phisher attached rDNS protection 2019, where is setting "require verify = reverse_host_lookup"?

eugenevdm.host

Well-Known Member
Oct 21, 2019
Cape Town
cPanel Access Level: DataCenter Provider
I have a particularly aggressive phisher sending messages from IPs that don't have rDNS. We're an ISP, so our SpamAssassin threshold is 8. I've left some evidence below whereby SpamAssassin picked up a message, as its score was 8.2. I leave another report where SpamAssassin did not pick it up, as the threshold was 7.9.

For now my only recourse is to block messages where no rDNS is set up. I've googled to death, and articles on this forum from 2014 and 2015 refer to a setting in the Exim Configuration Editor that I simply cannot find. This setting is:

Section:
custom_begin_check_message_pre

Setting:
require verify = reverse_host_lookup

I cannot find either Section or requisite Setting. Please help.

Evidence #1: SA score of 8.2

```
X-Spam-Report: Spam detection software, running on the system "REDACTED",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Dear manager, We are deactivating all mailbox users that are
still using the old Version of kingsley.co.za Mailbox , And your email [email protected]
is still using old version, Please tap the blue button below to upgrade your
mailbox to the latest version,
Content analysis details: (8.2 points, 8.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4693]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
Blocklist Lookup | Sender Score | Return Path
[REDACTED.252.172.96 listed in bl.score.senderscore.com]
0.1 URI_HEX URI: URI hostname has long hexadecimal sequence
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
1.2 PDS_FROM_2_EMAILS No description available.
1.6 NORDNS_LOW_CONTRAST No rDNS + hidden text
X-Spam-Flag: YES
```

Evidence #2: SA score of 7.9

```
X-Ham-Report: Spam detection software, running on the system "mail.kingsley.co.za",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Dear manager, We are deactivating all mailbox users that are
still using the old Version of kingsley.co.za Mailbox , And your email [email protected]
is still using old version, Please tap the blue button below to upgrade your
mailbox to the latest version,
Content analysis details: (7.9 points, 8.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4693]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
Blocklist Lookup | Sender Score | Return Path
[REDACTED.252.172.96 listed in bl.score.senderscore.com]
0.1 URI_HEX URI: URI hostname has long hexadecimal sequence
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
1.1 PDS_FROM_2_EMAILS No description available.
1.5 NORDNS_LOW_CONTRAST No rDNS + hidden text
X-Spam-Flag: NO
```
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Hello,

If you're using SpamAssassin, you could modify the rule scoring for the RDNS_NONE rule:


```
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
```

Right now it's set to 2.0, but if you wanted to ensure it was blocked you could bump that up.


In regard to the ACL setting you're referencing, it's in the acl_smtp_data category of Exim Configuration Manager -> Advanced Editor, the 5th section from what I'm seeing. Here's a screenshot:

[Attached screenshot: custom_beign_check_message_pre.png]
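The rescoring approach from the reply above, as an added example that is not part of the thread: a Python parser for the rule table in SpamAssassin's X-Spam-Report/X-Ham-Report header that re-sums the hits after a local.cf-style `score RULE N` override. Its input is the 7.9-point table quoted in the question; the 3.0 override value is an assumed illustration, not a recommendation from the thread.

```python
"""Re-sum a SpamAssassin report rule table after a score override.

Added example, not from this thread; the override value is illustrative.
"""
import re

# Constructed sample: the rule table from the 7.9-point X-Ham-Report above.
REPORT_79 = """\
Content analysis details: (7.9 points, 8.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4693]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
Blocklist Lookup | Sender Score | Return Path
[REDACTED.252.172.96 listed in bl.score.senderscore.com]
0.1 URI_HEX URI: URI hostname has long hexadecimal sequence
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
1.1 PDS_FROM_2_EMAILS No description available.
1.5 NORDNS_LOW_CONTRAST No rDNS + hidden text
"""

# A rule line starts with a signed decimal score and the rule name; wrapped
# description lines and "[...]" detail lines do not, so they are skipped.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")
SUMMARY = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")


def parse_report(text):
    """Return (required_threshold, {rule_name: points}) for the rules that hit."""
    threshold = float(SUMMARY.search(text).group(2))
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return threshold, hits


def rescore(hits, overrides):
    """Total after local.cf-style overrides; a rule that did not hit adds nothing."""
    scored = {rule: overrides.get(rule, pts) for rule, pts in hits.items()}
    return round(sum(scored.values()), 1)


def verdict(total, threshold):
    """SpamAssassin flags the message once the total reaches the required score."""
    return "spam" if total >= threshold else "ham"
```

Only rules that hit contribute, so the override changes the outcome only for messages from hosts without rDNS; the Exim ACL line asked about rejects those outright instead of by score.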