
[Case 112257] Lots of spam making it past SpamAssassin

Discussion in 'E-mail Discussions' started by CraftyPanda, Aug 5, 2014.

  1. CraftyPanda

    CraftyPanda Well-Known Member

    Hi guys,

    All of a sudden every email account of one server is getting tons of spam.
    I have checked to see if SpamAssassin is running on individual accounts and it seems to be running fine, but I can't explain it. Possible server breach? Is there a way to check if the SpamAssassin service is actually running?

    Thank you
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Have you checked the messages and message headers to determine if the SPAM is coming from the same place, or if it's from multiple sources? You can review /var/log/exim_mainlog to see if SpamAssassin is scoring the messages and marking them as SPAM.

    Thank you.
     
  3. stormy

    stormy Well-Known Member

    I'm getting a lot of spam that simply isn't getting a high enough score in SpamAssassin. It started 2-3 days ago.

    Is this what you are seeing?
     
  4. stormy

    stormy Well-Known Member

    Lots of spam making it past Apache SpamAssassin

    This is really weird. A couple days ago I started getting lots of very obvious spam (loans, credit score, etc) that seems to be fooling SpamAssassin, and getting really low scores.

    The servers sending spam belong to different companies, but the domains/subdomains used are all from - Removed -.

    Is there anyone else seeing this?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I've not seen any other reports of this issue. You may want to consider setting up an account level filter to block email from that domain name.

    Thank you.
     
  6. stormy

    stormy Well-Known Member

    If only it were that easy! :)

    Spam is coming from multiple subdomains from multiple domains, scattered on different servers and providers. Only when running the emails through Spamcop can I see that the domains are all from rightside.co.

    Is it ok to post spam samples with headers here? Is there any info I should block?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  8. stormy

    stormy Well-Known Member

    Here's one of the about 40 I received yesterday. Topics ranging from miracle cures to Russian brides to home loan to auto insurance. All of them get really low scores.

    - Removed -
     
    #8 stormy, Aug 8, 2014
    Last edited by a moderator: Aug 8, 2014
  9. sukrub

    sukrub Member

    I have the same problem... Did anybody offer a solution yet?
     
  10. kdean

    kdean Well-Known Member

    Spamassassin not updating the rules since April may have something to do with it.

    Vote to try and get cPanel to break from their delayed schedule to update to the latest release of SpamAssassin so we can get the updated latest rules instead of going 4-6+ months without new rules.

    Update to SpamAssassin 3.4.0 | cPanel Feature Requests
     
  11. toshost

    toshost Member

    You should try to use another paid spam filter, as SpamAssassin has not been updating the rules since April, or contact SpamAssassin to update it.
     
  12. Quick Strike

    Quick Strike Registered

    Lots of spam making it past SpamAssassin

    Spam is really a headache.. Spammers have all their ways around.. I am also looking for a solution on this..
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Multiple threads merged here.
     
  14. kdean

    kdean Well-Known Member

    Let me clarify. Spamassassin is updating rules for Spamassassin 3.4, which we haven't been updated to with cPanel yet even though it was released in February. Sure, they need time to vet the release, but that probably should have been done during the 11.44 releases whereas right now it's not set to be included until the 11.46 release, whenever that's due.
     
  15. stormy

    stormy Well-Known Member

    Infopro: I did alter the headers when I posted the samples. My email and server information was kept off.

    Of course I didn't alter the spammer's header, because what would be the point then? It would be like posting nothing!

    What useful information can I post that you won't want to delete?
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Domain, email, IP, modify all of it. We'll get the idea just fine.

    Plastering it all like that on these forums, you're helping the spammer get his email spam out to even more people. We don't need any more spam on these forums, we get enough as it is.

    FYI, we try our best to clean up posts similar, as they come up, look around. But, you had so much posted it was a waste of time on this end to clean up your posts, so I removed them.


    Help us out a little here, we're trying to help you.
     
  17. stormy

    stormy Well-Known Member

    I don't get it. What idea do you want to get? What use is an email header with all the email header information stripped?

    I already know it's spam, and I already see that SpamAssassin is assigning a very low score.

    I'll ask again: what useful information can you glean from email headers that don't have domains, email addresses or IPs? Tell me what you're looking for and I'll post it.

    I'm sorry but you are going to need to explain this to me, because I don't understand. I didn't post the spam. I posted the headers, and I edited them. How is this getting email spam out to more people?

    Actually you turned the effort I put in my post into a waste of time. I did take time digging up the headers, eliminating sensitive information, formatting it correctly with code tags, explaining what each email was, etc. There was helpful information posted that could have been used to find similarities between the spam headers, trace it to a known source, etc.

    Well, let me know what you need from me so you can help me.
     
  18. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    If I must, but this is silly to have to explain this to you. We're not Apache SpamAssassin, so posting the spammer's real details is of no use. Modified, it's still of use.

    One of your posts, modified proper.


    Code:
        Return-path: <username@domain.com>
        Envelope-to: XXXXX
        Delivery-date: Fri, 08 Aug 2014 12:46:54 +0200
        Received: from client.domain.com ([198.23.xx.x]:60784 helo=domain.com)
        by XXXXX with esmtp (Exim 4.82)
        (envelope-from <username@domain.com>)
        id 1XFhhF-0005s4-E9
        for XXXXX; Fri, 08 Aug 2014 12:46:54 +0200
        Date: Fri, 08 Aug 2014 03:45:03 -0700
        X-Mailer: Opera7.23/Win32 M2 build 3227
        Content-Type: text/plain; charset="utf-8"
        Message-ID: <2014.08.08.7718647.0e0fe9bf7ed4df17a7240215e42cc012.6164835.0@domain.com >
        From: Natural_Cures <username@domain.com>
        Mime-Version: 1.0
        Subject: Fwd: Spam Title here, Removed.
        To: XXXXX
        Content-Transfer-Encoding: 8bit
        X-Spam-Status: No, score=-0.9
        X-Spam-Score: -8
        X-Spam-Bar: /
        X-Ham-Report: Spam detection software, running on the system "XXXXX", has
        identified this incoming email as possible spam. The original message
        has been attached to this so you can view it (if it isn't spam) or label
        similar future email. If you have any questions, see
        root\@localhost for details.
    
        Content preview: Spam Content Preview Here, Removed.
        [...]
    
        Content analysis details: (-0.9 points, 5.5 required)
    
        pts rule name description
        ---- ---------------------- --------------------------------------------------
        -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
        -0.0 SPF_PASS SPF: sender matches SPF record
        -0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
        -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
        [score: 0.0000]
        1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
        0.6 INVALID_MSGID Message-Id is not valid, according to RFC 2822
        X-Spam-Flag: NO
        
    From that we get the idea, you got a spam email.
     
  19. stormy

    stormy Well-Known Member

    I'm sorry sir, have I done anything to offend you?

    Terribly sorry again, but what makes you say this? I've been using cPanel for 15 years, I know who cPanel is and which forum I'm on.

    That was never a doubt. I never asked for help so I could be sure if I got a spam email or not.

    The title of the thread -which you or some mod edited- was "Lots of spam making it past SpamAssassin". SpamAssassin, which is included with cPanel, but not developed by cPanel, is failing to filter very obvious spam, in large quantities. This has never happened before. Hence, the need to diagnose the problem:

    -Is it a SpamAssassin problem that can be solved?
    -Is there something in common with the spam received that can be filtered, or sheds some light into the problem? (this we can't do, because you've removed all information that could be used to trace the spam source).
    -Aren't you surprised that an obvious spam email is getting a negative SpamAssassin score?
     
  20. MaraBlue

    MaraBlue Well-Known Member

    My SA rules update nightly just fine. It sounds like you're seeing a sudden change, which might indicate a corrupt Bayes database. Hard to say for sure without more information, but I would start there.

    I would strongly recommend installing ConfigServer's MailScanner package. It will rock your world. Installation is available for a very minimal fee, and it's worth it. MailScanner works very well with SA. If you go to his site and read the FAQs, there's a wealth of information, such as this one.
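
The score report quoted in post 18 can be broken down rule by rule to see how much of the low score comes from Bayes and how much from spam rules simply not firing. The following is an added example, not part of any post in this thread and not cPanel or SpamAssassin code; the function names are hypothetical and the sample input is the sanitized report from post 18.

```python
import re

# Constructed input: the report block from the sanitized header in post 18.
SAMPLE_REPORT = """\
Content analysis details: (-0.9 points, 5.5 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
0.6 INVALID_MSGID Message-Id is not valid, according to RFC 2822
"""

SUMMARY_RE = re.compile(r"\((-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")
# A rule line is "<points> <RULE_NAME> <description>"; continuation lines such
# as "[score: 0.0000]" and the dashed separator do not match.
RULE_RE = re.compile(r"^[ \t*]*(-?\d+\.\d+)[ \t]+([A-Z][A-Z0-9_]+)\b", re.M)


def parse_report(text):
    """Return (total, required, [(rule, points), ...]) from a report block."""
    summary = SUMMARY_RE.search(text)
    if summary is None:
        raise ValueError("no 'Content analysis details' summary line found")
    rules = [(name, float(pts)) for pts, name in RULE_RE.findall(text)]
    return float(summary.group(1)), float(summary.group(2)), rules


def diagnose(text):
    """Split the score into what pushed it toward spam and what pulled it away."""
    total, required, rules = parse_report(text)
    positive = sum(p for _, p in rules if p > 0)
    bayes = sum(p for name, p in rules if name.startswith("BAYES_"))
    return {
        "consistent": abs(sum(p for _, p in rules) - total) < 0.05,
        "positive": round(positive, 1),
        "negative": round(sum(p for _, p in rules if p < 0), 1),
        "without_bayes": round(total - bayes, 1),
        # Points still missing even if every negative rule were ignored.
        "shortfall": round(required - positive, 1),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On this sample the spam-side rules contribute 1.7 of the 5.5 points required, so the message stays under the threshold even with the BAYES_00 score removed. Running the same breakdown over several of the received messages shows whether the pattern holds.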
     