SpamAssassin not marking as spam

[jfreak53]

My SpamAssassin is not marking messages as spam even though the Level is under my threshold, so I've tried running it from the CLI and it's the same deal even though obviously the message is spam:

/usr/local/cpanel/3rdparty/bin/spamassassin --cf="required_score 0.2" -e < 1482267752.M198593P664890.server1domain.com\,S\=16742\,W\=17060

It does not detect this message as spam even though it is:

X-Spam-Status: No, score=0.2
X-Spam-Score: 2
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "server1.domain.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.

 Content preview:  Christmas is right around the corner and I'm 100% positive
   that you'll probably eat some less than healthy foods in the next week or
   two. However... What if you could eat all the peppermint bark and pecan pie
   and drink all the egg nog you want without gaining a pound? Well... I have
   an early christmas gift for you... => 27 Classic Holiday Treats Made Healthy
   "http://www.somespamdomain.us/click.html?x=a62e&lc=VT&c=j&s=AR2&u=p&y=j&" Enjoy!
   [...]

 Content analysis details:   (0.2 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: somespamdomain.us]
 -3.1 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
  2.5 RCVD_IN_MSPIKE_L3      RBL: Low reputation (-3)
                            [{IP} listed in bl.mailspike.net]
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz domains in
                             spam/malware
X-Spam-Flag: NO

This user has been getting a massive amount of spam on my cPanel server.

Settings:

- Image Removed Please Attach Images to Your Posts -

 

[cPanelMichael]

Content analysis details: (0.2 points, 5.0 required)

Hello,

This suggests the message is not meeting the required 5.0 score. You may want to browse to WHM Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor and ensure the following options are enabled under the Apache SpamAssassin Options tab:

Enable KAM Apache SpamAssassin™ ruleset
Enable the Apache SpamAssassin™ ruleset that cPanel uses on cpanel.net

If so, you may want to setup a filter that blocks that specific message, as it's possible that SpamAssassin won't detect all SPAM messages in every case. You can send a GTUBE test message to verify SpamAssassin is working via the instructions at:

SpamAssassin: The GTUBE

Thank you.

 

[jfreak53]

Yes, those are both on already. Problem is it's not just that one single email, it's a couple thousand a day that spamassassin is missing. I also don't have it set at 5.0, please read the top of my post, I have it at 2.0, meaning something should trip it.

 

[jfreak53]

I have also sent the GTUBE email, it never gets delivered so spamassassin is catching something, just not the 2k+ a day of real spam.

 

[jfreak53]

Here are my settings for this user as well:

- Removed -

- Removed -

 

[cPanelMichael]

Hello,

Feel free to open a support ticket using the link in my signature so we can take a closer look and see what's happening. You can post the ticket number here so we can update this thread with the outcome.

Thank you.