and click on **Spam and Virus Delivery**.
1. In the **Automatically delete spam?** field, select **Yes, if older than** and enter a number of days into the adjacent text box. I suggest _5_ days, which is more than enough time for users to periodically check their spam folders for false positives.
1. Click **Save**.

If you prefer to delete based on disk usage, select **Yes, when mailbox exceeds** instead and enter a maximum size for the spam folder. When this is exceeded, messages will be deleted oldest first until it is smaller than the specified size.

The default setting for new virtual servers can be set on the **Module Config** page in the **Spam filtering options** section. To make changes for all existing domains, use the `modify-spam.pl` command-line API script.

## Speeding Up ClamAV on Debian Etch

By default, Debian 4.0 (Etch) comes with ClamAV packages that are out of date and buggy.
The most common symptom of this is very slow virus scanning, and high CPU load from `clamscan` or `clamd`. However, there is a fix - you can update to a newer ClamAV version from the Debian volatile repository, at http://www.debian.org/volatile/

To use the volatile repository, SSH into your system as `root` and edit `/etc/apt/sources.list`. At the bottom, add the line :

deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

Then update ClamAV packages with the commands:

apt-get update
apt-get install clamav clamav-base clamav-daemon clamav-freshclam

## Reducing CPU Load with Clamd

In the default Virtualmin configuration, each email received is processed with the `clamscan` command to check if it contains viruses. Unfortunately, this can take anywhere from seconds to minutes to run, particularly on VPS systems that have limited IO bandwidth or CPU resources. Most of this time is spent loading the virus database, which is continually growing as new viruses are found by the ClamAV authors.

Slowness running `clamscan` can cause email delivery to be delayed by several minutes, during which messages stay in the Postfix mail queue. It can also lead to high CPU load on the system, which then slows down other services like Apache or MySQL.

Fortunately, there is a fix - the `clamd` server process, which loads the virus database just once and then stays running. When email arrives, the `clamdscan` command connects to it, passes over the message to be scanned, then reads back the results. This typically only takes a seconds, even on a system with limited resources.

If your system is receiving a large amount of email, I recommend the use of `clamd`. It probably isn't worth running on a system used primarily as a web server though, as it consumes about 750MB of RAM at all times. ClamAV is not suitable for use on a low-memory system.

To enable the use of the ClamAV server process, follow these steps :

1. Login to Virtualmin as `root`.
1. Open the **Email Messages** category on the left menu, and click on **Spam and Virus Scanning**.
1. At the bottom of the page you should see a button labelled **Enable ClamAV Server** - click it. If the button isn't visible, this means that Virtualmin doesn't know how to configure `clamd` on your operating system, and you will need to do it manually.
1. After clicking, check the messages that appear to make sure that no errors were reported. If all went well, return to the **Spam and Virus Scanning** page.
1. Change the **Virus scanning program** to **Server scanner (clamdscan)** , and click **Save**.

Virtualmin will check if `clamd` and `clamdscan` are working properly, and if so configure all virtual servers to use it for virus classification from now on.

## Common ClamAV Problems

If Virtualmin reports that the `clamscan` command is not working on your system, here are some things to try :

* Run `freshclam` to download the virus database. On some systems, the standard ClamAV packages do not include any virus data files, so `clamscan` cannot run.
* Remove the `Example` line from `/etc/freshclam.conf`. On some systems this line exists by default, to intentionally prevent `freshclam` from running!
* Make sure that the virus database path in `/etc/clamd.conf` matches the directory updated by `freshclam`. If not, `clamd` will not start due to the lack of data files.

## Moving Spam and Virus Scanning to Another System

SpamAssassin and ClamAV can use up a lot of CPU time, which on a system that receives a lot of email can significantly slow down email processing. However, it is possible to move some of this load to a separate system, by making use of `spamd` and `clamd`, the SpamAssassin and ClamAV server processes.

These can be run on one or two other systems on your network, and Virtualmin on the master system that actually receives email configured to offload scanning to them.

In the instructions below, _serverip_ is the IP address of the system that will be running `spamd`, and _virtualminip_ is the IP of the Virtualmin machine.

### Setting up Spamd on CentOS, Fedora or Redhat

1. Login to the system you want to run `spamd` on as `root`
1. Install SpamAssassin with : yum install spamassassin
1. Edit the file `/etc/sysconfig/spamassassin` and add the following to the `SPAMDOPTIONS` line : -i serverip -A virtualminipAn example file would look like : # Options to spamd
SPAMDOPTIONS="-d -c -m5 -H -i 193.9.101.242 -A 193.9.101.104"

1. Run the following commands to start `spamd` : /etc/init.d/spamassassin restart
chkconfig spamassassin on

1. If you are using a firewall on this system, open up port 783 to enable connections to SpamAssassin

### Setting up Spamd on Debian or Ubuntu

1. Login to the system you want to run `spamd` on as `root`
1. Install SpamAssassin with : apt-get install spamassassin
1. Edit the file `/etc/default/spamassassin` , and change the line `ENABLED=0` to `ENABLED=1`.
1. In the same file, add the following to the `OPTIONS` line : -i serverip -A virtualminipAn example completed line would look like : OPTIONS="--create-prefs --max-children 5 --helper-home-dir -i 193.9.101.120 -A 193.9.101.104"
1. Run the following commands to start `spamd` : /etc/init.d/spamassassin restart
update-rc.d -f spamassassin defaults

1. If you are using a firewall on this system, open up port 783 to enable connections to SpamAssassin

### Configuring Virtualmin to Use a Remote Spamd

Once `spamd` is running on the remote system, you can configure Virtualmin to use it as follows. Note that this will prevent domains and mailboxes from having their own SpamAssassin rules, unless you setup `spam` to fetch them from a MySQL or LDAP database .

1. Login to Virtualmin as `root`, and go to **Email Messages** -> **Spam and Virus Scanning**.
1. Change the **SpamAssassin client program** menu to **spamc**.
1. Set the **Server host for spamc** to the IP address of the remote server you setup above.
1. Click **Save**.

Now try sending email to a mailbox in one of the domains with spam filtering enabled on your Virtualmin server, and check if SpamAssassin `X-Spam` headers are added. If not, check `/var/log/mail*` on both the Virtualmin and spam scanning systems for error messages, and `/var/log/procmail.log`.

### Setting up Clamd on a Remote System

The easiest way to setup `clamd` is to use Virtualmin's built-in support for configuring it. The steps to do this are :

1. Install Virtualmin GPL or Pro on the system to be used for running `clamd`. You don't need to create any domains, or run any other servers like MySQL or Postfix.
1. Login to the new Virtualmin, and go to **Email Messages** -> **Spam and Virus Scanning**.
1. Click the **Enable ClamAV Server** button.
1. SSH into the system as `root`, and edit the file `/etc/clamd.conf` and make sure the line `TCPSocket 3310` exists and is not commented out.
1. Also make sure the line `TCPAddr 127.0.0.1` does **not** exist or is commented out.
1. Run the command `/etc/init.d/clamd-virtualmin restart` or `/etc/init.d/clamd restart` to apply the configuration changes.
1. If you are using a firewall on this system, open up port 3310 to enable connections to ClamAV

### Configuring Virtualmin to Use a Remote Clamd

Unfortunately, the executables provided as part of the ClamAV package do not seem to support connecting to a remote server. However, the `clamd-stream-client` program can do this, and can be used by Virtualmin versions 3.63 and later. You can download it from : https://sourceforge.net/projects/clamd-stream-cl/

Once you have the `clamd-stream-client-1.3.tar.gz` file on your Virtualmin system, it can be compiled and installed with the commands :

tar xvzf clamd-stream-client-1.3.tar.gz
cd clamd-stream-client-1.3
./configure
make
make install

You can now configure Virtualmin 3.63 or later to use it as follows :

1. Login to Virtualmin as `root`, and go to **Email Messages** -> **Spam and Virus Scanning**.
1. Change the **Virus scanning program** to **Remote server scanner**
1. In the **Server host for clamd-stream-client** field, enter the hostname of the system running Clamd that you setup in the previous section.
1. Click **Save**.

Assuming that `clamd-stream-client` works and can contact the remote system, it will be enabled and used for virus scanning for all domains.