Outgoing SPAM Email Problems
Over the past few weeks we've been getting lots of trouble with out going spam. We currently use Amazon AWS server to send emails anyway. Me and my colleagues have been receiving emails that are from our accounts e.g. from [removed - please exclude real domain names and IP addresses from the output]
Here's an example of the headers of a typical SPAM email we're receiving:
[removed - please exclude real domain names and IP addresses from the output]
Obviously each time we get these SPAM emails, their IP is switched so it's hard to try and block it that way. We've reset email account passwords and also the main cPanel account. Also we have SpamAssassin setup and slightly tweaked to try and prevent this, but obviously aren't having much luck. I've tried doing the usual stuff recommended by cPanel.
I'd appreciate if someone could help me out as this is happening for at least another 5/6 accounts.
-
Here's a snippet from the exim_mainlog [removed - please exclude real domain names and IP addresses from the output] 0 -
exim_mainlog 2018-08-17 11:07:06 1fqbeo-0004Di-Gm H=([154.113.98.8]) [154.113.98.8]:15256 Warning: "SpamAssassin as example detected message as NOT spam (-69.2)" 2018-08-17 11:07:06 1fqbeo-0004Di-Gm <= name@example.com H=([154.113.98.8]) [154.113.98.8]:15256 P=esmtp S=2971 id=219918524.201808171105@example.co.uk T="Let's have fun?" for name@example.com 2018-08-17 11:07:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fqbeo-0004Di-Gm 2018-08-17 11:07:06 SMTP connection from ([154.113.98.8]) [154.113.98.8]:15256 closed by QUIT 2018-08-17 11:07:07 1fqbeo-0004Di-Gm => name R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 uOksMUqedltCNgAAPb2kjA Saved" 2018-08-17 11:07:07 1fqbeo-0004Di-Gm Completed0 -
Hi @Elliot Hagerty This doesn't look like outbound spam based on what you're providing it looks like inbound spam (you're receiving the spam not sending it) But it does look like there is some trickery occurring due to the fact the message is being marked as being from your user (which it isn't) The reason why it's getting marked as NOT spam is detailed in the scoring: Content analysis details: (-56.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -100 USER_IN_WHITELIST From: address is in the user's white-list 5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000] 0.8 KAM_COUK Scoring .co.uk emails higher due to poor registry security. 1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/ [113.189.99.245 listed in bl.score.senderscore.com] 6.2 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5) [113.189.99.245 listed in bl.mailspike.net] 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL [113.189.99.245 listed in zen.spamhaus.org] 3.3 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS 4.4 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see ] 1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 1.9 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date 1.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% [score: 1.0000] 1.8 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100] 0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) direct-to-MX 2.0 RDNS_NONE Delivered to internal network by a host with no rDNS 0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted 0.3 DIGEST_MULTIPLE Message hits more than one network digest check 1.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam
specifically:-100 USER_IN_WHITELIST From: address is in the user's white-list
Basically what's happening here is the spammer is taking advantage of users who whitelist their own domains if your own domain wasn't in the whitelist there the message would have received a spam score of over 30 and been marked as such (deleted if you had autodelete enabled) Because spam scoring isn't done on local domains (local -> local) meaning if your MX records for this domain are hosted locally I would suggest removing the domain from the whitelist so you'll stop receiving this type of spam. The only way I can think of to workaround this reliably otherwise would be to increase the points match on the SPF failure rule as right now it's set to add 1.5 to the score:1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
That is set here Globally:grep SPF /usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf # SPF failures and information ifplugin Mail::SpamAssassin::Plugin::SPF score SPF_NONE 0 score SPF_HELO_NONE 0 score SPF_PASS -0.001 score SPF_HELO_PASS -0.001 score SPF_FAIL 4.0 score SPF_HELO_FAIL 4.0 score SPF_HELO_NEUTRAL 0 score SPF_HELO_SOFTFAIL 1.5 score SPF_NEUTRAL 0 score SPF_SOFTFAIL 1.5
To modify this per account through cPanel you'd go to cPanel >> Email >>Spam Filters -> Show Additional Configurations -> Configure Calculated Spam Scores Settings If you wanted to modify it per account via CLI you can do so as follows:cat /home/$user/.spamassassin/user_prefs score SPF_SOFTFAIL 1000
Please sign in to leave a comment.
Comments
3 comments