Pending Publication [CPANEL-26054] SpamAssassin forwards locally delivered SPAM

Discussion in 'General Discussion' started by LBJ, Mar 6, 2019.

  1. LBJ

    LBJ Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    82
    Likes Received:
    4
    Trophy Points:
    158
    G'day All,

    I can never find an obvious place to lodge bug reports other than by raising a support ticket, so I'll try it here.

    On all our 76.0.20 servers, the option to scan outgoing and forwarded email is not detecting definite spam created on-server and sent to an external address via a forwarder.

    Only email sent directly to an external address is being correctly handled.

    This makes it very easy to spam from a compromised account on cPanel servers.


    Steps to reproduce:

    1. Enable the following Exim options...

    Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score

    Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score

    2. Generate a spam message from the server (PHP mailto() for example) to a forwarder pointing to an external address. Use the SpamAssassin GTUBE string for spam.

    The spam will be delivered without issue.

    Outgoing spam is only blocked if sent directly to the external address. Using a forwarder completely bypasses the security.

    Best regards,

    LBJ
     
    akust0m likes this.
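An added example, not part of the original post: a log audit an administrator could run to find mail that took the path described above (submitted on the server, then redirected by a forwarder to an external address). It assumes the standard Exim main-log line layout; the sample lines are constructed, and the router and transport names in them are assumptions.

```python
import re

# Constructed Exim main-log lines (IDs, hosts and addresses are made up; the
# router/transport names are assumed and may differ on a given server).
SAMPLE_LOG = """\
2019-03-06 10:00:01 1h1AAA-0001aa-01 <= webuser@host.example.net U=webuser P=local S=812
2019-03-06 10:00:02 1h1AAA-0001aa-01 => ext@remote.example.org <contact@site.example.com> R=dkim_lookuphost T=dkim_remote_smtp H=mx.remote.example.org [203.0.113.5]
2019-03-06 10:05:01 1h1BBB-0001bb-02 <= webuser@host.example.net U=webuser P=local S=640
2019-03-06 10:05:02 1h1BBB-0001bb-02 => ext@remote.example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.remote.example.org [203.0.113.5]
2019-03-06 10:06:01 1h1CCC-0001cc-03 <= sender@elsewhere.example H=mail.elsewhere.example [198.51.100.7] P=esmtp S=1500
2019-03-06 10:06:02 1h1CCC-0001cc-03 => ext@remote.example.org <contact@site.example.com> R=dkim_lookuphost T=dkim_remote_smtp H=mx.remote.example.org [203.0.113.5]
2019-03-06 10:07:01 1h1DDD-0001dd-04 <= webuser@host.example.net U=webuser P=local S=700
2019-03-06 10:07:02 1h1DDD-0001dd-04 => info <info@site.example.com> R=virtual_user T=dovecot_virtual_delivery
"""

# "<=" arrival line: P=local marks a message submitted on the server itself.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*\bP=(?P<proto>\S+)")
# "=>" / "->" delivery line: "final <original>" is logged when the address was redirected.
DELIVERY = re.compile(
    r"^\S+ \S+ (?P<id>\S+) [=-]> (?P<final>\S+) <(?P<orig>[^>]+)> .*\bT=(?P<transport>\S+)")


def forwarded_local_mail(log_text):
    """Return (msg_id, sender, forwarder, external_rcpt) for locally submitted
    messages that a forwarder redirected out over a remote SMTP transport."""
    local_senders = {}  # message id -> envelope sender, local submissions only
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            if m["proto"] == "local":
                local_senders[m["id"]] = m["sender"]
            continue
        m = DELIVERY.match(line)
        if not m or m["id"] not in local_senders:
            continue  # not a redirected delivery, or message arrived over SMTP
        if "remote_smtp" not in m["transport"]:
            continue  # delivered to a local mailbox, never left the server
        if m["final"].lower() != m["orig"].lower():
            hits.append((m["id"], local_senders[m["id"]], m["orig"], m["final"]))
    return hits


if __name__ == "__main__":
    for hit in forwarded_local_mail(SAMPLE_LOG):
        print("local submission forwarded externally:", *hit)
```

Only the first constructed message is reported; the direct external send, the forwarded message that arrived over SMTP, and the local mailbox delivery are ignored.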
  2. LBJ

    Confirmed bug and case submitted to cPanel developers as CPANEL-26054.

    Best regards,

    LBJ
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,991
    Likes Received:
    2,122
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hi @LBJ,

    As you noted, internal case CPANEL-26054 was opened to report an issue where the option to scan outgoing and forwarded email is not detecting definite SPAM created on-server and sent to an external address via a forwarder. I'll monitor this case and update this thread with more information on its status as it becomes available.

    Thank you.
     
  4. LBJ

    G'day Michael,

    Is there any update on this, or at least a likely time-frame?

    We're still forced to add complex code to fully block webform spam where users have opted to email out via a configured forwarder to an external email address.

    Best regards,

    LBJ
     
  5. cPanelMichael

    Hello @LBJ,

    This case is fixed in cPanel & WHM version 82 (this version is not yet available to the public). You should see this version published to the EDGE release tier some time after version 80 reaches STABLE.

    Thank you.
     
  6. LBJ

    G'day Michael,

    Thanks very much for that.

    Best regards,

    LBJ
     
    cPanelMichael likes this.