Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Lots of Spam not processed by SpamAssassin

Discussion in 'E-mail Discussion' started by rudolfl, Apr 15, 2019.

  1. rudolfl

    rudolfl Member

    Joined:
    Aug 3, 2015
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Melbourne
    cPanel Access Level:
    Root Administrator
    Hi all,

    Getting lots of spam messages and none of them have a SpamAssasin score. Is SpamAssassin bypassing some e-mails?

    Than only thing in common is that "From" address is tweaked to appear as if it comes from my own domain, although it is not.

    Here is an example header
    (bray@example.com is a non-existant address that is being re-directed to a "catch-all" address on same domain)

    Code:
    Date:
15 Apr 2019 14:27:38 +0400
From:
<bray@example.com>
To:
<bray@example.com>
Subject:
Caution! Attack hackers to your account!
Content-Language:
en-us
Content-Transfer-Encoding:
8bit
Content-Type:
text/plain;
charset="cp-850"
Delivered-To:
admin@example.com
Delivery-date:
Mon, 15 Apr 2019 15:09:47 +1000
Envelope-to:
bray@example.com
Message-ID:
<003501d4f377$05244e16$c8e5029c$@example.com>
MIME-Version:
1.0
Received:
from main.example.net
by main.example.net with LMTP
id 5ulNAhsStFzHSAAAuGWEhg
(envelope-from <bray@example.com>)
for <admin@example.com>; Mon, 15 Apr 2019 15:09:47 +1000
Received:
from [14.142.xxx.xx] (port=29605 helo=14.142.xxx.xx.static-Bangalore.vsnl.net.in)
by main.example.net with esmtp (Exim 4.91)
(envelope-from <bray@example.com>)
id 1hFtro-0004nu-IS
for bray@example.com; Mon, 15 Apr 2019 15:09:47 +1000
Return-Path:
<bray@example.com>
Return-path:
<bray@example.com>
Thread-Index:
Acwrf55pdu98m2xmwrf55pdu98m2xm==
X-Ham-Report:
X-Mailer:
Microsoft Outlook 15.0
X-Spam-Bar:
X-Spam-Flag:
NO
X-Spam-Score:
X-Spam-Status:
No, score=
    Thanks,
    Rudolf
     
    #1 rudolfl, Apr 15, 2019
    Last edited by a moderator: Apr 15, 2019
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,810
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @rudolfl

    SpamAssassin only scores remotely sent mail. Because the mail headers on this message have been modified to appear to come from a local source spam assassin is skipping it. You might try going to WHM>>Service Coniguration>>Exim Configuration manager and enabling the setting:
    EXPERIMENTAL: Rewrite From: header to match actual sender
    If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelLauren, Apr 16, 2019
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,350
    Likes Received:
    62
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Hi Lauren,

    I'm not doubting you. I'd like clarification though. Are you saying that SpamAssassin only scans and scores an email if the From: address does not contain a domain in /etc/localdomains? Or maybe a better way to phrase that is, "SpamAssassin does not scan emails if the From: address domain is in /etc/localdomains ?

    My customers have received a proliferation of threat / extortion emails lately (send me bitcoin), all with their own email address forged in the From: address. And I had noticed that SpamAssassin is not scanning/scoring any of these. Crazy. Emails that customers receive from their own [forged] are some of the very messages that catch unsavvy customers off guard / that customers seem to trust the most for some crazy reason.

    I consider it a flaw in SpamAssassin if SpamAssassin's sole determination of whether a message is locally sent vs remotely sent is based upon the From: address.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 mtindor, Apr 17, 2019
    Jean Boudreau likes this.
  4. Jean Boudreau

    Jean Boudreau Member

    Joined:
    Mar 31, 2017
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Caraquet, NB, Canada
    cPanel Access Level:
    Root Administrator
    I would like more information on this quote also. :)
     
    #4 Jean Boudreau, Apr 17, 2019
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,810
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    SpamAssassin checks the From header, then compares it to local domains. In the case of header forgery, that from header is manipulated to appear to be from a local domain so SpamAssassin's scanning is bypassed. The setting I'm asking you to enable will force the from header to be rewritten as coming from the actual sender.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelLauren, Apr 22, 2019
    Jean Boudreau likes this.
  6. Jean Boudreau

    Jean Boudreau Member

    Joined:
    Mar 31, 2017
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Caraquet, NB, Canada
    cPanel Access Level:
    Root Administrator
    Hello,

    Thanks for the update. I've configured the above to "all".
     
    #6 Jean Boudreau, Apr 22, 2019
  7. dandadude

    dandadude Active Member

    Joined:
    Apr 14, 2011
    Messages:
    32
    Likes Received:
    1
    Trophy Points:
    56
    Hi All!

    I have the same problem.

    I have configured the "EXPERIMENTAL: Rewrite From: header to match actual sender" option previously, but next day my customers started phoning that this is not good for them, since for technical reasons they don't always use the user/pass of the given FROM-address (although it is from the same @domain.tld), and they convinced me that I should turn it off (I wanted to force it, but it was not an option).

    Isn't there another tip for solving this irritating problem? Can't I just configure spamassassin to scan all local mails too? Or at least check if the origin is from remote and not just the from address to determine local vs remote?

    I really need a good solution to this, because recently all customers started to be afraid of these BTC e-mails.

    Thanks,
    Daniel
     
    #7 dandadude, Apr 23, 2019
    mtindor likes this.
  8. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,350
    Likes Received:
    62
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    That's exactly why I cannot / would not even consider enabling this. I don't think any admin in their right mind would ever do this on a shared hosting box. there are simply way too many users who would suffer from this and also not appreciate that the account they authenticated in with is the one that shows up as the sending address on their outbound mails. ARgh.

    I'm not knocking cPanel -- this is a SpamAssassin thing, unless SpamAssassin has been modified by cPanel to behave in this way (not scan emails if the domain of the From address is in /etc/localdomains).

    There has to be some way to force spamassassin to scan everything that comes in, regardless. I'll be looking for a way.

    Mike
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 mtindor, Apr 24, 2019
  9. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,810
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    It's definitely just how SpamAssassin works though local deliveries just aren't subject to the same checks that other mail is, generally speaking, this is how exim functions as well.

    SpamAssassin won't do this but there are other 3rd party spam filtering plugins that may have features that are more in line with what you're looking for.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 cPanelLauren, Apr 24, 2019
(You must log in or sign up to post here.)
Loading...
Similar Threads - Lots Spam processed
  1. Matheus

    Getting lots of undetected SPAM

    Matheus, Dec 27, 2017, in forum: E-mail Discussion
    Replies:
    3
    Views:
    543
    cPanelMichael
    Dec 27, 2017
  2. Gareth-AWD

    Lots of hanging Apache processes

    Gareth-AWD, Aug 30, 2018, in forum: EasyApache
    Replies:
    4
    Views:
    372
    Gareth-AWD
    Sep 12, 2018
  3. MichaelLoungeIT

    Disable spamd / clamav rule for outgoing spamcheck

    MichaelLoungeIT, May 21, 2019 at 9:56 AM, in forum: E-mail Discussion
    Replies:
    1
    Views:
    131
    cPanelLauren
    May 21, 2019 at 4:42 PM
  4. martin MHC

    SOLVED How to find the version of Spam Assassin?

    martin MHC, May 16, 2019, in forum: E-mail Discussion
    Replies:
    2
    Views:
    229
    martin MHC
    May 16, 2019
  5. MedMax

    Command to test message score with spamassassin

    MedMax, May 14, 2019, in forum: E-mail Discussion
    Replies:
    3
    Views:
    371
    cPanelLauren
    May 20, 2019 at 2:08 PM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice