Skip to main content

Exchange / SMTP Authentication / Spam Score

Comments

7 comments

  • cPanelLauren
    Hi @Scott Laughead The user_prefs for cPanel exim scanner (the internal name for outbound spam assassin) are located at /var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs. From here you can see that there aren't really any rules being hit but spam_assassin's base db [root@server .spamassassin]# cat user_prefs skip_rbl_checks 1 # No need to check our authenticated senders to see if they are in an # an RBL as they likely will be. We only care about RBLS for incoming # spam scanning. internal_networks 0/0 # We treat all authenticated senders as internal because the ip checks # are likely useless for outbound spam scanning. [root@server .spamassassin]#
    The base configuration is in the local.cf which can be found at /etc/mail/spamassassin/local.cf though what rules are being hit on outbound spam scanning isn't noted specifically in the headers of messages. My assumption would be that the user's local IP address is having IP reputation issues which is unfortunately fairly common through no fault of your user in most cases.
    0
  • Scott Laughead
    I do appreciate your reply. My first thought was that the reputation of the IP had been compromised as well. However, that is one of the first things I checked. These customers outbound email leave off the IP associated with the IP of the connection in which they get their service through (Spectrum). However, in each instance, Spectrum had been contacted previous, a PTR record had been created to link back to the customer mail server. The PTR records are great for each of these clients. SPF records are in place, and MX Toolbox says everything checks as green and good. Also, individual blacklist checks indicate that none of these dedicated IP addresses are on any blacklist (all clean). SenderScore.com says that these IP addresses have not had sufficient enough amounts of email to be on their list, so I would assume that is a good thing since they are individual company mail servers. This is only happening with my clients that use Exchange and authenticate through a single user to push out email. Any other configuration, email is flowing and scoring great. I have checked all headers and there is nothing in the email that would indicate why it is scoring the email as spam. Since my thresh hold on outbound scanning of email is set at 5, most of these being scored from 2-4 go out and deliver to the spam boxes of the recipients. If it hits a level of 5, it rejects the email message from even forwarding out off my server and sends it back to sender. I have reviewed each email that is being rejected, and of course each have an attachment, but they are PDF's. The ones being scored between 2-4, it is just general correspondence of someone asking questions, or replaying to someone else. There are no signature plugins to social media or anything like that either. Continued brainstorming is appreciated.
    0
  • cPanelLauren
    Hi @Scott Laughead Definitely a conundrum -
    This is only happening with my clients that use Exchange and authenticate through a single user to push out email.

    Have you checked the exchange server's reputation as well? Have you tried putting the Exchange server IP's in the only-verify recipient portion of the exim configuration? Only-verify-recipient Hosts or IP addresses that should be exempt from all spam checks at SMTP time, except recipient verification. Hosts or IP addresses you enter here are stored in /etc/trustedmailhosts.
    You might also look into the following: Trusted SMTP IP addresses IP addresses exempt from all SMTP sender, recipient, spam, and relaying checks. IP addresses you enter here are stored in /etc/skipsmtpcheckhosts. These senders must still use an RFC-compliant HELO name if the Require RFC-compliant HELO setting is enabled
    0
  • Scott Laughead
    This is only happening with my clients that use Exchange and authenticate through a single user to push out email. Have you checked the exchange server's reputation as well? Yes. I have checked the reputations for each Exchange server and there is either not enough mail flow to warrant a report on them, or if there is, they check out as very good. Have you tried putting the Exchange server IP's in the only-verify recipient portion of the exim configuration?
    Code: Only-verify-recipient Hosts or IP addresses that should be exempt from all spam checks at SMTP time, except recipient verification. Hosts or IP addresses you enter here ar

    I just added my clients Exchange server IP into this list in Exim. It didn't help.
    Code: Trusted SMTP IP addresses IP addresses exempt from all SMTP sender, recipient, spam, and relaying checks. IP addresses you enter here are stored in /etc/skipsmtpcheckhosts. These senders

    I just added that same client IP address to this list AS WELL (so it is in both lists now), and that didn't help either. SMTP mail scanner is still flagging them with a minimum spam score of 2. Here is the Internet Header of the message they used to test email going out: Received: from Server2012.corp.mydomain.com (my local ip) by Server2012.corp.mydomain.com (my local ip) with Microsoft SMTP Server (TLS) id 15.0.1365.1 via Mailbox Transport; Wed, 6 Feb 2019 09:34:50 -0500 Received: from Server2012.corp.mydomain.com (my local ip) by Server2012.corp.mydomain.com (my local ip) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 6 Feb 2019 09:34:50 -0500 Received: from sjl0vm-hesra17.colo.sonicwall.com (ip of my hosted gateway filter) by Server2012.corp.mydomain.com (my local ip) with Microsoft SMTP Server (TLS) id 15.0.1365.1 via Frontend Transport; Wed, 6 Feb 2019 09:34:49 -0500 Authentication-Results: sjl0vm-hesra17.colo.sonicwall.com; spf=pass smtp.mailfrom=user@client-domain.com; Received: from my-mail-server.com ([my mail server IP]) by sjl0vm-hesra17.colo.sonicwall.com ([ip of my hosted gateway filter]) (SonicWall 9.2.2.5291) with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256) id i201902061434571043596-15861; Wed, 06 Feb 2019 06:34:58 -0800 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=client-domain.com; s=default; h=MIME-Version:Content-Type:Message-ID: Subject:Date:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=xuOKNRjDX9oBhfXEkwZlBAvmjAwcOofqZRD/QCSm3kc=; b=nwnFxBl7oaldBwgBKb5dZT4bKz V1UPT7LVflr5Q/UDDpUaxS52ToWGjTUYyv4jAwhgN7eMPCID8eYwyLfZ2EYDwaDYIDSOttyfZCVbV Y7YNzYz/Jv4WfnRvDBUjqNpH0b07e+YqrQ9pgbqkw4H7GJ04e3ChEOp+Lltt0En2+Z8RWUehj+xfs wbu4lzFZr4Jqxefbz3lOP0NhMHDP0r/6/qJPBAEQvmsiA1EywZx4RlOpL0xe3n+IqVtxQnKiJ7ySg ieVATYm1FLpHXwyyvEsrYt6+e0d3t+IQenaF7C0KGZhm8gefHyOA4O2cE+w/v3U1pkEk6ud+n1WyA 1vH4dUWw==; Received: from [client exchange server ip] (port=19999 helo=remote.client-domain.com) by my-mail-server.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.91) (envelope-from ) id 1grOHY-00039x-KK for myname@mydomain.com; Wed, 06 Feb 2019 09:34:46 -0500 Received: from SERVER2008.client-exchange-name.local ([fe80::2064:c205:66cd:c7f2]) by SERVER2008.client-exchange-name.local ([fe80::2064:c205:66cd:c7f2%10]) with mapi; Wed, 6 Feb 2019 09:34:41 -0500 From: Client Name To: My Name Date: Wed, 6 Feb 2019 09:34:40 -0500 Subject: Insurance Thread-Topic: Insurance Thread-Index: AdS+KQ1tQS10i5B8SaGLWVyb9ARX0w== Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_DE069E53D71B6A418AA8DF4168FF3A040781E984SERVER2008ltalo_" MIME-Version: 1.0 X-OutGoing-Spam-Status: No, score=2.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - my-mail-server.com X-AntiAbuse: Original Domain - mydomain.com X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - client-domain.com X-Get-Message-Sender-Via: my-mail-server.com: authenticated_id: authenticated-user@client-domain.com X-Authenticated-Sender: my-mail-server.com: authenticated-user@client-domain.com X-Source: X-Source-Args: X-Source-Dir: X-Mlf-SPF: SPF Pass (result=pass;action=none;identity=MAILFROM;domain=client-domain.com;source=(my mail server IP address);details:allowedlist=consider;) X-Mlf-DKIM: DKIM Disabled (result=disabled;) X-Mlf-DMARC: DMARC Disabled (result=disabled;) X-Mlf-Language-Detected: NoLanguageFilter_English X-Mlf-Connecting-IP: (my mail server IP address) X-Mlf-Country-Code: US X-Mlf-Rules: rn;26.57[0.00884] X-Mlf-SVM: sn;0.922:71:6:17:48 X-Mlf-Tp-MsgRecvd: 2019 02 06 1434 X-Mlf-Tp-Versions: DB1420;DC1420;DT1420;DV1420;HT1420;I41420;PB1420;SB1420; X-Mlf-Tp-Versions: TT1420;WH1420;XB1420; X-Mlf-Rules-Pos-Features: HEADERNGRAM_x-ms-tnef-correlator_acceptlanguage_ 3.90;HEADERNGRAM_acceptlanguage_content-type_3.81;HEADERNGRAM_thread-index_m essage-id_3.78;HEADERNGRAM_x-ms-has-attach_x-ms-tnef-correlator_3.21;HEADERN GRAM_subject_thread-topic_3.20;HEADERNGRAM_content-language_x-ms-has-attach_ 3.19;HEADERNGRAM_thread-topic_thread-index_3.13;HEADERNGRAM_accept-language_ content-language_3.11; X-Mlf-Rules-Neg-Features: ATTACHSIZE_0_-0.50;HEADERNGRAM_x-outgoing-spam-s tatus_x-antiabuse_-0.25;HEADERNGRAM_x-antiabuse_x-antiabuse_0.00;HEADERNGRAM _x-antiabuse_x-get-message-sender-via_0.00;HEADERNGRAM_x-authenticated-sende r_x-source_0.00;HEADERNGRAM_x-get-message-sender-via_x-authenticated-sender_ 0.00;HEADERNGRAM_x-source-args_x-source-dir_0.00;HEADERNGRAM_x-source_x-sour ce-args_0.00; X-Mlf-Sliderbars: N4,B4,S4,L4,Q4,G4,A4,I4 X-Mlf-AV-DAT: 9158;201902061319;201902061322 X-Mlf-DSE-Version: 5485 X-Mlf-Rules-Version: s20190111180506; ds20171117204456; di20181214013800; ri20170405183854; fs20190111170037 X-Mlf-SVM-Version: 20180829092608; 0 X-Mlf-Smartnet-Version: 20190109010522 X-Mlf-Threat: nothreat X-Mlf-Threat-Detailed: nothreat;other;none;none X-Mlf-Version: 9.2.2.5291 X-Mlf-License: BSVKCAP_T_ X-Mlf-UniqueId: i201902061434571043596 Return-Path: user@client-domain.com X-MS-Exchange-Organization-Network-Message-Id: d6498e6b-3c50-4ca2-99e3-08d68c40403c X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0 X-MS-Exchange-Organization-AuthSource: Server2012.corp.mydomain.com X-MS-Exchange-Organization-AuthAs: Anonymous
    I appreciate the ideas so far. Hope this new information can help. Thank you so much.
    0
  • cPanelLauren
    Hi @Scott Laughead Interesting that you have a DKIM record which is shown earlier in the headers but the check on DKIM is disabled: X-Mlf-DKIM: DKIM Disabled (result=disabled;)
    Also, the scores here may also be playing a part in this issue: X-Mlf-Rules-Pos-Features: HEADERNGRAM_x-ms-tnef-correlator_acceptlanguage_ 3.90;HEADERNGRAM_acceptlanguage_content-type_3.81;HEADERNGRAM_thread-index_m essage-id_3.78;HEADERNGRAM_x-ms-has-attach_x-ms-tnef-correlator_3.21;HEADERN GRAM_subject_thread-topic_3.20;HEADERNGRAM_content-language_x-ms-has-attach_ 3.19;HEADERNGRAM_thread-topic_thread-index_3.13;HEADERNGRAM_accept-language_ content-language_3.11; X-Mlf-Rules-Neg-Features: ATTACHSIZE_0_-0.50;HEADERNGRAM_x-outgoing-spam-s tatus_x-antiabuse_-0.25;HEADERNGRAM_x-antiabuse_x-antiabuse_0.00;HEADERNGRAM _x-antiabuse_x-get-message-sender-via_0.00;HEADERNGRAM_x-authenticated-sende r_x-source_0.00;HEADERNGRAM_x-get-message-sender-via_x-authenticated-sender_ 0.00;HEADERNGRAM_x-source-args_x-source-dir_0.00;HEADERNGRAM_x-source_x-sour ce-args_0.00;
    This is some other spam scanning though not SpamAssassin but rather a separate service. I'm curious if you send the exact message to a domain being scanned by SpamAssassin if you'll get the same score. That way you could see the headers to identify what is being hit. I'm leaning heavily toward it being related to the attachments but there really isn't a way to tell at this point.
    0
  • Scott Laughead
    Hi @Scott Laughead Definitely a conundrum - Have you checked the exchange server's reputation as well? Have you tried putting the Exchange server IP's in the only-verify recipient portion of the exim configuration? Only-verify-recipient Hosts or IP addresses that should be exempt from all spam checks at SMTP time, except recipient verification. Hosts or IP addresses you enter here are stored in /etc/trustedmailhosts.
    You might also look into the following: Trusted SMTP IP addresses IP addresses exempt from all SMTP sender, recipient, spam, and relaying checks. IP addresses you enter here are stored in /etc/skipsmtpcheckhosts. These senders must still use an RFC-compliant HELO name if the Require RFC-compliant HELO setting is enabled

    Hello Lauren, Sorry this has taken so long to get back to you on this matter. I have indeed added their Exchange server IP address to the Trusted SMTP IP addresses, I also did the Only-verify-recipient. This still does not appear to be helping. I have indeed checked the reputation of the Exchange server IP, comes back clean and good. If you send from their webmail account on the server, it comes back with an initial spam score of -1. Even with the Only-verify-recipient and Trusted SMTP, it is still scanning it for spam and marking it with a spam score of 2 or more if it leaves from their exchange server. Like I said, none of this was occurring prior to the beginning of the year, now it is. No settings have been changed in the system except what you have requested I try to fix this. I don't know why it is even scanning the email leaving from this IP/Domain after adding them to the exempt list. I know that the current version of cPanel I am using is coming to end of life on March 31st, 2019 and I have plans with my server company to update it before then. Do you think this end of life product is causing this issue, or it is something specific to the Exchange boxes and their IP addresses? As I said, this is only occurring with my Exchange customers since the beginning of the year. This makes me think it is Exchange, but when everything comes back solid (no blacklists, good SPF, good PTR, sender reputation very high), why would MY SERVER, the outbound SMTP server that they are Authenticating into be scoring spam at such a high level on general correspondence? Any additional brainstorming is much appreciated. Thanks.
    0
  • cPanelMichael
    I have indeed added their Exchange server IP address to the Trusted SMTP IP addresses, I also did the Only-verify-recipient. This still does not appear to be helping. I have indeed checked the reputation of the Exchange server IP, comes back clean and good. If you send from their webmail account on the server, it comes back with an initial spam score of -1. Even with the Only-verify-recipient and Trusted SMTP, it is still scanning it for spam and marking it with a spam score of 2 or more if it leaves from their exchange server. Like I said, none of this was occurring prior to the beginning of the year, now it is. No settings have been changed in the system except what you have requested I try to fix this. I don't know why it is even scanning the email leaving from this IP/Domain after adding them to the exempt list. I know that the current version of cPanel I am using is coming to end of life on March 31st, 2019 and I have plans with my server company to update it before then. Do you think this end of life product is causing this issue, or it is something specific to the Exchange boxes and their IP addresses? As I said, this is only occurring with my Exchange customers since the beginning of the year. This makes me think it is Exchange, but when everything comes back solid (no blacklists, good SPF, good PTR, sender reputation very high), why would MY SERVER, the outbound SMTP server that they are Authenticating into be scoring spam at such a high level on general correspondence?

    Hello @Scott Laughead, Could you open a
    0

Please sign in to leave a comment.