
Not all incoming mails have a SPAM score

Comments

5 comments

  • cPRex Jurassic Moderator
    Hey there! Can you search the Exim log for that specific mail ID to see if there were any issues scanning the messages? You would use a command like this to get more details:
    grep xx-xxxxx-xxx /var/log/exim_mainlog
    where "xx-xxxxx-xxx" is the specific mail ID of that message.
    0
  • serg499
    Thank you for the reply. The grep command gave me this:
    [root@vps /]# grep UEM2-0008O7-KC /var/log/exim_mainlog
    2021-04-07 16:00:46 1lUEM2-0008O7-KC H=atl4mhob21.registeredsite.com [209.17.115.115]:56000 Warning: Message has been scanned: no virus or other harmful content was found
    2021-04-07 16:00:46 1lUEM2-0008O7-KC <= cross@customerhorseshoe.cam H=atl4mhob21.registeredsite.com [209.17.115.115]:56000 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=4433 id=kvceNceoyRqBkaNsoeC4xPCUMm0St52PM8fmrcojzqQ.VeCxe92qOpxLFJ4tedrGPASOlssa3u887t-3mV33jzo@customerhorseshoe.cam T="Spray on your head and never go bald" for info@ourdomain
    2021-04-07 16:00:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lUEM2-0008O7-KC
    2021-04-07 16:00:47 1lUEM2-0008O7-KC => info R=virtual_user T=dovecot_virtual_delivery_no_batch C="250 2.0.0 ggd7CG8PbmD+fQAAVCkTyw Saved"
    2021-04-07 16:00:47 1lUEM2-0008O7-KC Completed
    0
  • cPDavidL
    Thank you for your update! Now you're going to want to check /var/log/maillog for spamd runs coinciding with the submission of that message, that were executed by the username that owns the recipient domain.
    grep spamd /var/log/maillog | grep 'Apr 7 16:00' | grep $username
    Be sure to replace $username with the cPanel account username that owns the recipient domain. This should show you the spam processes that handled the scanning. If it doesn't, then use your preferred pager (I use the 'less' command) to check the maillog file for errors related to spamd during that time frame.
    0
  • serg499
    Grep hasn't worked for me for an unknown reason, but here's /var/log/maillog on a similar email (a lot of our emails skip the spam check due to the error in the first post):
    [CODE=bash]
    Apr 8 15:15:52 vps spamc[24292]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 8 15:15:52 vps spamd[4266]: spamd: connection from localhost [127.0.0.1]:36332 to port 783, fd 5
    [/CODE]
    Another e-mail:
    [CODE=bash]
    Apr 8 15:16:49 vps spamd[4266]: spamd: connection from localhost [127.0.0.1]:37674 to port 783, fd 5
    Apr 8 15:16:49 vps spamd[4266]: spamd: setuid to ouruser succeeded
    Apr 8 15:16:49 vps spamd[4266]: config: not parsing, 'allow_user_rules' is 0: meta FROM_TLD ( __FROM_TLDFROM + __FROM_TLDFROMA >= 1 )
    Apr 8 15:16:49 vps spamd[4266]: config: failed to parse line, skipping, in "/home/ouruser/.spamassassin/user_prefs": meta FROM_TLD ( __FROM$
    Apr 8 15:16:49 vps spamd[4266]: config: not parsing, 'allow_user_rules' is 0: header __FROM_TLDFROM From =~ /\.(cf|ga|cyou|ml|tk|bid|book|cl$
    Apr 8 15:16:49 vps spamd[4266]: config: failed to parse line, skipping, in "/home/ouruser/.spamassassin/user_prefs": header __FROM_TLDFROM $
    Apr 8 15:16:49 vps spamd[4266]: config: not parsing, 'allow_user_rules' is 0: header __FROM_TLDFROMA From:address =~ /\.(cf|cyou|ga|ml|tk|bi$
    Apr 8 15:16:49 vps spamd[4266]: config: failed to parse line, skipping, in "/home/ouruser/.spamassassin/user_prefs": header __FROM_TLDFROMA$
    Apr 8 15:16:49 vps spamd[4266]: spamd: checking message <20210408191608.6804.1550418934.swift@alliedelec.activehosted.com> for ouruser:1000
    Apr 8 15:16:51 vps spamd[4266]: spamd: clean message (0.2/5.0) for ouruser:1000 in 1.5 seconds, 29857 bytes.
    Apr 8 15:16:51 vps spamd[4266]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HEL$
    Apr 8 15:16:51 vps spamd[11787]: prefork: child states: II
    [/CODE]
    Also today I've got an email from cPanel - FAILED ?: tailwatchd. Don't know if it's a related issue, here's the log it gave me:
    [CODE=bash]
    Service Name: tailwatchd
    Service Status: failed ?
    Notification: The service "tailwatchd" appears to be down.
    Service Check Raw Output: Use of uninitialized value in string eq at /usr/local/cpanel/Cpanel/RestartSrv/Systemd.pm line 138. (XID 286yy9) The "tailwatchd" service is down.
    Startup Log:
    Apr 08 17:54:38 (our server) spamc[6149]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 17:59:40 (our server) spamc[6563]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:04:42 (our server) spamc[7002]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:09:43 (our server) spamc[7483]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:14:45 (our server) spamc[7941]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:19:45 (our server) spamc[8420]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:24:48 (our server) spamc[8869]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:29:50 (our server) spamc[9319]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:36:46 (our server) spamc[9802]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Apr 08 18:36:57 (our server) spamc[9877]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
    Memory Information: Used 4.72 GB, Available 1.71 GB, Installed 4 GB
    Load Information: 2.62 1.16 0.47
    Uptime: 47 days, 35 minutes, and 23 seconds
    IOStat Information:
    avg-cpu: %user %nice %system %iowait %steal %idle
             7.33  0.08  1.34    0.00    0.00   91.24
    Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
    ploop21186 47.28 411.70 4309.74 1672701230 17510141220
    Top Processes:
    PID Owner CPU % Memory % Command
    9982 root 30.16 0.32 cpgreylistd - processing request
    10861 root 20.84 30.11 /usr/local/cpanel/3rdparty/bin/clamd
    9983 mailnull 6.38 0.20 /usr/sbin/exim -odi -Mc 1lUdH1-0002Xn-PC
    9987 mailnull 3.45 0.17 /usr/sbin/exim -odi -t -oem -oi -f <> -E1lUdH1-0002Xn-PC
    9836 ouruser 0.49 0.22 dovecot/lmtp
    [/CODE]
    0
  • cPDavidL
    Thank you for your update. Honestly, the fact that grep does not work, and the error shown in the tailwatchd notification, are absolutely causes for concern, and need to be investigated accordingly. Those maillog entries definitely show an issue with the connection to spamd failing. A message cannot be scanned if the spamd service cannot be reached. I would encourage you to reach out to our support staff (at support.cpanel.net) for a more detailed investigation into why the spamd daemon is refusing connections.
    0
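
Added example (not part of the thread and not cPanel tooling): a shell function that tallies the spamc "Connection refused" lines and the spamd connection and scan lines quoted in the posts above, and counts refused attempts that have no spamd connection logged in the same second. The function names and the sample log lines are constructed for illustration, and the same-second pairing is a heuristic assumption.

```shell
#!/bin/sh
# Summarise spamc/spamd activity from a maillog-style file (or stdin).
# Usage: spamd_summary /var/log/maillog
spamd_summary() {
    awk '
    # awk field splitting collapses runs of spaces, so a syslog date
    # written "Apr  8" or "Apr 8" still gives month=$1 day=$2 time=$3.
    { ts = $1 " " $2 " " $3 }
    # spamc could not reach spamd (the error quoted in the thread).
    /spamc\[[0-9]+\]: connect to spamd on .* failed/ {
        refused++; fail[ts]++
    }
    # spamd accepted a client connection.
    /spamd\[[0-9]+\]: spamd: connection from / {
        accepted++; conn[ts]++
    }
    # spamd finished scoring a message.
    /spamd\[[0-9]+\]: spamd: (clean message|identified spam) / {
        scanned++
    }
    END {
        # Heuristic: a refused attempt with no spamd connection logged in
        # the same second had no visible fallback and needs a closer look.
        for (t in fail) if (!(t in conn)) unanswered += fail[t]
        printf "refused=%d accepted=%d scanned=%d unanswered=%d\n",
               refused, accepted, scanned, unanswered
    }' "${1:--}"
}

# Constructed sample input, modelled on the log lines in the thread.
sample_maillog() {
    cat <<'EOF'
Apr  8 15:15:52 vps spamc[24292]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr  8 15:15:52 vps spamd[4266]: spamd: connection from localhost [127.0.0.1]:36332 to port 783, fd 5
Apr  8 15:15:53 vps spamd[4266]: spamd: clean message (0.2/5.0) for ouruser:1000 in 1.5 seconds, 29857 bytes.
Apr 08 17:54:38 vps spamc[6149]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Apr 08 17:59:40 vps spamc[6563]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
EOF
}

sample_maillog | spamd_summary
```

A non-zero `unanswered` count, or a `scanned` count far below the number of delivered messages in exim_mainlog for the same period, points at mail that was delivered without a SpamAssassin score.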
