sending from webmail triggers Spamassassin rules

Comments

13 comments

  • cPanelLauren
    Hi @EneTar Can you tell me what you have (if anything) in /etc/mailhelo? This may be a false positive but I will attempt to replicate on our side as well, I'll update here once complete. Thanks!
    0
  • EneTar
    Hi @cPanelLauren. On one of my servers the /etc/mailhelo has the domains and subdomains of the dedicated IPs. On the other 2 servers the file is empty. (All servers though have the same behavior I described in my first post.) However, please note that all servers have "Send mail from account's dedicated IP address" enabled in Exim Configuration, which, as far as I know, means the system doesn't use the /etc/mailhelo file when it is enabled. Did you replicate this on your end?
    0
  • cPanelLauren
    Hi @EneTar I attempted to replicate with a testing server with 2 IPs and "send from account's dedicated IP address" enabled on the server. Unfortunately, I did not get the same results as you did; there was no reference to FSL_HELO_BARE_IP_2. Please keep in mind this is a testing server and I didn't have a DKIM added nor did I have rDNS implemented. With that being said, the errors I received seem to be accurate.
    The famous spam filter SpamAssassin. Score: -2.6. A score below -5 is considered spam.
    -0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
    -0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid. This negative score will become positive if the signature is validated. See immediately below.
    -0.379 NO_DNS_FOR_FROM Envelope sender has no MX or A DNS records
    -1.274 RDNS_NONE Delivered to internal network by a host with no rDNS. This may be a false-positive, please check the reverse DNS test below to confirm or not this issue
    -0.01 T_DKIM_INVALID Your DKIM signature is not valid. Have a look at our DKIM test below to know why
    Re-looking at your earlier response:
    I think it should be localhost or the hostname instead of [127.0.0.1]

    127.0.0.1 is fine. When looking at our test email it's received from the IPv6 equivalent:
    Received: from [::1] (port=48760 helo=server.example.com) by server.example.com with esmtpa (Exim 4.90_1)
    Though we haven't made modifications to /etc/mailhelo in our case, just what was added automatically with enabling "send mail from account's dedicated IP." What's your rDNS set to currently? Which webmail client are you sending from? I wonder if the issue is specific to one of the clients as noted in this forum post: Thanks!
    0
  • EneTar
    Please try isnotspam.com; it outputs the headers of the received email. In my case there is this output from SpamAssassin (please ignore the Bayes because it was just a test message with bogus content):
    X-Spam-Report:
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    *     [score: 1.0000]
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    *     [score: 1.0000]
    * 0.1 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * 1.5 FSL_HELO_BARE_IP_2 No description available.
    X-Spam-Status: Yes, hits=6.4 required=-20.0 tests=BAYES_99,BAYES_999,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_HELO_BARE_IP_2,HTML_MESSAGE,RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no
    rDNS is set up correctly and I have no issues with that. I tried both Horde and Roundcube. It's the same. I wish I had access to another server's webmail as well to try once more, or perhaps somebody else with a real server could try the isnotspam.com service to give us some more feedback about webmail messages. Question: when you see the headers from isnotspam.com, how many lines starting with Received: from .... do you see? Can you post them here and hide any private data?
    0
  • cPanelLauren
    Hi @EneTar Actually, I'd really like to see if you can provide me the full headers of the message. I think you might be on to something but I would need to see your full headers to know for sure. Thanks!
    0
  • EneTar
    @cPanelLauren Do you want me to post here by hiding any private data (Hiding data in email headers sometimes confuses and is harder to understand) or is there any way to contact you privately and provide all data?
    0
  • cPanelLauren
    Hi @EneTar You can hide the private data, just ensure that it's clear which entries are domains, the hostname and IP addresses
    0
  • EneTar
    Ok, I've hidden some IDs, usernames and IPs, which I think make it obvious what they mean, and I scrambled some base64 encoding I wasn't sure about. The important stuff is: user@domain.com, server.public.ip.here, my.hostname.eu, home.user.ip.here. Here are the full headers:
    From user@domain.com Wed May 09 10:21:10 2018
    Return-path:
    X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on localhost.localdomain
    X-Spam-Flag: YES
    X-Spam-Level: ******
    X-Spam-Report:
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    *     [score: 1.0000]
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    *     [score: 1.0000]
    * 0.1 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * 1.5 FSL_HELO_BARE_IP_2 No description available.
    X-Spam-Status: Yes, hits=6.4 required=-20.0 tests=BAYES_99,BAYES_999,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_HELO_BARE_IP_2,HTML_MESSAGE,RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
    Envelope-to: hiddenisnotspamid@isnotspam.com
    Delivery-date: Wed, 09 May 2018 10:21:10 +0000
    Received: from my.hostname.eu ([server.public.ip.here] helo=domain.com) by localhost.localdomain with esmtp (Exim 4.84_2) (envelope-from ) id 1fGMDe-000Aha-1j for hiddenisnotspamid@isnotspam.com; Wed, 09 May 2018 10:21:10 +0000
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=domain.com; s=default; h=MIME-Version:Content-Type:Subject:To:From:Message-ID:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; ....hidden.....
    Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu) by my.hostname.eu with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1) (envelope-from ) id 1fGMDY-0002OC-Bj for hiddenisnotspamid@isnotspam.com; Wed, 09 May 2018 13:21:04 +0300
    Received: from home.user.ip.here ([home.user.ip.here]) by domain.com (Horde Framework) with HTTPS; Wed, 09 May 2018 10:21:04 +0000
    Date: Wed, 09 May 2018 10:21:04 +0000
    Message-ID: <20180509102104.Horde.evgfTHyASiJAsjeBgfy@domain.com>
    From: My Name
    To: hiddenisnotspamid@isnotspam.com
    Subject: test email from Horde
    User-Agent: Horde Application Framework 5
    Content-Type: multipart/alternative; boundary="=_WDUa34dfdGFFY2PJxGrrFbf"
    MIME-Version: 1.0
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - my.hostname.eu
    X-AntiAbuse: Original Domain - isnotspam.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - domain.com
    X-Get-Message-Sender-Via: my.hostname.eu: authenticated_id: user@domain.com
    X-Authenticated-Sender: my.hostname.eu: user@domain.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-DKIM-Status: pass (domain.com)

    This message is in MIME format.
    --=_WDUa34dfdGFFY2PJxGrrFbf
    Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
    Content-Description: Plaintext Message
    Content-Disposition: inline
    .....Hi there message content here....
    Do you see anything wrong? Please let me know if you need any further details.
    0
  • cPanelLauren
    What I'm looking for is one of these lines to have an IP address, and neither of them does:
    Received: from my.hostname.eu ([server.public.ip.here] helo=domain.com)

    Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)

    Looking through threads here and elsewhere on this issue, it's one of a few things. Now what I am curious about is whether it's reporting (incorrectly) an invalid HELO because it assigns the mailhelo as the domain name rather than the hostname.
    # cat /etc/mailhelo
    example.com: example.com
    To test that though, I'd like to see if it would be possible for you to do the following:
    • Disable (temporarily) "Send mail from account's dedicated IP"
    • Enable Reference /etc/mailhelo for outgoing SMTP HELO
    • Enable Reference /etc/mailips for outgoing SMTP connections
    • Modify /etc/mailhelo to the following: *:
    • Modify /etc/mailips to the following: domain:
    • Test sending again
    Thanks!
    0
  • EneTar
    Hi @cPanelLauren Isn't 127.0.0.1 still an IP although it is the localhost IP?
    Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
    Furthermore, I ran 2 more tests from one cPanel server to another cPanel server and vice versa. This is the result from the 2:
    0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    Please note that I don't see the rule FSL_HELO_BARE_IP_2. This specific rule is not documented in SpamAssassin and it seems to overlap with a couple of other rules.
    FALSE POSITIVE: Anyway, from the point that RCVD_NUMERIC_HELO is triggered when sending from one cPanel server to the other, it's not a false positive of the mailtester software. It's either a false positive of SpamAssassin or a real issue.
    rDNS: About the rDNS. What test do you want me to run to exclude any rDNS issue? Although I think that in case of misconfigured rDNS SpamAssassin triggers a few rules which I don't see on any of my tests.
    The outcome of this thread is that:
    "Hello, To update this thread, the issue was that this is most likely a false positive with mail-tester.com. Other checking services showed that the HELO was correct."
    However, I've just shown that this happens on multiple sources, even from a cPanel server to another.
    Continuing to the test you specified. Here are all Received: headers from top to bottom of the message:
    Received: from recipients.hostname.here ....
    Received: from sender.hostname.here ([sender.server.ip.here]:44190) ...
    Received: from [127.0.0.1] (port=39202 helo=sender.hostname.here) ....
    Received: from public.user.ip.here ([public.user.ip.here]) by senderdomain.com (Horde Framework) with ...
    1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO ....
    So it's the same. Can't you find 2 cPanel servers properly set up so that you can run this test?
    0
  • cPanelLauren
    Isn't 127.0.0.1 still an IP although it is the localhost IP?

    Yes, but this is normal, and we can clearly see on my test server that it does the IPv6 equivalent (::1) with no matching of that rule:
    Received: from [::1] (port=48760 helo=server.example.com) by server.example.com with esmtpa (Exim 4.90_1)
    This is saying Received: from [127.0.0.1], and in the context of what you're looking for it is irrelevant. The concern should be the helo= field, which clearly states a domain in all cases.
    So it's the same. Can't you find 2 cPanel server properly set up so that you run this test?

    The servers I'm setting up are using cPanel and are properly configured and don't encounter this issue, which is why I'm experiencing difficulty replicating this; I've used internal testing servers and my own personal servers. At this point, I'd like to see if it would be possible for you to open a ticket using the link in my signature so we can take a closer look at your configuration specifically. Please update this post with the ticket ID once it's open. Thanks!
    0
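The distinction drawn in the reply above, between the connecting address in `from [127.0.0.1]` and the name in `helo=`, is what decides whether a Received: hop counts as a numeric HELO. The following is an added example, not code from either poster, cPanel, Exim or SpamAssassin: it parses Exim-style Received: lines (constructed sample hops with placeholder hosts) and flags only hops whose HELO name is itself an IP literal. The fallback that treats the leading host name as the HELO when no helo= is present is an assumption about Exim's header format, and the check is an approximation of RCVD_NUMERIC_HELO, not the rule's actual regex.

```python
import ipaddress
import re

# Constructed Received: lines in Exim's format (placeholder hosts, not real mail).
# The first two mirror the thread's headers; the third is a constructed hop whose
# HELO name really is a bare IP literal.
SAMPLE_RECEIVED = [
    "Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu) by my.hostname.eu with esmtpsa",
    "Received: from [::1] (port=48760 helo=server.example.com) by server.example.com with esmtpa",
    "Received: from [203.0.113.5] (port=2525 helo=[203.0.113.5]) by mx.example.net with esmtp",
]

HELO_RE = re.compile(r"\bhelo=(\S+?)[)\s]")
FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)")

def is_ip_literal(token: str) -> bool:
    """True if token is an IPv4/IPv6 address, with or without square brackets."""
    try:
        ipaddress.ip_address(token.strip("[]"))
        return True
    except ValueError:
        return False

def helo_name(received: str):
    """HELO name recorded in an Exim-style Received: line, or None if unparseable.
    A helo= value is what the client sent. Assumption: Exim omits helo= only when
    it equals the leading host name, so the 'from' token is used as a fallback."""
    m = HELO_RE.search(received + " ")  # trailing space terminates a final helo=
    if m:
        return m.group(1)
    m = FROM_RE.match(received)
    return m.group(1) if m else None

def bare_ip_helo(received: str) -> bool:
    """Approximates what RCVD_NUMERIC_HELO checks: the HELO name is an IP literal.
    The 'from [127.0.0.1]' token is the connecting address, not the HELO, and is
    deliberately ignored; that is the distinction drawn above."""
    name = helo_name(received)
    return name is not None and is_ip_literal(name)

def audit(received_lines):
    """(helo, flagged) per hop so an operator can see which hop trips the rule."""
    return [(helo_name(r), bare_ip_helo(r)) for r in received_lines]

if __name__ == "__main__":
    for helo, flagged in audit(SAMPLE_RECEIVED):
        print(f"helo={helo!r:<28} bare_ip_helo={flagged}")
```

Run against a real message by pasting its Received: lines into the list; only the third constructed hop is flagged, the two localhost hops from the thread are not.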
  • EneTar
    I've used internal testing servers and my own personal servers.

    Thank you I didn't know this. So it seems that there is an issue with my particular setup on all servers. I will open a ticket for this and update this thread.
    0
  • cPanelLauren
    Hi @EneTar Great, hopefully we can help you get it sorted. Thanks!
    0
