
At My Wit's End with SpamAssassin

Discussion in 'E-mail Discussions' started by wcs2, Jun 21, 2015.

  1. wcs2

    wcs2 Member

    Either I'm doing something wrong or spam loves me. I have 4 email addresses on my server (1 on one domain, 3 on another) that get pummeled by spam that is not caught as spam (there are 6 other domains on this server that are not reporting this problem, but they might just not be telling me).

    I have been through every discussion on the topic I could find and followed instructions as much as they were applicable and I still get hundreds of spam mails every day. I'm running CentOS 6.6 and WHM 11.50.0.12. My SA is set to 3.

    I've attached a header below (which seems to have been removed - not sure why). Does anyone have any suggestions for how I can resolve this? I'd really appreciate any help.

    Thanks.

    - Removed -
     
    #1 wcs2, Jun 21, 2015
    Last edited: Jun 21, 2015
  2. Mark McManus

    Mark McManus Registered

    Hi, like you I got inundated with spam about 6 months ago, from nothing to a flood. I rarely use my email for anything but important emails, so to have an odd email drowned in 100 spam a day was too much to handle. I spent the last 6 months making filter rules every day to try and clean the mail box, and in some ways I think I am wasting less time going through manually killing 100 emails a day rather than sit and write new rules all the time that work, because even the rules are a daily task.

    Why can't spam assassin work?

    I started looking at the emails that made it through and those that got filtered out and realised that spam assassin was filtering the exact same spam message sent at different times either into the spam folder or the real mail box. The only difference between the two? A variation of the sender so that one might be abc@def.com while another was cba@def.com, and a variation in the spam URL link so that it changed between spamdomain.com/abc to spamdomain.com/def. Every other part of the mail trail was the same, same postmaster, same body text (except URL), same subject line - everything was the same but the sender's email name and a variant of the spam URL link.

    However, spam assassin treated the two messages in totally different ways.

    On day 1 it flagged the email as a spam because the fields

    1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    [URIs: impocure.com]
    2.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
    [URIs: impocure.com]

    combined with others to throw the spam score over 5.

    On day 2 it didn't flag it as spam because it only picked up
    1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    [URIs: impocure.com]

    and therefore the score with others only came up to 2.9

    So why did it only pick
    2.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
    [URIs: impocure.com]

    on day 1 and ignore it on day 2?

    I have no idea, but therein probably lies part of the reason why it's failing. Someone knowledgeable will probably figure it out straight away, but it's beyond what you and I can do. Frankly I am sick of writing new rules, because some of the spam it's letting through these days has scores of -1.8 and it never calculates it as obvious spam. My fix, I log in Horde html, read the messages I want, and then set it to delete all the unread messages. I am over it, and after 15 years I'll probably shut my email account down and make a new one in frustration.

    Sorry I can't help, I'm as frustrated as you are, you are not alone.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I've got several email accounts roughly the same age as yours. What helped me out long ago was when I stopped posting it online for email scrapers to pick up on. I still get an occasional spam email of course, but nothing like I used to get.

    Google your email address, if you find it, so can the scrapers. If you can get it removed from wherever you found it via google, the better off you'll be.

    I've got one account that gets hit with, according to Mail Scanner, roughly 3,000 emails a month. My system stops most of those, but they just keep coming and some get through.

    Searching for his email address, I can find it on many websites including in the footer on every page of his website.

    There are ways to post your email address on your webpage that can help, like obfuscating it. One example:
    http://www.albionresearch.com/misc/obfuscator.php

    CloudFlare also provides options for this sort of thing:
    https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation-


    Not the answer you're looking for of course, but I thought it might be of some use here to mention all the same.
     
  4. Mark McManus

    Mark McManus Registered

    You are right, making your address less accessible to harvesting is a good strategy.
     
  5. wcs2

    wcs2 Member

    Thanks. That is definitely good advice in general and I expect things like admin@ and info@ for any domain to get slammed. That said, two of the email addresses that are getting slammed aren't anywhere on the Net that I can find (just went through 15 pages of Google results that only had combinations of what's before and after the @ and they weren't on any of the pages).

    Frustrating.
     
  6. wcs2

    wcs2 Member

    Thanks, I appreciate that. At least I'm not banging my head in a vacuum.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The only thing you should see with those types of emails is cPHulk blocks from attempted logins to those sorts of email addresses. Lots and lots of those. You can disable that email for those in cPHulk, untick this setting:
    "Send a notification when the system detects a brute force user "

    If you have no admin@ or info@ email addresses, setting the "Default Address" in your cPanel can help there.
    cPanel > Email section > Default Address, select:

    "Discard the email while your server processes it by SMTP time with an error message."

    Message: No Such User here

    That's the preferred setting for unrouted (non existent) email addresses.
     
  8. traypup

    traypup Member

    wcs2 -- I am totally with you. It's ridiculously ineffective. I've moved almost all of my mail to google for work, which has its own set of issues, but I never see spam anymore and I am grateful every day.

    Yes, the suggestions about protecting your email accounts are helpful --- before the spam starts. But once it starts, the game is over, in my mind.

    What I'm looking for is a replacement solution to SpamAssassin. I have a couple of hosting clients and they are not willing to move to a Google solution. So I'm off to find something other than SA. Good luck to you!
     
  9. keat63

    keat63 Well-Known Member

    I'm under the impression that some blacklists will only allow a certain amount of connections from an IP before saying "that's it, you filled your quota, come back tomorrow".
    This IP is more to do with your data centre than your own server.

    So for instance if your datacentre has 500 other servers all connecting to one of these blacklists, it doesn't take long before your datacentre has reached its allocated maximum connections and no more are allowed.
    In this case, SpamAssassin would no longer be able to check against that blacklist and ignore that part of the rule, thus giving a lower spam score.

    I got around this limitation by installing Bind and running my own DNS resolver cache.

    If you have csf installed, there are additional blacklists that you could employ.
    Also in Home » Service Configuration » Exim Configuration Manager » RBLs you can add additional RBLs.

    I also have a mailbox that should only ever receive customer orders.
    Anything else to this mailbox, we have no interest in.

    So I set a filter based on "if body or any header contains unsubscribe" send to spam.

    This works really effectively for this mailbox. I still have to scan it periodically, but this takes like 10 seconds.
     
    #9 keat63, Jun 25, 2015
    Last edited: Jun 25, 2015
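
The refused-lookup situation described in this post, and the day 1 / day 2 difference in URIBL_DBL_SPAM reported earlier in the thread, can be checked from the mail server itself. The following is an added example, not part of the original thread: it asks the system resolver for Spamhaus's always-listed DBL test entry (`dbltest.com`) and classifies the answer using Spamhaus's documented return codes; the function names are illustrative.

```python
import socket

DBL_ZONE = "dbl.spamhaus.org"
DBL_TEST_DOMAIN = "dbltest.com"  # Spamhaus test entry that is always listed

# Spamhaus answers that mean "query refused", not "domain is clean".
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def classify_dbl_answer(answers):
    """Classify the A records returned for <domain>.dbl.spamhaus.org.

    answers is a list of dotted-quad strings; an empty list means no record.
    """
    if not answers:
        return ("not_listed", "no A record")
    for ip in answers:
        if ip in SPAMHAUS_ERRORS:
            return ("blocked", SPAMHAUS_ERRORS[ip])
    for ip in answers:
        if ip == "127.0.1.255":
            return ("error", "an IP address was queried against a domain list")
        if ip.startswith("127.0.1."):
            return ("listed", ip)
    return ("unexpected", ",".join(answers))


def resolve_a(name):
    """Resolve through the system resolver configured on this host."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN, SERVFAIL and timeouts all land here
        return []


def check_resolver(resolve=resolve_a):
    """Return (healthy, verdict, detail) for the always-listed test entry."""
    verdict, detail = classify_dbl_answer(resolve(f"{DBL_TEST_DOMAIN}.{DBL_ZONE}"))
    return (verdict == "listed", verdict, detail)


if __name__ == "__main__":
    healthy, verdict, detail = check_resolver()
    print("DBL lookups OK" if healthy else f"DBL lookups failing: {verdict} ({detail})")
```

Run on the mail server, a `blocked` or `not_listed` verdict for the test entry means the DBL rule cannot fire for real spam either, which is the case a local caching resolver is meant to fix.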
  10. Mark McManus

    Mark McManus Registered

    To the person that mentioned gmail, thank you. I used one of my rarely used gmail accounts to test import my main domain emails into as a secondary email account. Gmail has successfully filtered out all but 1 spam email message, while spam assassin has let through over 200 of them. While it's not a particularly elegant solution, I'll run my mail box from the gmail account from now on so I don't have to wade through a horde of spam to find my real mail on the Horde web page.
     
  11. sparek-3

    sparek-3 Well-Known Member

    I would love to find another replacement for SpamAssassin, something that can act as a drop-in replacement for SpamAssassin.

    I agree, SpamAssassin appears to have lost its effectiveness. That could just be spammers becoming more effective or the SpamAssassin filters not being updated enough to combat spam.

    I would prefer to find something that is free and can just be dropped in as a SpamAssassin replacement. I know ASSP is out there, but it's not really a drop-in replacement. It's more for server-wide spam filtering. I would prefer something that gives end users a bit more control.

    I would not be opposed to having a paid solution available to customers or something we can pay for and upsell to our clients, as long as it is cost effective.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
