
Configure SpamAssassin to block outgoing form mail

Discussion in 'E-mail Discussion' started by John Manning, Apr 13, 2018.

  1. John Manning

    John Manning Member

    Joined:
    Jun 23, 2017
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Charlotte, NC
    cPanel Access Level:
    Root Administrator
    • CENTOS 7.4
    • WHM v68.0.36
    • PHP 7.0.29

    The site that I'm working on (foobar.com) uses PHP Mail to send emails via a front-end contact form. Only an A record is pointed to this server, so MX records do not come into play as far as I know.

    Emails are sent using a from address of info@foobar.com and are sent to addresses on external domains.

    I would like to configure SpamAssassin to prevent outgoing spam emails. So far, I've done the following in WHM > Exim Configuration Manager.

    ACL:
    • Apache SpamAssassin reject spam score threshold - 1
    Apache SpamAssassin Options:
    • Apache SpamAssassin: Forced Global ON - enabled
    • Scan outgoing messages for spam and reject based on defined Apache SpamAssassin score - 2
    • Do not forward mail to external recipients based on the defined Apache SpamAssassin score - 2
    These settings seem to have some effect. All emails are logged in the database, and I can see that some are actually being blocked. However, we're still receiving emails that contain X-Spam-Scores that seem far outside of the acceptable range. Here's a recent example:

    Code:
    X-Spf-Status: internal_error
    X-Spam-Score: 100
    X-Ms-Exchange-Organization-Authas: Anonymous
    X-Authenticated-Sender: host.foobar.com: info@foobar.com
    Spam-Stopper-V2: Yes
    Return-Path: info@foobar.com
    X-Outgoing-Spam-Status: No, score=1.7
    X-Php-Script: www.foobar.com/index.php for 146.185.223.45
    X-Antiabuse: This header was added to track abuse, please include it with any abuse report
    X-Antiabuse: Primary Hostname - host.foobar.com
    X-Antiabuse: Original Domain - myagencydomain.com
    X-Antiabuse: Originator/Caller UID/GID - [1004 994] / [47 12]
    X-Antiabuse: Sender Address Domain - foobar.com
    X-Rdns-Status: pass
    X-Cmae-Analysis: v=2.2 cv=KdiiiUQD c=1 sm=1 tr=0 p=vunVSMQuAAAA:8 a=RlVqcaIcYrwspz6jv1/UUQ==:117 a=RlVqcaIcYrwspz6jv1/UUQ==:17 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=IkcTkHD0fZMA:10 a=00susGKmFCUA:10 a=QG2GU6Tx0C0A:10 a=MuaeFusq_UQA:10 a=Kd1tUaAdevIA:10 a=voaReoZHVQIA:10 a=W0xnywqEAAAA:8 a=9Dx8fhRWlIe3BX9u-PUA:9 a=IvN1vS8p1NYsI4Zn:21 a=xwIu7TnLqA44iwvY:21 a=ebssT2Pg4LZiMCej:21 a=QEXdDO2ut3YA:10 a=kvi-aVvvx00A:10 a=k0ykbI1PaL3kEB8atyas:22 a=SsrFxdC4mYw4ZYkWcDDW:22
    X-Aes-Category: SPAM
    X-Spam-Reasons: Cause=gggruggvucftvghtrhhoucdtuddrgedtgedriedvgdektdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucdtuddrgedtgedrtddtpdfkpffvgfftoffgfffktedpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepvffufffhkfggtgeshhdtjhdttddtjeenucfhrhhomhepjfgftffuvfculfgrfihsuchofhcunfhifhgvuceoihhnfhhosehjrgifshhofhhlihhfvgdrtghomheqnecuffhomhgrihhnpehoughlvghtvhdrrhhupdhrrhgrthhinhhghihfuhdrrhhunecukfhppeeigedrledurddvgeehrddvudehnecuvehluhhsthgvrhfuihiivgeptd To=Darth Vader <dvader@theempire.com>    From=Foo Bar <info@foobar.com>
    X-Source-Args: php-fpm: pool foobar_com                             
    Message-Id: <37710f0de0422aefb6f1229709212341@www.foobar.com>
    X-Spam-Category: LEGIT
    Mime-Version: 1.0
    X-Php-Originating-Script: 1004:class.phpmailer.php
    
    In the above example, the X-Spam-Score is 100, which is above the threshold of 20 (2x10). Have I misconfigured something, missed something entirely, or am I just not understanding what's going on?

    Thanks!
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    276
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @John Manning

    There are actually two assigned spam scores, one when you receive the email locally and one that is assigned to it when it's scanned outbound.

    In this case Spam Score:

    X-Spam-Score: 100

    refers to the score assigned on delivery to the server.

    The score that is being assigned to the server when it is sent is the Outgoing Spam Score which in this case is below the threshold of 2:


    X-Outgoing-Spam-Status: No, score=1.7


    So with a spam score of 1.7 SpamAssassin isn't seeing this email as spam and sends it.

    Thank you,



     
  3. John Manning

    For some reason I can't edit my original post, but just wanted to mention that this reply specifically mentions the "Scan for outgoing messages..." setting, which is why I thought I was on the right track.
     
  4. John Manning


    Thanks @cPanelLauren. Somehow, all of the email that I'm receiving from this contact form has the same X-Outgoing-Spam-Status score of 1.7. I have submitted tests that have been scored 1.7. Legitimate submissions from other users have also received a 1.7. Even the emails that are very obviously spam have all received a 1.7.

    Does this have to do with the "Enable the Apache SpamAssassin™ ruleset that cPanel uses on cpanel.net" setting? It's currently set to On (default).
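
Added example (not part of any post in this thread and not cPanel's code): a small Python check that reads the `X-Outgoing-Spam-Status` header, which the reply above identifies as the outbound scan's result, compares it with the configured threshold, and reports when every scanned message carries the same score. The sample messages are constructed from the headers quoted in the first post; the function names and the at-or-above comparison are assumptions.

```python
import re
from email.parser import HeaderParser

# Constructed samples: header subsets modelled on the message quoted in the first post.
MSG_A = (
    "Message-Id: <37710f0de0422aefb6f1229709212341@www.foobar.com>\n"
    "X-Spam-Score: 100\n"
    "X-Outgoing-Spam-Status: No, score=1.7\n\n"
)
MSG_B = (
    "Message-Id: <constructed-example@www.foobar.com>\n"
    "X-Outgoing-Spam-Status: No, score=1.7\n\n"
)

STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)", re.IGNORECASE)


def outgoing_scores(raw_messages, threshold):
    """One row per message: the outbound-scan score and how it compares to threshold."""
    rows = []
    for raw in raw_messages:
        msg = HeaderParser().parsestr(raw)
        m = STATUS_RE.match((msg.get("X-Outgoing-Spam-Status") or "").strip())
        rows.append({
            "message_id": msg.get("Message-Id"),
            "outgoing_score": float(m.group(2)) if m else None,  # None: header absent
            # Assumption: a score equal to the threshold counts as over it.
            "over_threshold": bool(m) and float(m.group(2)) >= threshold,
            # Shown for comparison only; this is not the outbound scan's score.
            "x_spam_score": msg.get("X-Spam-Score"),
        })
    return rows


def constant_score(rows):
    """Return the score if every scanned message (two or more) got the same one, else None."""
    scores = [r["outgoing_score"] for r in rows if r["outgoing_score"] is not None]
    return scores[0] if len(scores) > 1 and len(set(scores)) == 1 else None
```

With the threshold of 2 from the first post, both sample messages come back with `over_threshold` false, and `constant_score` returns 1.7, matching the pattern described in the post above.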
     
  5. cPanelLauren

    That's ok! Thank you for linking it. The Outgoing Spam Score in this case still remains below the threshold of the outbound scan which you've set to 2:

    Thank you,
     
  6. cPanelLauren

    That's curious, have you tested sending a spam test like SpamAssassin: The GTUBE?


    Thank you,
     
  7. John Manning

    Ok, I copied the GTUBE string and some text explaining the test to my client into one of the form fields and sent it. The submission was logged in the database but I didn't receive an email. Did I run the test correctly? What is the expected outcome?
     
  8. cPanelLauren

    Hi @John Manning

    Can you check /var/log/exim_mainlog (you'd need to access via CLI) to see if it was sent? My assumption is that the spam score was flagged as being high and the mail was rejected.


    Thank you,
     
  9. John Manning

    I think this is the appropriate line:

    Code:
    2018-04-13 13:11:10 1f72EA-0005qm-57 F=<info@foobar.com> rejected by non-SMTP ACL: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as spam (1001.7/20)"
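
Added example (not part of the thread and not cPanel's code): a Python parser for the outbound rejection entry quoted in the post above, so that rejections in `/var/log/exim_mainlog` can be listed and counted per sender. The first sample line is the one from the post; the other two are constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# First line is the entry quoted in the post above; the other two are constructed.
SAMPLE_LOG = [
    '2018-04-13 13:11:10 1f72EA-0005qm-57 F=<info@foobar.com> rejected by non-SMTP ACL: '
    '"SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as spam (1001.7/20)"',
    '2018-04-13 13:12:01 1f72Fb-0005rT-9K <= info@foobar.com U=foobar P=local S=1234',
    '2018-04-13 13:15:42 1f72Ix-0005tB-2C F=<info@foobar.com> rejected by non-SMTP ACL: '
    '"SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as spam (35.2/20)"',
]

REJECT_RE = re.compile(
    r'^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<exim_id>\S+) '
    r'F=<(?P<sender>[^>]*)> rejected by (?P<acl>.+?) ACL: '
    r'"SpamAssassin as (?P<scanner>\S+) detected OUTGOING .*? as spam '
    r'\((?P<score>-?\d+(?:\.\d+)?)/(?P<limit>-?\d+(?:\.\d+)?)\)"'
)


def outgoing_rejections(lines):
    """Return one dict per outbound SpamAssassin rejection found in lines."""
    hits = []
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            # The two numbers are kept exactly as logged: "(score/limit)".
            hit["score"] = float(hit["score"])
            hit["limit"] = float(hit["limit"])
            hits.append(hit)
    return hits


def rejections_by_sender(lines):
    """Count outbound rejections per envelope sender."""
    return Counter(hit["sender"] for hit in outgoing_rejections(lines))


if __name__ == "__main__":
    for hit in outgoing_rejections(SAMPLE_LOG):
        print(hit["timestamp"], hit["sender"], hit["score"], "/", hit["limit"])
```

To run it against the real log, pass an open file handle for `/var/log/exim_mainlog` in place of `SAMPLE_LOG`; lines that are not outbound rejections are skipped.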
     
  10. cPanelLauren

    Hi @John Manning

    So this confirms that SpamAssassin is rejecting outbound spam mail if it meets the necessary criteria. The preferences for this are stored in the following:
    Code:
    # cat /var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs
    skip_rbl_checks 1      # No need to check our authenticated senders to see if they are in an
                           # an RBL as they likely will be.  We only care about RBLS for incoming
                           # spam scanning.
    internal_networks 0/0  # We treat all authenticated senders as internal because the ip checks
                           # are likely useless for outbound spam scanning.
    You could potentially add rules/directives here, in the same manner you would for one of your users.


    Thank you,
     
  11. John Manning

    I'm surprised that I might need to manually update preferences. I've attached a screenshot of a spam email that made it past SA with an X-Outgoing-Spam-Status of 1.7.

    Are the default rules really not able to determine that this is spam? This page on apache.org makes it sound like manual editing is only needed in extreme situations.

    Anyway, thanks for your help. Obviously I'm new to this and I appreciate your patience and time.
     


  12. cPanelLauren

    Because it's a customization (outbound spam scanning) as opposed to the inbound scanning, the same interface doesn't exist. I would strongly urge you to open a feature request using the link in my signature if further customization options for outbound spam scanning is something you'd like to see in the product. Once you open the feature request please link it here so that we can see/vote/track the progress of it!

    Thank you,
     