Configure SpamAssassin to block outgoing form mail

jnyr5478

Active Member
Jun 23, 2017
25
6
3
USA
cPanel Access Level
Root Administrator
  • CENTOS 7.4
  • WHM v68.0.36
  • PHP 7.0.29

The site that I'm working on (foobar.com) uses PHP Mail to send emails via a front-end contact form. Only an A record is pointed to this server, so MX records do not come into play as far as I know.

Emails are sent using a from address of [email protected] and are sent to addresses on external domains.

I would like to configure SpamAssassin to prevent outgoing spam emails. So far, I've done the following in WHM > Exim Configuration Manager.

ACL:
  • Apache SpamAssassin reject spam score threshold - 1
Apache SpamAssassin Options:
  • Apache SpamAssassin: Forced Global ON - enabled
  • Scan outgoing messages for spam and reject based on defined Apache SpamAssassin score - 2
  • Do not forward mail to external recipients based on the defined Apache SpamAssassin score - 2
These settings seem to have some effect. All emails are logged in the database, and I can see that some are actually being blocked. However, we're still receiving emails that contain X-Spam-Scores that seem far outside of the acceptable range. Here's a recent example:

Code:
X-Spf-Status: internal_error
X-Spam-Score: 100
X-Ms-Exchange-Organization-Authas: Anonymous
X-Authenticated-Sender: host.foobar.com: [email protected]
Spam-Stopper-V2: Yes
Return-Path: [email protected]
X-Outgoing-Spam-Status: No, score=1.7
X-Php-Script: www.foobar.com/index.php for 146.185.223.45
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - host.foobar.com
X-Antiabuse: Original Domain - myagencydomain.com
X-Antiabuse: Originator/Caller UID/GID - [1004 994] / [47 12]
X-Antiabuse: Sender Address Domain - foobar.com
X-Rdns-Status: pass
X-Cmae-Analysis: v=2.2 cv=KdiiiUQD c=1 sm=1 tr=0 p=vunVSMQuAAAA:8 a=RlVqcaIcYrwspz6jv1/UUQ==:117 a=RlVqcaIcYrwspz6jv1/UUQ==:17 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=IkcTkHD0fZMA:10 a=00susGKmFCUA:10 a=QG2GU6Tx0C0A:10 a=MuaeFusq_UQA:10 a=Kd1tUaAdevIA:10 a=voaReoZHVQIA:10 a=W0xnywqEAAAA:8 a=9Dx8fhRWlIe3BX9u-PUA:9 a=IvN1vS8p1NYsI4Zn:21 a=xwIu7TnLqA44iwvY:21 a=ebssT2Pg4LZiMCej:21 a=QEXdDO2ut3YA:10 a=kvi-aVvvx00A:10 a=k0ykbI1PaL3kEB8atyas:22 a=SsrFxdC4mYw4ZYkWcDDW:22
X-Aes-Category: SPAM
X-Spam-Reasons: Cause=gggruggvucftvghtrhhoucdtuddrgedtgedriedvgdektdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucdtuddrgedtgedrtddtpdfkpffvgfftoffgfffktedpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepvffufffhkfggtgeshhdtjhdttddtjeenucfhrhhomhepjfgftffuvfculfgrfihsuchofhcunfhifhgvuceoihhnfhhosehjrgifshhofhhlihhfvgdrtghomheqnecuffhomhgrihhnpehoughlvghtvhdrrhhupdhrrhgrthhinhhghihfuhdrrhhunecukfhppeeigedrledurddvgeehrddvudehnecuvehluhhsthgvrhfuihiivgeptd To=Darth Vader <[email protected]>    From=Foo Bar <[email protected]>
X-Source-Args: php-fpm: pool foobar_com                             
Message-Id: <[email protected]>
X-Spam-Category: LEGIT
Mime-Version: 1.0
X-Php-Originating-Script: 1004:class.phpmailer.php
In the above example, the X-Spam-Score is 100, which is above the threshold of 20 (2x10). Have I misconfigured something, missed something entirely, or am I just not understanding what's going on?

Thanks!
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Hi @John Manning

There are actually two assigned spam scores, one when you receive the email locally and one that is assigned to it when it's scanned outbound.

In this case Spam Score:

X-Spam-Score: 100

refers to the score assigned on delivery to the server.

The score that is being assigned to the server when it is sent is the Outgoing Spam Score which in this case is below the threshold of 2:


X-Outgoing-Spam-Status: No, score=1.7


So with a spam score of 1.7 SpamAssassin isn't seeing this email as spam and sends it.

Thank you,



 

jnyr5478

For some reason I can't edit my original post, but just wanted to mention that this reply specifically mentions the "Scan for outgoing messages..." setting, which is why I thought I was on the right track.
 

jnyr5478

Thanks @cPanelLauren. Somehow, all of the email that I'm receiving from this contact form has the same X-Outgoing-Spam-Status score of 1.7. I have submitted tests that have been scored 1.7. Legitimate submissions from other users have also received a 1.7. Even the emails that are very obviously spam have all received a 1.7.

Does this have to do with the "Enable the Apache SpamAssassin™ ruleset that cPanel uses on cpanel.net" setting? It's currently set to On (default).
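
The distinction drawn above between the two headers, and the observation that every form submission carries the same outbound score, as an added example (not part of the original posts and not cPanel code). It reads `X-Spam-Score` and `X-Outgoing-Spam-Status` separately, applies the outbound threshold of 2 only to the latter, and reports when a batch of messages all share one outbound score. The function names and the at-or-above comparison are assumptions.

```python
# Added example: not from the forum thread or from cPanel.
import re
from email import message_from_string

OUTBOUND_THRESHOLD = 2.0  # the "Scan outgoing messages ..." value from the first post

# Constructed sample: a subset of the headers quoted in the thread.
SAMPLE = """\
X-Spam-Score: 100
X-Outgoing-Spam-Status: No, score=1.7
X-Spam-Category: LEGIT

body
"""

NUMBER = r"(-?\d+(?:\.\d+)?)"


def _num(value, pattern):
    """Extract a float from a header value, or None if absent/unparsable."""
    m = re.search(pattern, value or "")
    return float(m.group(1)) if m else None


def scores(raw):
    """Return (receiver_score, outbound_score) for one raw message."""
    msg = message_from_string(raw)
    receiver = _num(msg["X-Spam-Score"], r"^\s*" + NUMBER)               # added on delivery
    outbound = _num(msg["X-Outgoing-Spam-Status"], r"score=" + NUMBER)   # added by the sender
    return receiver, outbound


def outbound_verdict(raw, threshold=OUTBOUND_THRESHOLD):
    """Decide from the sending server's score only; the receiver's score is ignored."""
    _, outbound = scores(raw)
    if outbound is None:
        return "not-scanned"
    # Assumption: a score at or above the threshold is rejected.
    return "reject" if outbound >= threshold else "send"


def constant_outbound_score(raw_messages):
    """Return the shared outbound score if all scanned messages got the same one, else None."""
    seen = {scores(r)[1] for r in raw_messages}
    seen.discard(None)
    return seen.pop() if len(seen) == 1 and len(raw_messages) > 1 else None
```

A non-`None` result from `constant_outbound_score` over clearly different messages is a cue to send a known test message and check the mail log, as the replies below go on to do.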
 

cPanelLauren

That's ok! Thank you for linking it. The Outgoing Spam Score in this case still remains below the threshold of the outbound scan, which you've set to 2:

  • Scan outgoing messages for spam and reject based on defined Apache SpamAssassin score - 2
  • Do not forward mail to external recipients based on the defined Apache SpamAssassin score - 2
Thank you,
 

cPanelLauren

Somehow, all of the email that I'm receiving from this contact form has the same X-Outgoing-Spam-Status score of 1.7. I have submitted tests that have been scored 1.7. Legitimate submissions from other users have also received a 1.7. Even the emails that are very obviously spam have all received a 1.7.
That's curious. Have you tested sending a spam test like SpamAssassin: The GTUBE?


Thank you,
 

cPanelLauren

Hi @John Manning

Can you check /var/log/exim_mainlog (you'd need to access via CLI) to see if it was sent? My assumption is that the spam score was flagged as being high and the mail was rejected.


Thank you,
 

cPanelLauren

Hi @John Manning

So this confirms that SpamAssassin is rejecting outbound spam mail if it meets the necessary criteria. The preferences for this are stored in the following:
Code:
# cat /var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs
skip_rbl_checks 1      # No need to check our authenticated senders to see if they are in an
                       # an RBL as they likely will be.  We only care about RBLS for incoming
                       # spam scanning.
internal_networks 0/0  # We treat all authenticated senders as internal because the ip checks
                       # are likely useless for outbound spam scanning.
You could potentially add rules/directives here, in the same manner you would for one of your users.


Thank you,
 

jnyr5478

I'm surprised that I might need to manually update preferences. I've attached a screenshot of a spam email that made it past SA with an X-Outgoing-Spam-Status of 1.7.

Are the default rules really not able to determine that this is spam? This page on apache.org makes it sound like manual editing is only needed in extreme situations.

Anyway, thanks for your help. Obviously I'm new to this and I appreciate your patience and time.
 

cPanelLauren

Because it's a customization (outbound spam scanning) as opposed to the inbound scanning, the same interface doesn't exist. I would strongly urge you to open a feature request using the link in my signature if further customization options for outbound spam scanning is something you'd like to see in the product. Once you open the feature request please link it here so that we can see/vote/track the progress of it!

Thank you,