How do I prevent EXIM from sending non-delivery messages for SPAM emails

MindStar

Hi,

Since upgrading to CP 11.xxx I've noticed that EXIM is now sending replies to emails that SPAMASSASSIN has identified as SPAM. The reply email contains the original email plus the SPAM report from SPAMASSASSIN.

Question: How do I stop these "non delivery" messages being sent? I want SPAM to be silently discarded. I've configured SPAM assassin to discard emails in the CP, but they're still being sent?!?!?

FYI, here's a sample header from a reply that's currently sat in the outbound mail queue on my server.

Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    The mail server detected your message as spam and has prevented delivery (200).
------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from 81.203.11.213.dyn.user.XXXXX.com ([XXXX203.11.213] helo=XXXXXXXco.uk)
	by vps.thumbtribe.co.uk with smtp (Exim 4.66)
	(envelope-from <[email protected]>)
	id 1HnAvb-0001QS-JK
	for [email protected]; Sun, 13 May 2007 11:03:48 +0100
Message-ID: <[email protected]>
From: "Liza Pike" <[email protected]>
To: "cunningham" <[email protected]>
Subject: Or whoever larrabee
Date: Sun, 13 May 2007 12:06:43 +0200
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="windows-1252";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2962
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.1409
X-Spam-Subject: ***SPAM*** Or whoever larrabee
X-Spam-Status: Yes, score=27.1
X-Spam-Score: 271
X-Spam-Bar: +++++++++++++++++++++++++++
X-Spam-Report: Spam detection software, running on the system "XXXXXXXXX", has
	identified this incoming email as possible spam.  The original message
	has been attached to this so you can view it (if it isn't spam) or label
	similar future email.  If you have any questions, see
	the administrator of that system for details.
	Content preview:  HXPN IS MAKING GREAT PROGRESS! GET ON THIS TRAIN NOW! WATCH
	IT ON MONDAY MAY 14TH! . . . . Company: Harris Exploration Inc Symbol: HXPN
	Price: 0.50 5-day Target: $3 Rating: Strong Buy [...] 
	Content analysis details:   (27.1 points, 5.0 required)
	pts rule name              description
	---- ---------------------- --------------------------------------------------
	3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
	[score: 1.0000]
	0.0 STOX_REPLY_TYPE        STOX_REPLY_TYPE
	2.1 TVD_FINGER_02          TVD_FINGER_02
	0.2 FH_HOST_EQ_D_D_D_DB    Host is d-d-d-d
	1.2 FH_HOST_EQ_D_D_D_D     Host starts with d-d-d-d
	1.9 TVD_RCVD_IP            TVD_RCVD_IP
	2.5 STRONG_BUY             BODY: Tells you about a strong buy
	3.8 TVD_STOCK1             BODY: TVD_STOCK1
	0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
	[81.203.11.213 listed in dnsbl.sorbs.net]
	3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
	[81.203.11.213 listed in zen.spamhaus.org]
	0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
	2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	[Blocked - see <http://www.spamcop.net/bl.shtml?81.203.11.213>]
	1.0 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
	[<http://dsbl.org/listing?81.203.11.213>]
	0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
	dynamic-looking rDNS
	4.0 FM_DOESNT_SAY_STOCK    It's a stock spam but doesn't say stock
X-Spam-Flag: YES
Cheers,

Mark.
 

tweakservers

The following lines exist in /etc/cpanel_exim_system_filter, which cause the bounce back:

if ($h_X-Spam-Score: does not begin "-" and $h_X-Spam-Score: is not "" and $h_X-Spam-Score: is above 200)
then
fail text "The mail server detected your message as spam and has prevented delivery (200)."
endif
Remove the above lines and it should be alright for you.
 

sparek-3

If you are running cPanel 11, try logging into the WHM and using the Exim Configuration Editor link.

You probably have:

Enable System filter option: fail_spam_score_over_200

checked or perhaps one of the other options (there are different boxes for spam scores of 100, 125, 150, and 200).

Uncheck those and that should remove the line from the /etc/cpanel_exim_system_filter and stop the messages.

From the looks of it and through what I have tested with these options, I would not recommend using these options, as it can cause your server to become blacklisted.
 

karl.frank

What a stupid idea trying to inform a potential spammer (who is using a faked sender address) that his mail was classified as spam.

This causes two extra emails for every spam email

- first one email from our server, trying to inform the spammer

- second a bounce message to our server, because our notice could not be delivered to a faked email address

Karl-Uwe
 

mtindor

I am not using the new configuration yet, so I don't know....but

I was under the assumption that "Enable System filter option: fail_spam_score_over_200" was going to reject_during_SMTP the message if its spam score was over 200. If that's the case, this shouldn't be causing bounces.

I thought the whole idea with the new configuration with Exim/SpamAssassin in cPanel 11 was to have the filtering happen before the message is accepted so that the system can decide to reject_during_SMTP if the message is too spammy.

Is this not the case?

Mike
 

sparek-3

I think this was changed in the WHM sometime after I made my post concerning this.

I think if you check the option:

Reject mail at SMTP time if the spam score from spamassassin is greater than 20.0.

Exim will just reject a message if its spam score is greater than 20.

If you check:

Reject mail with a failure message if the spam score from spamassassin is greater than 20.0.

this is when a rejection notice is sent back to the sender. I would not recommend checking this option.
 

mtindor

I think this was changed in the WHM sometime after I made my post concerning this.

I think if you check the option:

Reject mail at SMTP time if the spam score from spamassassin is greater than 20.0.

Exim will just reject a message if its spam score is greater than 20.

If you check:

Reject mail with a failure message if the spam score from spamassassin is greater than 20.0.

this is when a rejection notice is sent back to the sender. I would not recommend checking this option.
Ok, I do see that in there now - Mine is in a [email protected]$$ state right now because I had a modified exim.conf - I'll be using new style next week. I'll remember not to check the rejection notice ones.

Mike
 

sparek-3

I might caution that you test this before putting it out into production. You can test SpamAssassin by using the Gtube spam string at:

http://spamassassin.apache.org/gtube

I would enable the

Reject mail at SMTP time if the spam score from spamassassin is greater than 20.0.

or whatever spam score you prefer and then send a message with the gtube string to an address on the server and see if your server sends a bounce notice. Keep in mind that you may receive a bounce notice at the address you sent the message from, but was the bounce notice from your server or from the mail server that you were using to send the message? If the bounce message comes from the sending server you were using to send the spam test message, then this is OK. You just don't want your server sending any bounce notices regarding this.

Also from my experience in working with cPanel 11 and the new Exim set up, it is best if you completely reset the exim config after you upgrade to cPanel 11 and then re-add any custom exim configuration options.
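
The GTUBE test described in the post above, as an added Python example (not part of the original thread, and not cPanel or Exim code). It sends one GTUBE message and reports whether the server refused it inside the SMTP session or accepted it; the host and addresses are placeholders, and `smtp_factory` is a hypothetical hook so the function can be run against a stub.

```python
import smtplib
from email.message import EmailMessage

# GTUBE test string from http://spamassassin.apache.org/gtube; SpamAssassin
# treats any message containing this line as spam.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def build_probe(sender, rcpt):
    """Build a minimal message whose body is the GTUBE line."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "GTUBE filter test"
    msg.set_content(GTUBE + "\n")
    return msg


def probe(host, sender, rcpt, port=25, smtp_factory=smtplib.SMTP):
    """Return (verdict, smtp_code) for one GTUBE delivery attempt.

    smtp_factory is a hypothetical hook (an assumption of this example) so
    the function can be exercised with a stub instead of a live server.
    """
    msg = build_probe(sender, rcpt)
    with smtp_factory(host, port, timeout=30) as smtp:
        try:
            smtp.sendmail(sender, [rcpt], msg.as_bytes())
        except smtplib.SMTPDataError as exc:
            # Refused after DATA: the sending side owns the failure, so the
            # tested server generates no bounce message of its own.
            if 500 <= exc.smtp_code < 600:
                return "rejected-at-smtp", exc.smtp_code
            return "deferred", exc.smtp_code
        except smtplib.SMTPRecipientsRefused as exc:
            # Refused at RCPT time, before the body was ever scanned.
            return "recipient-refused", exc.recipients[rcpt][0]
    # Accepted: any later failure notice would come from the tested server.
    return "accepted", 250


if __name__ == "__main__":
    # Placeholder host and addresses; replace with your own test values.
    print(probe("mail.example.test", "tester@example.org", "user@example.test"))
```

If the verdict is `accepted`, look in the server's queue (`exim -bp`) for a new message with the null sender `<>` addressed to the test sender; that is the bounce this thread is about.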
 

erinspice

Reject mail with a failure message if the spam score from spamassassin is greater than 20.0.
Argh. I'm pulling my hair out here. I keep trying to uncheck this checkbox, but WHM is doing some fancy-shmancy DHTML that disables every line under "Filters" except the "Text to add to the subject header" line. How the hell can I uncheck it if WHM keeps making it disappear? I click the "Exim Configuration Editor" link, and I can see the lines while the page is loading, however, after the page loads, those lines grey out and slide up into oblivion. What gives?
 

cPanelDavidG

Technical Product Specialist
Argh. I'm pulling my hair out here. I keep trying to uncheck this checkbox, but WHM is doing some fancy-shmancy DHTML that disables every line under "Filters" except the "Text to add to the subject header" line. How the hell can I uncheck it if WHM keeps making it disappear? I click the "Exim Configuration Editor" link, and I can see the lines while the page is loading, however, after the page loads, those lines grey out and slide up into oblivion. What gives?
The way it should behave is: as soon as you uncheck the "... 20.0" option, the other options will appear, once you select another option, all other options but the one you selected disappear.
 

erinspice

The way it should behave is: as soon as you uncheck the "... 20.0" option, the other options will appear, once you select another option, all other options but the one you selected disappear.
The -20.0 option isn't viewable. It's checked, but it's hidden along with all the other options. The only option under Filters that is visible is the "Text to add to the subject header" one.
 

mambovince

I think if you check the option:

Reject mail at SMTP time if the spam score from spamassassin is greater than 20.0.

Exim will just reject a message if its spam score is greater than 20.

If you check:

Reject mail with a failure message if the spam score from spamassassin is greater than 20.0.

this is when a rejection notice is sent back to the sender. I would not recommend checking this option.
Many thanks for that tip.
Now I know why user cpanel is the top email relayer with hundreds of messages sent in a few days, and over 100MB :(

- Vince
 

bsasninja

the following lines exist in the /etc/cpanel_exim_system_filter which causes the bounce back:



remove the above line and it should be alright for you.

Yes that's true, imagine a spammer sending spam with real forged addresses, all the bounces back with the notification will return to the poor user.

I recommend to have this option off, also it'll save bandwidth and cpu time.
 

cPanelDavidG

Technical Product Specialist
The -20.0 option isn't viewable. It's checked, but it's hidden along with all the other options. The only option under Filters that is visible is the "Text to add to the subject header" one.
That's not supposed to happen. Considering the nature of your problem, I'd recommend submitting a support ticket regarding this issue so it can be determined why that is happening.
 

tweakservers

What version of cPanel 11 and Exim are you running on your server?