Hi
@Elliot Hagerty
This doesn't look like outbound spam based on what you're providing; it looks like inbound spam (you're receiving the spam, not sending it).
But it does look like there is some trickery occurring, due to the fact that the message is being marked as being from your user (which it isn't). The reason why it's getting marked as NOT spam is detailed in the scoring:
Code:
Content analysis details:   (-56.3 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.8 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
                            [113.189.99.245 listed in bl.score.senderscore.com]
 6.2 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                            [113.189.99.245 listed in bl.mailspike.net]
 3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [113.189.99.245 listed in zen.spamhaus.org]
 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
 4.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?113.189.99.245>]
 1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
 1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 1.8 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                            (FTSDMCXX/boundary variant) direct-to-MX
 2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam
specifically:
Code:
-100 USER_IN_WHITELIST From: address is in the user's white-list
Basically what's happening here is the spammer is taking advantage of users who whitelist their own domains. If your own domain wasn't in the whitelist there, the message would have received a spam score of over 30 and been marked as such (deleted if you had autodelete enabled).
Because spam scoring isn't done on local domains (local -> local), meaning if your MX records for this domain are hosted locally, I would suggest removing the domain from the whitelist so you'll stop receiving this type of spam.
The only way I can think of to work around this reliably otherwise would be to increase the points on the SPF failure rule, as right now it's set to add 1.5 to the score:
Code:
1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
That is set here globally:
Code:
grep SPF /usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf
# SPF failures and information
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_NONE 0
score SPF_HELO_NONE 0
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0
score SPF_SOFTFAIL 1.5
To modify this per account through cPanel you'd go to cPanel >> Email >> Spam Filters -> Show Additional Configurations -> Configure Calculated Spam Scores Settings
If you wanted to modify it per account via CLI you can do so as follows:
Code:
cat /home/$user/.spamassassin/user_prefs
score SPF_SOFTFAIL 100
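To make the arithmetic in the reply above concrete, here is an added example (not from the original post or from cPanel): a small Python script that parses the "Content analysis details" table SpamAssassin prints, sums the per-rule scores against the 6.0 threshold, and then re-runs the sum with the USER_IN_WHITELIST hit removed (what dropping the domain from the whitelist does) and with SPF_SOFTFAIL re-scored to 100 (what the `score SPF_SOFTFAIL 100` line in user_prefs does). The embedded report is the table quoted in the reply with the bracketed RBL lookup lines trimmed; because only the rows shown in the post are summed, the "as delivered" total is not the header's -56.3 but the sum of the visible rows. The SpamAssassin report format is real; the function names and the three scenario labels are this example's own.

```python
"""Recompute a SpamAssassin "Content analysis details" verdict.

Added example (not from the original post): parse the per-rule score
table, sum it, then re-run the sum with one rule dropped
(USER_IN_WHITELIST) or re-scored (SPF_SOFTFAIL 100, as set in
~/.spamassassin/user_prefs).
"""
import re
from decimal import Decimal

REQUIRED = Decimal("6.0")  # "6.0 required" from the report header

# Constructed sample: the score rows quoted in the post (RBL lookup lines trimmed).
SAMPLE_REPORT = """\
Content analysis details: (-56.3 points, 6.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.8 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
 6.2 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
 3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
 4.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
 1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
 1.8 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                            (FTSDMCXX/boundary variant) direct-to-MX
 2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam
"""

# A score row starts with a signed decimal number followed by the rule name.
# Continuation lines ("[score: ...]", URLs, "(FTSDMCXX/...") do not match.
ROW_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")


def parse_report(text):
    """Return [(rule_name, Decimal score), ...] in report order."""
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            hits.append((m.group(2), Decimal(m.group(1))))
    return hits


def total_score(hits, overrides=None, drop=()):
    """Sum the hits. `overrides` is {rule: new score}, the effect of a
    `score RULE N` line in user_prefs; rules named in `drop` are ignored,
    which is what removing the domain from the whitelist does to
    USER_IN_WHITELIST."""
    overrides = overrides or {}
    return sum((overrides.get(rule, score) for rule, score in hits
                if rule not in drop), Decimal("0"))


def is_spam(hits, required=REQUIRED, overrides=None, drop=()):
    """SpamAssassin marks the message as spam when the total reaches `required`."""
    return total_score(hits, overrides, drop) >= required


def scenarios(text=SAMPLE_REPORT):
    """The three cases discussed in the reply, as {label: (total, is_spam)}."""
    hits = parse_report(text)
    cases = {
        "as delivered": (None, ()),
        "domain removed from whitelist": (None, ("USER_IN_WHITELIST",)),
        "user_prefs: score SPF_SOFTFAIL 100": ({"SPF_SOFTFAIL": Decimal("100")}, ()),
    }
    return {label: (total_score(hits, ov, drop), is_spam(hits, REQUIRED, ov, drop))
            for label, (ov, drop) in cases.items()}


if __name__ == "__main__":
    for label, (score, spam) in scenarios().items():
        print(f"{label:38s} {score:>7} -> {'SPAM' if spam else 'ham'}")
```

Run it and the visible rows sum to -61.6 as delivered (ham), 38.4 with the whitelist hit gone (spam), and 36.9 with SPF_SOFTFAIL at 100 while the whitelist entry stays (spam). The second figure is the "over 30" the reply refers to. One caveat on the user_prefs route: a score of 100 on SPF_SOFTFAIL will also push any legitimate message that softfails SPF, such as mail forwarded through a host the sender's SPF record does not list, over the threshold, so it is a blunter instrument than dropping the domain from the whitelist.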