Lots of Spam not processed by SpamAssassin

Discussion in 'E-mail Discussion' started by rudolfl, Apr 15, 2019.

  1. rudolfl

    rudolfl Member

    Hi all,

    Getting lots of spam messages and none of them have a SpamAssassin score. Is SpamAssassin bypassing some e-mails?

    The only thing in common is that "From" address is tweaked to appear as if it comes from my own domain, although it is not.

    Here is an example header
    ([email protected] is a non-existent address that is being re-directed to a "catch-all" address on same domain)

    Code:
    Date: 15 Apr 2019 14:27:38 +0400
    From: <[email protected]>
    To: <[email protected]>
    Subject: Caution! Attack hackers to your account!
    Content-Language: en-us
    Content-Transfer-Encoding: 8bit
    Content-Type: text/plain; charset="cp-850"
    Delivered-To: [email protected]
    Delivery-date: Mon, 15 Apr 2019 15:09:47 +1000
    Envelope-to: [email protected]
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Received: from main.example.net
        by main.example.net with LMTP
        id 5ulNAhsStFzHSAAAuGWEhg
        (envelope-from <[email protected]>)
        for <[email protected]>; Mon, 15 Apr 2019 15:09:47 +1000
    Received: from [14.142.xxx.xx] (port=29605 helo=14.142.xxx.xx.static-Bangalore.vsnl.net.in)
        by main.example.net with esmtp (Exim 4.91)
        (envelope-from <[email protected]>)
        id 1hFtro-0004nu-IS
        for [email protected]; Mon, 15 Apr 2019 15:09:47 +1000
    Return-Path: <[email protected]>
    Return-path: <[email protected]>
    Thread-Index: Acwrf55pdu98m2xmwrf55pdu98m2xm==
    X-Ham-Report:
    X-Mailer: Microsoft Outlook 15.0
    X-Spam-Bar:
    X-Spam-Flag: NO
    X-Spam-Score:
    X-Spam-Status: No, score=
    
    Thanks,
    Rudolf
     
    #1 rudolfl, Apr 15, 2019
    Last edited by a moderator: Apr 15, 2019
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @rudolfl

    SpamAssassin only scores remotely sent mail. Because the mail headers on this message have been modified to appear to come from a local source, SpamAssassin is skipping it. You might try going to WHM >> Service Configuration >> Exim Configuration Manager and enabling the setting:
    EXPERIMENTAL: Rewrite From: header to match actual sender
    If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
     
  3. mtindor

    mtindor Well-Known Member

    Hi Lauren,

    I'm not doubting you. I'd like clarification though. Are you saying that SpamAssassin only scans and scores an email if the From: address does not contain a domain in /etc/localdomains? Or maybe a better way to phrase that is, "SpamAssassin does not scan emails if the From: address domain is in /etc/localdomains"?

    My customers have received a proliferation of threat / extortion emails lately (send me bitcoin), all with their own email address forged in the From: address. And I had noticed that SpamAssassin is not scanning/scoring any of these. Crazy. Emails that customers receive from their own [forged] are some of the very messages that catch unsavvy customers off guard / that customers seem to trust the most for some crazy reason.

    I consider it a flaw in SpamAssassin if SpamAssassin's sole determination of whether a message is locally sent vs remotely sent is based upon the From: address.
     
    Jean Boudreau likes this.
  4. Jean Boudreau

    Jean Boudreau Member

    I would like more information on this quote also. :)
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    SpamAssassin checks the From header, then compares it to local domains. In the case of header forgery, that from header is manipulated to appear to be from a local domain so SpamAssassin's scanning is bypassed. The setting I'm asking you to enable will force the from header to be rewritten as coming from the actual sender.
     
    Jean Boudreau likes this.
  6. Jean Boudreau

    Jean Boudreau Member

    Hello,

    Thanks for the update. I've configured the above to "all".
     
  7. dandadude

    dandadude Active Member

    Hi All!

    I have the same problem.

    I have configured the "EXPERIMENTAL: Rewrite From: header to match actual sender" option previously, but next day my customers started phoning that this is not good for them, since for technical reasons they don't always use the user/pass of the given FROM-address (although it is from the same @domain.tld), and they convinced me that I should turn it off (I wanted to force it, but it was not an option).

    Isn't there another tip for solving this irritating problem? Can't I just configure spamassassin to scan all local mails too? Or at least check if the origin is from remote and not just the from address to determine local vs remote?

    I really need a good solution to this, because recently all customers started to be afraid of these BTC e-mails.

    Thanks,
    Daniel
     
    mtindor likes this.
  8. mtindor

    mtindor Well-Known Member

    That's exactly why I cannot / would not even consider enabling this. I don't think any admin in their right mind would ever do this on a shared hosting box. There are simply way too many users who would suffer from this and also not appreciate that the account they authenticated in with is the one that shows up as the sending address on their outbound mails. Argh.

    I'm not knocking cPanel -- this is a SpamAssassin thing, unless SpamAssassin has been modified by cPanel to behave in this way (not scan emails if the domain of the From address is in /etc/localdomains).

    There has to be some way to force spamassassin to scan everything that comes in, regardless. I'll be looking for a way.

    Mike
     
  9. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    It's definitely just how SpamAssassin works, though; local deliveries just aren't subject to the same checks that other mail is. Generally speaking, this is how Exim functions as well.

    SpamAssassin won't do this but there are other 3rd party spam filtering plugins that may have features that are more in line with what you're looking for.
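
The distinction asked about in the thread (remote origin versus a local-looking From: address) can be checked on delivered mail. This is an added example, not code from the thread or from cPanel: it flags messages whose From: domain is local but whose Exim Received: line records an unauthenticated network hop. The sample message, the 203.0.113.7 address and the function names are constructed, and the `local_domains` set stands in for the contents of /etc/localdomains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Exim writes the receiving protocol after "with" in Received:. A trailing
# "a" (esmtpa, esmtpsa, asmtp) means the client used SMTP AUTH; "lmtp" and
# "local" are on-box hand-offs, not network hops.
AUTH_PROTOCOLS = {"asmtp", "esmtpa", "esmtpsa"}
NON_NETWORK = {"lmtp", "local"}
HOP_RE = re.compile(
    r"from\s+\[?(?P<peer>[^\]\s]+)\]?.*?\bwith\s+(?P<proto>\w+)", re.S | re.I)

# Constructed sample modelled on the header layout posted in the thread.
SAMPLE_FORGED = """\
Received: from main.example.net
    by main.example.net with LMTP
    for <catchall@example.net>; Mon, 15 Apr 2019 15:09:47 +1000
Received: from [203.0.113.7] (port=29605 helo=host.invalid)
    by main.example.net with esmtp (Exim 4.91)
    for helpdesk@example.net; Mon, 15 Apr 2019 15:09:47 +1000
From: <helpdesk@example.net>
X-Spam-Score:
X-Spam-Status: No, score=

constructed body
"""

def smtp_hop(msg):
    """Return (peer, protocol) of the newest Received hop that crossed the network."""
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m and m["proto"].lower() not in NON_NETWORK:
            return m["peer"], m["proto"].lower()
    return None, None

def audit(raw, local_domains):
    """Flag a local-looking From: that arrived over unauthenticated SMTP."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    peer, proto = smtp_hop(msg)
    return {
        "from_domain": from_domain, "peer": peer, "protocol": proto,
        "unscored": not (msg.get("X-Spam-Score") or "").strip(),
        "suspect": (from_domain in local_domains and peer is not None
                    and proto not in AUTH_PROTOCOLS),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_FORGED, {"example.net"}))
```

A message reported as both `suspect` and `unscored` matches the pattern in the first post: a local From: address, a remote unauthenticated sender, and empty X-Spam-* headers.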
     