[Case 112257] Lots of spam making it past SpamAssassin
Hi guys,
All of a sudden every email account of one server is getting tons of spam.
I have checked to see if SpamAssassin is running on individual accounts and it seems to be running fine, but I can't explain it. Possible server breach? Is there a way to check if the SpamAssassin service is actually running?
Thank you
-
Thanks Michael! I'll open a ticket and will update the thread when it's resolved. :) 0 -
[quote="stormy, post: 1706791"]So, back on topic, it seems the problem is that we won't get updated SpamAssassin rules until the fall. And this particular breed of spam is crafted so it doesn't score high with the rules that we are using. Is there anything we can do while we wait? I'm blocking IP ranges but it comes from a lot of different servers.[/quote]
This is what I did. I started manually filtering SPAM. It works for the most part. First read the following article; the answer (or how-to) is towards the end, in Vinayak's last post: http://forums.cpanel.net/f43/need-filter-all-email-348741.html#post1683761 and this is my filter (partial). If you need, I can mail you the whole filter and the Excel file that helps me to create it.

    # Divert mail whose Subject or From contains every word of any one group below.
    # Further groups from the full filter are added the same way, each prefixed with "or".
    if first_delivery and (
        ($header_subject: contains "Small" and $header_subject: contains "Business" and $header_subject: contains "Loan")
        or ($header_subject: contains "1k" and $header_subject: contains "card")
        or ($header_subject: contains ".......")
        or ($header_subject: contains "-------")
        or ($header_subject: contains "Gift" and $header_subject: contains "Card" and $header_subject: contains "Survey")
        or ($header_from: contains "Diabetic" and $header_from: contains "Connect")
        or ($header_from: contains "Drug" and $header_from: contains "Facts")
        or ($header_from: contains "Drug" and $header_from: contains "Rehab" and $header_from: contains "Facilities")
        or ($header_from: contains "Credit" and $header_from: contains "Report" and $header_from: contains "Center")
        or ($header_from: contains "Debt" and $header_from: contains "consolidation")
        or ($header_from: contains "Notice" and $header_from: contains "Appearance")
        or ($header_from: contains "Notice" and $header_from: contains "Appear")
    )
    then
        deliver anEmail@yourdomain.com
    endif

This will send all mail caught by the filter to an email address, so you can monitor what is being filtered. If you just want to delete the mail, replace the line anEmail@yourdomain.com with seen finish. Note: It seems like every time you make changes to your custom filters, you need to update WHM by Service Configuration » Exim Configuration Manager, choose Filters tab and click on Save. I hope this helps. 0 -
[quote="cPanelMichael, post: 1707671"]Please note that as mentioned, it's important to open a support ticket if you feel there is an issue with SpamAssassin and its implementation with cPanel. You can post the ticket number here and we can update this thread with the outcome. Thank you.[/quote]
The issue is -- it's no longer effective. I use SpamHaus Zen and Barracuda RBLs, DCC, Vipul's Razor, IXHash, DCC, and liberal additions to /etc/spammeripblocks. In the past month the amount of spam getting through the systems is insane. Definitely SpamAssassin (3.3.2 at least) is becoming increasingly ineffective, and I'm not sure that SpamAssassin 3.4 holds anything promising. Spammers are doing a lot to be "more reputable" from a SPF / SenderID / DKIM / DMARC standpoint. Of course, they are still hosting at the same spam havens that they are always at. At any rate, you don't want everyone opening up tickets if they think SA is ineffective, because you'd be inundated with tickets for which there is nothing you can do. Mike 0 -
We do have internal case 112257 open due to the number of tickets open for this issue, and this thread itself. The commonality found is a corrupted bayes database. As a temporary workaround, users have found success when moving the /home/$user/.spamassassin bayes files out of the way so they are rebuilt over time. The case is still active and under investigation. Thank you. 0 -
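The workaround described above, as an added shell example that is not from cPanel or from any poster in this thread: it moves only one account's `bayes_*` files into a timestamped backup directory and leaves `user_prefs` alone. The function name, the backup directory name and the default file names `bayes_toks`, `bayes_seen` and `bayes_journal` are assumptions; the thread only says "bayes files".

```shell
#!/bin/sh
# Added example (not cPanel's code). Assumes the default Bayes file names
# bayes_toks, bayes_seen and bayes_journal under ~/.spamassassin.

# move_bayes_aside HOME_DIR
# Prints the backup directory on success. Returns 1 if there was nothing to
# move and 2 on error. user_prefs and other files are left in place.
move_bayes_aside() {
    sa_dir="$1/.spamassassin"
    # Run as root, a symlinked directory could redirect the move elsewhere.
    if [ -L "$sa_dir" ] || [ ! -d "$sa_dir" ]; then
        echo "skipping: $sa_dir is missing or is a symlink" >&2
        return 2
    fi
    backup="$sa_dir/bayes-aside-$(date +%Y%m%d-%H%M%S)"
    moved=0
    for f in "$sa_dir"/bayes_*; do
        # Regular files only; this also skips an unmatched glob.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        if [ "$moved" -eq 0 ]; then mkdir "$backup" || return 2; fi
        mv -- "$f" "$backup/" || return 2
        moved=$((moved + 1))
    done
    if [ "$moved" -eq 0 ]; then
        echo "no bayes_* files in $sa_dir" >&2
        return 1
    fi
    echo "$backup"
}

# Stand-alone use: ./move_bayes_aside.sh /home/USER
if [ "$#" -gt 0 ]; then
    move_bayes_aside "$1"
fi
```

The backup directory is created by whoever runs the script, so when run as root it stays root-owned inside the user's home until it is removed or re-owned.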
@kdean says: [QUOTE]SpamAssassin not updating the rules since April may have something to do with it.[/QUOTE]
Can someone please verify whether it's correct that SpamAssassin running on a server with WHM 11.44.1 is no longer updating its rules. 0 -
[quote="kamm, post: 1719392"]Can someone please verify whether it's correct that SpamAssassin running on a server with WHM 11.44.1 is no longer updating its rules.[/quote]
Actually, the original reports I read seem to be inaccurate on that point; however, the updates have been sporadic. For example, there hadn't been any channel updates since July 28th or so until just a few days ago where I noticed the channel version started incrementing again. Looking at the history since April, the updates could continue for a bit and then go away for another month, so who knows what exact schedule they're on. So, right now they're updating and I "may" be seeing less spam than before get through. 0 -
[quote="kamm, post: 1719392"]@kdean says: Can someone please verify whether it's correct that SpamAssassin running on a server with WHM 11.44.1 is no longer updating its rules.[/quote]
On all servers that I manage, spamassassin rules are updated nightly. The latest stuff is in: /var/lib/spamassassin/3.003002/*
drwxr-xr-x 3 root root 4096 Aug 29 00:54 3.003002/
(times vary by a few hours here and there) M 0 -
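One way to check the question raised above, whether rule updates are still arriving, is to measure the age of the newest file under the rules directory named in the post. This is an added example, not code from the thread or from cPanel; the function names and the 7-day default threshold are assumptions, and it needs GNU find.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the 7-day default
# are assumptions; requires GNU find for -printf.

# newest_rule_age_days DIR
# Prints whole days since the most recently modified file under DIR.
newest_rule_age_days() {
    rules_dir=$1
    if [ ! -d "$rules_dir" ]; then
        echo "no rules directory: $rules_dir" >&2
        return 2
    fi
    # One epoch timestamp per file; the largest is the latest update.
    newest=$(find "$rules_dir" -type f -printf '%T@\n' | sort -n | tail -n 1)
    if [ -z "$newest" ]; then
        echo "no files under $rules_dir" >&2
        return 2
    fi
    now=$(date +%s)
    # %T@ has a fractional part; strip it before integer arithmetic.
    echo $(( (now - ${newest%.*}) / 86400 ))
}

# rules_are_stale DIR MAX_DAYS
# Returns 0 if nothing under DIR changed within MAX_DAYS, 1 if the rules are
# fresh, 2 if the directory could not be examined.
rules_are_stale() {
    age=$(newest_rule_age_days "$1") || return 2
    [ "$age" -gt "$2" ]
}

# Stand-alone use: ./rules_age.sh /var/lib/spamassassin/3.003002 [MAX_DAYS]
if [ "$#" -gt 0 ]; then
    rc=0
    rules_are_stale "$1" "${2:-7}" || rc=$?
    case $rc in
        0) echo "STALE: nothing under $1 changed in the last ${2:-7} days" ;;
        1) echo "OK: rules under $1 were updated recently" ;;
        *) exit 2 ;;
    esac
fi
```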
Having this same issue. I tried to post a support ticket but the system generated an error. ? thanks to CP for looking into this for us. We have 20+ domains complaining. 0 -
[quote="alecuitti, post: 1722882"]Having this same issue. I tried to post a support ticket but the system generated an error. ? thanks to CP for looking into this for us. We have 20+ domains complaining.[/quote]
Is my previous post to this thread of any help? Post 1717651 Thank you. 0 -
>>>>We have 20+ domains complaining. Did you try Post #33? It is time consuming and tedious, but it took care of my 50+ domains complaining. 0 -
Removing the bayes databases helped for a little bit, then the spam levels came back for most users. I wonder if the databases get corrupted easily? As far as the filter file mentioned here, I may try that. Although, the reason I choose to run whm/cpanel is precisely so that I don't have to run terminal commands. This is another discussion probably but it should be easy for a non-sysadmin to manage their servers. This is 2014. I do have confidence that we will figure out a better way to handle spam but I'm realizing that the speed at which black-hatters develop is an order of magnitude higher than white-hats. Maybe next year? 0 -
Re: Cpanel and SpamAssassin [quote="Infopro, post: 1694622"]Apache SpamAssassin is updated when cPanel is updated, and yours has not been updated in a long time...[/quote]
Hello, I have this: CENTOS 6.5 x86_64 standard – WHM 11.44.1 (build 18), and from a few days ago I am seeing an increase in the amount of spam I am getting. I did receive in the past four to ten spam mails in a month; today I got more than 40 spam messages. I have all the limits in 4 in the Exim so I can be safe, but it seems like the spammers are getting their way to the user inbox. Can you give me advice on how to get the more strict rules and have all the users in my server safe and the spam as far away as possible? Please... Kind regards, Jose 0 -
Hi linkedia, I've moved your question to this thread where it fits better. Thanks 0 -
Cool, but please help, I have no money to buy all the Rolex, Oakley, vacation plans and pharmacy I am getting in the mail ;) 0 -
Please ensure you read through the thread your post was moved into. In particular: Post 1717651 Thank you. 0 -
This thread I've moved you to, should be helpful. Please have a read of at least this post, above yours here: [Case 112257] Lots of spam making it past SpamAssassin - cPanel Forums 0 -
[quote="sukrub, post: 1717402"]and this is my filter (partial). If you need I can mail you the whole filter and the excel file that helps me to create it.[/quote]
Will you email me a copy of your filter and excel file, please? ebonar at josiesque dot com Thanks, 0 -
I just sent you the filter and excel file 0 -
[quote="stormy, post: 1706791"]Is there anything we can do while we wait?[/quote]
I'm tired of waiting. I've re-routed my mail down to 3 domains, and am paying $4 per domain per month for SpamExperts. (The $4 price is from Veerotech.net, an excellent host I use. I think you can even buy the service separate, and not use them for hosting.) It's a small price to pay for not being annoyed every day by bucketloads of crap in my inbox. cPanel is starting to get really aggravating by not natively supporting modern things (nginx, MariaDB, php-fpm), by letting old things lapse (SpamAssassin, etc), and by continuing to allow now-unsafe things to exist ("addon" domains, etc). It's sad, but Plesk is better again as of version 12.0