
Outgoing SPAM Email Problems

Discussion in 'E-mail Discussion' started by Elliot Hagerty, Aug 17, 2018.

  1. Elliot Hagerty

    Elliot Hagerty Member

    Joined:
    Aug 17, 2018
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    Bristol
    cPanel Access Level:
    Root Administrator
    Over the past few weeks we've been getting lots of trouble with outgoing spam. We currently use an Amazon AWS server to send emails anyway. My colleagues and I have been receiving emails that are from our accounts, e.g. from [removed - please exclude real domain names and IP addresses from the output]

    Here's an example of the headers of a typical SPAM email we're receiving:

    [removed - please exclude real domain names and IP addresses from the output]

    Obviously each time we get these SPAM emails their IP is switched, so it's hard to try and block it that way. We've reset email account passwords and also the main cPanel account. Also we have SpamAssassin set up and slightly tweaked to try and prevent this, but obviously aren't having much luck. I've tried doing the usual stuff recommended by cPanel.

    I'd appreciate it if someone could help me out, as this is happening for at least another 5/6 accounts.
     
    #1 Elliot Hagerty, Aug 17, 2018
    Last edited by a moderator: Aug 17, 2018
  2. Elliot Hagerty

    Here's a snippet from the exim_mainlog:

    [removed - please exclude real domain names and IP addresses from the output]
     
  3. Elliot Hagerty

    exim_mainlog

    Code:
    2018-08-17 11:07:06 1fqbeo-0004Di-Gm H=([154.113.98.8]) [154.113.98.8]:15256 Warning: "SpamAssassin as example detected message as NOT spam (-69.2)"
    2018-08-17 11:07:06 1fqbeo-0004Di-Gm <= name@example.com H=([154.113.98.8]) [154.113.98.8]:15256 P=esmtp S=2971 id=219918524.201808171105@example.co.uk T="Let's have fun?" for name@example.com
    2018-08-17 11:07:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fqbeo-0004Di-Gm
    2018-08-17 11:07:06 SMTP connection from ([154.113.98.8]) [154.113.98.8]:15256 closed by QUIT
    2018-08-17 11:07:07 1fqbeo-0004Di-Gm => name <name@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <name@example.com> uOksMUqedltCNgAAPb2kjA Saved"
    2018-08-17 11:07:07 1fqbeo-0004Di-Gm Completed
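A way to pick this pattern out of exim_mainlog, as an added example that is not part of the original post: the forged messages arrive on `<=` lines with an envelope sender in a locally hosted domain but from an external, unauthenticated host, while legitimate submissions from your own users carry an `A=` authenticator tag or come from a known relay. The log lines, the local domain and the trusted relay IP below are constructed for the example (modelled on the snippet above, not real traffic), and the allow-lists are assumptions you would fill in for your own server.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample exim_mainlog lines modelled on the snippet in this post; the
# hosts, addresses and message ids are made up for the example.
SAMPLE_LOG = """\
2018-08-17 11:07:06 1fqbeo-0004Di-Gm <= name@example.com H=([154.113.98.8]) [154.113.98.8]:15256 P=esmtp S=2971 id=219918524.201808171105@example.co.uk T="Let's have fun?" for name@example.com
2018-08-17 11:07:07 1fqbeo-0004Di-Gm => name <name@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <name@example.com> uOksMUqedltCNgAAPb2kjA Saved"
2018-08-17 11:09:12 1fqbgo-0004Dj-Aa <= name@example.com H=(mail.example.com) [203.0.113.10]:4412 P=esmtpsa A=dovecot_login:name@example.com S=1200 T="Invoice" for client@example.org
2018-08-17 11:10:30 1fqbhx-0004Dk-Bb <= other@example.org H=(mx.example.org) [198.51.100.7]:25 P=esmtps S=3000 T="Hello" for name@example.com
"""

# Assumptions for the example: the domains whose mailboxes live on this server, and the
# IPs allowed to hand in mail for them without SMTP AUTH (e.g. an outbound relay).
LOCAL_DOMAINS: Set[str] = {"example.com"}
TRUSTED_RELAYS: Set[str] = {"203.0.113.10"}

# Matches exim "message arrived" (<=) lines and pulls out the envelope sender and the
# connecting host; the HELO part H=(...) is optional, the [ip] part is not.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?:\(\S*\) )?\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# exim logs A=<authenticator>:<user> on arrivals that were authenticated submissions
AUTH_RE = re.compile(r"\bA=\S+")


def sender_domain(address: str) -> str:
    """Return the lowercase domain of an envelope sender ('' for the null sender <>)."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip("<>").lower()


def find_spoofed_local_senders(log_text: str, local_domains: Iterable[str],
                               trusted_relays: Iterable[str]) -> List[Dict[str, str]]:
    """Flag arrivals that claim a local envelope sender but came from an untrusted,
    unauthenticated host: the shape of the forged 'from yourself' mail in this thread."""
    local = {d.lower() for d in local_domains}
    trusted = set(trusted_relays)
    flagged: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # delivery (=>), Completed and other non-arrival lines
        domain = sender_domain(m["sender"])
        authenticated = AUTH_RE.search(m["rest"]) is not None
        if domain in local and not authenticated and m["ip"] not in trusted:
            flagged.append({"ts": m["ts"], "id": m["id"], "sender": m["sender"], "ip": m["ip"]})
    return flagged


if __name__ == "__main__":
    for hit in find_spoofed_local_senders(SAMPLE_LOG, LOCAL_DOMAINS, TRUSTED_RELAYS):
        print(f"{hit['ts']} {hit['id']}: {hit['sender']} claimed by external host {hit['ip']}")
```

Run against the constructed log it reports only the first arrival (the one copied from the snippet above): the second is an authenticated submission and the third is an ordinary external sender, so neither is a forgery of a local address.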
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,161
    Likes Received:
    474
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Elliot Hagerty


    This doesn't look like outbound spam based on what you're providing; it looks like inbound spam (you're receiving the spam, not sending it).

    But it does look like there is some trickery occurring, due to the fact the message is being marked as being from your user (which it isn't). The reason why it's getting marked as NOT spam is detailed in the scoring:

    Code:
    Content analysis details:   (-56.3 points, 6.0 required)
     
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
     -100 USER_IN_WHITELIST      From: address is in the user's white-list
      5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                                 [score: 1.0000]
      0.8 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
      1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                 https://senderscore.org/blacklistlookup/
                                [113.189.99.245 listed in bl.score.senderscore.com]
      6.2 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                                 [113.189.99.245 listed in bl.mailspike.net]
      3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                                 [113.189.99.245 listed in zen.spamhaus.org]
      3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
      4.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
      1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                   [Blocked - see <http://www.spamcop.net/bl.shtml?113.189.99.245>]
      1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
      1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
      1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                                 [score: 1.0000]
      1.8 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
      1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                                 [cf: 100]
      0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
      0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                                 (FTSDMCXX/boundary variant) direct-to-MX
      2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
      0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
      0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
      1.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam

    specifically:
    Code:
     -100 USER_IN_WHITELIST      From: address is in the user's white-list
    
    Basically what's happening here is the spammer is taking advantage of users who whitelist their own domains. If your own domain wasn't in the whitelist there, the message would have received a spam score of over 30 and been marked as such (deleted if you had autodelete enabled).

    Because spam scoring isn't done on local domains (local -> local), meaning if your MX records for this domain are hosted locally, I would suggest removing the domain from the whitelist so you'll stop receiving this type of spam.

    The only way I can think of to work around this reliably otherwise would be to increase the points on the SPF failure rule, as right now it's set to add 1.5 to the score:
    Code:
      1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)

    That is set here Globally:
    Code:
    grep SPF /usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf
    # SPF failures and information
    ifplugin Mail::SpamAssassin::Plugin::SPF
    score SPF_NONE 0
    score SPF_HELO_NONE 0
    score SPF_PASS -0.001
    score SPF_HELO_PASS -0.001
    score SPF_FAIL 4.0
    score SPF_HELO_FAIL 4.0
    score SPF_HELO_NEUTRAL 0
    score SPF_HELO_SOFTFAIL 1.5
    score SPF_NEUTRAL 0
    score SPF_SOFTFAIL 1.5
    To modify this per account through cPanel you'd go to cPanel >> Email >> Spam Filters -> Show Additional Configurations -> Configure Calculated Spam Scores Settings

    If you wanted to modify it per account via CLI you can do so as follows:

    Code:
    cat /home/$user/.spamassassin/user_prefs
    
    score SPF_SOFTFAIL 100
     
    #4 cPanelLauren, Aug 17, 2018
    Last edited: Aug 17, 2018
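The arithmetic behind this answer, as an added example rather than anything from cPanelLauren's post: a small parser for the "Content analysis details" report quoted above that re-adds the rule scores under each of the scenarios described. With USER_IN_WHITELIST present the total sits far below the 6.0 threshold; drop that one rule and the same hits sum to well over 30; leave the whitelist entry in place but weight SPF_SOFTFAIL at 100 as in the `user_prefs` suggestion and the verdict flips anyway. The report text is the one pasted in the post, embedded here as sample input; the function and parameter names are this example's own.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The SpamAssassin report quoted in the post above, embedded as sample input.
REPORT = """\
Content analysis details:   (-56.3 points, 6.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -100 USER_IN_WHITELIST      From: address is in the user's white-list
  5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  0.8 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                             https://senderscore.org/blacklistlookup/
                            [113.189.99.245 listed in bl.score.senderscore.com]
  6.2 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                             [113.189.99.245 listed in bl.mailspike.net]
  3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [113.189.99.245 listed in zen.spamhaus.org]
  3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
  4.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see <http://www.spamcop.net/bl.shtml?113.189.99.245>]
  1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
  1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  1.8 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                             (FTSDMCXX/boundary variant) direct-to-MX
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
  1.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam
"""

# A scored rule line: points, RULE_NAME, description. Continuation lines such as
# "[score: 1.0000]" start with a bracket or a URL and so never match.
RULE_RE = re.compile(r"^\s*(?P<pts>-?\d+(?:\.\d+)?)\s+(?P<rule>[A-Z][A-Z0-9_]*)\s+(?P<desc>.*)$")
HEADER_RE = re.compile(r"\((?P<total>-?\d+(?:\.\d+)?) points, (?P<required>\d+(?:\.\d+)?) required\)")


def parse_report(text: str) -> Tuple[float, List[Tuple[str, float]]]:
    """Return (required threshold, [(rule, points), ...]) from a 'Content analysis details' report."""
    header = HEADER_RE.search(text)
    required = float(header["required"]) if header else 5.0  # SpamAssassin's stock default
    hits = [(m["rule"], float(m["pts"])) for m in map(RULE_RE.match, text.splitlines()) if m]
    return required, hits


def total_score(hits: Iterable[Tuple[str, float]], exclude: Iterable[str] = (),
                overrides: Optional[Dict[str, float]] = None) -> float:
    """Sum the hits, optionally dropping rules (as if the whitelist entry were removed)
    or re-weighting them (as 'score SPF_SOFTFAIL 100' in user_prefs would)."""
    overrides = overrides or {}
    skip = set(exclude)
    return round(sum(overrides.get(rule, pts) for rule, pts in hits if rule not in skip), 1)


def is_spam(hits: Iterable[Tuple[str, float]], required: float, exclude: Iterable[str] = (),
            overrides: Optional[Dict[str, float]] = None) -> bool:
    return total_score(hits, exclude, overrides) >= required


if __name__ == "__main__":
    required, hits = parse_report(REPORT)
    print("as scored:               ", total_score(hits), is_spam(hits, required))
    print("without USER_IN_WHITELIST:", total_score(hits, exclude={"USER_IN_WHITELIST"}),
          is_spam(hits, required, exclude={"USER_IN_WHITELIST"}))
    print("SPF_SOFTFAIL scored 100: ", total_score(hits, overrides={"SPF_SOFTFAIL": 100.0}),
          is_spam(hits, required, overrides={"SPF_SOFTFAIL": 100.0}))
```

Note that the rules as pasted sum to -61.6 while the report header says -56.3, so the quoted report is probably not complete; it makes no difference to the point, since every scenario is dominated by the single -100 whitelist hit or by the 100-point SPF override.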