X-Spam-Status: No, score= on obvious spam

Discussion in 'E-mail Discussions' started by GoWilkes, Aug 19, 2015.

  1. GoWilkes

    GoWilkes Well-Known Member

    I have a hosting client that's getting hundreds of spam emails a day. I looked in her Webmail at some of the obvious spam, and it looks like they're not getting a spam-status or spam-score rating.

    For example:

    Code:
    Return-path: <ILMG@oxik.faith>
    Envelope-to: example@example.com
    Delivery-date: Wed, 19 Aug 2015 16:45:02 -0400
    Received: from pcx6tu.prela.faith ([198.52.224.238]:51534 helo=1ttkwvo.oxik.faith)
            by ip-12-34-56-78 with esmtp (Exim 4.85)
            (envelope-from <ILMG@oxik.faith>)
            id 1ZSAEI-0005Dj-Hx
            for example@example.com; Wed, 19 Aug 2015 16:45:02 -0400
    Received: from 001fefcc.1ttkwvo.oxik.faith ([127.0.0.1]:13771 helo=1ttkwvo.oxik.faith)
            by 1ttkwvo.oxik.faith with ESMTP id 00SUCKQPCF1FEFIRKCBNFKCC;
            for <example@example.com>; Wed, 19 Aug 2015 13:45:00 -0700
    Date: Wed, 19 Aug 2015 13:45:00 -0700
    Message-ID: <5771257208723357712002018631830@1ttkwvo.oxik.faith>
    X-Priority: 2087233 normal
    From: "IL MG" <ILMG@oxik.faith>
    Subject: shocking images exposed {PICS}
    To: <example@example.com>
    Content-Language: en-us
    MIME-Version: 1.0
    Content-Transfer-Encoding: 8bit
    Content-Type: multipart/alternative;
            boundary="----=Part.250.4581.1440017100"
    X-Spam-Status: No, score=
    X-Spam-Score:
    X-Spam-Bar:
    X-Ham-Report:
    X-Spam-Flag: NO
    
    I've checked in cPanel that SpamAssassin is definitely enabled, and it has the default setting of 5. Exim Configuration Manager has all default settings, except that "SpamAssassin Forced Global ON" is changed to "On".

    Any suggestions on why it doesn't appear to be working?
     
  2. GoWilkes

    GoWilkes Well-Known Member

    Update.

    I tried to view the status of SpamAssassin, then restart via SSH, and had the following response:

    Code:
    # /scripts/restartsrv_spamd --status
    The “spamd”
    root@ip-12-34-56-78 [~]# /scripts/restartsrv_spamd
    Waiting for “spamd” …finished.
    
    Startup Log
            setlogsock(): type='tcp': TCP service unavailable at /usr/local/cpanel/3rdparty/perl/514/lib64/perl5/cpanel_lib/Mail/SpamAssassin/Logger/Syslog.pm line 121.
            logger: failed to add syslog method: logger: syslog initialization failed
    
    spamd started successfully.
    

    Now, though, I do get a value in the spam status fields, so restarting KIND OF worked. But since then, she's gotten 210 spam mails in her Inbox, so it didn't seem to change anything.

    One issue is that the score is very low, even on obvious spam. For example:

    Code:
    Return-path: <Stop-Herpes-Outbreaks@lawnherpescleansenew.website>
    Envelope-to: example@example.com
    Delivery-date: Wed, 19 Aug 2015 21:27:24 -0400
    Received: from [172.103.95.27] (port=34829 helo=lawnherpescleansenew.website)
            by ip-12-34-56-78 with esmtp (Exim 4.85)
            (envelope-from <Stop-Herpes-Outbreaks@lawnherpescleansenew.website>)
            id 1ZSEdI-00038S-4p
            for example@example.com; Wed, 19 Aug 2015 21:27:24 -0400
    Date: Wed, 19 Aug 2015 18:34:37 -0700
    Lj-Gpsx: 2a80c7a4200bfbf606006aa60f6a75fdo-n2a80c7a4200bfbf606006aa60f6a75fd.i7363355
    Subject: Herpes is no longer incurable- You can eradicate it in only 2 weeks
    Content-Type: text/plain
    From: Stop-Herpes-Outbreaks <Stop-Herpes-Outbreaks@lawnherpescleansenew.website>
    Mime-Version: 1.0
    To: <example@example.com>
    Mi-Voz: 2a80c7a4200bfbf606006aa60f6a75fdp.7363355tn7363355
    Message-ID: <2a80c7a4200bfbf606006aa60f6a75fd.7363355.7346894@lawnherpescleansenew.website>
    X-Spam-Status: No, score=1.4
    X-Spam-Score: 14
    X-Spam-Bar: +
    X-Ham-Report: Spam detection software, running on the system "ip-12-34-56-78",
         has NOT identified this incoming email as spam. The original
         message has been attached to this so you can view it or label
         similar future email. If you have any questions, see
         root\@localhost for details.
        
         Content preview: Medical Breakthrough: Treatment Plan Discovered That Ends
         Herpes Outbreaks Medical Notice ID #7363355 Wednesday, August 19, 2015. [...]
        
        
         Content analysis details: (1.4 points, 5.0 required)
        
         pts rule name description
         ---- ---------------------- --------------------------------------------------
         0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
         See
         http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
         for more information.
         [URIs: lawnherpescleansenew.website]
         2.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
         [URIs: lawnherpescleansenew.website]
         -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
         -0.0 SPF_PASS SPF: sender matches SPF record
         -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
         [score: 0.0000]
         0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
    X-Spam-Flag: NO
    
    I don't understand why the "query to URIBL was blocked" (the documentation wasn't clear), but I also don't understand why the email would "contain a spam URL listed in the DBL blocklist" but still only have a spam score of 1.4. So even though SpamAssassin is working now, it doesn't appear to be working correctly.

    I reinstalled Mail: DKIM, but that didn't seem to help any.

    Seriously, any help would be appreciated! Just one email account has gotten 560 spam mails in the Inbox in the last 10 hours!
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  4. GoWilkes

    GoWilkes Well-Known Member

    Thanks for the reply, Michael. I understand the concept with URIBL a bit better now, but there doesn't seem to be a great solution. It's a shared server, so it's going to make a lot of queries no matter what. Rate limiting kind of makes URIBL useless, IMHO.

    I did enable Greylist several months ago, but that didn't seem to have much of an impact. And I enabled both Spamcop and Spamhaus a long time ago.

    I'm not sure that I understand how Bayes works. If I understand correctly from the headers above, the email had a score of:

    +2.5 because the body contained a spam URL
    +0.8 because there was no rDNS
    -1.9 because Bayes spam probability was 0-1%

    Giving the total score of 1.4. When I look through the emails, though, I see that ALL of them have the same -1.9 from Bayes.

    Reading /etc/mail/spamassassin/local.cf, though, it looks like Bayes isn't turned on:

    # use_bayes 1
    # bayes_auto_learn 1

    However, at /home/$user/.spamassassin, I see that bayes_journal, bayes_seen, and bayes_toks have all been modified within the last 30 minutes.

    So is it working? If not, then why am I getting a negative score instead of 0? Shouldn't it just not change anything?

    Is this something I should just uncomment in local.cf to turn on? Or is there a place in WHM to turn on Bayes serverwide? Or should I even turn it on at all?
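
Added example, not part of the thread and not cPanel's or SpamAssassin's own code: a Python script that parses the "Content analysis details" table from the X-Ham-Report header quoted above, re-adds the per-rule points, and flags the two conditions the posts discuss (a blocked URIBL query, and a BAYES_00 credit offsetting a blocklist hit). The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the score table from the X-Ham-Report quoted in the thread.
SAMPLE_REPORT = """\
 Content analysis details: (1.4 points, 5.0 required)
 pts rule name description
 ---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information.
 [URIs: lawnherpescleansenew.website]
 2.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
 [URIs: lawnherpescleansenew.website]
 -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 -0.0 SPF_PASS SPF: sender matches SPF record
 -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 [score: 0.0000]
 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
"""

SUMMARY_RE = re.compile(r"\(\s*(-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")
# A rule line is "<points> <RULE_NAME> <description>"; anything else is a continuation.
RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s+\S")

def parse_report(text):
    """Return (reported_total, required, {rule: points}) from a report body."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' summary line found")
    hits = {}
    for line in text.splitlines():
        r = RULE_RE.match(line)
        if r:
            hits[r.group(2)] = float(r.group(1))
    return float(m.group(1)), float(m.group(2)), hits

def triage(text):
    """Return (total, required, notes) for the conditions discussed in the thread."""
    total, required, hits = parse_report(text)
    notes = []
    if abs(sum(hits.values()) - total) > 0.05:
        notes.append("rule points do not add up to the reported total")
    if "URIBL_BLOCKED" in hits:
        notes.append("the query to URIBL was blocked, so that list returned no verdict")
    blocklisted = [n for n, p in hits.items() if n.startswith("URIBL_") and p > 0]
    if blocklisted and hits.get("BAYES_00", 0) < 0:
        notes.append("BAYES_00 credit offsets blocklist hit(s): " + ", ".join(blocklisted))
    return total, required, notes
```

Run over a mailbox's stored headers, the same checks show whether every message carries the BAYES_00 credit, which is the pattern described in the post above.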
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
