
Some emails aren't scanned by SA

Discussion in 'E-mail Discussions' started by sehh, Dec 1, 2008.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    How is it possible that a few emails are not scanned by SA?

    When an email has been properly scanned, it contains the following header lines:
    X-Spam-Status: No, score=1.3
    X-Spam-Score: 13
    X-Spam-Bar: +
    X-Spam-Flag: NO

    Unfortunately, a rare number of emails comes through without those lines, and recently we found some spam that should have been automatically deleted in our inbox.

    There are no errors in the logs, the exim_main shows that the email came through and it was properly delivered to the email address.

    Please help.
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Are these emails originating from the same server as your mail is hosted on?
     
  3. sehh

    sehh Well-Known Member

    No, I checked to make sure, the emails came from another server and the email contains the proper Received lines with esmtps (TLSv1:AES256-SHA:256) connections and the IP addresses of the originating servers.

    I also traced the IP address of the sending server and I discovered that spam from that server had always been blocked by SA previously. Actually, that's how I got suspicious, normal emails without the SA headers didn't raise any alarms, until some spam came through.

    I believe that Exim's protection is fully working and that blocks about 80% of spam, so SA scans only the 20% that isn't blocked by Exim, which makes it hard to trace the problem for so few emails.

    Does it make a difference if the delivery email address is actually a forwarder?
     
    #3 sehh, Dec 1, 2008
    Last edited: Dec 1, 2008
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Yes, because emails sent to forwarders on the latest builds of cPanel/WHM are not scanned by SpamAssassin.
     
  5. sehh

    sehh Well-Known Member

    This is a problem, we have 10 forwarders that go to a single email address, we use this to frequently add/remove/change email addresses while keeping the pop3/imap settings constant.

    Is there a way to enable scanning of emails coming through forwarder addresses?

    PS:
    I forgot to add that all emails (forwarders and the real email addresses) are all in the same server.
     
  6. sehh

    sehh Well-Known Member

    cPanelDavidG, are you sure that SA doesn't scan incoming emails for forwarders?

    Because I checked my emails and those emails are scanned! They all contain the SA headers.

    Maybe it makes a difference that I'm running the latest STABLE?
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    I think what DavidG meant is that email coming into the forwarders themselves is not run through spamassassin. However, if that forwarder forwards mail to a local POP3 account that _is_ spam filtered, then spamassassin will be run on the message after it is forwarded.

    But if the forwarder is pointing to an account that doesn't have spam filtering on it, then it will not be spam filtered.

    For instance:

    mike@test123.com - local cpanel POP3 account with spamassassin enabled
    mike@test456.com - nonlocal domain somewhere else
    bob@test789.com - local POP3 account on a domain with spamassassin DISABLED

    forwarder - forwardme@test123.com set to forward to mike@test123.com and mike@test456.com and bob@test789.com

    result:

    The mail will be spam filtered after it is forwarded to mike@test123.com, because mike@test123.com is a spam-filtered pop3 account.

    The mail will go unfiltered into mike@test456.com because mike@test456.com is on an external machine that does not have spam filtering.

    The mail will go unfiltered into bob@test789.com because spamassassin is turned off for that domain.

    Mike
     
  8. sehh

    sehh Well-Known Member

    Then we have a problem, because the forwarder is pointing to a local email address which has SA enabled, and almost always the emails are scanned because they contain the SA headers.

    Just sometimes, very rarely, I'm picking up emails without the SA headers.

    I'm thinking that Exim, due to some unknown reason, delivers the email without scanning the email. Maybe due to excessive CPU usage? Or too many connections to SA? Or maybe SA failed in some way and Exim delivered the email anyway?

    I know that postfix won't do that, it will keep the email in the queue until the email is properly scanned, or the cpu load is back to normal.

    Any ideas please?
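
Added example (not part of any post in this thread, and not cPanel code): a Python check that flags delivered messages lacking the four X-Spam-* headers listed in the first post, and pulls the envelope recipient and Exim queue id from the topmost Received header so each one can be looked up in the Exim main log. The sample messages are constructed, the Maildir path argument is an assumption, and the queue-id pattern assumes the classic 6-6-2 Exim id format.

```python
import email
import re
import sys
from email import policy
from pathlib import Path

# Headers the first post lists as present on a properly scanned message.
SA_HEADERS = ("X-Spam-Status", "X-Spam-Score", "X-Spam-Bar", "X-Spam-Flag")
# Envelope recipient and classic 6-6-2 Exim queue id inside a Received header.
RCPT_RE = re.compile(r"\bfor\s+<?([^\s<>;]+)>?")
EXIM_ID_RE = re.compile(r"\bid\s+([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")

def audit_message(raw):
    """Report which SA headers a raw message lacks, plus ids for log lookup."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    missing = [h for h in SA_HEADERS if msg.get(h) is None]
    top = str((msg.get_all("Received") or [""])[0])  # added by the last hop
    rcpt = RCPT_RE.search(top)
    qid = EXIM_ID_RE.search(top)
    return {
        "scanned": not missing, "missing": missing,
        "envelope_to": rcpt.group(1) if rcpt else None,
        "exim_id": qid.group(1) if qid else None,
    }

def unscanned(messages):
    """Return audit results for messages lacking one or more SA headers."""
    return [r for r in map(audit_message, messages) if not r["scanned"]]

# Constructed samples: one scanned, one delivered unscanned via a forwarder.
SCANNED = (b"Received: from mx.example.net ([192.0.2.10]) by host.example.com\r\n"
           b"\twith esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) id 1L7abc-0001Xy-Ab\r\n"
           b"\tfor mike@test123.com; Mon, 01 Dec 2008 10:00:00 +0000\r\n"
           b"X-Spam-Status: No, score=1.3\r\nX-Spam-Score: 13\r\n"
           b"X-Spam-Bar: +\r\nX-Spam-Flag: NO\r\nSubject: hello\r\n\r\nbody\r\n")
UNSCANNED = (b"Received: from mx.example.net ([192.0.2.10]) by host.example.com\r\n"
             b"\twith esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) id 1L7abd-0001Xz-Cd\r\n"
             b"\tfor forwardme@test123.com; Mon, 01 Dec 2008 10:05:00 +0000\r\n"
             b"Subject: offer\r\n\r\nbody\r\n")

if __name__ == "__main__":
    # Optional argument: a Maildir path (an assumption); default is the samples.
    if len(sys.argv) > 1:
        paths = [p for d in ("new", "cur") for p in Path(sys.argv[1], d).glob("*")]
        msgs = [p.read_bytes() for p in paths if p.is_file()]
    else:
        msgs = [SCANNED, UNSCANNED]
    for result in unscanned(msgs):
        print(result)
```

Grouping the flagged results by `envelope_to` shows whether the unscanned messages arrive only through forwarder addresses or also at the real mailbox.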
     