SOLVED [CPANEL-20345] eximstats_spam_check cron job always sends root notification

swbrains

Well-Known Member
Sep 13, 2006
202
27
178
Hi, I have checked in WHM contact manager, and this notification is set to disabled, yet I receive several of them every day (I have one legitimate customer who sends a lot of emails throughout the day). Still I'd like to disable it (or be able to configure it to a higher threshold). But why does it still send the notification if I've disabled it?screencapture_000481.png
 

63bus

Active Member
Mar 31, 2007
35
0
156
Yes, disabling the above turned off one message but I'm getting the email below all the time since my site sends out tons of legitimate email.

warn [eximstats_spam_check] The system has detected an unusually large amount of outbound email. The following sender(s) may be sending spam: <removed>
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello @63bus and @swbrains,

There's an internal case (CPANEL-20345) open to address an issue where the server's root contact email address receives a notification from crond when eximstats_spam_check runs as part of the following root cron job:

5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1

This is independent of the Large Amount of Outbound Email Detected notification type. It's tentatively planned for inclusion with cPanel & WHM version 74.

In the meantime, one workaround is to setup an email filter for the email account that receives root notifications with a rule that delete emails matching the contents of the subject or message body. Then, once the case is published, remove the email filter.

Thank you.

Edit: CPANEL-20345 is now scheduled for inclusion with cPanel & WHM version 74.
 
Last edited:

swbrains

Well-Known Member
Sep 13, 2006
202
27
178
Thanks. Did this change recently? I checked my trash (where these are being filtered) and these notifications only started as of 3/29/2018.

Oh great. I just mistyped crontab -r instead of crontab -e and deleted my crontab file. Now I have bigger problems. Why does crontab -r NOT prompt for confirmation, especially since the E and R keys are right next to each other on the keyboard?

Any ideas how to locate a backup of this file or regenerate a default crontab file?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Thanks. Did this change recently? I checked my trash (where these are being filtered) and these notifications only started as of 3/29/2018.
Yes, the following case was included in the most recent cPanel & WHM version 68 build:

Fixed case CPANEL-19455: New crontab breaking update on upgrade.

This added the cron job on systems where it was missing.

Any ideas how to locate a backup of this file or regenerate a default crontab file?
Here's the default root crontab for cPanel & WHM version 68:

Code:
0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
@reboot /usr/local/cpanel/bin/onboot_handler
26 22 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
12 3 * * * /usr/local/cpanel/scripts/upcp --cron
0 1 * * * /usr/local/cpanel/scripts/cpbackup
0 2 * * * /usr/local/cpanel/bin/backup
35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
45 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache
30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
30 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1
09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
8,23,38,53 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
> X where x is some adjustibla limit.
Hello @dfkern

We plan to expand upon this feature in cPanel & WHM version 72 by adding the Number of unique recipients per hour to trigger potential spammer notification. option in the Mail tab of WHM >> Home >> Server Configuration >> Tweak Settings. This setting will allow you to specify the number of emails that any account may send in one hour before the system sends an alert notification.

Thank you.
 

petersphilo

Member
Nov 14, 2016
22
6
3
Paris
cPanel Access Level
Reseller Owner
In the meantime, one workaround to disable these notifications would be to modify this root cron job with the "crontab -e" command so that it's configured to only run once per year.
Sorry for reviving this thread..
One of the servers i manage is running WHM 70.x, and sends somewhat large mailers a couple of times a week, so this notification is driving me bonkers...
if i simply remove the line below from the root cron file, will it be re-added by the updater once the server is updated to v72.x (where it is allegedly fixed)?
Code:
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
Also, does this command perform other kinds of checks?
if so, i don't want to give up any chance of catching illicit spam behavior..

Thank you!
 
  • Like
Reactions: kamm

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello @petersphilo,

Can you verify that Large Amount of Outbound Email Detected is set to Disabled under the Notifications tab in WHM >> Contact Manager? That's the supported method of disabling the notification.

The issue referenced on this thread (CPANEL-19455) isn't regarding the notification itself, but instead relates to the
eximstats_spam_check cron job using the warning output instead of the info output. Rather than modifying the cron job itself, a better approach is to simply setup a temporary email filter that deletes this particular email for your email account that receives root notifications. Then, once the case is published, remove the email filter. I've modified the earlier post to reflect this workaround instead of the cron job modification steps.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello @JanKrohn,

A request to backport internal case CPANEL-20345 into cPanel & WHM version 72 is still open at this time, but at the moment it's currently scheduled for inclusion with cPanel & WHM version 74. I've modified the earlier response to reflect this, and I'll update this thread again if that changes. In the meantime, the recommended workaround is to setup an email filter for the email account that receives root notifications with a rule that delete emails matching the contents of the subject or message body. Then, once the case is published, remove the email filter.

Thank you.