
Spamassassin did no SPF check for this mail, but should have done it

Comments

9 comments

  • dandadude
    It seems that spamassassin only cared about the "schachters.com" domain (and not the one in the FROM address) when checking SPF, because that has no SPF record. exim_mainlog doesn't include the "FROM" address either, please check:

        2021-11-03 08:20:59 1miAZv-0003kU-0n H=p3plsmtp13-04-2.prod.phx3.secureserver.net (p3plwbeout13-04.prod.phx3.secureserver.net) [173.201.192.168]:36249 Warning: "SpamAssassin as ourdomaintld detected message as NOT spam (2.2)"
        2021-11-03 08:20:59 1miAZv-0003kU-0n H=p3plsmtp13-04-2.prod.phx3.secureserver.net (p3plwbeout13-04.prod.phx3.secureserver.net) [173.201.192.168]:36249 Warning: Message has been scanned: no virus or other harmful content was found
        2021-11-03 08:20:59 1miAZv-0003kU-0n <= jodi@schachters.com H=p3plsmtp13-04-2.prod.phx3.secureserver.net (p3plwbeout13-04.prod.phx3.secureserver.net) [173.201.192.168]:36249 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3875 id=20211103001648.75234ab67224cea2030dee962839da49.d38b123ea8.wbe@email13.godaddy.com T="Fizet\351s" for jl@ourdomain.tld
        2021-11-03 08:21:00 1miAZv-0003kU-0n => jl (jl@ourdomain.tld) R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 OCtBOFs4gmGANwAAsFPSkA Saved"
        2021-11-03 08:21:00 1miAZv-0003kU-0n Completed

    So my problem is that it doesn't care about the FROM header, but it should!!! That causes it to not be spam. Is this normal behavior? Thx
    0
  • cPanelAnthony
    Hello! Using "-all" makes it strict, so this email should have failed the spam check and gotten marked. Could you please open a support ticket using the link in my signature so we can investigate? Or, if you don't have access, you can ask your hosting provider to open a ticket with cPanel.
    0
  • dandadude
    Hello! Using "-all" makes it strict, so this email should have failed the spam check and gotten marked. Could you please open a support ticket using the link in my signature so we can investigate? Or, if you don't have access, you can ask your hosting provider to open a ticket with cPanel.

    Thanks very much, I have made the ticket and also received answers. The conclusion is this: "In the SpamAssassin documentation at
    0
  • cPanelAnthony
    Hello! I'm not sure if there's an easy solution. With that being said, could you provide the ticket ID? I would like to review it along with the internal notes left by the cPanel team. Thank you!
    0
  • dandadude
    @cPanelAnthony: Thanks very much, here is the ID: 94381410
    0
  • cPanelAnthony
    It looks like the SpamAssassin score needed to be increased on a couple of rules. It also seems that we suggested that your user decrease their required spam score from 4.7 to 4. I'm glad this was resolved!
    0
  • dandadude
    @cPanelAnthony: Actually this is not a good resolution at all (I accepted it because I needed to), because no SPF scores were created by spamassassin in spite of the fact that the "From" header contained an address that had a strict (-all) SPF record and the mail was not sent from any of the allowed IP addresses. My understanding is that according to the URL referred to, spamassassin does not care about the "From" header, thus this can be forged if needed; it only takes into account the "Envelope-From, Return-Path, and X-Envelope-From" headers. Do I understand right? If yes, is it a normal thing that "From" can be forged? :-) I am counting on you, because you said earlier that this shouldn't be happening, "From" should not be forgeable :-) Thanks, Daniel
    0
  • cPanelAnthony
    I believe I understand! "From" headers are the most commonly forged; it's definitely not rare to see this. I thought the ~all would affect the "from" headers, but it seems Mary was correct in the ticket. As the "From" headers are easily forged, it takes into account the other headers. I apologize for any inconvenience.
    0
  • NetVicious
    I solved this kind of forged email by modifying the score assigned to the HEADER_FROM_DIFFERENT_DOMAINS spamassassin rule. You can do it in cPanel:

        Spam Filters / Show additional configurations / Configure calculated spam scores settings

    There you can add rules with a specific score. I set HEADER_FROM_DIFFERENT_DOMAINS to 9,9 and my system directly deletes messages above 9. FROMNAME_SPOOFED_EMAIL is another good rule to give a higher score to, to stop spammers spoofing emails.
    0
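As an added example (not code from the thread, from cPanel or from SpamAssassin), the following Python models the two points made in the thread: dandadude's observation that SPF was evaluated on the envelope sender (schachters.com, which has no record) rather than on the header From, and NetVicious' fix of giving HEADER_FROM_DIFFERENT_DOMAINS a score high enough to cross the site's delete threshold. The sample message, the header-From domain spoofed-brand.example, the SPF_RECORDS table standing in for DNS, the authorised IP 203.0.113.10 and the score values are all constructed for the example; the toy SPF evaluator only distinguishes none/pass/fail/softfail and does not implement real SPF mechanisms.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the exim log in the thread: the envelope sender
# (Return-Path) is jodi@schachters.com, while the header From claims a different
# domain. The From domain and subject are made up; the client IP is the one logged.
SAMPLE_MESSAGE = """\
Return-Path: <jodi@schachters.com>
Received: from p3plsmtp13-04-2.prod.phx3.secureserver.net ([173.201.192.168])
From: "Accounting" <accounts@spoofed-brand.example>
To: jl@ourdomain.tld
Subject: Invoice

Please pay the attached invoice.
"""

# Hypothetical stand-in for DNS lookups. schachters.com publishes no SPF record
# (as dandadude observed); spoofed-brand.example publishes a strict "-all"
# record whose only authorised IP is a constructed address.
SPF_RECORDS = {
    "spoofed-brand.example": {"authorised_ips": {"203.0.113.10"}, "all": "-"},
}

def domain_of(header_value):
    """Extract the bare domain from an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spf_result(domain, client_ip):
    """Toy SPF evaluation: none (no record) / pass / fail (-all) / softfail (~all)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    if client_ip in record["authorised_ips"]:
        return "pass"
    return "fail" if record["all"] == "-" else "softfail"

def analyse(raw_message, client_ip):
    """Compare SPF evaluated on the envelope sender (what the thread says
    SpamAssassin uses) with SPF evaluated on the header From (what the poster
    expected), and record whether the two domains differ."""
    msg = message_from_string(raw_message)
    envelope_domain = domain_of(msg["Return-Path"])
    header_domain = domain_of(msg["From"])
    return {
        "envelope_domain": envelope_domain,
        "header_from_domain": header_domain,
        "spf_envelope": spf_result(envelope_domain, client_ip),
        "spf_header_from": spf_result(header_domain, client_ip),
        "header_from_differs": envelope_domain != header_domain,
    }

# Local scores in the spirit of NetVicious' post; the values are illustrative.
RULE_SCORES = {"HEADER_FROM_DIFFERENT_DOMAINS": 9.9}
DELETE_THRESHOLD = 9.0

def score(analysis):
    """Return (total score, rules hit) for the domain-mismatch rule alone."""
    hits = []
    total = 0.0
    if analysis["header_from_differs"]:
        hits.append("HEADER_FROM_DIFFERENT_DOMAINS")
        total += RULE_SCORES["HEADER_FROM_DIFFERENT_DOMAINS"]
    return total, hits

def verdict(raw_message, client_ip):
    """'delete' if the local score exceeds the site's threshold, else 'deliver'."""
    total, _ = score(analyse(raw_message, client_ip))
    return "delete" if total > DELETE_THRESHOLD else "deliver"

if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE, "173.201.192.168")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(SAMPLE_MESSAGE, "173.201.192.168"))
```

Running it shows spf_envelope as "none" (no record for the envelope domain, so no SPF rule would add points) while spf_header_from is "fail"; the message is only caught because the header-From/envelope mismatch rule alone carries enough weight to pass the threshold.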
