The Community Forums


Blocking inbound spam issue

Discussion in 'E-mail Discussions' started by amitkalra, Mar 4, 2016.

  1. amitkalra

    amitkalra Member

    Hi
    Our Dedicated Server is exl.example.com and we are facing the same problem.
    SPF Check is enabled on our server, yet spam mails that do not originate from our server but spoof the From field with an address of a domain on our server (support@example.com) are still coming in. Both the From and To addresses are this address.

    I turned SPF check off and back on, and Exim was restarted to make sure the SPF check is enabled.
    Any idea why this could be happening and what I can do to reject such mails?

    Here is the header of the mail:

    Code:
    From - Fri Mar  4 08:10:03 2016
    X-Account-Key: account1
    X-UIDL: UID68912-1300251171
    X-Mozilla-Status: 1001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys: 
    Return-path: <support@example.com>
    Envelope-to: support@domain.com
    Delivery-date: Fri, 04 Mar 2016 15:41:50 +0530
    Received: from 122x214x46x194.ap122.ftth.example.com ([122.214.46.194]:60794 helo=example.com)
      by exl.exlsystems.com with smtp (Exim 4.86_1)
      (envelope-from <support@example.com>)
      id 1abmi2-0001fA-Gl
      for support@domain.com; Fri, 04 Mar 2016 15:41:49 +0530
    Message-ID: <000101d17630$71151892$c0a80001@example.com>
    To: <support@domain.com>
    Subject:
    From: <support@domain.com>
    Importance: High
    MIME-Version: 1.0
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 8bit
    X-Spam-Status: No, score=-73.5
    X-Spam-Score: -734
    X-Spam-Bar: ---------------------------------------------------
    X-Ham-Report: Spam detection software, running on the system "exl.exlsystems.com",
    has NOT identified this incoming email as spam.  The original
    message has been attached to this so you can view it or label
    similar future email.  If you have any questions, see
    root\@localhost for details.
    
    Content preview:  Welcome to AnastasiaDate! support, You have new messages from
      Alla, Olga, Olga and 15 other Ladies. [...]
    
    Content analysis details:  (-73.5 points, 5.0 required)
    
      pts rule name  description
    ---- ---------------------- --------------------------------------------------
      0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
      See
      DnsBlocklists - Spamassassin Wiki
      for more information.
      [URIs: domaintoo.com]
      4.5 URIBL_DBL_SPAM  Contains a spam URL listed in the DBL blocklist
      [URIs: domaintoo.com]
      0.1 URIBL_SBL_A  Contains URL's A record listed in the SBL blocklist
      [URIs: domaintoo.com]
      1.6 URIBL_SBL  Contains an URL's NS IP listed in the SBL blocklist
      [URIs: domaintoo.com]
    -100 USER_IN_WHITELIST  From: address is in the user's white-list
      1.2 URIBL_ABUSE_SURBL  Contains an URL listed in the ABUSE SURBL blocklist
      [URIs: domaintoo.com]
      1.7 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
      [URIs: domaintoo.com]
      0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
      domains are different
    -0.0 RP_MATCHES_RCVD  Envelope sender domain matches handover relay domain
    -0.0 BAYES_40  BODY: Bayes spam probability is 20 to 40%
      [score: 0.3257]
      0.0 HTML_MESSAGE  BODY: HTML included in message
      0.7 MIME_HTML_ONLY  BODY: Message only has text/html MIME parts
      1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
      above 50%
      [cf: 100]
      0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
      [cf: 100]
      0.9 RAZOR2_CHECK  Listed in Razor2 (Vipul's Razor: home)
      1.8 PYZOR_CHECK  Listed in Pyzor (http://pyzor.sf.net/)
      0.3 DIGEST_MULTIPLE  Message hits more than one network digest check
      3.0 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found
      2.1 RATWARE_MS_HASH  Bulk email fingerprint (msgid ms hash) found
      2.6 RDNS_DYNAMIC  Delivered to internal network by host with
      dynamic-looking rDNS
      2.0 HTML_TITLE_SUBJ_DIFF  No description available.
      1.4 MISSING_DATE  Missing Date: header
      0.1 TO_IN_SUBJ  To address is in Subject
    X-Spam-Flag: NO
    
    #1 amitkalra, Mar 4, 2016
    Last edited by a moderator: Mar 5, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Could you verify that you are referring to the "Reject SPF failures" option in "WHM >> Exim Configuration Manager >> Basic Editor"? Also, what's the entry for one of these messages in /var/log/exim_mainlog when it makes it through? e.g.:

    Code:
    exigrep user@domain /var/log/exim_mainlog
    Thank you.
  3. amitkalra

    amitkalra Member

    Thanks for looking at this Michael.
    1. Yes, WHM >> Exim Configuration Manager >> Basic Editor is exactly where I have turned SPF checking on.
    2. We received another mail to our domain support@spectral-dt.com
    I think the mails don't get rejected as spam because SpamAssassin gives them -100 for spoofing the From address to be from the same local domain.

    Here is what I found about this in /var/log/exim_mainlog:

    Code:
    root@exl [~]# 2016-03-11 21:19:36 [23309] 1aePJj-00063x-BR H=cm-84.211.31.93.getinternet.no [84.211.31.93]:36406 I=[148.251.254.252]:25 Warning: Message has been scanned: no virus or other harmful content was found
    -bash: 2016-03-11: command not found
    root@exl [~]# 2016-03-11 21:19:36 [23309] 1aePJj-00063x-BR <= support@cm-84.211.31.93.getinternet.no H=cm-84.211.31.93.getinternet.no [84.211.31.93]:36406 I=[148.251.254.252]:25 P=smtp S=4964 M8S=0 id=000101d17bdf$cbb006f4$c0a80001@cm-84.211.31.93.getinternet.no T="support Your Electricity Bill 1202$" from <support@cm-84.211.31.93.getinternet.no> for support@spectral-dt.com
    -bash: =: No such file or directory


    Here is the header of this mail that came in:

    Code:
    From - Fri Mar 11 10:50:26 2016
    X-Account-Key: account1
    X-UIDL: UID69308-1300251171
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-path: <support@cm-84.211.31.93.getinternet.no>
    Envelope-to: support@spectral-dt.com
    Delivery-date: Fri, 11 Mar 2016 21:19:36 +0530
    Received: from cm-84.211.31.93.getinternet.no ([84.211.31.93]:36406)
    by exl.exlsystems.com with smtp (Exim 4.86_1)
    (envelope-from <support@cm-84.211.31.93.getinternet.no>)
    id 1aePJj-00063x-BR
    for support@spectral-dt.com; Fri, 11 Mar 2016 21:19:36 +0530
    Message-ID: <000101d17bdf$cbb006f4$c0a80001@cm-84.211.31.93.getinternet.no>
    From: support@spectral-dt.com
    To: "support" <support@spectral-dt.com>
    Reply-To: support@spectral-dt.com
    Subject: support Your Electricity Bill 1202$
    Date: Thu, 11 Mar 2016 21:48:49 0000
    MIME-Version: 1.0
    Content-Type: multipart/related;
    boundary="----=_NextPart_000_0001_01D17BDF.CBB008A2"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
    X-Spam-Status: No, score=-86.0
    X-Spam-Score: -859
    X-Spam-Bar: ---------------------------------------------------
    X-Ham-Report: Spam detection software, running on the system "exl.exlsystems.com",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.

    Content preview: [...]

    Content analysis details: (-86.0 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    -100 USER_IN_WHITELIST From: address is in the user's white-list
    1.1 INVALID_DATE Invalid Date: header (not RFC 2822)
    0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
    domains are different
    -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
    3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
    0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
    [score: 0.4994]
    1.8 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
    2.6 RDNS_DYNAMIC Delivered to internal network by host with
    dynamic-looking rDNS
    0.2 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
    2.0 MIME_NO_TEXT No (properly identified) text body parts
    2.5 DOS_OE_TO_MX Delivered direct to MX with OE headers
    X-Spam-Flag: NO

    This is a multi-part message in MIME format.


    ------=_NextPart_000_0001_01D17BDF.CBB008A2
    Content-Type: application/zip; name="INVOICE_support.zip"
    Content-Transfer-Encoding: base64


    I am also attaching the screen shot of the Exim Configuration page, with SPF enabled.
    #3 amitkalra, Mar 11, 2016
    Last edited: Mar 11, 2016
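An added example (not code from the thread, cPanel or Exim) that shows why the SPF check did not stop these messages: Exim's SPF test evaluates the envelope sender (Return-path), while the spoofed local address sits in the From: header, which is also what SpamAssassin's whitelist_from rule (USER_IN_WHITELIST, -100) matches. The samples are trimmed from the second header posted above; LOCAL_DOMAINS is an assumption.

```python
"""Compare the SPF-relevant envelope domain with the visible From: domain.
Added example, not cPanel/Exim code; samples trimmed from the thread's headers."""
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"spectral-dt.com"}  # domains hosted on the server (assumed)

# Constructed sample: trimmed from the second header posted in the thread.
SPOOFED = """\
Return-path: <support@cm-84.211.31.93.getinternet.no>
Envelope-to: support@spectral-dt.com
Received: from cm-84.211.31.93.getinternet.no ([84.211.31.93]:36406)
\tby exl.exlsystems.com with smtp (Exim 4.86_1)
From: support@spectral-dt.com
To: "support" <support@spectral-dt.com>
Subject: support Your Electricity Bill 1202$

"""

# Constructed sample: what genuine local-to-local mail looks like.
LEGIT = """\
Return-path: <support@spectral-dt.com>
Envelope-to: support@spectral-dt.com
From: support@spectral-dt.com
To: support@spectral-dt.com
Subject: hello

"""

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if absent)."""
    _, email = parseaddr(addr or "")
    return email.rpartition("@")[2].lower()

def analyze(raw: str, local_domains=LOCAL_DOMAINS) -> dict:
    """Report which domain SPF actually tested and whether From: spoofs a local one."""
    msg = message_from_string(raw)
    envelope_domain = domain_of(msg.get("Return-path"))  # what the SPF check uses
    from_domain = domain_of(msg.get("From"))             # what the recipient sees
    return {
        "envelope_domain": envelope_domain,
        "from_domain": from_domain,
        # SPF for the local domain only runs when the envelope sender is local.
        "spf_checked_local_domain": envelope_domain in local_domains,
        # From: claims a local domain that the envelope sender does not back up.
        "spoofs_local_from": from_domain in local_domains
                             and envelope_domain != from_domain,
    }

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze(raw))
```

A message flagged by `spoofs_local_from` passes the envelope-based SPF test and still collects the From-based whitelist bonus; SpamAssassin's `whitelist_from_rcvd` (tied to the relay host) or `whitelist_auth` (tied to SPF/DKIM results) avoids trusting the bare From: header.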
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.