Lots of Spam not processed by SpamAssassin

[rudolfl]

Hi all,

Getting lots of spam messages and none of them have a SpamAssasin score. Is SpamAssassin bypassing some e-mails?

Than only thing in common is that "From" address is tweaked to appear as if it comes from my own domain, although it is not.

Here is an example header
([email protected] is a non-existant address that is being re-directed to a "catch-all" address on same domain)

Date:
15 Apr 2019 14:27:38 +0400
From:
<[email protected]>
To:
<[email protected]>
Subject:
Caution! Attack hackers to your account!
Content-Language:
en-us
Content-Transfer-Encoding:
8bit
Content-Type:
text/plain;
charset="cp-850"
Delivered-To:
[email protected]
Delivery-date:
Mon, 15 Apr 2019 15:09:47 +1000
Envelope-to:
[email protected]
Message-ID:
<[email protected]>
MIME-Version:
1.0
Received:
from main.example.net
by main.example.net with LMTP
id 5ulNAhsStFzHSAAAuGWEhg
(envelope-from <[email protected]>)
for <[email protected]>; Mon, 15 Apr 2019 15:09:47 +1000
Received:
from [14.142.xxx.xx] (port=29605 helo=14.142.xxx.xx.static-Bangalore.vsnl.net.in)
by main.example.net with esmtp (Exim 4.91)
(envelope-from <[email protected]>)
id 1hFtro-0004nu-IS
for [email protected]; Mon, 15 Apr 2019 15:09:47 +1000
Return-Path:
<[email protected]>
Return-path:
<[email protected]>
Thread-Index:
Acwrf55pdu98m2xmwrf55pdu98m2xm==
X-Ham-Report:
X-Mailer:
Microsoft Outlook 15.0
X-Spam-Bar:
X-Spam-Flag:
NO
X-Spam-Score:
X-Spam-Status:
No, score=

Thanks,
Rudolf

 

[cPanelLauren]

Hi @rudolfl

SpamAssassin only scores remotely sent mail. Because the mail headers on this message have been modified to appear to come from a local source spam assassin is skipping it. You might try going to WHM>>Service Coniguration>>Exim Configuration manager and enabling the setting:
EXPERIMENTAL: Rewrite From: header to match actual sender
If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.

 

[mtindor]

Hi @rudolfl

SpamAssassin only scores remotely sent mail. Because the mail headers on this message have been modified to appear to come from a local source spam assassin is skipping it. You might try going to WHM>>Service Coniguration>>Exim Configuration manager and enabling the setting:
EXPERIMENTAL: Rewrite From: header to match actual sender
If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.

Hi Lauren,

I'm not doubting you. I'd like clarification though. Are you saying that SpamAssassin only scans and scores an email if the From: address does not contain a domain in /etc/localdomains? Or maybe a better way to phrase that is, "SpamAssassin does not scan emails if the From: address domain is in /etc/localdomains ?

My customers have received a proliferation of threat / extortion emails lately (send me bitcoin), all with their own email address forged in the From: address. And I had noticed that SpamAssassin is not scanning/scoring any of these. Crazy. Emails that customers receive from their own [forged] are some of the very messages that catch unsavvy customers off guard / that customers seem to trust the most for some crazy reason.

I consider it a flaw in SpamAssassin if SpamAssassin's sole determination of whether a message is locally sent vs remotely sent is based upon the From: address.

 

[Jean Boudreau]

I consider it a flaw in SpamAssassin if SpamAssassin's sole determination of whether a message is locally sent vs remotely sent is based upon the From: address.

I would like more information on this quote also.

 

[cPanelLauren]

SpamAssassin checks the From header, then compares it to local domains. In the case of header forgery, that from header is manipulated to appear to be from a local domain so SpamAssassin's scanning is bypassed. The setting I'm asking you to enable will force the from header to be rewritten as coming from the actual sender.

 

[Jean Boudreau]

Hello,

Thanks for the update. I've configured the above to "all".

 

[dandadude]

Hi All!

I have the same problem.

I have configured the "EXPERIMENTAL: Rewrite From: header to match actual sender" option previously, but next day my customers started phoning that this is not good for them, since for technical reasons they don't always use the user/pass of the given FROM-address (although it is from the same @domain.tld), and they convinced me that I should turn it off (I wanted to force it, but it was not an option).

Isn't there another tip for solving this irritating problem? Can't I just configure spamassassin to scan all local mails too? Or at least check if the origin is from remote and not just the from address to determine local vs remote?

I really need a good solution to this, because recently all customers started to be afraid of these BTC e-mails.

Thanks,
Daniel

 

[mtindor]

Hi All!

I have the same problem.

I have configured the "EXPERIMENTAL: Rewrite From: header to match actual sender" option previously, but next day my customers started phoning that this is not good for them, since for technical reasons they don't always use the user/pass of the given FROM-address (although it is from the same @domain.tld), and they convinced me that I should turn it off (I wanted to force it, but it was not an option).

Isn't there another tip for solving this irritating problem? Can't I just configure spamassassin to scan all local mails too? Or at least check if the origin is from remote and not just the from address to determine local vs remote?

I really need a good solution to this, because recently all customers started to be afraid of these BTC e-mails.

Thanks,
Daniel

That's exactly why I cannot / would not even consider enabling this. I don't think any admin in their right mind would ever do this on a shared hosting box. there are simply way too many users who would suffer from this and also not appreciate that the account they authenticated in with is the one that shows up as the sending address on their outbound mails. ARgh.

I'm not knocking cPanel -- this is a SpamAssassin thing, unless SpamAssassin has been modified by cPanel to behave in this way (not scan emails if the domain of the From address is in /etc/localdomains).

There has to be some way to force spamassassin to scan everything that comes in, regardless. I'll be looking for a way.

Mike

 

[cPanelLauren]

I'm not knocking cPanel -- this is a SpamAssassin thing, unless SpamAssassin has been modified by cPanel to behave in this way (not scan emails if the domain of the From address is in /etc/localdomains).

It's definitely just how SpamAssassin works though local deliveries just aren't subject to the same checks that other mail is, generally speaking, this is how exim functions as well.

There has to be some way to force spamassassin to scan everything that comes in, regardless. I'll be looking for a way.

SpamAssassin won't do this but there are other 3rd party spam filtering plugins that may have features that are more in line with what you're looking for.