Not all incoming mails have a SPAM score

Operating System & Version
CentOS
cPanel & WHM Version
94.0.4

serg499

Member
Nov 19, 2020
17
1
3
USA
cPanel Access Level
Root Administrator
Hi!
I've configured a new blacklist rule "*.cam" (see attached), it's working, but some emails from .cam are still coming to the Inbox. I've checked the Delivery Report (attached) and you can see that some emails don't have a spam score and go directly to the inbox. Why is it happening?
Thank you!
 


cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,440
1,004
313
cPanel Access Level
Root Administrator
Hey there! Can you search the Exim log for that specific mail ID to see if there were any issues scanning the messages? You would use a command like this to get more details:

Code:
grep xx-xxxxx-xxx /var/log/exim_mainlog
where "xx-xxxxx-xxx" is the specific mail ID of that message.
 

serg499

Thank you for the reply. The grep command gave me this:
Code:
[[email protected] /]# grep UEM2-0008O7-KC /var/log/exim_mainlog
2021-04-07 16:00:46 1lUEM2-0008O7-KC H=atl4mhob21.registeredsite.com [209.17.115.115]:56000 Warning: Message has been scanned: no virus or other harmful content was found
2021-04-07 16:00:46 1lUEM2-0008O7-KC <= cro[email protected] H=atl4mhob21.registeredsite.com [209.17.115.115]:56000 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=4433 id=kvceNceoyRqBkaNsoeC4xPCU[email protected]customerhorseshoe.cam T="Spray on your head and never go bald" for [email protected]
2021-04-07 16:00:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lUEM2-0008O7-KC
2021-04-07 16:00:47 1lUEM2-0008O7-KC => info <[email protected]> R=virtual_user T=dovecot_virtual_delivery_no_batch C="250 2.0.0 <[email protected]> ggd7CG8PbmD+fQAAVCkTyw Saved"
2021-04-07 16:00:47 1lUEM2-0008O7-KC Completed
 

cPDavidL

Linux Analyst II
Oct 15, 2012
79
18
133
cPanel Access Level
Root Administrator
Thank you for your update!

Now you're going to want to check /var/log/maillog for spamd runs coinciding with the submission of that message, that were executed by the username that owns the recipient domain.
Code:
grep spamd /var/log/maillog | grep 'Apr  7 16:00' | grep $username
Be sure to replace $username with the cPanel account username that owns the recipient domain. This should show you the spam processes that handled the scanning. If it doesn't, then use your preferred pager (I use the 'less' command) to check the maillog file for errors related to spamd during that time frame.
 

serg499

Grep hasn't worked for me for an unknown reason, but here's /var/log/maillog for a similar email (a lot of our emails skip the spam check due to the error in the first post):
Bash:
Apr  8 15:15:52 vps spamc[24292]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr  8 15:15:52 vps spamd[4266]: spamd: connection from localhost [127.0.0.1]:36332 to port 783, fd 5
Another e-mail:
Bash:
Apr  8 15:16:49 vps spamd[4266]: spamd: connection from localhost [127.0.0.1]:37674 to port 783, fd 5
Apr  8 15:16:49 vps spamd[4266]: spamd: setuid to ouruser succeeded
Apr  8 15:16:49 vps spamd[4266]: config: not parsing, 'allow_user_rules' is 0: meta FROM_TLD ( __FROM_TLDFROM + __FROM_TLDFROMA >= 1 )
Apr  8 15:16:49 vps spamd[4266]: config: failed to parse line, skipping, in "/home/ouruser/.spamassassin/user_prefs": meta FROM_TLD ( __FROM$
Apr  8 15:16:49 vps spamd[4266]: config: not parsing, 'allow_user_rules' is 0: header __FROM_TLDFROM From =~ /\.(cf|ga|cyou|ml|tk|bid|book|cl$
Apr  8 15:16:49 vps spamd[4266]: config: failed to parse line, skipping, in "/home/ouruser/.spamassassin/user_prefs": header __FROM_TLDFROM $
Apr  8 15:16:49 vps spamd[4266]: config: not parsing, 'allow_user_rules' is 0: header __FROM_TLDFROMA From:address =~ /\.(cf|cyou|ga|ml|tk|bi$
Apr  8 15:16:49 vps spamd[4266]: config: failed to parse line, skipping, in "/home/ouruser/.spamassassin/user_prefs": header __FROM_TLDFROMA$
Apr  8 15:16:49 vps spamd[4266]: spamd: checking message <[email protected]> for ouruser:1000
Apr  8 15:16:51 vps spamd[4266]: spamd: clean message (0.2/5.0) for ouruser:1000 in 1.5 seconds, 29857 bytes.
Apr  8 15:16:51 vps spamd[4266]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HEL$
Apr  8 15:16:51 vps spamd[11787]: prefork: child states: II
Also today I've got an email from cPanel - FAILED ⛔: tailwatchd
Don't know if it's a related issue, here's the log it gave me:
Bash:
Service Name    tailwatchd
Service Status    failed ⛔
Notification    The service “tailwatchd” appears to be down.
Service Check Raw Output    Use of uninitialized value in string eq at /usr/local/cpanel/Cpanel/RestartSrv/Systemd.pm line 138.
(XID 286yy9) The “tailwatchd” service is down.
Startup Log    
Apr 08 17:54:38 (our server) spamc[6149]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 17:59:40 (our server) spamc[6563]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:04:42 (our server) spamc[7002]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:09:43 (our server) spamc[7483]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:14:45 (our server) spamc[7941]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:19:45 (our server) spamc[8420]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:24:48 (our server) spamc[8869]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:29:50 (our server) spamc[9319]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:36:46 (our server) spamc[9802]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 18:36:57 (our server) spamc[9877]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Memory Information   
Used    4.72 GB
Available    1.71 GB
Installed    4 GB
Load Information    2.62 1.16 0.47
Uptime    47 days, 35 minutes, and 23 seconds
IOStat Information    avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           7.33    0.08    1.34    0.00    0.00   91.24
Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
ploop21186       47.28       411.70      4309.74 1672701230 17510141220
Top Processes   
PID    Owner    CPU %    Memory %    Command
9982    root    30.16    0.32    cpgreylistd - processing request
10861    root    20.84    30.11    /usr/local/cpanel/3rdparty/bin/clamd
9983    mailnull    6.38    0.20    /usr/sbin/exim -odi -Mc 1lUdH1-0002Xn-PC
9987    mailnull    3.45    0.17    /usr/sbin/exim -odi -t -oem -oi -f <> -E1lUdH1-0002Xn-PC
9836    ouruser     0.49    0.22    dovecot/lmtp
 

cPDavidL

Thank you for your update.

Honestly, the fact that grep does not work, and the error shown in the tailwatchd notification, are absolutely causes for concern, and need to be investigated accordingly.

Those maillog entries definitely show an issue with the connection to spamd failing. A message cannot be scanned if the spamd service cannot be reached. I would encourage you to reach out to our support staff (at support.cpanel.net) for a more detailed investigation into why the spamd daemon is refusing connections.
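
Added example, not part of the thread and not cPanel tooling: a small shell function that, for the minute in which Exim accepted a message, counts spamc connection failures, completed spamd scans, and user_prefs rules skipped because 'allow_user_rules' is 0. The names `sample_maillog` and `spam_activity` are made up for this example, the sample lines are constructed from the excerpts posted above, and the patterns assume the spamc/spamd message wording shown in those excerpts.

```bash
#!/bin/sh
# Added example: per-minute summary of spamc/spamd activity in a syslog-style maillog.

# Constructed sample lines, modelled on the excerpts posted in this thread.
sample_maillog() {
cat <<'EOF'
Apr  8 15:15:52 vps spamc[24292]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr  8 15:15:52 vps spamd[4266]: spamd: connection from localhost [127.0.0.1]:36332 to port 783, fd 5
Apr  8 15:16:49 vps spamd[4266]: spamd: connection from localhost [127.0.0.1]:37674 to port 783, fd 5
Apr  8 15:16:49 vps spamd[4266]: config: not parsing, 'allow_user_rules' is 0: meta FROM_TLD ( ... )
Apr  8 15:16:49 vps spamd[4266]: spamd: checking message <id@example.invalid> for ouruser:1000
Apr  8 15:16:51 vps spamd[4266]: spamd: clean message (0.2/5.0) for ouruser:1000 in 1.5 seconds, 29857 bytes.
EOF
}

# usage: spam_activity MONTH DAY HH:MM [FILE...]   (reads stdin when no FILE is given)
spam_activity() {
    mon=$1; day=$2; hhmm=$3
    shift 3
    awk -v mon="$mon" -v day="$day" -v hhmm="$hhmm" '
        # Compare fields, so the padded day-of-month ("Apr  8") needs no exact spacing.
        $1 == mon && $2 + 0 == day + 0 && substr($3, 1, 5) == hhmm {
            # spamc could not reach spamd on some address
            if ($0 ~ /spamc\[[0-9]+\]: connect to spamd on .* failed/) failed++
            # spamd finished a scan; "identified spam" is its wording for an over-threshold score
            else if ($0 ~ /spamd: (clean message|identified spam) \(/) scanned++
            # a user_prefs rule line was ignored because user rules are disabled
            else if ($0 ~ /config: not parsing, .allow_user_rules. is 0/) skipped++
        }
        END {
            printf "connect_failed=%d scanned=%d user_rules_skipped=%d\n", failed, scanned, skipped
        }
    ' "$@"
}

# Run against the constructed sample; on a server, pass /var/log/maillog as FILE.
sample_maillog | spam_activity Apr 8 15:15
sample_maillog | spam_activity Apr 8 15:16
```

A minute with `connect_failed` above zero and `scanned=0` is one where a message accepted by Exim at that time would have no spamd result to attach a score from.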