Message not scanned by SpamAssassin
Hi, I'm trying to work out why an email was not scanned by SpamAssassin.
Here is an excerpt from /var/log/exim_mainlog:
2020-03-02 05:14:26 1j8dPJ-00021d-Jh H=(s1.smallhost.in) [103.46.239.70]:56034 Warning: Message has been scanned: no virus or other harmful content was found
2020-03-02 05:14:26 1j8dPJ-00021d-Jh <= advising.service.50512926.737644.2317170144@mail.hsbcnet.hsbc.com H=(s1.smallhost.in) [103.46.239.70]:56034 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1547343 id=f162f0ccdb81f8982db573faeeaf90eb@mail.hsbcnet.hsbc.com T="Payment Advice - Advice Ref:[G61184613334] / Priority payment /\n Customer Ref:[Off Rental - March]" for firstnamelastname@mydomain.org
2020-03-02 05:14:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j8dPJ-00021d-Jh
2020-03-02 05:14:26 1j8dPJ-00021d-Jh => firstname.lastname (firstname.lastname@mydomain.net, firstnamelastname@mydomain.net, firstnamelastname@mydomain.net) R=virtual_user T=dovecot_virtual_delivery_no_batch C="250 2.0.0 GBhgCzKWXF7RHgAAyYJOYg Saved"
2020-03-02 05:14:26 1j8dPJ-00021d-Jh => |/usr/local/cpanel/bin/autorespond firstname.lastname@mydomain.net /home/mydomainnet/.autorespond (firstname.lastname@mydomain.net, firstname.lastname@mydomain.net, firstnamelastname@mydomain.net, firstnamelastname@mydomain.net) R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2020-03-02 05:14:26 1j8dPJ-00021d-Jh Completed
For other emails, a log entry appears next to the virus scanning saying "SpamAssassin as myuser detected message as ...". The email ended up getting through to a user having no SpamAssassin headers, seemingly not being scanned for spam and this is supported by the missing log message. I would expect it to be picked up as having SPF issues given that a host from India is sending a malicious email message purporting to be from hsbc.com. Any thoughts would be appreciated - could it have happened due to a SpamAssassin update at that exact moment? (Is there any way of checking this? - I couldn't see a SpamAssassin update log) Thanks in advance -Neil
# grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf
/etc/redhat-release:CentOS Linux release 7.7.1908 (Core)
/usr/local/cpanel/version:11.86.0.8
/var/cpanel/envtype:standard
CPANEL=release-
Hello, Were other emails right before and right after this one also scanned? What's the output of the following?

ps faux |grep spamd
One thing to check since the following setting used to have a lower default and may need adjusting if the message size is just large enough: WHM > Service Configuration > Exim Configuration Manager, setting "Apache SpamAssassin: message size threshold to scan". Check what this is set to as compared to the message size of the email in question in case it's larger than your threshold.
# ps faux |grep spamd
root 24415 0.0 0.0 112712 960 pts/0 S+ 08:31 0:00 \_ grep --color=auto spamd
root 10107 0.0 0.7 240636 118180 ? Ss Mar02 0:03 /usr/local/cpanel/3rdparty/perl/530/bin/perl -T -w /usr/local/cpanel/3rdparty/bin/spamd --allowed-ips=127.0.0.1,::1 --max-children=5 --pidfile=/var/run/spamd.pid --listen=5 --listen=6
root 10435 0.0 0.8 270656 140660 ? S Mar02 0:16 \_ spamd child
root 10436 0.0 0.8 264436 136072 ? S Mar02 0:01 \_ spamd child
The previous emails around 05:12 and 05:14 were scanned by SpamAssassin. The following incoming email at 05:17 does not appear to have been scanned. SpamAssassin appears in the logs again at 05:51, which is the next incoming email.
The email saved as a .eml file is 1.5 MB, and is 4 KB without the attachment. The threshold is currently set to 200 KB. This is lower than the default (1000 KB) so that's something that we can increase - does this threshold check the size of the message including the attachment?
I think I've answered my own question. The /usr/local/cpanel/3rdparty/bin/spamc command has a -s arg for max size in bytes and this is probably used with the "Apache SpamAssassin: message size threshold to scan" option. Indeed, testing this on an email source shows no scanning on the 1.5 MB email until this threshold is increased. This does mean though that big emails above this threshold don't get spam checked against SPF/DKIM etc. which I'd like always to be done. I guess it's a cPanel feature request but it would seem to make sense to pass emails to SpamAssassin via head -c 500K or similar.
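The log check done by hand in this thread, as an added shell example that is not from the thread or from cPanel: it correlates each accepted message's S= size in exim_mainlog against the configured threshold and flags messages that never got a "SpamAssassin as" line, so size-related scan bypasses can be spotted routinely. The log lines are constructed, and the 200 KB threshold is assumed to be 204800 bytes.

```shell
# Constructed sample of exim_mainlog lines (not the poster's real log): the first
# message was scanned by SpamAssassin, the second only got the virus-scan line.
SAMPLE_LOG='2020-03-02 05:12:01 1j8dMx-0001zQ-Aa H=(mx.example.test) [192.0.2.10]:40001 Warning: Message has been scanned: no virus or other harmful content was found
2020-03-02 05:12:01 1j8dMx-0001zQ-Aa H=(mx.example.test) [192.0.2.10]:40001 Warning: "SpamAssassin as myuser detected message as NOT spam (-1.2)"
2020-03-02 05:12:01 1j8dMx-0001zQ-Aa <= sender@example.test H=(mx.example.test) [192.0.2.10]:40001 P=esmtps S=3812 for user@mydomain.example
2020-03-02 05:14:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j8dMx-0001zQ-Aa
2020-03-02 05:14:26 1j8dPJ-00021d-Jh H=(s1.example.test) [198.51.100.7]:56034 Warning: Message has been scanned: no virus or other harmful content was found
2020-03-02 05:14:26 1j8dPJ-00021d-Jh <= advising@example.test H=(s1.example.test) [198.51.100.7]:56034 P=esmtps S=1547343 for user@mydomain.example'

# unscanned_over_threshold LOGTEXT THRESHOLD_BYTES
# Prints "<exim-id> <size>" for every accepted message ("<=" line) larger than
# THRESHOLD_BYTES that has no "SpamAssassin as ..." warning for the same id.
# Run it on the real log with: unscanned_over_threshold "$(cat /var/log/exim_mainlog)" 204800
unscanned_over_threshold() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        # Field 3 is the Exim message id (xxxxxx-yyyyyy-zz) on message lines;
        # lines such as "cwd=/var/spool/exim ..." do not match and are ignored.
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
            id = $3
            if ($0 ~ /SpamAssassin as /) scanned[id] = 1
            if ($4 == "<=") {
                # The S= field of the acceptance line is the message size in bytes
                for (i = 5; i <= NF; i++) if ($i ~ /^S=[0-9]+$/) size[id] = substr($i, 3)
            }
        }
        END {
            for (id in size)
                if (!(id in scanned) && size[id] + 0 > limit + 0) print id, size[id]
        }' | sort
}
```

Truncating oversized messages before spamc (the head -c idea above) keeps SPF and header-based rules working, but a DKIM body hash computed over a cut body will no longer verify unless the signature's l= tag covers only the retained bytes.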