
Emails Bypassing RBL Reject and SpamAssassin Bounce

Discussion in 'E-mail Discussion' started by DigitalEssence, Dec 6, 2018 at 3:44 AM.

  1. DigitalEssence

    DigitalEssence Active Member

    Joined:
    May 21, 2014
    Messages:
    32
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hi,

    I'm trying to reduce the amount of spam my customers are receiving and have been digging around and noticed that emails appear to be bypassing the RBL reject and SpamAssassin bounce settings in Exim.

    In Home > Service Configuration > Exim Configuration Manager > basic editor > RBLs I have the following in custom RBLs

    Origin  RBL name          DNS list                          Info URL                                      Action
    System  spamcop           bl.spamcop.net                    SpamCop.net - Blocking List (bl.spamcop.net)
    System  spamhaus          zen.spamhaus.org                  The Spamhaus Project - ZEN
    System  spamhaus_spamcop  zen.spamhaus.org, bl.spamcop.net

    and

    RBL: bl.spamcop.net
    Reject mail at SMTP time if the sender host is in the bl.spamcop.net RBL

    RBL: zen.spamhaus.org
    Reject mail at SMTP time if the sender host is in the zen.spamhaus.org RBL.

    Both set to On.

    In Filters I have

    Apache SpamAssassin™: bounce spam score threshold set to 20.

    But emails are still being received to customers accounts which have a score over 20 and are in one of the above RBLs.

    An example mail is:

    SpamAssassin Rules

    AWL -0.71 Adjusted score from AWL reputation of From: address
    BAYES_99 5.00 Bayes spam probability is 99 to 100%
    BAYES_999 1.00 Bayes spam probability is 99.9 to 100%
    DCC_CHECK 1.10 Detected as bulk mail by DCC (dcc-servers.net)
    DIGEST_MULTIPLE 0.29 Message hits more than one network digest check
    DKIM_SIGNED 0.10 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID -0.10 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU -0.10 Message has a valid DKIM or DK signature from author's domain
    HTML_FONT_LOW_CONTRAST 0.00 HTML font color similar or identical to background
    HTML_MESSAGE 0.00 HTML included in message
    KAM_LOTSOFHASH 0.25 Emails with lots of hash-like gibberish
    KAM_VERY_BLACK_DBL 5.00
    RAZOR2_CF_RANGE_51_100 1.89 Razor2 gives confidence level above 50%
    RAZOR2_CHECK 0.92 Listed in Razor2 (Vipul's Razor: home)
    SPF_PASS -0.00 SPF: sender matches SPF record
    URIBL_BLACK 20.00 Contains an URL listed in the URIBL blacklist
    URIBL_DBL_SPAM 4.50 Contains a spam URL listed in the Spamhaus DBL blocklist

    SpamAssassin Score 39.14
    SpamAssassin Auto Learn spam

    Email Header

    Code:
    Received: from port.example.org ([51.68.xx.xx]:54492)
    by my.server.name with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256)
    (Exim 4.91)
    (envelope-from <newsletter@example.com>)
    id 1gUoAV-0007aK-Oz
    for enquiries@example.tld; Thu, 06 Dec 2018 07:33:55 +0000
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=example.com;
    h=Message-ID:Date:Subject:From:Reply-To:To:MIME-Version:Content-Type:List-Unsubscribe:List-Id; i=newsletter@example.com;
    bh=SPdhvDfi2QfWReaAE3SPzo2wStU=;
    b=YVdUn9Wxa2QJHSWrqrO3Sn8GhjKVePte1xhNrdAaHHitYVAwXcayoE2WiqM67LE3dqu016TkDze0
    i2aJ8Sksuxsm9j3cIG9BbxFY9Fo4xPXudvM1LO8pzNMoAPD7p9qgPCOetbq1LhILIWCg6r1+JbvP
    1e+6fAcDQo8+LtkLwSM=
    DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=example.com;
    b=Z1RLr+7feAhn1sSPqgcQJcjwyX4cadzz5g9opiPzFDF+fSk3jyll8/UVASeH6mJvyMCcnRpCFdEQ
    I5l+OWxppYy0o0X8Ez4thi/lboPYZv5OKGiY5y+0DIBfOPmPmk2bnSZNpcGb9J4lMgyIM0WAroaj
    kEIKQLe597X9fDuQn8A=;
    Message-ID: <87c7b638b8c624ce399446eaab1878b8@example.com>
    Date: Thu, 06 Dec 2018 07:33:14 +0000
    Subject: No need to pay in advance for the fuel with your fuel card !
    From: Fuel Card <newsletter@example.com>
    Reply-To: Fuel Card <info@example.net>
    To: "enquiries@example.tld" <enquiries@example.tld>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="_=_swift_v4_1544081594_fada3c31d08731de7cf49efb2608ffa7_=_"
    X-Sender: newsletter@example.com
    X-Report-Abuse: Please report abuse for this campaign here:
    MailWizz | Please login
    X-Receiver: enquiries@example.tld
    X-Mw-Tracking-Did: 0
    X-Mw-Subscriber-Uid: aq9458j2chea1
    X-Mw-Mailer: SwiftMailer - @SWIFT_VERSION_NUMBER@
    X-Mw-Delivery-Sid: 4
    X-Mw-Customer-Uid: dk725e6ega1c5
    X-Mw-Customer-Gid: 0
    X-Mw-Campaign-Uid: oe2077he9a426
    List-Unsubscribe: <MailWizz>
    List-Id: dj838q17nwef1 <ZF_UK_CRPN1>
    Feedback-ID: oe2077he9a426:aq9458j2chea1:dj838q17nwef1:dk725e6ega1c5
    

    If I grep the message ID:

    grep 1gUoAV-0007aK-Oz /var/log/exim_mainlog

    I see:

    Code:
    2018-12-06 07:33:55.857 [29160] 1gUoAV-0007aK-Oz <= newsletter@example.com H=port.example.org [51.68.xx.xx]:54492 I=[92.68.56.62]:25 P=esmtps X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no S=20253 M8S=8 RT=0.045s id=87c7b638b8c624ce399446eaab1878b8@example.com T="No need to pay in advance for the fuel with your fuel card !" from <newsletter@example.com> for enquiries@example.tld
    2018-12-06 07:34:06.216 [29495] cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1gUoAV-0007aK-Oz
    2018-12-06 07:34:06.280 [29495] 1gUoAV-0007aK-Oz => enquiries <enquiries@example.tld> F=<newsletter@example.com> P=<newsletter@example.com> R=virtual_user T=dovecot_virtual_delivery S=21667 C="250 2.0.0 <enquiries@example.tld> YCNfDu7QCFw8cwAAn4SkQg Saved" QT=10s DT=0.056s
    2018-12-06 07:34:06.298 [29495] 1gUoAV-0007aK-Oz => |/usr/local/cpanel/bin/autorespond enquiries@example.tld /home2/customeraccount/.autorespond (enquiries@example.tld) <enquiries@example.tld> F=<newsletter@example.com> SRS=<SRS0=u8kQLu=OP=example.com=newsletter@example.tld> P=<SRS0=u8kQLu=OP=example.com=newsletter@example.tld> R=virtual_aliases_nostar T=jailed_virtual_address_pipe S=21158 QT=10s DT=0.017s
    2018-12-06 07:34:06.298 [29495] 1gUoAV-0007aK-Oz Completed QT=10s
    
    I may be totally misunderstanding this, but I would have assumed that this email should have been rejected because it was in the Spamhaus DBL blocklist, and bounced because the SpamAssassin score is above 20?

    If I can provide any further information, please shout.

    thanks.


    EDIT

    I've checked my exim_rejectlog and saw plenty of entries for both SpamCop and Spamhaus, so did some further digging and noticed that the Spamhaus DBL mentioned in the SpamAssassin Rules is not the same as the Spamhaus Zen list that is included in the default Exim configuration.

    So that explains why they aren't being rejected.

    So my only question now is why the Filter:

    Apache SpamAssassin™: bounce spam score threshold set to 20 isn't working and I'm still seeing the emails being delivered to accounts.
     
    #1 DigitalEssence, Dec 6, 2018 at 3:44 AM
    Last edited: Dec 6, 2018 at 11:56 AM
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,817
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @DigitalEssence


    A couple things:

    1:
    20 is really high; this means you're allowing mail with a spam score of 20 or lower. Personally I set mine to 2-3.

    2: I see the following in your exim_mainlog output:
    Code:
    2018-12-06 07:34:06.216 [29495] cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1gUoAV-0007aK-Oz
    
    This indicates to me that you're using MailScanner and mail isn't even being scanned by SpamAssassin; it's all being handled through MailScanner.


    There's nothing wrong with using this software, but I do want to point out that configuration for spam needs to all be handled from within the application, and it's been known to be problematic with our Exim/mail configurations.
     
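    An added Python example (not cPanel's code and not from either poster) that makes the two points above checkable from the material in this thread: it parses the SpamAssassin rule listing from post #1 to confirm the 39.14 total and to pick out the URI-based hits, and it walks exim_mainlog lines for a message id to show what path the message took. The log lines are a constructed copy modelled on the ones posted above, with placeholder addresses; the MailScanner tell-tale is the line that re-injects the message with `-C /etc/exim_outgoing.conf` from `/var/spool/MailScanner/incoming`, which is the point Lauren makes in post #2.

```python
import re

# Constructed copy of the rule listing MailScanner reported in post #1.
SA_RULES_TEXT = """
AWL -0.71 Adjusted score from AWL reputation of From: address
BAYES_99 5.00 Bayes spam probability is 99 to 100%
BAYES_999 1.00 Bayes spam probability is 99.9 to 100%
DCC_CHECK 1.10 Detected as bulk mail by DCC (dcc-servers.net)
DIGEST_MULTIPLE 0.29 Message hits more than one network digest check
DKIM_SIGNED 0.10 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.10 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.10 Message has a valid DKIM or DK signature from author's domain
HTML_FONT_LOW_CONTRAST 0.00 HTML font color similar or identical to background
HTML_MESSAGE 0.00 HTML included in message
KAM_LOTSOFHASH 0.25 Emails with lots of hash-like gibberish
KAM_VERY_BLACK_DBL 5.00
RAZOR2_CF_RANGE_51_100 1.89 Razor2 gives confidence level above 50%
RAZOR2_CHECK 0.92 Listed in Razor2 (Vipul's Razor: home)
SPF_PASS -0.00 SPF: sender matches SPF record
URIBL_BLACK 20.00 Contains an URL listed in the URIBL blacklist
URIBL_DBL_SPAM 4.50 Contains a spam URL listed in the Spamhaus DBL blocklist
"""

# Constructed exim_mainlog excerpt modelled on post #1 (RFC 5737 addresses,
# RFC 2606 names); the last line is an unrelated message to show filtering.
EXIM_MAINLOG = """
2018-12-06 07:33:55.857 [29160] 1gUoAV-0007aK-Oz <= newsletter@example.com H=port.example.org [192.0.2.10]:54492 P=esmtps S=20253 T="No need to pay in advance for the fuel with your fuel card !" from <newsletter@example.com> for enquiries@example.tld
2018-12-06 07:34:06.216 [29495] cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1gUoAV-0007aK-Oz
2018-12-06 07:34:06.280 [29495] 1gUoAV-0007aK-Oz => enquiries <enquiries@example.tld> F=<newsletter@example.com> R=virtual_user T=dovecot_virtual_delivery S=21667 QT=10s DT=0.056s
2018-12-06 07:34:06.298 [29495] 1gUoAV-0007aK-Oz => |/usr/local/cpanel/bin/autorespond enquiries@example.tld <enquiries@example.tld> F=<newsletter@example.com> R=virtual_aliases_nostar T=jailed_virtual_address_pipe S=21158 QT=10s DT=0.017s
2018-12-06 07:34:06.298 [29495] 1gUoAV-0007aK-Oz Completed QT=10s
2018-12-06 07:35:00.000 [29600] 1gUoAW-0007aL-Qx <= other@example.org H=mx.example.org [198.51.100.7]:1234 P=esmtps S=1200 from <other@example.org> for someone@example.tld
"""

# A rule line is RULE_NAME, a signed decimal score, then an optional description.
RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)\b(.*)$")
TRANSPORT_RE = re.compile(r" T=(\S+)")


def parse_sa_rules(text):
    """Return [(rule, score, description)] for every rule line in the listing."""
    hits = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            hits.append((m.group(1), float(m.group(2)), m.group(3).strip()))
    return hits


def total_score(hits):
    return round(sum(score for _, score, _ in hits), 2)


def uri_based_hits(hits):
    """Rules that fired on domains in the body (URIBL_*), not on the connecting IP."""
    return [name for name, _, _ in hits if name.startswith("URIBL_")]


def exceeds_threshold(score, threshold):
    return score >= threshold


def trace_message(log_text, msg_id):
    """Follow one message id through exim_mainlog: reception, MailScanner
    re-injection, per-recipient transports and completion."""
    trace = {"received": False, "mailscanner_reinjected": False,
             "transports": [], "completed": False}
    for line in log_text.splitlines():
        if msg_id not in line:
            continue
        if f"{msg_id} <= " in line:
            trace["received"] = True
        elif f"{msg_id} => " in line:
            m = TRANSPORT_RE.search(line)
            if m:
                trace["transports"].append(m.group(1))
        elif "cwd=/var/spool/MailScanner/incoming" in line and "-C /etc/exim_outgoing.conf" in line:
            trace["mailscanner_reinjected"] = True
        elif f"{msg_id} Completed" in line:
            trace["completed"] = True
    return trace


if __name__ == "__main__":
    hits = parse_sa_rules(SA_RULES_TEXT)
    score = total_score(hits)
    print(f"{len(hits)} rules hit, total {score}, URI-based: {uri_based_hits(hits)}")
    print(f"over bounce threshold 20: {exceeds_threshold(score, 20)}")
    trace = trace_message(EXIM_MAINLOG, "1gUoAV-0007aK-Oz")
    print(f"delivery path: {trace}")
    if trace["mailscanner_reinjected"]:
        print("message was re-injected by MailScanner; Exim's own SpamAssassin ACL did not decide its fate")
```

The two URIBL_* rules alone account for 24.5 of the 39.14 points, and both are hits on domains in the message body, which is the distinction the EDIT in post #1 arrives at: a content-time domain lookup is not the connect-time IP lookup that the Exim RBL setting performs.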
  3. DigitalEssence

    DigitalEssence Active Member

    Joined:
    May 21, 2014
    Messages:
    32
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hi Lauren,

    thanks for your reply.

    1) In MailScanner, legitimate emails can have a score up to about 5 or 6, so 20 is a good threshold for high-probability spam.
    2) Doh! Yes, I'm using MailScanner. But I thought that used SpamAssassin, hence me using that threshold setting.

    Let me go off and do some checking. Looks like that's the reason.

    I've actually been able to reduce the spam by adding a couple of extra RBLs. I've added Barracuda, SEM Fresh from Spameatingmonkey (gotta love the name) and URIBL, but this one isn't working yet. I used multi.uribl.com but that may be the wrong address.

    So far this has had a great impact on spam which hopefully should keep my customers happy.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,817
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @DigitalEssence

    If you're using the scores we use (1, 2, 3, etc.), that's really, really high; it's equal to 200. SpamAssassin's actual score for our 2 is 20 (based on the scoring in the header). I'm really not sure if that's how MailScanner does it or not. The RBLs will be great because they reject/accept at SMTP time before MailScanner or anything else has a chance to process. The only one you want to be careful with, in my experience, is Barracuda, as they tend to be overly cautious and I ended up with a lot of false positives.
     
  5. DigitalEssence

    DigitalEssence Active Member

    Joined:
    May 21, 2014
    Messages:
    32
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Thanks Lauren,

    I'm going to disable the bouncing based on the SA score as it seems that MailScanner is scoring these differently.

    I do though have an issue with emails listed on the URIBL not being blocked.

    I've got multi.uribl.com in my list of custom RBLs and then Custom RBL: URIBL [?] set to On, but emails are still being received.

    There's also no sign of URIBL in the exim_reject log either.

    MailScanner is showing me the following SpamAssassin Score:

    URIBL_BLACK 20.00 Contains an URL listed in the URIBL blacklist

    And I see the following in the header:

    Code:
    Received: from mta53.mhmail.co.uk ([78.129.159.18]:52650)
       by hostname.domainname.net with esmtp (Exim 4.91)
       (envelope-from <rp-263798.53.2499506@mediaoctopusllp.co.uk>)
       id 1gWKeK-00087L-Qf
       for email@customeremail.co.uk; Mon, 10 Dec 2018 12:27:00 +0000
    If I look up this URL at URIBL.COM - Realtime URI Blacklist it shows as listed.

    I'd quite like to get this resolved, as URIBL has a 100% hit rate for spam senders so seems pretty robust. All of the other RBLs I've added to Exim Configuration Manager » Manage Custom RBLs are working and showing in the reject log except for URIBL.
     
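    An added Python example (not cPanel's code and not from either poster) showing how the two kinds of DNS blocklist mentioned in this thread are queried, which is the background a defender needs for the URIBL question above: Zen and SpamCop are keyed on the connecting IP address (octets reversed under the zone), while Spamhaus DBL and URIBL's multi.uribl.com are keyed on domain names taken from URLs in the message, so a connect-time sender-host check has nothing to ask a domain-keyed zone. The Received: line and message body are constructed placeholders (RFC 5737 / RFC 2606) shaped like post #5; no DNS is queried, the code only builds the query names and interprets a hypothetical answer.

```python
import ipaddress
import re

# Classification of the zones named in this thread.
IP_KEYED_ZONES = {"zen.spamhaus.org", "bl.spamcop.net"}
DOMAIN_KEYED_ZONES = {"dbl.spamhaus.org", "multi.uribl.com"}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Exim writes the connecting address as "([1.2.3.4]:port)" in Received:.
RECEIVED_IP_RE = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ip_query_name(ip, zone):
    """Query name for an IP-keyed DNSBL: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything else
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def domain_query_name(hostname, zone):
    """Query name for a domain-keyed list: the host, then the zone.
    Simplification: real clients reduce the host to its registrable domain first."""
    return f"{hostname.lower().rstrip('.')}.{zone}"


def connecting_ip(received_header):
    m = RECEIVED_IP_RE.search(received_header)
    return m.group(1) if m else None


def smtp_time_lookups(received_header, zones):
    """What a sender-host RBL check (Exim's dnslists on the connecting IP) can
    ask for each zone. Domain-keyed zones get None: at connect time there is
    only an IP address, and these zones are not keyed on IP addresses."""
    ip = connecting_ip(received_header)
    return {zone: ip_query_name(ip, zone) if zone in IP_KEYED_ZONES and ip else None
            for zone in zones}


def uri_lookups(body, zones):
    """What a content scanner (SpamAssassin's URIBL plugin, MailScanner) asks:
    one query per distinct URL host for each domain-keyed zone."""
    hosts = sorted({h.lower() for h in URL_HOST_RE.findall(body)})
    return {zone: [domain_query_name(h, zone) for h in hosts]
            for zone in zones if zone in DOMAIN_KEYED_ZONES}


def is_listed(answer):
    """Blocklists answer a listed name with an A record inside 127.0.0.0/8;
    NXDOMAIN (None here) means not listed."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Constructed sample data.
SAMPLE_RECEIVED = ("Received: from mta.example.net ([192.0.2.10]:52650) "
                   "by host.example.org with esmtp (Exim 4.91)")
SAMPLE_BODY = "Special offer: http://www.example.com/fuel-card and https://promo.example.org/x"

if __name__ == "__main__":
    zones = ["zen.spamhaus.org", "bl.spamcop.net", "multi.uribl.com"]
    for zone, q in smtp_time_lookups(SAMPLE_RECEIVED, zones).items():
        print(f"{zone:18} connect-time query: {q or 'n/a (domain-keyed zone)'}")
    for zone, qs in uri_lookups(SAMPLE_BODY, zones).items():
        print(f"{zone:18} content-scan queries: {qs}")
    print("listed:", is_listed("127.0.0.2"), "not listed:", is_listed(None))
```

Run against the sample, the connect-time table shows a reversed-octet name for the two IP-keyed zones and nothing for multi.uribl.com, while the content-scan table shows one name per URL host under multi.uribl.com; that is why a URIBL hit surfaces as the URIBL_BLACK rule inside the SpamAssassin score rather than as an entry in exim_rejectlog.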
  6. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,817
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider