[Case 112257] Lots of spam making it past SpamAssassin
Hi guys,
All of a sudden every email account of one server is getting tons of spam.
I have checked to see if SpamAssassin is running on individual accounts and it seems to be running fine, but I can't explain it. Possible server breach? Is there a way to check if the SpamAssassin service is actually running?
Thank you
-
Hello :) Have you checked the messages and message headers to determine if the SPAM is coming from the same place, or if it's from multiple sources? You can review /var/log/exim_mainlog to see if SpamAssassin is scoring the messages and marking them as SPAM. Thank you.
I'm getting a lot of spam that simply isn't getting a high enough score in SpamAssassin. It started 2-3 days ago. Is this what you are seeing?
Lots of spam making it past Apache SpamAssassin
This is really weird. A couple days ago I started getting lots of very obvious spam (loans, credit score, etc) that seems to be fooling SpamAssassin, and getting really low scores. The servers sending spam belong to different companies, but the domains/subdomains used are all from - Removed -. Is there anyone else seeing this?
Hello :) I've not seen any other reports of this issue. You may want to consider setting up an account level filter to block email from that domain name. Thank you.
If only it were that easy! :) Spam is coming from multiple subdomains from multiple domains, scattered on different servers and providers. Only when running the emails through Spamcop I can see that the domains are all from rightside.co. Is it ok to post spam samples with headers here? Is there any info I should block?
You can post the header here, but ensure you replace actual domain names and IP addresses with examples. Thank you.
Here's one of the about 40 I received yesterday. Topics ranging from miracle cures to Russian brides to home loan to auto insurance. All of them get really low scores. - Removed -
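The reply above points at /var/log/exim_mainlog as the place to confirm that SpamAssassin is actually scoring mail. The script below is an added example (not from the thread or from cPanel) that does that check over a handful of constructed log lines: it counts how many arriving messages got a SpamAssassin verdict at all, breaks verdicts down per account, and lists "near misses" that scored close to the required threshold. The line format (`Warning: "SpamAssassin as ACCOUNT detected message as NOT spam (SCORE)"`) is assumed from cPanel's Exim ACL; check it against your own log before relying on the regex.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape cPanel's Exim ACL is assumed to write to
# /var/log/exim_mainlog. Hosts and addresses are RFC 5737 / example.* values.
# The last arrival has no SpamAssassin line at all: that is what an unscored
# message (for example, SA disabled for that account) would look like.
SAMPLE_LOG = """\
2014-08-08 12:46:54 1XFhhF-0005s4-E9 Warning: "SpamAssassin as user1 detected message as NOT spam (-0.9)"
2014-08-08 12:46:54 1XFhhF-0005s4-E9 <= cures@example.com H=client.example.com [198.51.100.5] P=esmtp S=3110
2014-08-08 12:47:10 1XFhhV-0005sA-1b Warning: "SpamAssassin as user1 detected message as NOT spam (3.6)"
2014-08-08 12:47:10 1XFhhV-0005sA-1b <= offers@example.net H=mx.example.net [198.51.100.9] P=esmtp S=4012
2014-08-08 12:48:02 1XFhiL-0005sQ-7c Warning: "SpamAssassin as user2 detected message as spam (12.4)"
2014-08-08 12:48:02 1XFhiL-0005sQ-7c <= junk@example.org H=relay.example.org [203.0.113.7] P=esmtp S=2200
2014-08-08 12:49:33 1XFhjp-0005t0-Kx <= friend@example.com H=mail.example.com [192.0.2.10] P=esmtp S=2048
"""

# One SpamAssassin verdict line: timestamp, Exim message id, account, verdict, score.
SA_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) .*?"
    r"SpamAssassin as (?P<account>\S+) detected message as "
    r"(?P<verdict>NOT spam|spam) \((?P<score>-?\d+(?:\.\d+)?)\)"
)
# An inbound message arrival in Exim's main log ("<=").
ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= ")


def parse_sa_lines(text):
    """Return one dict per SpamAssassin verdict line found in the log text."""
    hits = []
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if m:
            hits.append({
                "ts": m.group("ts"),
                "msgid": m.group("msgid"),
                "account": m.group("account"),
                "spam": m.group("verdict") == "spam",
                "score": float(m.group("score")),
            })
    return hits


def summarize(text):
    """Coverage check: did every arrival get a verdict, and how did they score?"""
    hits = parse_sa_lines(text)
    arrivals = sum(1 for line in text.splitlines() if ARRIVAL.match(line))
    per_account = defaultdict(Counter)
    for h in hits:
        per_account[h["account"]]["spam" if h["spam"] else "ham"] += 1
    ham_scores = sorted(h["score"] for h in hits if not h["spam"])
    return {
        "arrivals": arrivals,
        "scored": len(hits),
        "unscored": arrivals - len(hits),
        "spam": sum(1 for h in hits if h["spam"]),
        "ham": len(ham_scores),
        "per_account": {k: dict(v) for k, v in per_account.items()},
        "lowest_ham_score": ham_scores[0] if ham_scores else None,
    }


def near_misses(text, required=5.5, margin=2.0):
    """Ham verdicts scored within `margin` points of the required score."""
    return sorted(h["score"] for h in parse_sa_lines(text)
                  if not h["spam"] and h["score"] >= required - margin)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("near misses:", near_misses(SAMPLE_LOG))
```

If `scored` is zero while `arrivals` is not, spamd is not being consulted at all; if verdicts are present but many obvious spams sit in the near-miss band, the scoring itself is the problem, which is the situation the rest of this thread is about.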
I have the same problem... Did anybody offer a solution yet?
SpamAssassin not updating the rules since April may have something to do with it. Vote to try and get cPanel to break from their delayed schedule to update to the latest release of SpamAssassin so we can get the updated latest rules instead of going 4-6+ months without new rules. [url=http://features.cpanel.net/responses/update-to-spamassassin-340_2]Update to SpamAssassin 3.4.0 | cPanel Feature Requests[/url]
You should try to use any other paid spam filter, as SpamAssassin is not updating the rules since April, or contact SpamAssassin to update it.
Lots of spam making it past SpamAssassin
Spam is really a headache. Spammers have all their ways around. I am also looking for a solution on this.
Multiple threads merged here.
[quote="toshost, post: 1704692"]You should try to use any other paid spam filter, as SpamAssassin is not updating the rules since April, or contact SpamAssassin to update it.[/quote]
Let me clarify. SpamAssassin is updating rules for SpamAssassin 3.4, which we haven't been updated to with cPanel yet even though it was released in February. Sure, they need time to vet the release, but that probably should have been done during the 11.44 releases whereas right now it's not set to be included until the 11.46 release, whenever that's due.
Infopro: I did alter the headers when I posted the samples. My email and server information was kept off. Of course I didn't alter the spammer's header, because what would be the point then? It would be like posting nothing! What useful information can I post that you won't want to delete?
Domain, email, IP, modify all of it. We'll get the idea just fine. Plastering it all like that on these forums, you're helping the spammer get his email spam out to even more people. We don't need any more spam on these forums, we get enough as it is. FYI, we try our best to clean up similar posts as they come up; look around. But you had so much posted it was a waste of time on this end to clean up your posts, so I removed them. Help us out a little here, we're trying to help you.
[quote]Domain, email, IP, modify all of it. We'll get the idea just fine.[/quote]
I don't get it. What idea you want to get? What use is an email header with all the email header information stripped? I already know it's spam, and I already see that SpamAssassin is assigning a very low score. I'll ask again: what useful information can you glean from email headers that don't have domains, email addresses or IPs? Tell me what you're looking for and I'll post it.
[quote]Plastering it all like that on these forums, you're helping the spammer get his email spam out to even more people.[/quote]
I'm sorry but you are going to need to explain this to me, because I don't understand. I didn't post the spam. I posted the headers, and I edited them. How is this getting email spam out to more people?
[quote]But, you had so much posted it was a waste of time on this end to clean up your posts, so I removed them.[/quote]
Actually you turned the effort I put in my post into a waste of time. I did take time digging up the headers, eliminating sensitive information, formatting it correctly with code tags, explaining what each email was, etc. There was helpful information posted that could have been used to find similarities between the spam headers, trace it to a known source, etc.
[quote]Help us out a little here, we're trying to help you.[/quote]
Well, let me know what you need from me so you can help me.
If I must, but this is silly to have to explain this to you. We're not Apache SpamAssassin, so posting the spammer's real details is of no use. Modified, it's still of use. One of your posts, modified properly:
[code]
Return-path: 
Envelope-to: XXXXX
Delivery-date: Fri, 08 Aug 2014 12:46:54 +0200
Received: from client.domain.com ([198.23.xx.x]:60784 helo=domain.com)
	by XXXXX with esmtp (Exim 4.82)
	(envelope-from )
	id 1XFhhF-0005s4-E9
	for XXXXX; Fri, 08 Aug 2014 12:46:54 +0200
Date: Fri, 08 Aug 2014 03:45:03 -0700
X-Mailer: Opera7.23/Win32 M2 build 3227
Content-Type: text/plain; charset="utf-8"
Message-ID: <2014.08.08.7718647.0e0fe9bf7ed4df17a7240215e42cc012.6164835.0@domain.com >
From: Natural_Cures
Mime-Version: 1.0
Subject: Fwd: Spam Title here, Removed.
To: XXXXX
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.9
X-Spam-Score: -8
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "XXXXX", has
 identified this incoming email as possible spam. The original message has
 been attached to this so you can view it (if it isn't spam) or label similar
 future email. If you have any questions, see root\@localhost for details.

 Content preview: Spam Content Preview Here, Removed. [...]

 Content analysis details: (-0.9 points, 5.5 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
  0.6 INVALID_MSGID          Message-Id is not valid, according to RFC 2822
X-Spam-Flag: NO
[/code]
From that we get the idea, you got a spam email.
[quote]If I must, but this is silly to have to explain this to you[/quote]
I'm sorry sir, have I done anything to offend you?
[quote]We're not Apache SpamAssassin[/quote]
Terribly sorry again, but what makes you say this? I've been using cPanel for 15 years, I know who cPanel is and which forum I'm on.
[quote]From that we get the idea, you got a spam email.[/quote]
That was never a doubt. I never asked for help so I could be sure if I got a spam email or not. The title of the thread (which you or some mod edited) was "Lots of spam making it past SpamAssassin". SpamAssassin, which is included with cPanel, but not developed by cPanel, is failing to filter very obvious spam, in large quantities. This has never happened before. Hence, the need to diagnose the problem:
- Is it a SpamAssassin problem that can be solved?
- Is there something in common with the spam received that can be filtered, or sheds some light into the problem? (This we can't do, because you've removed all information that could be used to trace the spam source.)
- Aren't you surprised that an obvious spam email is getting a negative SpamAssassin score?
My SA rules update nightly just fine. It sounds like you're seeing a sudden change, which might indicate a corrupt Bayes database. Hard to say for sure without more information, but I would start there. I would strongly recommend installing ConfigServer's MailScanner package. It will rock your world. Installation is available for a very minimal fee, and it's worth it. MailScanner works very well with SA. If you go to his site and read the FAQs, there's a wealth of information, such as [url=http://www.configserver.com/techfaq/faqlist.php?catid=5&faqid=77&page=7]this one[/url].
This may be a dumb question, but why does cPanel have to control the SpamAssassin version? Why can't server administrators install SpamAssassin 3.4.0 if they want to?
[quote="sparek-3, post: 1705911"]This may be a dumb question, but why does cPanel have to control the SpamAssassin version? Why can't server administrators install SpamAssassin 3.4.0 if they want to?[/quote]
Its integration with other services must be tested in order to avoid potential bugs with the cPanel/WHM software and other services we include such as Exim. Feel free to add this feedback to the feature request at: [url=http://features.cpanel.net/responses/update-to-spamassassin-340_2]Update to SpamAssassin 3.4.0 | cPanel Feature Requests[/url] You can also open a support ticket using the link in my signature if SpamAssassin is not behaving the way it should. This will allow us to take a closer look at the issue. Thank you.
So, back on topic, it seems the problem is that we won't get updated SpamAssassin rules until the fall. And this particular breed of spam is crafted so it doesn't score high with the rules that we are using. Is there anything we can do while we wait? I'm blocking IP ranges but it comes from a lot of different servers.
How is it integrated in with Exim? Isn't it just the line: spamd_address = 127.0.0.1 783 Administrators can run their own SpamAssassin daemon and let Exim connect to it, can't they? I don't mean for any of this to sound condescending, I really am curious. I realize I'm probably in the minority with all of this. I just like to know how things work. I understand what you mean about having to test it and make sure it functions well with cPanel. But if cPanel wasn't having to focus on everything AND SpamAssassin integration, wouldn't this free you up to work on other endeavors? Wouldn't it also allow administrators to independently integrate SpamAssassin and other applications as it applies to their specific needs?
[quote="sparek-3, post: 1706801"]I understand what you mean about having to test it and make sure it functions well with cPanel. But if cPanel wasn't having to focus on everything AND SpamAssassin integration, wouldn't this free you up to work on other endeavors? Wouldn't it also allow administrators to independently integrate SpamAssassin and other applications as it applies to their specific needs?[/quote]
You are welcome to submit a feature request for the ability to manage SpamAssassin outside of cPanel: Submit A Feature Request. While forum posts are helpful, it's really the feature requests that are monitored by our developers. If you want to see a change in the product, a feature request is the best way to provide feedback. Thank you.
[quote="stormy, post: 1706791"]So, back on topic, it seems the problem is that we won't get updated SpamAssassin rules until the fall.[/quote]
Why? SpamAssassin Rule Updates happen nightly if you have them configured so. [url=http://docs.cpanel.net/twiki/bin/view/11_36/WHMDocs/UpdateConfig#SpamAssassin%C2%AE%20Rules%20Updates]Update Preferences[/url] You might want to check your update settings.
[quote="MaraBlue, post: 1706892"]Why? SpamAssassin Rule Updates happen nightly if you have them configured so.[/quote]
As stated previously in the thread, the updated rules are not being used:
[quote="kdean, post: 1704752"]SpamAssassin is updating rules for SpamAssassin 3.4, which we haven't been updated to with cPanel yet even though it was released in February. Sure, they need time to vet the release, but that probably should have been done during the 11.44 releases whereas right now it's not set to be included until the 11.46 release, whenever that's due.[/quote]
And the official cPanel answer for this is that it will be updated in the fall.
Well again, I run the version of SA that cPanel provides, and the rules that are being updated. Haven't seen anything like you're describing, nor have I seen a lot of reports like yours. This means that it's highly likely that it's something specific to your system, such as a corrupt Bayes database (which I posted a fix for). Did you try what I suggested in reply #20?
Due to the confusion here and the text in the feature request, it might be worth it if staff clarify this point - I can't immediately see a changelog anywhere for the SA update channels or an EOL announcement for that rule channel. Checking a test system, the rules seem to have last changed late July at least going by the version string output in upcp "current version is 1613764" and before that mid July "1609892".
[quote="MaraBlue, post: 1707202"]Well again, I run the version of SA that cPanel provides, and the rules that are being updated. Haven't seen anything like you're describing, nor have I seen a lot of reports like yours. This means that it's highly likely that it's something specific to your system, such as a corrupt Bayes database (which I posted a fix for). Did you try what I suggested in reply #20?[/quote]
I don't know about the rule updates, that was mentioned by someone else in the thread. I have tried the Bayes fixes, and unfortunately, it didn't help. I'm going to post a few of the SA results. Bear in mind that this is absolutely obvious spam (miracle cures, singles, etc). SpamAssassin results for the same piece of spam, coming twice from different servers:
[code]
Content analysis details: (-0.3 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 2.3 FORGED_MUA_MOZILLA     Forged mail pretending to be from Mozilla
X-Spam-Flag: NO
[/code]
[code]
Content analysis details: (3.6 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 2.8 URI_OPTOUT_USME        URI: Opt-out URI
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 2.3 FORGED_MUA_MOZILLA     Forged mail pretending to be from Mozilla
X-Spam-Flag: NO
[/code]
Results from another different spam, also arriving from two different servers:
[code]
Content analysis details: (2.1 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: full-medicare-plans.com]
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
X-Spam-Flag: NO
[/code]
[code]
Content analysis details: (-2.6 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
X-Spam-Flag: NO
[/code]
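The reports quoted in the post above all share the same shape: a few network checks score positive, while BAYES_00 and RP_MATCHES_RCVD pull the total back under the 5.5 threshold. The script below is an added example (not from the thread, not cPanel's or SpamAssassin's code) that parses a "Content analysis details" block, verifies the per-rule scores add up to the reported total, finds the most negative contributor, and recomputes the total with the Bayes rules excluded, which is the counterfactual you want when a corrupt or badly trained Bayes database is suspected. The two embedded reports are the first pair from the post (the same spam delivered twice); the regexes are my own and assume SpamAssassin's standard report layout.

```python
import re

# Constructed inputs: the first two reports quoted in the post above.
REPORT_A = """\
Content analysis details: (-0.3 points, 5.5 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
 2.3 FORGED_MUA_MOZILLA     Forged mail pretending to be from Mozilla
"""

REPORT_B = """\
Content analysis details: (3.6 points, 5.5 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 2.8 URI_OPTOUT_USME        URI: Opt-out URI
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 2.3 FORGED_MUA_MOZILLA     Forged mail pretending to be from Mozilla
"""

# "(-0.3 points, 5.5 required)" -> reported total and the required score.
HEADER = re.compile(r"\((-?\d+\.\d+) points, (\d+\.\d+) required\)")
# A rule hit: a signed one-decimal score followed by an upper-case rule name.
# The lookbehind keeps "[score: 0.0000]" style fragments from matching.
HIT = re.compile(r"(?<![\w.\[:])(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")


def parse_report(text):
    """Extract the reported total, required score and (score, rule) hits."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' header found")
    hits = [(float(score), rule) for score, rule in HIT.findall(text)]
    return {"total": float(m.group(1)), "required": float(m.group(2)), "hits": hits}


def recomputed_total(hits, exclude_prefix=None):
    """Sum the hits, optionally dropping rules whose name starts with a prefix."""
    kept = [s for s, rule in hits
            if not (exclude_prefix and rule.startswith(exclude_prefix))]
    return round(sum(kept), 1)   # SA reports one decimal; avoid float noise


def diagnose(text):
    """Answer: do the rules add up, what drags the score down, and would the
    message have been flagged if the Bayes rules had not fired?"""
    r = parse_report(text)
    hits = r["hits"]
    without_bayes = recomputed_total(hits, exclude_prefix="BAYES_")
    lowest = min(hits) if hits else None
    return {
        "reported": r["total"],
        "recomputed": recomputed_total(hits),
        "required": r["required"],
        "most_negative_rule": lowest[1] if lowest else None,
        "without_bayes": without_bayes,
        # SpamAssassin flags a message when score >= required_score.
        "would_flag_without_bayes": without_bayes >= r["required"],
    }


if __name__ == "__main__":
    for name, report in (("A", REPORT_A), ("B", REPORT_B)):
        print(name, diagnose(report))
```

For the second delivery the recomputed total without BAYES_00 lands exactly on the 5.5 threshold, so that copy would have been flagged had Bayes not scored it as near-certain ham; the first copy stays well under even then. That split is the useful diagnostic: it tells you how much of the miss is the Bayes database and how much is simply rules that this spam does not trip.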
Please note that as mentioned, it's important to open a support ticket if you feel there is an issue with SpamAssassin and its implementation with cPanel. You can post the ticket number here and we can update this thread with the outcome. Thank you.