MaRiOsGR66

Well-Known Member
Feb 18, 2011
111
1
68
cPanel Access Level
Root Administrator
I've notices lately many bounce emails which actually have the message:
SMTP error from remote mail server after end of data:
421-4.7.0 [ IP 15] Our system has detected that this message is
421-4.7.0 suspicious due to the very low reputation of the sending IP address.
421-4.7.0 To protect our users from spam, mail sent from your IP address has
421-4.7.0 been temporarily rate limited. Please visit
421 4.7.0 Why has Gmail blocked my messages? - Gmail Help for more information. m21si7321721wrb.455 - gsmtp

H=(csrd.com) [114.234.57.84]:1756 Warning: Message has been scanned: no virus or other harmful content was found
<= [email protected] H=(removed.com) [114.234.57.84]:1756 P=esmtp S=1792 T="Re: New refitting business to make your turnover increasing 30% in 1 month" for [email protected]
SMTP connection identification D=mycustomersdomain.gr [email protected] [email protected] M=1ehF5X-001yUB-Pz U=magrizos ID=1323 B=redirect_resolver
Sender identification U=magrizos D=mycustomersdomain.gr [email protected]
SMTP connection outbound 1517492380 1ehF5X-001yUB-Pz mycustomersdomain.gr [email protected]

So a customer of mine, with the email account [email protected] has setup a forwarding email to a gmail account [email protected]

The above email is ofcourse spam and gmail is responding to that.
If I check in the cPanel -> Track Delivery -> Show Deferred I can see many many emails like that, all spam that recieve SMTP error from google.

The REAL problem here is that wondered , if I'm I've setup many RBL's what does spam get through ? so I did check the ip of the spam email: H=(removed.com) [114.234.57.84]
and it is blacklisted in many RBLs including CBL and Spamhaus where I allready use in this server,
so why did the spam got through ?

So if I change to cPanel -> Track Delivery -> Show Failures
I can see that the email above was allready rejected!!!!:
[email protected] Feb 1, 2018 3:38:15 PM 0 [email protected] JunkMail rejected - (csrd.com) [49.68.127.146]:1048 is in an RBL: Client host blocked using Barracuda Reputation, see BarracudaCentral.org - Technical Insight for Security Pros

So the real problem here is that if a spam is received and it's ip exist in one of the blacklists,
the local email user will not get that email, but if that local email user has a forwarding email setup, the spam email will be forwarded, thats getting the server's ip reputation to a terrible place.

How can I fix that ?
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
So the real problem here is that if a spam is received and it's ip exist in one of the blacklists,
the local email user will not get that email, but if that local email user has a forwarding email setup, the spam email will be forwarded, thats getting the server's ip reputation to a terrible place.

How can I fix that ?
Hello,

The following options are available under the "Apache SpamAssassin Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" and can help protect against the situation you have described:

Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score

Note the description for both options:

This option requires that each user enable Apache SpamAssassin™ or the “Apache SpamAssassin™: Forced Global ON” is enabled.

Thank you.
 

MaRiOsGR66

Well-Known Member
Feb 18, 2011
111
1
68
cPanel Access Level
Root Administrator
So this solution wouldn't be a solution, because the existence in an RBL that is installed in the server is 100% guaranteed block of the spam email, but using spamassasin isn't.
 

MaRiOsGR66

Well-Known Member
Feb 18, 2011
111
1
68
cPanel Access Level
Root Administrator
I did try to enable both options (after enabling Spamassassin for the previous mentioned account)
but only the first one is...available.
Any idea why ?

cpanel_spamassassin_forward.png
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello,

You can only use one or the other. Both options do the same thing, but one uses the internal spam_score setting and the other allows you to define a specific SPAM score (so you can be more aggressive or conservative when blocking outgoing SPAM specifically sent via forwarders).

Thank you.