Configure SpamAssassin to block outgoing form mail
- CENTOS 7.4
- WHM v68.0.36
- PHP 7.0.29
- Apache SpamAssassin reject spam score threshold - 1
- Apache SpamAssassin: Forced Global ON - enabled
- Scan outgoing messages for spam and reject based on defined Apache SpamAssassin score - 2
- Do not forward mail to external recipients based on the defined Apache SpamAssassin score - 2
X-Spf-Status: internal_error
X-Spam-Score: 100
X-Ms-Exchange-Organization-Authas: Anonymous
X-Authenticated-Sender: host.foobar.com: info@foobar.com
Spam-Stopper-V2: Yes
Return-Path: info@foobar.com
X-Outgoing-Spam-Status: No, score=1.7
X-Php-Script: www.foobar.com/index.php for 146.185.223.45
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - host.foobar.com
X-Antiabuse: Original Domain - myagencydomain.com
X-Antiabuse: Originator/Caller UID/GID - [1004 994] / [47 12]
X-Antiabuse: Sender Address Domain - foobar.com
X-Rdns-Status: pass
X-Cmae-Analysis: v=2.2 cv=KdiiiUQD c=1 sm=1 tr=0 p=vunVSMQuAAAA:8 a=RlVqcaIcYrwspz6jv1/UUQ==:117 a=RlVqcaIcYrwspz6jv1/UUQ==:17 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=IkcTkHD0fZMA:10 a=00susGKmFCUA:10 a=QG2GU6Tx0C0A:10 a=MuaeFusq_UQA:10 a=Kd1tUaAdevIA:10 a=voaReoZHVQIA:10 a=W0xnywqEAAAA:8 a=9Dx8fhRWlIe3BX9u-PUA:9 a=IvN1vS8p1NYsI4Zn:21 a=xwIu7TnLqA44iwvY:21 a=ebssT2Pg4LZiMCej:21 a=QEXdDO2ut3YA:10 a=kvi-aVvvx00A:10 a=k0ykbI1PaL3kEB8atyas:22 a=SsrFxdC4mYw4ZYkWcDDW:22
X-Aes-Category: SPAM
X-Spam-Reasons: Cause=gggruggvucftvghtrhhoucdtuddrgedtgedriedvgdektdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucdtuddrgedtgedrtddtpdfkpffvgfftoffgfffktedpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepvffufffhkfggtgeshhdtjhdttddtjeenucfhrhhomhepjfgftffuvfculfgrfihsuchofhcunfhifhgvuceoihhnfhhosehjrgifshhofhhlihhfvgdrtghomheqnecuffhomhgrihhnpehoughlvghtvhdrrhhupdhrrhgrthhinhhghihfuhdrrhhunecukfhppeeigedrledurddvgeehrddvudehnecuvehluhhsthgvrhfuihiivgeptd To=Darth Vader From=Foo Bar
X-Source-Args: php-fpm: pool foobar_com
Message-Id: <37710f0de0422aefb6f1229709212341@www.foobar.com>
X-Spam-Category: LEGIT
Mime-Version: 1.0
X-Php-Originating-Script: 1004:class.phpmailer.php
In the above example, the X-Spam-Score is 100, which is above the threshold of 20 (2x10). Have I misconfigured something, missed something entirely, or am I just not understanding what's going on? Thanks!
Hi @John Manning
There are actually two assigned spam scores, one when you receive the email locally and one that is assigned to it when it's scanned outbound. In this case Spam Score:
X-Spam-Score: 100
refers to the score assigned on delivery to the server. The score that is being assigned to the server when it is sent is the Outgoing Spam Score which in this case is below the threshold of 2:
X-Outgoing-Spam-Status: No, score=1.7
So with a spam score of 1.7 SpamAssassin isn't seeing this email as spam and sends it.
Thank you,
Thanks @cPanelLauren. Somehow, all of the email that I'm receiving from this contact form has the same X-Outgoing-Spam-Status score of 1.7. I have submitted tests that have been scored 1.7. Legitimate submissions from other users have also received a 1.7. Even the emails that are very obviously spam have all received a 1.7. Does this have to do with the "Enable the Apache SpamAssassin ruleset that cPanel uses on cpanel.net" setting? It's currently set to On (default).
That's ok! Thank you for linking it. The Outgoing Spam Score in this case still remains below the threshold of the outbound scan which you've set to 2:
- Scan outgoing messages for spam and reject based on defined Apache SpamAssassin score - 2
- Do not forward mail to external recipients based on the defined Apache SpamAssassin score - 2
Thank you,
[QUOTE] Somehow, all of the email that I'm receiving from this contact form has the same X-Outgoing-Spam-Status score of 1.7. I have submitted tests that have been scored 1.7. Legitimate submissions from other users have also received a 1.7. Even the emails that are very obviously spam have all received a 1.7.
That's curious, have you tested sending a spam test like SpamAssassin: The GTUBE?
Thank you,
Hi @John Manning
Can you check /var/log/exim_mainlog (you'd need to access via CLI) to see if it was sent? My assumption is that the spam score was flagged as being high and the mail was rejected.
Thank you,
I think this is the appropriate line:
2018-04-13 13:11:10 1f72EA-0005qm-57 F= rejected by non-SMTP ACL: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as spam (1001.7/20)"
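An added example, not part of any post in this thread: a small Python parser for the two places the outbound verdict shows up here, the rejection entry in exim_mainlog and the X-Outgoing-Spam-Status header (as opposed to X-Spam-Score). The function names, the second log line, and the ">=" comparison are assumptions made for the example; the log pattern is taken only from the single line quoted above.

```python
import re
from email import message_from_string

# Rejection entry format, taken from the exim_mainlog line quoted in this thread.
REJECT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) '
    r'F=(?P<sender>\S*) rejected by non-SMTP ACL: "SpamAssassin as '
    r'cpaneleximscanner detected OUTGOING (?P<kind>.+?) message as spam '
    r'\((?P<score>-?[\d.]+)/(?P<limit>[\d.]+)\)"'
)
STATUS_RE = re.compile(r'^(?P<flag>Yes|No), score=(?P<score>-?[\d.]+)')


def outbound_rejections(log_lines):
    """Return one dict per outbound-scan rejection found in exim_mainlog lines."""
    hits = []
    for line in log_lines:
        m = REJECT_RE.match(line.strip())
        if m:
            hits.append({"ts": m["ts"], "msgid": m["msgid"], "sender": m["sender"],
                         "score": float(m["score"]), "limit": float(m["limit"])})
    return hits


def outbound_verdict(raw_headers, threshold):
    """Read the outbound score from X-Outgoing-Spam-Status, not X-Spam-Score."""
    msg = message_from_string(raw_headers)
    m = STATUS_RE.match(msg.get("X-Outgoing-Spam-Status", ""))
    if m is None:
        return None  # message was not scanned outbound, or the header is absent
    score = float(m["score"])
    # Assumption: a score at or above the configured threshold is rejected.
    return {"outbound_score": score, "would_reject": score >= threshold,
            "other_spam_score": msg.get("X-Spam-Score")}


# Constructed samples: the first log line is the one quoted above, the second
# is an ordinary line made up for contrast.
SAMPLE_LOG = [
    '2018-04-13 13:11:10 1f72EA-0005qm-57 F= rejected by non-SMTP ACL: '
    '"SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as spam (1001.7/20)"',
    '2018-04-13 13:12:02 1f72Fb-0005rX-9k Completed',
]
SAMPLE_HEADERS = "X-Spam-Score: 100\nX-Outgoing-Spam-Status: No, score=1.7\n\n"

if __name__ == "__main__":
    print(outbound_rejections(SAMPLE_LOG))
    print(outbound_verdict(SAMPLE_HEADERS, threshold=2))
```
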
Hi @John Manning
So this confirms that SpamAssassin is rejecting outbound spam mail if it meets the necessary criteria. The preferences for this are stored in the following:

# cat /var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs
skip_rbl_checks 1
# No need to check our authenticated senders to see if they are in an
# an RBL as they likely will be. We only care about RBLS for incoming
# spam scanning.
internal_networks 0/0
# We treat all authenticated senders as internal because the ip checks
# are likely useless for outbound spam scanning.

You could potentially add rules/directives here, in the same manner you would for one of your users.
Thank you,
Because it's a customization (outbound spam scanning) as opposed to the inbound scanning, the same interface doesn't exist. I would strongly urge you to open a feature request using the link in my signature if further customization options for outbound spam scanning is something you'd like to see in the product. Once you open the feature request please link it here so that we can see/vote/track the progress of it!
Thank you,