Aug 17, 2018
Bristol
cPanel Access Level
Root Administrator
Over the past few weeks we've been getting lots of trouble with outgoing spam. We currently use an Amazon AWS server to send emails anyway. My colleagues and I have been receiving emails that are from our accounts, e.g. from [removed - please exclude real domain names and IP addresses from the output]

Here's an example of the headers of a typical SPAM email we're receiving:

[removed - please exclude real domain names and IP addresses from the output]

Obviously each time we get these SPAM emails, their IP is switched, so it's hard to try and block it that way. We've reset email account passwords and also the main cPanel account. Also we have SpamAssassin set up and slightly tweaked to try and prevent this, but obviously aren't having much luck. I've tried doing the usual stuff recommended by cPanel.

I'd appreciate it if someone could help me out, as this is happening for at least another 5/6 accounts.
Aug 17, 2018
Bristol
cPanel Access Level
Root Administrator
exim_mainlog

Code:
2018-08-17 11:07:06 1fqbeo-0004Di-Gm H=([154.113.98.8]) [154.113.98.8]:15256 Warning: "SpamAssassin as example detected message as NOT spam (-69.2)"
2018-08-17 11:07:06 1fqbeo-0004Di-Gm <= [email protected] H=([154.113.98.8]) [154.113.98.8]:15256 P=esmtp S=2971 [email protected] T="Let's have fun?" for [email protected]
2018-08-17 11:07:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fqbeo-0004Di-Gm
2018-08-17 11:07:06 SMTP connection from ([154.113.98.8]) [154.113.98.8]:15256 closed by QUIT
2018-08-17 11:07:07 1fqbeo-0004Di-Gm => name <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> uOksMUqedltCNgAAPb2kjA Saved"
2018-08-17 11:07:07 1fqbeo-0004Di-Gm Completed
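The exim_mainlog excerpt above shows the pattern worth alerting on: a `<=` line whose envelope sender is at the server's own domain, but whose connecting host (`H=`) is an outside IP rather than one of the server's own relays. The following detector is an added example for this thread, not cPanel or exim code. It assumes the standard exim_mainlog `<=` line layout, takes the local domains and the trusted relay networks as parameters, and runs over constructed log lines using RFC 5737 documentation addresses (none of the thread's real addresses).

```python
"""Flag inbound messages in exim_mainlog whose envelope sender claims one of our own
domains while the connecting host (H=) is not one of our own relays.

Added example for this thread (not cPanel or exim code). Assumes the standard
exim_mainlog '<=' line layout; local domains and trusted relay networks are
parameters. SAMPLE_LOG is constructed with RFC 5737 documentation addresses.
"""
import ipaddress
import re

# One '<=' (message received) line. Exim writes the connecting host as
# 'H=rdns (helo) [ip]:port', 'H=(helo) [ip]:port' or 'H=rdns [ip]:port'.
RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]:\d+"
    r".* for (?P<rcpt>\S+)$"
)

# Constructed sample: one spoofed local sender from an outside host, one genuine
# inbound message from another domain, one local sender relayed by our own web
# server, one locally submitted message (no H= field), plus non-'<=' lines.
SAMPLE_LOG = """\
2018-08-17 11:07:06 1fqTst-0000A1-Aa <= alice@example.com H=([203.0.113.7]) [203.0.113.7]:15256 P=esmtp S=2971 id=a1@203.0.113.7 T="Let's have fun?" for alice@example.com
2018-08-17 11:07:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fqTst-0000A1-Aa
2018-08-17 11:07:07 1fqTst-0000A1-Aa => alice <alice@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2018-08-17 11:08:12 1fqTst-0000A2-Bb <= bob@example.org H=mail.example.org (mail.example.org) [198.51.100.4]:41022 P=esmtps S=4120 id=b2@example.org T="invoice" for alice@example.com
2018-08-17 11:09:40 1fqTst-0000A3-Cc <= noreply@example.com H=webapp.example.com [192.0.2.10]:52210 P=esmtp S=1801 id=c3@webapp.example.com T="password reset" for alice@example.com
2018-08-17 11:10:03 1fqTst-0000A4-Dd <= carol@example.com U=carol P=local S=1200 id=d4@example.com T="lunch" for alice@example.com
"""


def parse_received(line):
    """Return the fields of a '<=' line as a dict, or None for any other line."""
    m = RECEIVED_RE.match(line)
    return m.groupdict() if m else None


def sender_domain(sender):
    """Domain part of an envelope sender; None for the empty bounce sender '<>'."""
    if "@" not in sender:
        return None
    return sender.rsplit("@", 1)[1].lower()


def is_trusted_host(ip, trusted_nets):
    """True if the connecting IP falls inside one of our own relay networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_spoofed_local_senders(log_text, local_domains, trusted_nets):
    """Messages that claim a local sender domain but arrived from an untrusted host."""
    local = {d.lower() for d in local_domains}
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_text.splitlines():
        rec = parse_received(line)
        if rec is None:
            continue  # deliveries, queue-runner lines, local submissions without H=
        if sender_domain(rec["sender"]) in local and not is_trusted_host(rec["ip"], nets):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Hypothetical configuration: our hosted domain and the networks our own
    # web/app servers relay from (loopback included so local SMTP is not flagged).
    for hit in find_spoofed_local_senders(SAMPLE_LOG, {"example.com"}, ["192.0.2.0/24", "127.0.0.0/8"]):
        print(f"{hit['ts']} {hit['id']} spoofed local sender {hit['sender']} from {hit['ip']} for {hit['rcpt']}")
```

Only the first message is reported: the second is from another domain, the third comes from a trusted relay, and the fourth was submitted locally and has no `H=` field at all. Because `H=` is the host that actually connected, a trusted forwarder in front of the server would have to be listed in the trusted networks or every message it passes on would be flagged.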
cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
Hi @Elliot Hagerty


This doesn't look like outbound spam based on what you're providing; it looks like inbound spam (you're receiving the spam, not sending it).

But it does look like there is some trickery occurring, due to the fact the message is being marked as being from your user (which it isn't). The reason why it's getting marked as NOT spam is detailed in the scoring:

Code:
Content analysis details:   (-56.3 points, 6.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -100 USER_IN_WHITELIST      From: address is in the user's white-list
  5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  0.8 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                             https://senderscore.org/blacklistlookup/
                            [113.189.99.245 listed in bl.score.senderscore.com]
  6.2 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                             [113.189.99.245 listed in bl.mailspike.net]
  3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [113.189.99.245 listed in zen.spamhaus.org]
  3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
  4.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see <http://www.spamcop.net/bl.shtml?113.189.99.245>]
  1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
  1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  1.8 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                             (FTSDMCXX/boundary variant) direct-to-MX
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
  1.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam

specifically:
Code:
 -100 USER_IN_WHITELIST      From: address is in the user's white-list
Basically what's happening here is the spammer is taking advantage of users who whitelist their own domains. If your own domain wasn't in the whitelist there, the message would have received a spam score of over 30 and been marked as such (deleted if you had autodelete enabled).

Because spam scoring isn't done on local domains (local -> local), meaning if your MX records for this domain are hosted locally, I would suggest removing the domain from the whitelist so you'll stop receiving this type of spam.

The only way I can think of to work around this reliably otherwise would be to increase the points match on the SPF failure rule, as right now it's set to add 1.5 to the score:
Code:
  1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)

That is set here Globally:
Code:
grep SPF /usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf
# SPF failures and information
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_NONE 0
score SPF_HELO_NONE 0
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0
score SPF_SOFTFAIL 1.5
To modify this per account through cPanel you'd go to cPanel >> Email >> Spam Filters -> Show Additional Configurations -> Configure Calculated Spam Scores Settings

If you wanted to modify it per account via CLI you can do so as follows:

Code:
cat /home/$user/.spamassassin/user_prefs

score SPF_SOFTFAIL 100
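To see the arithmetic behind the two fixes in the reply above (dropping the whitelist entry, or raising SPF_SOFTFAIL via `score SPF_SOFTFAIL 100` in user_prefs), here is an added example that re-scores a SpamAssassin "Content analysis details" report under changed rule scores. It is not cPanel or SpamAssassin code; it parses the report format shown in the reply, and SAMPLE_REPORT is a constructed excerpt that keeps the reported total and the rules the reply discusses while omitting the other rule lines.

```python
"""Re-score a SpamAssassin 'Content analysis details' report under changed rule scores.

Added example for this thread (not cPanel or SpamAssassin code). It parses the report
format shown in the reply above; SAMPLE_REPORT is a constructed excerpt that keeps the
header total and the rules the reply discusses and omits the other rule lines.
"""
import re

SAMPLE_REPORT = """\
Content analysis details:   (-56.3 points, 6.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -100 USER_IN_WHITELIST      From: address is in the user's white-list
  5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  6.2 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
  1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
"""

HEADER_RE = re.compile(
    r"\((?P<total>-?\d+(?:\.\d+)?) points, (?P<required>-?\d+(?:\.\d+)?) required\)"
)
# A rule line starts with a signed score and an upper-case rule name; the column
# header, the dashed rule and continuation lines such as '[score: 1.0000]' do not.
RULE_RE = re.compile(r"^\s*(?P<score>-?\d+(?:\.\d+)?)\s+(?P<rule>[A-Z][A-Z0-9_]*)\b")


def parse_report(text):
    """Return (total, required, {rule: score}) from a SpamAssassin report."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'Content analysis details' header found")
    rules = {}
    for line in text.splitlines():
        r = RULE_RE.match(line)
        if r:
            rules[r.group("rule")] = float(r.group("score"))
    return float(m.group("total")), float(m.group("required")), rules


def rescore(text, overrides):
    """Total the report would have reached with the given per-rule score overrides.

    Only rules that actually fired are adjusted: the reported total is shifted by
    (new score - old score) for each overridden rule present in the report, which
    is exactly what a 'score RULE N' line in user_prefs or CPANEL.cf changes.
    """
    total, _required, rules = parse_report(text)
    for rule, new_score in overrides.items():
        if rule in rules:
            total += new_score - rules[rule]
    return round(total, 1)


def is_spam(text, overrides=None):
    """SpamAssassin marks the message as spam when the total reaches 'required'."""
    _total, required, _rules = parse_report(text)
    return rescore(text, overrides or {}) >= required


def user_prefs_lines(overrides):
    """Render overrides in the 'score RULE N' syntax of ~/.spamassassin/user_prefs."""
    return [f"score {rule} {score:g}" for rule, score in overrides.items()]


if __name__ == "__main__":
    total, required, _ = parse_report(SAMPLE_REPORT)
    print(f"as delivered: {total} (required {required}) -> spam={is_spam(SAMPLE_REPORT)}")
    no_wl = {"USER_IN_WHITELIST": 0}
    print(f"without the whitelist hit: {rescore(SAMPLE_REPORT, no_wl)}")
    spf = {"SPF_SOFTFAIL": 100}
    print(f"with {user_prefs_lines(spf)[0]!r}: {rescore(SAMPLE_REPORT, spf)} -> spam={is_spam(SAMPLE_REPORT, spf)}")
```

Removing the whitelist hit lifts the total from -56.3 to 43.7, far past the 6.0 threshold; leaving the whitelist in place but scoring SPF_SOFTFAIL at 100 gives 42.2, so the -100 entry no longer rescues the message. The override only matters for messages where the rule fired, which is why a raised SPF_SOFTFAIL score does nothing to mail from senders whose SPF record passes.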