
SpamCop on cPanel - do-able?


Outernaut


QUESTION:
May I set up some anti-spam system using SpamCop on my hosted accounts via cPanel that will scan incoming email and mark and/or delete/report known spam?

PRELUDE:
Assume:

  • there are 20 domains under a shared-hosting reseller account. Each domain has anywhere between 1 to 10 email accounts.
  • each domain has its own cPanel
  • each has an email system (see Image 1 below)
    [Image 1]
  • spam Filters is powered by Apache SpamAssassin™
  • Professional spam Filter is a separate charge many business-card size domains don't want to pay for.

SUMMARY:
As it is, there is a great amount of spam even with SpamAssassin set to 2.5. 
I know very little about automating SpamCop to detect, report, and delete spam on the server side; ergo my question.
I seem to remember being told that Spamhaus and Assassin both use SpamCop somehow. How? :)

CONCLUSION:

I would like to have SpamCop working via the server to delete known spam before it gets to the client email, and/or report spam known by client. 

~O~

Edited by Outernaut
posted too soon by accident - slip of the hot-keys.

I am not familiar with cPanel, but I am with SpamAssassin.  I currently have version 3.4 and there is a rule in it called RCVD_IN_BL_SPAMCOP_NET that brings in block list functionality.  I was looking at 

 and the version 2.6 appears to have the rule in it.  Later versions all seem to have it.  Is this the type of integration you are looking for?  I am not sure if you have a special score for it or would be using the default score.


  • 2 weeks later...
On 7/23/2020 at 7:50 PM, gnarlymarley said:

 Is this the type of integration you are looking for?  I am not sure if you have a special score for it or would be using the default score.

Thank you @gnarlymarley  I very much appreciate your time.
I've no idea if that is what I'm looking for. If it would be accessible, which it is not, then maybe - IF it will let me block IP addresses - as in 170.###.###.###. That link-post has over 4,500 words to digest and most of it is geekinese. I traversed all of the cPanel>spam Filters (told by host that spam Assassin is spam Filters), but could not find any "rule" you allude to, or place to add it. I perused  "New SpamAssassin rules" and frankly, it's way over my head, not my forte, and time is not on my side.

As it is, if you look at my OP, under "Email" in the image, is all the Email functions available to us. I find it very odd that there is no ability to block/ban email from/to ip addresses. Since this spammer uses a few of the ip addresses range in 170.* and uses a new email address in each spam.

~O~


On 8/1/2020 at 1:24 PM, Outernaut said:

IF it will let me block IP addresses - as in 170.###.###.###.

I suspect you might be able to do that with the following but the manual is not completely clear on how:

blacklist_from [170.0.0.0/8]

Since I run my own name server, I set up my own blacklist there such as:

*.170.blacklist.local. IN A 127.0.0.1
*.170.blacklist.local. IN TXT "blocked whole range 20200802"

 

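How a DNS block list lookup such as RCVD_IN_BL_SPAMCOP_NET or the private zone in the post above resolves an address, as an added example that is not part of the original posts: the client reverses the octets and appends the zone, which is why one wildcard record under `170` covers all of 170.0.0.0/8. The function names are hypothetical, the lookup is simulated offline against the two records quoted above, and the wildcard matching is simplified.

```python
import ipaddress

# Zone records copied from the post above (wildcard owner name -> answers).
LOCAL_ZONE = {
    "*.170.blacklist.local.": {
        "A": "127.0.0.1",
        "TXT": "blocked whole range 20200802",
    },
}


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.strip('.')}."


def wildcard_matches(owner, qname):
    """Simplified DNS wildcard: '*' stands for one or more leading labels."""
    if not owner.startswith("*."):
        return owner.lower() == qname.lower()
    suffix = owner[1:].lower()  # e.g. ".170.blacklist.local."
    q = qname.lower()
    return q.endswith(suffix) and len(q) > len(suffix)


def lookup(ip, zone="blacklist.local", records=LOCAL_ZONE):
    """Return the matching record set, or None (NXDOMAIN means not listed)."""
    qname = dnsbl_query_name(ip, zone)
    for owner, answers in records.items():
        if wildcard_matches(owner, qname):
            return answers
    return None


if __name__ == "__main__":
    # 10.20.30.170 has 170 as its LAST octet, so it must not be listed.
    for ip in ("170.1.2.3", "173.44.201.16", "10.20.30.170"):
        print(ip, dnsbl_query_name(ip, "blacklist.local"), lookup(ip))
```

The same name construction with the zone `bl.spamcop.net` gives the query that the SpamCop block list rule depends on; any answer means listed, no such name means not listed.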

On 8/2/2020 at 2:59 PM, gnarlymarley said:

I suspect you might be able to do that with the following but the manual is not completely clear on how:


blacklist_from [170.0.0.0/8]

Since I run my own name server, I set up my own blacklist there such as:


*.170.blacklist.local. IN A 127.0.0.1
*.170.blacklist.local. IN TXT "blocked whole range 20200802"

 

spam Assassin/spam Filters seems stuck in the domain name/TLD groove when it comes to blocking senders. Nowhere have I found a way to block IP addresses. Not without spending a great deal more time and money in a VPN (I'll need 34 of them) and then, ~maybe~ perhaps possibly block IP #'s.

It's no wonder that spammers get away using 173.44.201.16, and using real domain names as the sender/reply-to when all they want is for us to click on the link in the email so they get their affiliate commission, or we open the Trojan.  These 173.44.201.16/18/20 ... are the ones that I receive, dozens a day, all with different domain names.

Assuming 173.#.#.# is on a shared host, then wouldn't blocking 173.*.*.* deny email from all the other domains on that shared host? If so - maybe the honest ones will rant enough that the Host will have to review their logs and do their job as landlords of some web lots-for-rent.

I can block 173.44.201.16, and same spammer uses 173.44.201.18 from visiting the web server, why not email? One day - maybe.

Today, I manually pasted the message sources to SpamCop, as I have this last week, and they still keep coming from the same yahoo. Today, about 20 of them - all with same IP, different domain names/TLD. Now I feel guilty for sending stuff that may block the innocent web domains!

BTW - The Forum topic you linked me to is 16 years old; the author said he made changes, but didn't say what, and the topic changed to chicken pox somehow. But thanks any way. :)

~0~


On 8/6/2020 at 1:25 AM, Outernaut said:

spam Assassin/spam Filters seems stuck in the domain name/TLD groove when it comes to blocking senders.

For TLD, I use blacklist_from and it works for me.

blacklist_from *.su
blacklist_from *.ga
blacklist_from *.cn

For the IP, maybe it doesn't like too many wildcards, so you might want to try:

blacklist_from 170.*
blacklist_from 173.*

  • 4 weeks later...

I was reading on https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WhitelistingEverybody and see that one should be able to match the IP using the following:

header LOCAL_RCVD   Received =~ /from .*\[173\./
describe LOCAL_RCVD Received from a local machine
score LOCAL_RCVD   50

This will depend on how your mail server formats the Received: line.

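The dependence on the Received: format mentioned in the last post can be checked before deploying the rule. This is an added example, not part of the original posts: it runs the posted pattern over constructed Received: values and compares it with an assumed tighter check that reads only the bracketed IP on the "from" side. The sample headers, host names and function names are constructed for illustration.

```python
import ipaddress
import re

# The pattern from the rule in the post above, unchanged.
POSTED_RULE = re.compile(r"from .*\[173\.")

# Assumed tighter check: first bracketed IPv4 after "from", stopping at
# " by " so that brackets in the receiving-host part are ignored.
FROM_IP = re.compile(r"from (?:(?! by ).)*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BLOCKED_NET = ipaddress.ip_network("173.0.0.0/8")

# Constructed Received: values in several layouts (not real logs).
SAMPLES = {
    "exim": "from mail.example.com ([173.44.201.16]:41234 helo=mail.example.com) "
            "by host.example.net with esmtp (Exim 4.93)",
    "postfix": "from mail.example.com (mail.example.com [173.44.201.16]) "
               "by mx.example.net (Postfix) with ESMTP id 4AB12C0DE",
    "no_brackets": "from unknown (HELO mail.example.com) (173.44.201.16) "
                   "by mx.example.net with SMTP",
    "by_side_only": "from mail.example.org (mail.example.org [198.51.100.7]) "
                    "by relay.example.net ([173.10.0.5]) with ESMTP",
}


def posted_rule_hits(received):
    """True if the rule as posted would fire on this Received: value."""
    return POSTED_RULE.search(received) is not None


def sender_ip(received):
    """Return the connecting IP from the 'from' clause, or None."""
    m = FROM_IP.search(received)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # e.g. [999.1.1.1]
        return None


def tightened_hits(received):
    ip = sender_ip(received)
    return ip is not None and ip in BLOCKED_NET


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:13} posted={posted_rule_hits(value)} tightened={tightened_hits(value)}")
```

Both checks miss the layout without square brackets, and the posted pattern also fires when a 173.x address appears only on the receiving side of the line.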
