The Community Forums


Spam bypassing Mailscanner w/Spamassassin.

Discussion in 'E-mail Discussions' started by TheDjinn, Dec 10, 2014.

  1. TheDjinn

    TheDjinn Member

    Joined:
    Dec 9, 2014
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Lately I've been having issues with spam coming through with a clean bill of health from SpamAssassin. Around 200-300 messages a day. I checked in MailWatch and everything seemed to be working correctly. I used the self-serve spammer at Mayflower to test against SpamAssassin and those were flagged correctly.

    I let about 1500 of the spam messages come in and then tried to manually train Spamassassin against them to no avail. Many of the messages contain the same body information, but they still aren't being flagged.

    I'm including some headers for you to look at as well as the scores they received.

    - Removed -

    Bayes always gives them a -1.90 for some reason. I disabled autolearn until I could get this figured out.

    Any help would be greatly appreciated.

    Thank you,
     
    #1 TheDjinn, Dec 10, 2014
    Last edited by a moderator: Dec 10, 2014
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Output removed from your post.

    We have no way of knowing what's spam or not spam here, and there should be no need to post actual domains and email addresses on this forum. If you'd like to modify the output and repost it, you can, but please use the code tags to wrap the output, found in the advanced edit window, for your reply.

    Thanks!
     
  3. TheDjinn

    TheDjinn Member

    Sorry about that, first post and all.

    Here are the headers from a few of the emails that came through.

    Code:
    Return-path: <spam@spam.com>
    Envelope-to: me@mydomain.com
    Delivery-date: Wed, 10 Dec 2014 10:53:17 -0500
    Received: from [xx.xx.xx.xx] (port=39299 helo=solvent.spam.com)
    	by svr.domain.com with esmtp (Exim 4.84)
    	(envelope-from <spam@spam.com>)
    	id 1XyjZg-0000kT-UK
    	for me@mydomain.com; Wed, 10 Dec 2014 10:53:13 -0500
    Date: Wed, 10 Dec 2014 10:53:12 -0500
    To: me@mydomain.com
    From: Improve your vision <spam@spam.com>
    Reply-to: Improve your vision <spam@spam.com>
    Subject: Eyecare companies HATE this Lady
    Message-ID: <61c963bfcf49ce36566fb300ace958cc@l.spam.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="b1_61c963bfcf49ce36566fb300ace958cc"
    X-domain-MailScanner-Information: Please contact the ISP for more information
    X-domain-MailScanner-ID: 1XyjZg-0000kT-UK
    X-domain-MailScanner: Found to be clean
    X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
    	score=-1.095, required 5, autolearn=disabled, BAYES_00 -1.90,
    	HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79,
    	T_REMOTE_IMAGE 0.01)
    X-domain-MailScanner-From: spam@spam.com
    X-Spam-Status: No
    
    Return-path: <spam@spam.com>
    Envelope-to: me@mydomain.com
    Delivery-date: Wed, 10 Dec 2014 10:22:25 -0500
    Received: from rate.spam.com ([xxx.xxx.xxx.xxx]:45052)
    	by svr.domain.com with esmtp (Exim 4.84)
    	(envelope-from <spam@spam.com>)
    	id 1Xyj5g-0007uw-RE
    	for me@mydomain.com; Wed, 10 Dec 2014 10:22:13 -0500
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=spam.com;
     h=MIME-Version:Content-Type:From:To:Subject:Message-Id:Date; i=globalwhos@spam.com;
     bh=QOM/s6LvhGIHex5bI8+5xRdfTCg=;
     b=TuBjr7OhHayXKtJrGo/efU2SHpev9jKwgt0cltnt818zpvlBepUiQNEocJsYJnQEn3m0Ujkt/tnn
       M7yHcUJwzDofyyymoGYZvEbf/hQ+NQMCgmeazopjS85zOAFPqNYZSQCEWW9FnMXOMJQUhFiqjerr
       dJiy3U0su/yXB2UG1K8=
    Received: by rate.spam.com id hh1iia0001gq for <me@mydomain.com>; Wed, 10 Dec 2014 10:21:18 -0500 (envelope-from <spam@spam.com>)
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="==============2241564209561175063=="
    From: Global Who's_Who <globalwhos@spam.com>
    To: me@mydomain.com
    Subject: You've Been Accepted by Who's_Who.
    Message-Id: <07b8124deb1612a11b0d7b8c78059936@spam.com>
    Date: Wed, 10 Dec 2014 10:21:18 -0500
    X-domain-MailScanner-Information: Please contact the ISP for more information
    X-domain-MailScanner-ID: 1Xyj5g-0007uw-RE
    X-domain-MailScanner: Found to be clean
    X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
    	score=-1.997, required 5, autolearn=disabled, BAYES_00 -1.90,
    	DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10,
    	HTML_MESSAGE 0.00, LOTS_OF_MONEY 0.00, URIBL_BLOCKED 0.00)
    X-domain-MailScanner-From: spam@spam.com
    X-Spam-Status: No
    
    Return-path: <spam@spam.com>
    Envelope-to: me@mydomain.com
    Delivery-date: Wed, 10 Dec 2014 09:00:53 -0500
    Received: from [xx.xx.xx.xx] (port=37906 helo=couple.spam.com)
    	by svr.domain.com with esmtp (Exim 4.84)
    	(envelope-from <spam@spam.com>)
    	id 1Xyhow-0004LF-Ds
    	for me@mydomain.com; Wed, 10 Dec 2014 09:00:50 -0500
    Date: Wed, 10 Dec 2014 09:00:50 -0500
    To: me@mydomain.com
    From: Walk in Bathtubs <spam@spam.com>
    Reply-to: Walk in Bathtubs <spam@spam.com>
    Subject: Safe Bathing for Your Mom or Dad
    Message-ID: <88ab9362bfdd2fbf5bde5201cd25f51e@m.spam.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="b1_88ab9362bfdd2fbf5bde5201cd25f51e"
    X-domain-MailScanner-Information: Please contact the ISP for more information
    X-domain-MailScanner-ID: 1Xyhow-0004LF-Ds
    X-domain-MailScanner: Found to be clean
    X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
    	score=-1.095, required 5, BAYES_00 -1.90,
    	HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79,
    	T_REMOTE_IMAGE 0.01)
    X-domain-MailScanner-From: spam@spam.com
    X-Spam-Status: No

    Hope that works.

    Thanks,
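
Reading the SpamCheck headers above. What follows is an added example, not code from the thread or from cPanel, MailScanner or SpamAssassin. It takes the three X-domain-MailScanner-SpamCheck values posted above (copied inline as constructed sample input, each unfolded onto one line), pulls out the per-rule contributions, checks that they add up to the reported score (to within the rounding MailScanner applies), and reports what each message would have scored with the single negative rule, BAYES_00, left out. Two things fall out: the listed rules do reproduce the reported totals, and without Bayes the messages still sit near zero (0.80, -0.10, 0.80 against a threshold of 5), because no positive-scoring rule fired on them at all. That is why the fix that worked later in the thread was adding network checks rather than retraining Bayes. The URIBL_BLOCKED 0.00 hit in the second header is a separate check worth acting on: that rule fires when the URIBL DNS lookups were refused (typically a public resolver exceeding URIBL's free query limits), so the URI blocklist tests contributed nothing to any of these scores.

```python
import re

# Constructed sample input: the three MailScanner-SpamCheck header values posted
# above, unfolded onto one line each (continuation lines joined with a space).
SAMPLE_SPAMCHECK = [
    "not spam, SpamAssassin (not cached, score=-1.095, required 5, autolearn=disabled, "
    "BAYES_00 -1.90, HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79, "
    "T_REMOTE_IMAGE 0.01)",
    "not spam, SpamAssassin (not cached, score=-1.997, required 5, autolearn=disabled, "
    "BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, "
    "HTML_MESSAGE 0.00, LOTS_OF_MONEY 0.00, URIBL_BLOCKED 0.00)",
    "not spam, SpamAssassin (not cached, score=-1.095, required 5, BAYES_00 -1.90, "
    "HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79, T_REMOTE_IMAGE 0.01)",
]

SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?),\s*required\s+(\d+(?:\.\d+)?)")
AUTOLEARN_RE = re.compile(r"autolearn=(\w+)")
# A rule hit is an upper-case rule name followed by its score, e.g. "BAYES_00 -1.90".
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)\s(-?\d+\.\d+)")


def parse_spamcheck(header):
    """Split one MailScanner SpamCheck value into verdict, totals and per-rule scores."""
    m = SCORE_RE.search(header)
    if not m:
        raise ValueError("no score=/required field in header: %r" % header)
    al = AUTOLEARN_RE.search(header)
    return {
        "verdict": header.split(",", 1)[0].strip(),
        "score": float(m.group(1)),
        "required": float(m.group(2)),
        "autolearn": al.group(1) if al else None,
        "rules": {name: float(val) for name, val in RULE_RE.findall(header)},
    }


def score_without(parsed, rule):
    """Total of the listed rule scores with one rule left out, rounded to 2 places."""
    return round(sum(v for k, v in parsed["rules"].items() if k != rule), 2)


def negative_rules(parsed):
    """Rules that lowered the score, biggest reduction first."""
    return sorted(((k, v) for k, v in parsed["rules"].items() if v < 0),
                  key=lambda kv: kv[1])


def explain(header):
    """One report per message: does the rule list account for the score, and
    would the message have crossed the threshold without BAYES_00?"""
    p = parse_spamcheck(header)
    listed = round(sum(p["rules"].values()), 2)
    no_bayes = score_without(p, "BAYES_00")
    return {
        "verdict": p["verdict"],
        "reported": p["score"],
        "listed_sum": listed,
        "sum_matches": abs(listed - p["score"]) < 0.05,  # header scores are rounded
        "without_bayes": no_bayes,
        "would_pass_without_bayes": no_bayes >= p["required"],
        "negative": negative_rules(p),
        "uribl_blocked": "URIBL_BLOCKED" in p["rules"],
    }


if __name__ == "__main__":
    for h in SAMPLE_SPAMCHECK:
        print(explain(h))
```

Run it against the SpamCheck header of any message that got through: a "sum_matches" of False means the header you are reading is not the whole story (MailScanner's cache, for instance), and a "without_bayes" value well under the threshold tells you that retraining Bayes alone would not have caught the message.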
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It looks like the spammers are developing their messages to avoid detection by SpamAssassin. Have you considered enabling additional options beyond SpamAssassin to help combat these messages? For instance, you can browse to "WHM Home » Service Configuration » Exim Configuration Manager" and enable options such as RBL blacklisting and SPF record verification.

    These options are documented here:

    Exim Configuration Editor

    Thank you.
     
  5. TheDjinn

    TheDjinn Member

    I do have SPF record verification enabled, and I have Spamassassin handling the RBL blocks. Is it better to let Exim handle them directly?

    Thanks,
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You could enable the RBL blocking through Exim to see if it helps. If specific accounts are targeted, then "Account Level Filters" with rules to block messages with specific content might also help.

    Thank you.
     
  7. TheDjinn

    TheDjinn Member

    I do have some account level filters in place, but the spam varies greatly. For instance I might get 200 messages, but only 2-5 will be debt consulting. Some are gibberish and have no coherency at all.

    - - - Updated - - -

    Sorry for the second reply, but the Bayes filter always seems to qualify the most obvious of spam as clean, while picking up on the obscure ones.
     
  8. TheDjinn

    TheDjinn Member

    I'm attempting to get DCC updated and working with Spamassassin. Do you have any information on how I can test that I'm using the latest DCC?

    Thanks,
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can find a test SPAM message at:

    http://spamassassin.apache.org/gtube/gtube.txt

    This will allow you to test SpamAssassin with a message that is detected as SPAM and review the message headers to see what was checked.

    Thank you.
     
  10. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    From the command line, run dccproc -V and compare the version with the one listed at Distributed Checksum Clearinghouses (currently 1.3.155).
     
  11. TheDjinn

    TheDjinn Member

    Awesome, I'm updated. Also I'm not getting the thread update alerts from cPanel Forums, oddly enough. Sorry for the late reply.

    Possibly stupid question, but I want to check and see if DCC is implemented correctly. I can't seem to find documentation on how to verify if Spamassassin is using DCC correctly. Any ideas?
     
  12. sawbuck

    sawbuck Well-Known Member

    Now try using Michael's suggestion for sending a spam message and check the MW interface to see whether SA scoring is including DCC.
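
Putting posts #9 and #12 together: send a GTUBE message through the scanner and read the tests= list in the resulting X-Spam-Status header to see whether the network checks (DCC_CHECK, and likewise RAZOR2_CHECK and PYZOR_CHECK) took part. The code below is an added example, not from the thread or from the SpamAssassin, MailScanner or DCC projects. It assumes a spamassassin binary on PATH; the scanner output it parses offline is a constructed sample. Two caveats before trusting the result. DCC_CHECK only fires when DCC's servers report the message checksum as bulk, so its absence on a freshly written test message does not by itself prove DCC is broken; the debug lines from "spamassassin -D dcc --lint", which say whether the plugin found dccproc or the dccifd socket, are the more direct check, and the block collects those too. And the DCC plugin's loadplugin line in v310.pre is commented out by default because of DCC's licence; if "-D dcc" prints nothing about the plugin, that line is the first thing to look at. Run both checks as the user MailScanner scans under, since that is whose configuration counts.

```python
import re
import subprocess

# GTUBE, the standard SpamAssassin test string: any message containing it hits
# the GTUBE rule (score 1000) regardless of what the other tests do.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

# Rules that only fire when the corresponding network checksum service answered.
NETWORK_RULES = ("DCC_CHECK", "RAZOR2_CHECK", "PYZOR_CHECK")

# Constructed sample of what `spamassassin -t` prints for a GTUBE message on a
# host where DCC answered; the X-Spam-Status header is folded the way SA folds it.
SAMPLE_SCAN = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=1004.1 required=5.0 tests=DCC_CHECK,GTUBE,\n"
    "\tNO_RECEIVED,NO_RELAYS autolearn=no version=3.4.0\n"
    "From: test@example.com\n"
    "Subject: GTUBE scan test\n"
    "\n"
    "body omitted\n"
)


def build_gtube_message(sender="test@example.com", recipient="me@example.com"):
    """A minimal message carrying GTUBE, suitable for piping into spamassassin -t."""
    return (
        "From: %s\r\nTo: %s\r\nSubject: GTUBE scan test\r\n\r\n"
        "This is a scanner test, not real spam.\r\n%s\r\n" % (sender, recipient, GTUBE)
    )


def parse_spam_status(scanned):
    """Pull verdict, score and the fired rule list out of the X-Spam-Status header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", scanned)  # join folded continuation lines
    m = re.search(
        r"^X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+required=([\d.]+)"
        r"\s+tests=([A-Z0-9_, ]+?)\s+autolearn=(\w+)",
        unfolded, re.M)
    if not m:
        raise ValueError("no X-Spam-Status header in scanner output")
    tests = [t.strip() for t in m.group(4).split(",") if t.strip()]
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests, "autolearn": m.group(5)}


def network_tests_fired(status):
    """Which of the DCC/Razor2/Pyzor rules appear in the tests= list."""
    return {rule: rule in status["tests"] for rule in NETWORK_RULES}


def scan(message):
    """Run a message through the local spamassassin binary (needs SA on PATH)."""
    proc = subprocess.run(["spamassassin", "-t"], input=message,
                          capture_output=True, text=True)
    return proc.stdout


def plugin_debug_lines(areas=("dcc", "razor2", "pyzor")):
    """Debug lines from `spamassassin -D <areas> --lint` for the named plugins;
    these say whether each plugin found its client (dccproc/dccifd, razor-check,
    pyzor). SA writes debug output to stderr."""
    proc = subprocess.run(["spamassassin", "-D", ",".join(areas), "--lint"],
                          capture_output=True, text=True)
    wanted = re.compile(r"dbg: (%s):" % "|".join(areas))
    return [line for line in proc.stderr.splitlines() if wanted.search(line)]


if __name__ == "__main__":
    try:
        status = parse_spam_status(scan(build_gtube_message()))
        for line in plugin_debug_lines():
            print(line)
    except (FileNotFoundError, ValueError) as exc:
        print("spamassassin not runnable here (%s); using the constructed sample" % exc)
        status = parse_spam_status(SAMPLE_SCAN)
    print("spam=%s score=%s" % (status["spam"], status["score"]))
    print("network tests:", network_tests_fired(status))
```

The GTUBE verdict itself will always be "Yes"; what you are reading is the rest of the tests= list. Note that "spamassassin -L" (local tests only) switches every network rule off, so do not use it for this check.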
     
  13. TheDjinn

    TheDjinn Member

    Sorry for the delay in reply. I was out of town for a week. I tried that and all seems well. However I do have one other issue that has cropped up. SpamAssassin seems to be refusing to enable Bayes autolearn. I disabled it temporarily until I could retrain it and now I can't seem to re-enable it.

    Code:
    #   Use Bayesian classifier (default: 1)
    #
     use_bayes 1
    
    
    #   Bayesian classifier auto-learning (default: 1)
    #
     bayes_auto_learn 1

    Am I missing something?

    Thanks,
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  15. TheDjinn

    TheDjinn Member

    erased for idiocy
     
    #16 TheDjinn, Dec 23, 2014
    Last edited: Dec 23, 2014
  16. TheDjinn

    TheDjinn Member

    I used the /etc/mail/spamassassin/local.cf file. Same one I used to disable bayes and yes I restarted spamassassin and mailscanner.

    Thanks,
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The issue might be isolated to MailScanner. Do you notice the change to the configuration if you temporarily disable MailScanner on your system?

    Thank you.
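
Before concluding that the use_bayes / bayes_auto_learn lines in local.cf (posts #13 and #16) are being ignored, there are two things to verify about the Bayes database itself, and the following added example does both. It is not code from the thread or from the SpamAssassin or MailScanner projects; it assumes sa-learn on PATH, and the sa-learn output it parses offline is a constructed sample. First, Bayes does not score anything until the database holds at least 200 learned spam and 200 learned ham messages (SpamAssassin's default bayes_min_spam_num and bayes_min_ham_num), so "sa-learn --dump magic" and its nspam/nham rows tell you whether BAYES_* rules can fire at all. Second, which database that is matters: MailScanner calls SpamAssassin itself, under its own user, so the database it consults is not necessarily root's ~/.spamassassin, and 1500 messages fed to sa-learn as root may simply have gone into a database the scanner never reads. Pointing bayes_path in local.cf at one shared database that the scanner user can read, and training that one with "sa-learn --dbpath", removes the ambiguity. The block also encodes the default auto-learn thresholds (12.0 for spam, 0.1 for ham, applied to the score with the BAYES_* rules excluded), which explains one way BAYES_00 ends up approving spam: a message whose non-Bayes score is under 0.1, like the second one in post #3 at -0.10, is auto-learned as ham, and its tokens then lower the score of the next message like it.

```python
import re
import subprocess

# SpamAssassin defaults (Mail::SpamAssassin::Conf). Bayes scoring stays inactive
# until the database holds at least this many learned spam AND ham messages.
BAYES_MIN_SPAM_NUM = 200
BAYES_MIN_HAM_NUM = 200
# Auto-learn thresholds: learned as spam at or above the first value, as ham
# below the second. SA applies them to the score with the BAYES_* rules left out.
BAYES_AUTO_LEARN_THRESHOLD_SPAM = 12.0
BAYES_AUTO_LEARN_THRESHOLD_NONSPAM = 0.1

# Constructed sample of `sa-learn --dump magic` output: a database that has seen
# plenty of ham but not yet enough spam to activate Bayes at all.
SAMPLE_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        153          0  non-token data: nspam
0.000          0       1201          0  non-token data: nham
0.000          0      46210          0  non-token data: ntokens
0.000          0 1418054400          0  non-token data: oldest atime
0.000          0 1419638400          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1419600000          0  non-token data: last expiry atime
"""

# For the non-token summary rows the value sits in the third column.
MAGIC_RE = re.compile(r"^\S+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$", re.M)


def parse_magic(text):
    """Map each 'non-token data' label to its integer value."""
    return {label: int(value) for value, label in MAGIC_RE.findall(text)}


def bayes_status(magic):
    """Whether Bayes can score at all, and how many more learned messages it needs."""
    nspam = magic.get("nspam", 0)
    nham = magic.get("nham", 0)
    return {
        "nspam": nspam,
        "nham": nham,
        "active": nspam >= BAYES_MIN_SPAM_NUM and nham >= BAYES_MIN_HAM_NUM,
        "need_spam": max(0, BAYES_MIN_SPAM_NUM - nspam),
        "need_ham": max(0, BAYES_MIN_HAM_NUM - nham),
    }


def autolearn_disposition(score_without_bayes):
    """What bayes_auto_learn would do with a message at this non-Bayes score.
    'spam' is necessary but not sufficient: SA additionally wants points from
    both header and body tests before it auto-learns a message as spam."""
    if score_without_bayes >= BAYES_AUTO_LEARN_THRESHOLD_SPAM:
        return "spam"
    if score_without_bayes < BAYES_AUTO_LEARN_THRESHOLD_NONSPAM:
        return "ham"
    return None


def dump_magic(dbpath=None):
    """Run sa-learn against the database you actually mean to inspect. Without
    --dbpath it reads the invoking user's own ~/.spamassassin/bayes_* files,
    which need not be the database the scanner consults."""
    cmd = ["sa-learn", "--dump", "magic"]
    if dbpath:
        cmd += ["--dbpath", dbpath]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        text = dump_magic()
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_MAGIC  # sa-learn not runnable here; use the constructed sample
    print(bayes_status(parse_magic(text)))
    for s in (-0.1, 0.8, 15.2):
        print(s, "->", autolearn_disposition(s))
```

If "active" comes back False for the database the scanner uses, the BAYES_* rules cannot be firing from it, and the -1.90 in the headers is coming from some other database than the one you have been training.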
     
  18. TheDjinn

    TheDjinn Member

    I've elected to just disable bayes for now. It's never worked correctly for me and every message it flags is flagged incorrectly. Unless there is a solid argument for keeping bayes enabled, I think this is for the best.

    Last edit: I wanted to thank everyone for all the assistance. The spam levels have dropped significantly since enabling pyzor, razor2, and getting DCC working correctly. Now that I've disabled bayes, spam that was once being saved by the bayes system is now being caught, so we are down to around 5 or so messages a day. Which is a huge improvement over the 300 that were bypassing it before.

    Thanks again,
     
    #19 TheDjinn, Dec 29, 2014
    Last edited: Dec 29, 2014