SOLVED CPANEL-36792 - HAS_X_OUTGOING_SPAM_STAT when Scan outgoing messages is ON

[jmginer]

Hello, in the Exim configuration if we activate the option:

Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score

This includes a header: X-OutGoing-Spam-Status

The problem is that this header is being catalogued by SpamAssassin with between 1 and 2 points depending on the configuration of the recipient.

 1.7 HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?

For example, when running mail-tester.com we have 1.5 points .

Does cPanel have a plan to fix this problem?

Thanks!

PS- At the moment we have massively deactivated the check on all our servers:

sed -i 's/^acl_outgoing_spam_scan_over_int=.*/acl_outgoing_spam_scan_over_int/' /etc/exim.conf.localopts;
sed -i 's/^no_forward_outbound_spam_over_int=.*/no_forward_outbound_spam_over_int/' /etc/exim.conf.localopts;
/scripts/buildeximconf;
/scripts/mailscannerupdate --force;
/usr/local/cpanel/scripts/restartsrv_exim;

 

[cPRex]

Hey there! Thanks for the details on this. So you're saying that just by activating the option, the presence of the header itself is increasing the spam score, no matter what content is in the message?

 

[Tony Antony]

Hey there! Thanks for the details on this. So you're saying that just by activating the option, the presence of the header itself is increasing the spam score, no matter what content is in the message?

Yes. Just activating this option adds the header and this increase the spam score. Is it possible to activate this option without adding the header?

 

[cPRex]

Interesting - let me do some testing with this and I'll post another reply here soon.

 

[cPRex]

I tested this on my end and couldn't confirm the behavior with cPanel as the recipient side. There was now X-OutGoing-Spam-Status header when I checked the full headers on my test message, although it did get scanned.

Is the recipient a non-cPanel machine in this case?

 

[jmginer]

Hello, you must have done the test incorrectly. cPanel is including 1.7 points to that rule. Obviously the sender and the recipient must be on different servers.

 1.7 HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?

Any server with updated spamassassin is including it.

You can also check it by running the mail-tester.com test.

 

[cPRex]

Me testing incorrectly is always a possibility - mail can always be tricky.

I did some additional research on this and found that SpamAssassin itself added this option last month:

svn commit: r1886129 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

and you can see the score of 1.7 applied here:

https://svn.apache.org/repos/asf/spamassassin/trunk/rulesrc/scores/72_scores.cf

What's even more interesting, is that this rule is so new, I can't find any documentation from SpamAssassin about what the intended use is, so I'm not sure how that should be behaving in a normal system.

It might be worth asking the SpamAssassin forums directly at SpamAssassin for more details, as I'm not finding much about this with my current searches.

 

[jmginer]

I can tell you, a trick that spammers use is to introduce a header that indicates that the mail is not spam, in this way the antispam see that header and deliver the mail to the inbox without analyzing it.

 

[Tony Antony]

What is the use of the header HAS_X_OUTGOING_SPAM_STAT? There is no way to verify the validity of the header.

Let the outgoing mail be scanned. No need to announce it with header.

 

[jmginer]

Any plan to remove this header?

 

[cPRex]

I spoke with the development manager of our email team about this and he's currently looking into the options to see how they want to handle this. I don't have any specifics, but the process has at least been started. If I hear something, I'll be sure to share that update.

 

[Ldbeaudoin]

I have multiple servers with that issue. Can we expect a fix soon or should we just disable that feature ?

 

[cPRex]

If you're seeing issues I would recommend disabling that for now while we do our investigation.

 

[KhensU]

I can verify this issue. Sent from one cpanel server with X-OutGoing-Spam-Status: No, score=1.0, and received by another with
2.6 HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan
- why trust the results?

Turning off for now.

 

[LoadFactor]

Any update on this 13 months later?

Scanning outbound mail is a significant tool in preventing spam from contact forms, yet adding that header now gets a SA score of 2.3 in a stock cPanel configuration, which causes much of our transactional messages to get classified as spam. Things you probably care about like "here's how to use your shiny new cPanel account".

The fact that the message was scanned when outbound has no significance to the recipient, so the X-OutGoing-Spam-Status header had no value in the first place. Surely there's a way to scan the message without adding a header in! I've set the score for the HAS_X_OUTGOING_SPAM_STAT rule to zero, but this doesn't solve the problem when the message is going to an account on another cPanel server.

 

[cPRex]

Any update on this 13 months later?

It looks like you may have read the date wrong as this was just opened last month :D I know, everything this year *feels* longer.......

I don't have any additional updates from my end at this point.

 

[d_t]

So, do we have to wait 13 months to solve a trivial problem?

Commenting the two add_header lines from exim.conf works fine for me.

# add_header = X-OutGoing-Spam-Status: No, score=$spam_score

Same header appears in
/usr/local/cpanel/etc/exim/acls/ACL_OUTGOING_NOTSMTP_CHECKALL_BLOCK/outgoing_spam_scan
/usr/local/cpanel/etc/exim/acls/ACL_OUTGOING_NOTSMTP_CHECKALL_BLOCK/outgoing_spam_scan_over_int
probably, used by buildexim, so these headers should also be commented/removed.

 

[cPRex]

I've talked with our email team again and they have created case CPANEL-36792 to get this resolved. It seems like they are leaning toward completely removing the header for outbound messages at this time, but I'll keep this thread updated as I get more details.

 

[LoadFactor]

It looks like you may have read the date wrong as this was just opened last month :D I know, everything this year *feels* longer.......

I swear I read that as 2020! Sorry about that.

I saw a thread about this on the SpamAssassin list and they've lowered the score a bit and are looking for more false positives before considering further adjustments.

If there's no specific reason to have the header in there, it achieves nothing.

 

[cPRex]

Update - the team is working on a fix for the header, although I'm not entirely sure what version it will be available in just yet. I'll post again once I know more.