How do I prevent EXIM from sending non-delivery messages for SPAM emails

Discussion in 'E-mail Discussions' started by MindStar, May 13, 2007.

  1. MindStar

    MindStar Member

    Hi,

    Since upgrading to CP 11.xxx I've noticed that EXIM is now sending replies to emails that SpamAssassin has identified as SPAM. The reply email contains the original email plus the SPAM report from SpamAssassin.

    Question: How do I stop these "non delivery" messages being sent? I want SPAM to be silently discarded. I've configured SpamAssassin to discard emails in the CP, but they're still being sent?!?!?

    FYI, here's a sample header from a reply that's currently sat in the outbound mail queue on my server.

    Code:
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      xxxxxxxxx@XXXXXXXXX.com
        The mail server detected your message as spam and has prevented delivery (200).
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <hlqgeddes@XXXXXXX.co.uk>
    Received: from 81.203.11.213.dyn.user.XXXXX.com ([XXXX203.11.213] helo=XXXXXXXco.uk)
    	by vps.thumbtribe.co.uk with smtp (Exim 4.66)
    	(envelope-from <hlqgeddes@XXXXXXXco.uk>)
    	id 1HnAvb-0001QS-JK
    	for cunningham@vectra-sport.com; Sun, 13 May 2007 11:03:48 +0100
    Message-ID: <001601c79557$2bc199f0$0019b584@pc1>
    From: "Liza Pike" <hlqgeddes@XXXXX.co.uk>
    To: "cunningham" <XXXXX@XXXXXXX.com>
    Subject: Or whoever larrabee
    Date: Sun, 13 May 2007 12:06:43 +0200
    MIME-Version: 1.0
    Content-Type: text/plain;
            format=flowed;
            charset="windows-1252";
            reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2962
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.1409
    X-Spam-Subject: ***SPAM*** Or whoever larrabee
    X-Spam-Status: Yes, score=27.1
    X-Spam-Score: 271
    X-Spam-Bar: +++++++++++++++++++++++++++
    X-Spam-Report: Spam detection software, running on the system "XXXXXXXXX", has
    	identified this incoming email as possible spam.  The original message
    	has been attached to this so you can view it (if it isn't spam) or label
    	similar future email.  If you have any questions, see
    	the administrator of that system for details.
    	Content preview:  HXPN IS MAKING GREAT PROGRESS! GET ON THIS TRAIN NOW! WATCH
    	IT ON MONDAY MAY 14TH! . . . . Company: Harris Exploration Inc Symbol: HXPN
    	Price: 0.50 5-day Target: $3 Rating: Strong Buy [...] 
    	Content analysis details:   (27.1 points, 5.0 required)
    	pts rule name              description
    	---- ---------------------- --------------------------------------------------
    	3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
    	[score: 1.0000]
    	0.0 STOX_REPLY_TYPE        STOX_REPLY_TYPE
    	2.1 TVD_FINGER_02          TVD_FINGER_02
    	0.2 FH_HOST_EQ_D_D_D_DB    Host is d-d-d-d
    	1.2 FH_HOST_EQ_D_D_D_D     Host starts with d-d-d-d
    	1.9 TVD_RCVD_IP            TVD_RCVD_IP
    	2.5 STRONG_BUY             BODY: Tells you about a strong buy
    	3.8 TVD_STOCK1             BODY: TVD_STOCK1
    	0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
    	[81.203.11.213 listed in dnsbl.sorbs.net]
    	3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
    	[81.203.11.213 listed in zen.spamhaus.org]
    	0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
    	2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    	[Blocked - see <http://www.spamcop.net/bl.shtml?81.203.11.213>]
    	1.0 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
    	[<http://dsbl.org/listing?81.203.11.213>]
    	0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
    	dynamic-looking rDNS
    	4.0 FM_DOESNT_SAY_STOCK    It's a stock spam but doesn't say stock
    X-Spam-Flag: YES
    
    Cheers,

    Mark.
     
  2. forlinuxsupport

    forlinuxsupport Well-Known Member
    PartnerNOC

    Hmm. I want to know this too :)
     
  3. tweakservers

    tweakservers Well-Known Member

    The following lines exist in the /etc/cpanel_exim_system_filter which causes the bounce back:

    Remove the above line and it should be alright for you.
     
  4. sparek-3

    sparek-3 Well-Known Member

    If you are running cPanel 11, try logging into the WHM and using the Exim Configuration Editor link.

    You probably have:

    Enable System filter option: fail_spam_score_over_200

    checked or perhaps one of the other options (there are different boxes for spam scores of 100, 125, 150, and 200).

    Uncheck those and that should remove the line from the /etc/cpanel_exim_system_filter and stop the messages.

    From the looks of it and through what I have tested with these options, I would not recommend using these options, as it can cause your server to become blacklisted.
     
  5. MindStar

    MindStar Member

    Thanks for the info, I've updated the EXIM Config in WHM.

    Mark.
     
  6. karl.frank

    karl.frank Registered

    What a stupid idea trying to inform a potential spammer (who is using a faked sender address) that his mail was classified as spam.

    This causes two extra emails for every spam email

    - first one email from our server, trying to inform the spammer

    - second a bounce message to our server, because our notice could not be delivered to a faked email address

    Karl-Uwe
     
  7. mtindor

    mtindor Well-Known Member

    I am not using the new configuration yet, so I don't know....but

    I was under the assumption that "Enable System filter option: fail_spam_score_over_200" was going to reject_during_SMTP the message if its spam score was over 200. If that's the case, this shouldn't be causing bounces.

    I thought the whole idea with the new configuration with Exim/SpamAssassin in cPanel 11 was to have the filtering happen before the message is accepted so that the system can decide to reject_during_SMTP if the message is too spammy.

    Is this not the case?

    Mike
     
  8. sparek-3

    sparek-3 Well-Known Member

    I think this was changed in the WHM sometime after I made my post concerning this.

    I think if you check the option:

    Reject mail at SMTP time if the spam score from spamassassin is greater than 20.0.

    Exim will just reject a message if its spam score is greater than 20.

    If you check:

    Reject mail with a failure message if the spam score from spamassassin is greater than 20.0.

    this is when a rejection notice is sent back to the sender. I would not recommend checking this option.
     
  9. mtindor

    mtindor Well-Known Member

    Ok, I do see that in there now - Mine is in a half-@$$ state right now because I had a modified exim.conf - I'll be using new style next week. I'll remember not to check the rejection notice ones.

    Mike
     
  10. sparek-3

    sparek-3 Well-Known Member

    I might caution that you test this before putting it out into production. You can test SpamAssassin by using the Gtube spam string at:

    http://spamassassin.apache.org/gtube

    I would enable the

    Reject mail at SMTP time if the spam score from spamassassin is greater than 20.0.

    or whatever spam score you prefer and then send a message with the gtube string to an address on the server and see if your server sends a bounce notice. Keep in mind that you may receive a bounce notice at the address you sent the message from, but was the bounce notice from your server or from the mail server that you were using to send the message? If the bounce message comes from the sending server you were using to send the spam test message, then this is OK. You just don't want your server sending any bounce notices regarding this.

    Also from my experience in working with cPanel 11 and the new Exim set up, it is best if you completely reset the exim config after you upgrade to cPanel 11 and then re-add any custom exim configuration options.
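
A way to answer the question raised in the test above, whether a bounce came from your own server, is to read the Exim main log after sending the test message. The following is an added example, not part of the original post or of cPanel's tooling: it assumes the default Exim main-log layout (on cPanel servers usually `/var/log/exim_mainlog`), and the sample log lines, hosts and addresses are constructed.

```python
import re

# Constructed sample in the default Exim main-log layout (not taken from the thread).
SAMPLE_LOG = """\
2007-05-13 11:03:48 1HnAvb-0001QS-JK <= forged@victim.example H=dyn.isp.example [192.0.2.10] P=smtp S=2210
2007-05-13 11:03:49 1HnAvc-0001QW-01 <= <> R=1HnAvb-0001QS-JK U=mailnull P=local S=4312
2007-05-13 11:03:50 1HnAvc-0001QW-01 => forged@victim.example R=lookuphost T=remote_smtp H=mx.victim.example [198.51.100.5]
2007-05-13 11:05:00 1HnB0x-0001Rt-AB H=dyn.isp.example [192.0.2.10] F=<other@victim.example> rejected after DATA: spam score too high
2007-05-13 11:06:10 1HnB2a-0001Sd-Q3 <= alice@customer.example H=mail.customer.example [203.0.113.7] P=esmtp S=1800
"""

ENTRY = re.compile(r"^\S+ \S+ (\S+) (.*)$")         # date, time, message id, remainder
SOURCE_IP = re.compile(r"\bH=[^\[]*\[([^\]]+)\]")   # H=name (helo) [ip]
BOUNCE_OF = re.compile(r"\bR=(\S+)")                # on "<= <>" lines: id of the failed message


def audit(log_text):
    """Separate bounces this server generated from rejections made during SMTP."""
    arrivals = {}  # message id -> (envelope sender, source IP)
    report = {"smtp_rejects": 0, "backscatter": []}
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        msg_id, rest = entry.groups()
        ref = BOUNCE_OF.search(rest)
        if "rejected after DATA" in rest:
            # Refused inside the SMTP session: the sending host reports the
            # failure, so this server creates no bounce message.
            report["smtp_rejects"] += 1
        elif rest.startswith("<= <>") and ref:
            # Null-sender arrival that references an earlier message: a bounce
            # generated here and addressed to that message's envelope sender.
            sender, ip = arrivals.get(ref.group(1), (None, None))
            report["backscatter"].append({
                "bounce_id": msg_id,
                "original_id": ref.group(1),
                "bounce_sent_to": sender,
                "spam_source_ip": ip,
            })
        elif rest.startswith("<= "):
            ip = SOURCE_IP.search(rest)
            arrivals[msg_id] = (rest.split()[1], ip.group(1) if ip else None)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

An empty `backscatter` list after the GTUBE test, together with a non-zero `smtp_rejects` count, is the outcome the post describes as OK.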
     
  11. erinspice

    erinspice Well-Known Member

    Argh. I'm pulling my hair out here. I keep trying to uncheck this checkbox, but WHM is doing some fancy-shmancy DHTML that disables every line under "Filters" except the "Text to add to the subject header" line. How the hell can I uncheck it if WHM keeps making it disappear? I click the "Exim Configuration Editor" link, and I can see the lines while the page is loading, however, after the page loads, those lines grey out and slide up into oblivion. What gives?
     
  12. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    The way it should behave is: as soon as you uncheck the "... 20.0" option, the other options will appear, once you select another option, all other options but the one you selected disappear.
     
  13. erinspice

    erinspice Well-Known Member

    The -20.0 option isn't viewable. It's checked, but it's hidden along with all the other options. The only option under Filters that is visible is the "Text to add to the subject header" one.
     
  14. mambovince

    mambovince Well-Known Member

    Many thanks for that tip.
    Now I know why user cpanel is the top email relayer with hundreds of messages sent in a few days, and over 100MB :(

    - Vince
     
  15. erinspice

    erinspice Well-Known Member

    Can someone tell me how to do this manually in the config file, then?
     
  16. bsasninja

    bsasninja Well-Known Member


    Yes, that's true. Imagine a spammer sending spam with real forged addresses: all the bounces back with the notification will return to the poor user.

    I recommend having this option off; it'll also save bandwidth and CPU time.
     
  17. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    That's not supposed to happen. Considering the nature of your problem, I'd recommend submitting a support ticket regarding this issue so it can be determined why that is happening.
     
  18. tweakservers

    tweakservers Well-Known Member

    What version of cPanel 11 and Exim are you running on your server?
     