"Do not forward email to external recipients" for SpamAssassin score over X

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello :)

Our documentation elaborates some more on these options:

Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
This option allows Apache SpamAssassin to scan and reject messages in the forwarder queue which have a higher spam score than Apache SpamAssassin's internal spam_score setting of 5. This option is disabled by default.
Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score
This option allows you to set the spam_score threshold that Apache SpamAssassin will use to determine whether it will reject messages forwarded to non-local domains. This option is disabled by default. To enable this option, select the empty text box and enter the number for Apache SpamAssassin to use as a minimum spam score for forwarded mail. The number that you enter must be between 0.1 and 99.9 , and can use up to two decimal places.
To clarify, are you asking if email is forwarded to multiple addresses (local and external), if it still delivers to the local forwarded address? Could you setup a scenario like this in a test account and let me know the steps I can take to reproduce the issue?

Thank you.
 

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
Thanks Michael

I looked for that documentation this morning, and nearly found it. I was on the right page, but then "search within page" didn't find it because I was on the wrong tab. :(

Anyway, I've read it now, but it doesn't elaborate much beyond the tooltip help within WHM.

I'll try and set up a test case if I get a few minutes. I was asking generally about what's supposed to happen (as I assume it's implemented as you intended).

There are probably two questions rolled into one: (i) How does it fail - (a) silently, (b) at SMTP time, or (c) with a bounce message sent back after the message has been initially accepted? (ii) What happens if there are two forwarders for one address, or a forwarder for an address that also has a mailbox attached - (a) the message reaches neither recipient, (b) the message reaches the internal recipient but is not forwarded?

Those two aspects of the question play off each other. If the answer to the second part is that the internal recipient will get the message while the external forwarder will not fire, then anything other than silent failure will be problematic. You can't bounce a message saying that the email address the message was sent to has failed delivery, if it has half succeeded.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello :)

I've not been able to reliably test this behavior. Could you open a support ticket so we can test this on your environment and verify it's working as intended? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

LDHosting

Well-Known Member
Jan 19, 2008
93
2
58
cPanel Access Level
Root Administrator
Currently it seems to fire off a bounce to the sender. The message is delivered to the main recipient (or sent to the spambox/deleted based on Spamassassin settings), it is not forwarded, but a bounce is sent to the sender regarding the forward.

[email protected]
(ultimately generated from [email protected])
This mail cannot be forwarded because it was detected as spam.

Since a lot of spam messages will have spoofed sender addresses, this just creates a backscatter issue instead of a spam forwarding issue.

Ticket 6112775
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Internal case number 167765 is open to address an issue where when the new Exim option "Do not forward mail to external recipients if it matches the Apache SpamAssassinô internal spam_score setting" is enabled, email sent to a forward address which is detected as spam is bounced instead of rejected, potentially resulting in backscatter. Our development team has yet to make a decision on this case, but you can monitor our change log in the event a resolution is published:

cPanel - Change Logs

Thank you.
 

Tom Risager

Well-Known Member
Jul 10, 2012
116
6
18
Copenhagen, Denmark
cPanel Access Level
Root Administrator
Currently it seems to fire off a bounce to the sender. The message is delivered to the main recipient (or sent to the spambox/deleted based on Spamassassin settings), it is not forwarded, but a bounce is sent to the sender regarding the forward.
We were looking forward to finally being able to use Spamassassin on forwarders, but generating backscatter is no improvement. I really hope this turns out to be a design error that can be corrected.
 
Last edited:

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
... verify it's working as intended?
Sorry - it seems I wasn't clear.

I wasn't reporting that my installation wasn't working as intended. I was simply asking what is supposed to happen.

[email protected]
(ultimately generated from [email protected])
This mail cannot be forwarded because it was detected as spam.
Ouch.

The backscatter isn't the big issue there - it's privacy.

Suppose someone wishes to give out [email protected] to senders, but keep their personal gmail address private. This is currently possible. But if the bounce message you reported is what goes back to the sender, the target email addresses in the forwarders is being disclosed to the senders.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
The initially suggested resolution in this case is to ensure that an SMTP-time error is generated for this event instead of a bounce email. However, the case has not yet been investigated by our development team, so no decision has been made on the expected behavior at this time.

Thank you.
 

LDHosting

Well-Known Member
Jan 19, 2008
93
2
58
cPanel Access Level
Root Administrator
The initially suggested resolution in this case is to ensure that an SMTP-time error is generated for this event instead of a bounce email. However, the case has not yet been investigated by our development team, so no decision has been made on the expected behavior at this time.

Thank you.
By "SMTP-time error" do you mean that the message would just be rejected at SMTP time? If so, wouldn't that override the user's Spamassassin settings, for example to deliver mail to their spambox?

I could understand a reject if there was no local mailbox, but if there is both a local mailbox and a forwarder, should it not still deliver to the local mailbox and just ignore the forward?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
By "SMTP-time error" do you mean that the message would just be rejected at SMTP time? If so, wouldn't that override the user's Spamassassin settings, for example to deliver mail to their spambox?
This is in regards to email sent to a forward address which is detected as SPAM, not the local address. The forwarded message is handled separately from the local message.

Thank you.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
We were looking forward to finally being able to use Spamassassin on forwarders, but generating backscatter is no improvement. I really hope this turns out to be a design error that can be corrected.
Ouch.

The backscatter isn't the big issue there - it's privacy.

Suppose someone wishes to give out [email protected] to senders, but keep their personal gmail address private. This is currently possible. But if the bounce message you reported is what goes back to the sender, the target email addresses in the forwarders is being disclosed to the senders.
I've updated the internal case with my thoughts, but to help encourage a faster resolution, I recommend submitting a support request to further express your concerns while explicitly mentioning Case 167765. We track the number of support requests linked to internal cases and this may help influence the direction and speed at which the issue is considered.
 
  • Like
Reactions: Feemish

Feemish

Active Member
Oct 26, 2005
25
0
151
I agree with the comments above. This a real shame, been waiting for this feature for over a year!
Is there any news regarding it?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
I agree with the comments above. This a real shame, been waiting for this feature for over a year!
Is there any news regarding it?
Hello,

There's no update to report at this time. I will update this thread with more information as it becomes available.

Thank you.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
Status Update: Progress has been made with Case 167765 in that it now has a change proposed for cPanel&WHM 11.52. The proposed changes will still have to be reviewed and tested, but the issue is now much closer to resolution.

As cPanel&WHM version 11.52 is a ways out, if you have not already done so and this issue is affecting you or your business, I encourage you to submit a support request to express your concerns and thoughts while explicitly mentioning Case 167765, which may influence whether or not the resolution is back-ported to a future 11.50 update (e.g., 11.50.1.x or 11.50.2.x, etc.).