Trouble with SpamAssassin Spambox

sneader

Well-Known Member
Aug 21, 2003
1,193
61
178
La Crosse, WI
cPanel Access Level
Root Administrator
We are having problems enabling and using the SpamAssassin Spambox for, at least, one particular user (example1).

As a test, I have added a certain email address of mine as a Blacklisted email address ([email protected]) in the user's SpamAssassin Configuration. Then, when I send him an email from that blacklisted email address, Exim reports:

2011-05-04 15:19:57 1QHiY9-0007Wk-4c H=mail963c35.redacted.com [123.123.123.123] Warning: "SpamAssassin as example1 detected message as spam (100.1)"
2011-05-04 15:19:57 1QHiY9-0007Wk-4c H=mail963c35.redacted.com [123.123.123.123] Warning: "Increment Connection Ratelimit - mail963c35.redacted.com [123.123.123.123] because mail server detected a message with a spam score integer greater or equal to 100"
2011-05-04 15:19:57 1QHiY9-0007Wk-4c H=mail963c35.redacted.com [123.123.123.123] F=<[email protected]> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (100)."

Instead of delivering the spam into his Spambox, it bounces the message back to the sender.

Exim Configuration editor has "SpamAssassin™: Bounce mail when the spam score is above this number." DISABLED.

Tweak Settings has "Enable SpamAssassin spam filter" and "Enable SpamAssassin Spam Box delivery for messages marked as spam" ENABLED

Why is known spam bounced instead of delivered into the spambox?

There is no Spam folder being created, which is understandable since we haven't yet accepted a spam to create that directory.

What are we doing wrong? I did also open a ticket with cPanel, and will report back the findings.

- Scott
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
First of all, what is the ticket number? If opening up a ticket, it's normally best to wait to post on the forum until the matter has been resolved. Otherwise, it would be a duplication of efforts to have us investigate.

Next, can you check the filters the account happens to have? A filter could cause this to happen:

Code:
cat /etc/vfilters/domain.com
Please replace domain.com with the domain name for the email recipient. To check the cPanel > User Level Filtering filters, you would want to check this file:

Code:
cat /home/example1/etc/domain.com/emailuser/filter
Where example1 is the cPanel account username, domain.com is the domain name, and emailuser is the email account user. You can do a find for all filter files in /home/example1/etc using this command:

Code:
find /home/example1/etc -name filter
Again, example1 would be the cPanel account username in that path.
 

sneader

Well-Known Member
Aug 21, 2003
1,193
61
178
La Crosse, WI
cPanel Access Level
Root Administrator
Thanks for the quick reply, Tristan. Usually forum responses don't come so fast, so the likelihood of duplication of effort is slim to none... but in the future I will not do both at the same time.

Ticket #1452170

I *did* find that there was an Account Level filter that was taking messages marked as SPAM and deleting them (i.e. the "Spam Auto Delete" filter), even though "Spam Auto Delete" was "Disabled" in their SpamAssassin cPanel settings. I have removed that filter via cPanel > Account Level Filtering.

However, this did not change the outcome. Spam messages are still bounced, rather than accepted and delivered into the Spam folder.

I'll let the tech working this ticket log in and see what I'm missing. Thanks again!

- Scott
 

sneader

Well-Known Member
Aug 21, 2003
1,193
61
178
La Crosse, WI
cPanel Access Level
Root Administrator
OK, I think we have this all straightened out.

We were testing the routing of spam by adding a known email address in the user's SpamAssassin settings cPanel as "Black Listed". This way, when we send the user a message, we knew it would be classified as spam. This turned out to be a bad way to test!

When the user adds a full or partial email address to the SpamAssassin Black List, this gives any matching messages an immediate SA score of 100. If Exim has "SpamAssassin™: Reject mail at SMTP time if the spam score is greater than this number." set to a number such as 10, then since 100 is greater than 10, the message is rejected at SMTP time! I did not know this was possible.

Mystery solved, and I learned something new. :)

- Scott