sending from webmail triggers Spamassassin rules

Discussion in 'E-mail Discussion' started by EneTar, May 9, 2018.

  1. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    137
    Likes Received:
    9
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Hi I noticed today using those 2 services
    Newsletters spam test by mail-tester.com
    Is Not Spam - Online Spam checker for newsletters and email marketing

    that when I send from webmail (I tried both Horde and Roundcube)

    there is a line which I think triggers a couple of rules in Spamassassin. Please note that when sending from an email client this doesn't happen

    So I noticed that there are 2 lines

    First:
    Code:
    Received: from my.hostname.eu ([server.public.ip.here] helo=accountuser.com)
    The line above seems to be correct; however, I think that the following line is to be questioned:
    Code:
    Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
    I may be mistaken but it seems to trigger
    FSL_HELO_BARE_IP_2 (IP used in the HELO request The hostname should be a domain name, not an IP address)

    and

    RCVD_NUMERIC_HELO (Received: contains an IP address used for HELO)

    I think it should be localhost or the hostname instead of [127.0.0.1]

    Can you try to see if you have the same issue? I have already tried with 3 servers. All have the same result. All servers have the Send mail from account’s dedicated IP address enabled in Exim Configuration.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,804
    Likes Received:
    133
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @EneTar

    Can you tell me what you have (if anything) in /etc/mailhelo?

    This may be a false positive but I will attempt to replicate on our side as well, I'll update here once complete.


    Thanks!
     
  3. EneTar

    Hi @cPanelLauren. On one of my servers the /etc/mailhelo has the domains and subdomains of the dedicated IPs. On the other 2 servers the file is empty. (All servers though have the same behavior I described in my first post.) However, please note that all servers have the Send mail from account’s dedicated IP address option enabled in Exim Configuration, and as far as I know, when it is enabled the system doesn't use the /etc/mailhelo file.

    Did you replicate this on your end?
     
  4. cPanelLauren

    Hi @EneTar

    I attempted to replicate with a testing server with 2 IPs and send from account's dedicated IP address enabled on the server. Unfortunately, I did not get the same results as you did; there was no reference to FSL_HELO_BARE_IP_2.

    Please keep in mind this is a testing server and I didn't have a DKIM added nor did I have rDNS implemented. With that being said the errors I received seem to be accurate.


    Code:
    The famous spam filter SpamAssassin. Score: -2.6.
    A score below -5 is considered spam.
    -0.8    DKIM_ADSP_NXDOMAIN    No valid author signature and domain not in DNS
    -0.1    DKIM_SIGNED    Message has a DKIM or DK signature, not necessarily valid
    This negative score will become positive if the signature is validated. See immediately below.
    -0.379    NO_DNS_FOR_FROM    Envelope sender has no MX or A DNS records
    -1.274    RDNS_NONE    Delivered to internal network by a host with no rDNS
    This may be a false-positive, please check the reverse DNS test below to confirm or not this issue
    -0.01    T_DKIM_INVALID    Your DKIM signature is not valid
    Have a look at our DKIM test below to know why
    Re-looking at your earlier response:
    127.0.0.1 is fine. When looking at our test email it's received from the ipv6 equivalent:

    Code:
    Received: from [::1] (port=48760 helo=server.example.com)
        by server.example.com with esmtpa (Exim 4.90_1)
    Though we haven't made modifications to /etc/mailhelo in our case - just what was added automatically with enabling "send mail from account's dedicated IP."

    What's your rDNS set to currently? Which webmail client are you sending from? I wonder if the issue is specific to one of the clients as noted in this forum post: SOLVED - OP address used for HELO

    Thanks!
     
  5. EneTar

    Please try isnotspam.com; it outputs the headers of the received email.

    In my case there is this output from SpamAssassin (please ignore the Bayes because it was just a test message with bogus content):
    Code:
    X-Spam-Report:
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 1.0000]
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    * [score: 1.0000]
    * 0.1 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    * domain
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * 1.5 FSL_HELO_BARE_IP_2 No description available.
    X-Spam-Status: Yes, hits=6.4 required=-20.0 tests=BAYES_99,BAYES_999,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_HELO_BARE_IP_2,HTML_MESSAGE,
    RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no
    rDNS is set up correctly and I have no issues with that.
    I tried both Horde and Roundcube. It's the same. I wish I had access to another server's webmail as well to try once more, or perhaps somebody else with a real server could try the isnotspam.com service to give us some more feedback about webmail messages.

    Question: when you see the headers from isnotspam.com how many lines starting with

    Code:
    Received: from ....
    do you see? Can you post them here and hide any private data?
     
  6. cPanelLauren

    Hi @EneTar

    Actually, I'd really like to see if you can provide me the full headers of the message. I think you might be on to something but I would need to see your full headers to know for sure.

    Thanks!
     
  7. EneTar

    @cPanelLauren Do you want me to post here by hiding any private data (Hiding data in email headers sometimes confuses and is harder to understand) or is there any way to contact you privately and provide all data?
     
  8. cPanelLauren

    Hi @EneTar

    You can hide the private data, just ensure that it's clear which entries are domains, the hostname and IP addresses
     
  9. EneTar

    OK, I've hidden some IDs, usernames and IPs (I think it is obvious what they mean), and I scrambled some base64 encoding I wasn't sure about.

    The important stuff is:
    user@domain.com
    server.public.ip.here
    my.hostname.eu
    home.user.ip.here


    Here are the full headers:

    Code:
    From user@domain.com Wed May 09 10:21:10 2018
    Return-path: <user@domain.com>
    X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    localhost.localdomain
    X-Spam-Flag: YES
    X-Spam-Level: ******
    X-Spam-Report:
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 1.0000]
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    * [score: 1.0000]
    * 0.1 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    * domain
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * 1.5 FSL_HELO_BARE_IP_2 No description available.
    X-Spam-Status: Yes, hits=6.4 required=-20.0 tests=BAYES_99,BAYES_999,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_HELO_BARE_IP_2,HTML_MESSAGE,
    RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no
    version=3.4.0
    Envelope-to: hiddenisnotspamid@isnotspam.com
    Delivery-date: Wed, 09 May 2018 10:21:10 +0000
    Received: from my.hostname.eu ([server.public.ip.here] helo=domain.com)
    by localhost.localdomain with esmtp (Exim 4.84_2)
    (envelope-from <user@domain.com>)
    id 1fGMDe-000Aha-1j
    for hiddenisnotspamid@isnotspam.com; Wed, 09 May 2018 10:21:10 +0000
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=domain.com;
    s=default; h=MIME-Version:Content-Type:Subject:To:From:Message-ID:Date:
    Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
    Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
    In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
    List-Post:List-Owner:List-Archive;
    ....hidden.....
    Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
    by my.hostname.eu with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
    (Exim 4.90_1)
    (envelope-from <user@domain.com>)
    id 1fGMDY-0002OC-Bj
    for hiddenisnotspamid@isnotspam.com; Wed, 09 May 2018 13:21:04 +0300
    Received: from home.user.ip.here ([home.user.ip.here]) by domain.com (Horde Framework)
    with HTTPS; Wed, 09 May 2018 10:21:04 +0000
    Date: Wed, 09 May 2018 10:21:04 +0000
    Message-ID: <20180509102104.Horde.evgfTHyASiJAsjeBgfy@domain.com>
    From: My Name <user@domain.com>
    To: hiddenisnotspamid@isnotspam.com
    Subject: test email from Horde
    User-Agent: Horde Application Framework 5
    Content-Type: multipart/alternative; boundary="=_WDUa34dfdGFFY2PJxGrrFbf"
    MIME-Version: 1.0
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - my.hostname.eu
    X-AntiAbuse: Original Domain - isnotspam.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - domain.com
    X-Get-Message-Sender-Via: my.hostname.eu: authenticated_id: user@domain.com
    X-Authenticated-Sender: my.hostname.eu: user@domain.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-DKIM-Status: pass (domain.com)
    This message is in MIME format.
    
    --=_WDUa34dfdGFFY2PJxGrrFbf
    Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
    Content-Description: Plaintext Message
    Content-Disposition: inline
    
    .....Hi there message content here....
    Do you see anything wrong?
    Please let me know if you need any further details.
     
  10. cPanelLauren

    What I'm looking for is one of these lines:

    To have an IP address and neither of them does.

    Looking through threads here and elsewhere on this issue it's one of a few things

    • A false positive from Spam Assassin - the threads here indicate a false positive with Mail-Tester but I'm more inclined to lean on SpamAssassin since it occurs with the SA rules through multiple testing products - The hostname should be a domain name, not an IP
    • The rDNS is incorrect - While I don't know what your rDNS is currently you did note that it was correct. This originates from the following Mailing List Archive: FSL_HELO_BARE_IP_2 rule?
    • There is actually an IP in the line helo= - There were some cases where the mail client was using the IP as the helo but I'm not seeing that occurring here.


    Now what I am curious about is if it's reporting (incorrectly) an invalid helo because it assigns the mailhelo as the domain name rather than the hostname.

    Code:
    # cat /etc/mailhelo
    example.com: example.com
    To test that though, I'd like to see if it would be possible for you to do the following:

    1. Disable (temporarily) "Send mail from account's dedicated IP"
    2. Enable Reference /etc/mailhelo for outgoing SMTP HELO
    3. Enable Reference /etc/mailips for outgoing SMTP connections
    4. Modify /etc/mailhelo to the following:
      Code:
      *: <yourhostnamehere>
    5. Modify /etc/mailips to the following:
      Code:
      domain: <DedicatedIPAddressHere>
    6. Test sending again
    Thanks!
     
  11. EneTar

    Hi @cPanelLauren


    Isn't 127.0.0.1 still an IP although it is the localhost IP?

    Code:
    Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
    Furthermore I ran 2 more tests from one cPanel server to another cPanel server and vice versa. This is the result from the 2

    Code:
    0.9 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
    Code:
    1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
    Please note that I don't see the rule FSL_HELO_BARE_IP_2. This specific rule is not documented in SpamAssassin and it seems to overlap with a couple of other rules. Mailing List Archive: FSL_HELO_BARE_IP_2 rule?

    FALSE POSITIVE
    Anyway, from the point that RCVD_NUMERIC_HELO is triggered when sending from one cPanel server to the other, then it's not a false positive of the mailtester software. It's either a false positive of SpamAssassin or a real issue.

    rDNS
    About the rDNS. What test do you want me to run to exclude any rDNS issue? Although I think that in case of misconfigured rDNS SpamAssassin triggers a few rules which I don't see on any of my tests.


    The outcome of this thread The hostname should be a domain name, not an IP is that

    However I've just shown that this happens on multiple sources, even from one cPanel server to another.

    Continuing to the test you specified

    Here are all Received: headers from top to bottom of the message

    Code:
    Received: from recipients.hostname.here
    ....
    Received: from sender.hostname.here ([sender.server.ip.here]:44190)
    ...
    Received: from [127.0.0.1] (port=39202 helo=sender.hostname.here)
    ....
    Received: from public.user.ip.here ([public.user.ip.here]) by senderdomain.com (Horde Framework) with
    ...
      1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
      ....
    

    So it's the same. Can't you find 2 cPanel servers properly set up so that you can run this test?
     
  12. cPanelLauren

    Yes, but this is normal and we can clearly see on my test server that it does the IPv6 equivalent with no matching of that rule - ::1

    Code:
    Received: from [::1] (port=48760 helo=server.example.com)
        by server.example.com with esmtpa (Exim 4.90_1)
    
    This is saying Received: from [127.0.0.1] and in context of what you're looking for is irrelevant. The concern should be the helo= field which clearly states a domain in all cases.

    The servers I'm setting up are using cPanel and are properly configured and don't encounter this issue, which is why I'm experiencing difficulty replicating this. I've used internal testing servers and my own personal servers. At this point, I'd like to see if it would be possible for you to open a ticket using the link in my signature so we can take a closer look at your configuration specifically. Please update this post with the ticket ID once it's open.

    Thanks!
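
Added example (not part of any post in this thread, and not cPanel, Exim or SpamAssassin code): a small Python parser for the Exim-style `Received:` values quoted above that separates the connecting address written after `from` from the `helo=` argument, and reports whether the HELO itself is an IP literal. The documentation addresses and the last sample line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: Received values shaped like those quoted in the thread (redacted
# placeholders swapped for documentation IPs) plus one line with a numeric HELO.
SAMPLE_HEADERS = [
    "from my.hostname.eu ([192.0.2.10] helo=domain.com)",
    "from [127.0.0.1] (port=48342 helo=my.hostname.eu)",
    "from [::1] (port=48760 helo=server.example.com)",
    "from [198.51.100.7] (port=51000 helo=[198.51.100.7])",
]

RECEIVED_RE = re.compile(r"^from\s+(?P<first>\S+)(?:\s+\((?P<paren>[^)]*)\))?")


def is_ip_literal(token):
    """True if token is an IPv4/IPv6 address, with or without [brackets]."""
    try:
        ipaddress.ip_address(token.strip("[]"))
        return True
    except ValueError:
        return False


def parse_received(value):
    """Split a Received value into peer host, peer IP, port and HELO name."""
    match = RECEIVED_RE.match(value.strip())
    if not match:
        return None
    first, paren = match.group("first"), match.group("paren") or ""
    info = {"host": None, "ip": None, "port": None, "helo": None}
    if is_ip_literal(first):
        info["ip"] = first.strip("[]")        # no verified host name: "from [ip]"
    else:
        info["host"] = first                  # verified host name comes first
    for item in paren.split():
        if item.startswith("helo="):
            info["helo"] = item[len("helo="):]
        elif item.startswith("port="):
            info["port"] = int(item[len("port="):])
        elif item.startswith("["):            # "[ip]" or "[ip]:port"
            ip, _, port = item[1:].partition("]")
            info["ip"] = ip
            if port.startswith(":"):
                info["port"] = int(port[1:])
    # Only the HELO argument decides this flag, never the peer address.
    info["numeric_helo"] = info["helo"] is not None and is_ip_literal(info["helo"])
    return info


def numeric_helo_lines(headers):
    """Return the Received values whose HELO argument is an IP literal."""
    parsed = ((h, parse_received(h)) for h in headers)
    return [h for h, p in parsed if p and p["numeric_helo"]]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", parse_received(header))
```

This only shows how the two fields differ on the wire format; it does not reproduce how SpamAssassin evaluates RCVD_NUMERIC_HELO or FSL_HELO_BARE_IP_2.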
     
  13. EneTar

    Thank you, I didn't know this. So it seems that there is an issue with my particular setup on all servers. I will open a ticket for this and update this thread.
     
  14. cPanelLauren

    Hi @EneTar

    Great, hopefully we can help you get it sorted.

    Thanks!
     