[CPANEL-26054] SpamAssassin forwards locally delivered SPAM

LBJ

• March 06, 2019 22:39

G'day All, I can never find an obvious place to lodge bug reports other than by raising a support ticket, so I'll try it here. On all our 76.0.20 servers, the option to scan outgoing and forwarded email is not detecting definite spam created on-server and sent to an external address via a forwarder. Only email sent directly to an external address is being correctly handled. This makes it very easy to spam from a compromised account on cPanel servers. Steps to reproduce: 1. Enable the following Exim options... Scan outgoing messages for spam and reject based on defined Apache SpamAssassin" score Do not forward mail to external recipients based on the defined Apache SpamAssassin" score 2. Generate a spam message from the server (PHP mailto() for example) to a forwarder pointing to an external address. Use the SpamAssassin GTUBE string for spam. The spam will be delivered without issue. Outgoing spam is only blocked if sent directly to the external address. Using a forwarder completely bypasses the security. Best regards, LBJ

• 

  LBJ

  • March 07, 2019 04:45

  Confirmed bug and case submitted to cPanel developers as CPANEL-26054. Best regards, LBJ

  0
• 

  cPanelMichael

  • March 07, 2019 18:59

  Hi @LBJ, As you noted, internal case CPANEL-26054 was opened to report an issue where the option to scan outgoing and forwarded email is not detecting definite SPAM created on-server and sent to an external address via a forwarder. I'll monitor this case and update this thread with more information on it's status as it becomes available. Thank you.

  0
• 

  LBJ

  • May 14, 2019 04:34

  Hi @LBJ, As you noted, internal case CPANEL-26054 was opened to report an issue where the option to scan outgoing and forwarded email is not detecting definite SPAM created on-server and sent to an external address via a forwarder. I'll monitor this case and update this thread with more information on it's status as it becomes available. Thank you.

  
  G'day Michael, Is there any update on this, or at least a likely time-frame? We're still forced to add complex code to fully block webform spam where users have opted to email out via a configured forwarder to an external email address. Best regards, LBJ

  0
• 

  cPanelMichael

  • May 15, 2019 18:00

  Hello @LBJ, This case is fixed in cPanel & WHM version 82 (this version is not yet available to the public). You should see this version published to the EDGE release tier some time after version 80 reaches STABLE. Thank you.

  0
• 

  LBJ

  • May 15, 2019 22:37

  G'day Michael, Thanks very much for that. Best regards, LBJ

  0
• 

  cPanelMichael

  • July 09, 2019 18:37

  Hello, To update, here's the entry in the Release Tier on the link below:

  0

Please sign in to leave a comment.