The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SOLVED Problems with spam when redirect emails

Discussion in 'E-mail Discussions' started by Tatchan, Feb 17, 2017.

  1. Tatchan

    Tatchan Member

    Joined:
    Sep 13, 2010
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    51
    Hi!!

    I have a problem with SpamAssassin. I have 2 servers with 2 domains. On server A I have an email redirection to a real email on server B, for example:

    user1@serverA.com -> user1@serverB.com

    When I write an email to user1@serverA.com, SpamAssassin puts the correct score on server A, but when server B receives this email, it classifies the email as spam.

    Example with the SpamAssassin log for the same email, received on server A and then redirected to server B:
    Code:
    Server A:
    2017-02-17 12:46:14 1cegzF-0002xxxxx H= [xxx.xxx.xxx.xxx]:33894 Warning: "SpamAssassin as xxxxx detected message as NOT spam (0.4)"
    
    Server B:
    2017-02-17 12:47:05 1ceh06-000Mxxxxx H=xxxxxxx [xxx.xxx.xxx.xxx]:44600 Warning: "SpamAssassin as dogopets detected message as NOT spam (5.3)"
    
    Almost 5 more score points!! How can I fix this problem?

    Thanks for all!! =)
     
    #1 Tatchan, Feb 17, 2017
    Last edited by a moderator: Feb 17, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you elaborate on how you are redirecting the email? Is this via a forwarder or a custom Exim configuration?

    Thank you.
     
  3. Tatchan

    Tatchan Member

    The email is redirected with the cPanel option "Forwarders".
     
  4. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    599
    Likes Received:
    92
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    You should check the email headers as well to see what is being triggered to cause the score to be so high; that may help to figure out what's going on.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Also, please post the output from /var/log/exim_mainlog for the affected messages on each system. EX:

    Code:
    exigrep MSGID /var/log/exim_mainlog
    Thank you.
     
  6. Tatchan

    Tatchan Member

    I have done a test sending an email from Hotmail to the server A redirection and receiving it at an email address on server B. This time it wasn't detected as spam, since the original message only had a score of -3.2, but almost 5 score points were added on server B.

    This is the log and headers from a test:

    Server A:

    2017-02-21 08:27:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cg4qg-0002sk-ES



    +++ 1cg4qg-0002sk-ES has not completed +++

    2017-02-21 08:27:02 1cg4qg-0002sk-ES H=col004-omc2s4.hotmail.com [65.55.34.78]:51187 Warning: "SpamAssassin as xxxxxx detected message as NOT spam (-3.2)"

    2017-02-21 08:27:02 1cg4qg-0002sk-ES <= xxxxxx@hotmail.com H=col004-omc2s4.hotmail.com [65.55.34.78]:51187 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no S=6857 id=HE1PR0801MB18353D9695A378CC8E7D9409F8510@HE1PR0801MB1835.eurprd08.prod.outlook.com T="Test message" for xxxxx@serverA.com

    2017-02-21 08:27:02 1cg4qg-0002sk-ES SMTP connection identification D=serverA.com O=xxxxx@serverA.com E=xxxxx@serverB.com M=1cg4qg-0002sk-ES U=xxxxx ID=504 B=redirect_resolver

    2017-02-21 08:27:02 1cg4qg-0002sk-ES SMTP connection outbound 1487662022 1cg4qg-0002sk-ES serverA.com xxxxx@serverB.com

    2017-02-21 08:27:02 1cg4qg-0002sk-ES => xxxxx <xxxxx@serverA.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <xxxxx@serverA> D4QsFcbrq1hbKwAAUZY67A Saved"



    Server B:

    2017-02-21 08:27:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cg4rT-0008db-54



    2017-02-21 08:27:50 1cg4rT-0008db-54 H=xxx.xxxxx.eu (xxxxxx.ovh.net) [xxx.xxx.160.164]:53230 Warning: "SpamAssassin as usergrup detected message as NOT spam (2.1)"

    2017-02-21 08:27:50 1cg4rT-0008db-54 H=xxx.xxxxx.eu (xxxxxx.ovh.net) [xxx.xxx.160.164]:53230 Warning: Message has been scanned: no virus or other harmful content was found

    2017-02-21 08:27:50 1cg4rT-0008db-54 <= xxxxx@hotmail.com H=xxx.xxxxx.eu (xxxxx.ovh.net) [xxx.xxx.160.164]:53230 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=7667 id=HE1PR0801MB18353D9695A378CC8E7D9409F8510@HE1PR0801MB1835.eurprd08.prod.outlook.com T="Test message" for xxxxx@serverB.com

    2017-02-21 08:27:50 1cg4rT-0008db-54 => xxxxx<xxxxx@serverB.com> R=virtual_user T=dovecot_virtual_delivery_no_batch C="250 2.0.0 <xxxxx@serverB.com> VZwWJPbrq1gEggAAUeMStQ Saved"

    2017-02-21 08:27:50 1cg4rT-0008db-54 Completed







    Headers received:

    X-Exchange-Antispam-Report-Cfa-Test: BCL:0;PCL:0;RULEID:(432015087)(444000031);SRVR:HE1EUR01HT195;BCL:0;PCL:0;RULEID:;SRVR:HE1EUR01HT195;

    X-Incomingheadercount: 37

    X-Spam-Score: 21

    X-Ms-Exchange-Crosstenant-Originalarrivaltime: 21 Feb 2017 07:26:18.2862 (UTC)

    X-Originatororg: hotmail.com

    X-Ms-Exchange-Transport-Crosstenantheadersstamped: HE1EUR01HT195

    X-Forefront-Antispam-Report: EFV:NLI;SFV:NSPM;SFS:(10019020)(98900012);DIR:OUT;SFP:1102;SCL:1;SRVR:HE1EUR01HT195;H:HE1PR0801MB1835.eurprd08.prod.outlook.com;FPR:;SPF:None;LANG:ca;

    X-Authenticated-Sender: xxxxxx.ovh.net: xxxxx@serverA.com

    Authentication-Results: serverA.com; dkim=none (message not signed) header.d=none;serverA.com; dmarc=none action=none header.from=hotmail.com;

    X-Ham-Report: Spam detection software, running on the system "xxxxxxxx.ip-5-196-86.eu", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.

     Content preview: Això és una prova Això és una prova [...]

     Content analysis details: (2.1 points, 6.0 required)

      pts rule name              description
     ---- ---------------------- --------------------------------------------------
      1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
      0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider (xxxxxx[at]hotmail.com)
     -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
      0.0 HTML_MESSAGE           BODY: HTML included in message
      0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
     -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
     -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
      2.6 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS

    Return-Path: <xxxxx@hotmail.com>

    Return-Path: <xxxxx@hotmail.com>

    X-Ms-Exchange-Crosstenant-Fromentityheader: Internet

    Spamdiagnosticoutput: 1:99

    X-Ms-Tnef-Correlator:

    X-Ms-Exchange-Crosstenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

    X-Spam-Bar: ++

    Spamdiagnosticmetadata: NSPM

    Envelope-To: xxxxx@serverB.com

    Delivery-Date: Tue, 21 Feb 2017 08:27:50 +0100

    X-Antiabuse: This header was added to track abuse, please include it with any abuse report

    X-Antiabuse: Primary Hostname - xxxxxxx.ovh.net

    X-Antiabuse: Original Domain - serverA.com

    X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]

    X-Antiabuse: Sender Address Domain - hotmail.com

    X-Spam-Flag: NO

    X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(201702061074)(5061506556)(5061507331)(1603103135)(1601125237)(1603101406)(1701031045);SRVR:HE1EUR01HT195;

    Thread-Index: AQHSjBPKzU7Ywqx8mUmqdvSm0iWaqA==

    Accept-Language: es-ES, en-US

    X-Spam-Status: No, score=2.1

    Message-Id: <HE1PR0801MB18353D9695A378CC8E7D9409F8510@HE1PR0801MB1835.eurprd08.prod.outlook.com>

    Content-Language: es-ES

    X-Source-Args:

    Mime-Version: 1.0

    X-Originalarrivaltime: 21 Feb 2017 07:26:21.0524 (UTC) FILETIME=[CCCA4140:01D28C13]

    X-Ms-Office365-Filtering-Correlation-Id: 3ae84d8e-4aef-4daf-611d-08d45a2aed67

    Received: from xxxxxxxx.ip-5-196-86.eu by xxxxxxx.ip-5-196-86.eu (Dovecot) with LMTP id VZwWJPbrq1gEggAAUeMStQ for <xxxxx@serverBc.com>; Tue, 21 Feb 2017 08:27:50 +0100

    Received: from xxxxxx.xxxxx.eu ([xxx.xxx.160.164]:53230 helo=xxxxxxx.ovh.net) by xxxxxx.ip-5-196-86.eu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.87) (envelope-from <xxxxxx@hotmail.com>) id 1cg4rT-0008db-54 for xxxxx@serverB.com; Tue, 21 Feb 2017 08:27:50 +0100

    Received: from col004-omc2s4.hotmail.com ([65.55.34.78]:51187) by xxxxxxx.ovh.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256) (Exim 4.87) (envelope-from <xxxxx@hotmail.com>) id 1cg4qg-0002sk-ES for xxxxx@serverA.es; Tue, 21 Feb 2017 08:27:02 +0100

    Received: from EUR01-HE1-obe.outbound.protection.outlook.com ([65.55.34.73]) by COL004-OMC2S4.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Mon, 20 Feb 2017 23:26:21 -0800

    Received: from HE1EUR01FT038.eop-EUR01.prod.protection.outlook.com (10.152.0.52) by HE1EUR01HT195.eop-EUR01.prod.protection.outlook.com (10.152.1.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10; Tue, 21 Feb 2017 07:26:18 +0000

    Received: from HE1PR0801MB1835.eurprd08.prod.outlook.com (10.152.0.58) by HE1EUR01FT038.mail.protection.outlook.com (10.152.1.93) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10 via Frontend Transport; Tue, 21 Feb 2017 07:26:18 +0000

    Received: from HE1PR0801MB1835.eurprd08.prod.outlook.com ([10.168.150.143]) by HE1PR0801MB1835.eurprd08.prod.outlook.com ([10.168.150.143]) with mapi id 15.01.0919.018; Tue, 21 Feb 2017 07:26:18 +0000

    Content-Type: multipart/alternative; boundary="_000_HE1PR0801MB18353D9695A378CC8E7D9409F8510HE1PR0801MB1835_"
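
The report in the X-Ham-Report header above, broken down by rule, as an added example that is not part of the thread: it parses the flattened "Content analysis details" table and totals the rules that are scored from the relaying host or envelope sender rather than from the message content. `REPORT` is re-typed from that header; the `RELAY_RULES` selection and the function names are this example's own assumptions.

```python
import re

# Rule table copied from the X-Ham-Report header in the post above, flattened
# onto one line as it appears there.
REPORT = (
    "Content analysis details: (2.1 points, 6.0 required) pts rule name description "
    "---- ---------------------- -------------------------------------------------- "
    "1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) "
    "0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider "
    "(xxxxxx[at]hotmail.com) "
    "-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] "
    "0.0 HTML_MESSAGE BODY: HTML included in message "
    "0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid "
    "-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain "
    "-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature "
    "2.6 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS"
)

# A row starts with "<score> <RULE_NAME> "; upper-case rule names are what tell a
# row start apart from numbers inside a description such as "[score: 0.0000]".
ROW_START = r"-?\d+\.\d+\s+[A-Z][A-Z0-9_]+\s"
ROW = re.compile(r"(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*?)(?=\s+" + ROW_START + r"|$)", re.S)
TOTAL = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")

# Assumption of this example: rules scored from the relaying host or the envelope
# sender, i.e. the ones a forwarding hop can change without touching the content.
RELAY_RULES = {"SPF_SOFTFAIL", "SPF_FAIL", "SPF_NEUTRAL", "RDNS_DYNAMIC", "RDNS_NONE"}

def parse_report(text):
    """Return ((score, required), [(points, rule, description), ...])."""
    total = TOTAL.search(text)
    if total is None:
        raise ValueError("no 'Content analysis details' total found")
    rows = [(float(p), rule, desc.strip()) for p, rule, desc in ROW.findall(text)]
    return (float(total.group(1)), float(total.group(2))), rows

def relay_points(rows):
    """Sum the points contributed by relay-dependent rules."""
    hits = [(p, rule) for p, rule, _ in rows if rule in RELAY_RULES]
    return round(sum(p for p, _ in hits), 1), hits

if __name__ == "__main__":
    (score, required), rows = parse_report(REPORT)
    for points, rule, desc in sorted(rows, reverse=True):
        print(f"{points:5.1f}  {rule:<14} {desc}")
    print(f"total {score} of {required}; relay-dependent: {relay_points(rows)[0]}")
```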
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is the part of the message header that will help you to determine why SpamAssassin detects a message as SPAM.

    Could you enable the "Enable Sender Rewriting Scheme (SRS) Support" option in "WHM >> Service Configuration >> Exim Configuration Manager >> Basic Editor" and let us know if this helps to address the issue?

    Thank you.
     
  8. Tatchan

    Tatchan Member

    Yesterday I tried activating "Enable Sender Rewriting Scheme (SRS) Support", and it seems that it now works well. I see that SpamAssassin now adds -100 points to the mails that come from the other server.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I'm happy to see that helped to address the "SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 0.0" message that appeared in the header.

    Thank you for updating us with the outcome.
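
Why the SRS option affects the SPF result on server B, as an added sketch that is not code from this thread, cPanel or Exim: with SRS the forwarder rewrites the envelope sender into its own domain, so the receiving server evaluates SPF against serverA.com instead of hotmail.com, and a keyed hash lets the forwarder recognise its own addresses when bounces come back. The address follows the SRS0 layout, but the secret, hash input, tag length and age limit are assumptions of this example and are not interoperable with Exim's implementation.

```python
import base64
import hashlib
import hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET = b"constructed-demo-secret"  # assumption: secret known only to the forwarder
MAX_AGE_DAYS = 21                     # assumption: how long bounces stay acceptable

def _stamp(day):
    """Encode a day counter (days since epoch) as two base32 characters."""
    d = day % 1024
    return B32[d >> 5] + B32[d & 31]

def _tag(stamp, domain, local):
    """Short keyed hash binding timestamp and original sender together."""
    msg = "=".join((stamp, domain, local)).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest()).decode()[:4]

def srs_forward(sender, forwarder_domain, day):
    """Rewrite the envelope sender so it belongs to the forwarder's domain."""
    local, domain = sender.rsplit("@", 1)
    ts = _stamp(day)
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def srs_reverse(address, day):
    """Recover the original sender for a bounce; reject forged or stale addresses."""
    local_part = address.rsplit("@", 1)[0]
    if not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    tag, ts, domain, local = local_part[5:].split("=", 3)
    if not hmac.compare_digest(tag.encode(), _tag(ts, domain, local).encode()):
        raise ValueError("hash mismatch: not issued by this forwarder")
    age = (day - (B32.index(ts[0]) << 5 | B32.index(ts[1]))) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{local}@{domain}"

def spf_domain(envelope_from):
    """Domain whose SPF record the receiving server checks (envelope sender)."""
    return envelope_from.rsplit("@", 1)[1].lower()

if __name__ == "__main__":
    DAY = 17218  # 2017-02-21, the date of the test message in the thread
    rewritten = srs_forward("user@hotmail.com", "serverA.com", DAY)  # constructed sender
    print(rewritten, "-> SPF checked against", spf_domain(rewritten))
    print(srs_reverse(rewritten, DAY + 3))
```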
     