Mass SPAM Issue - MailScanner and cPanel Configuration
Hello,
I am experiencing a significant issue with a high volume of SPAM emails being received on my servers, directly affecting my clients.
Currently, I use MailScanner to handle email processing, but I have noticed that some emails are bypassing MailScanner and thus are not receiving proper blocking. The most I can do at the moment is route them to the SPAM folder based on their scoring. However, this has caused an overload in the SPAM inbox, resulting in considerable inconvenience. Typically, the SPAM emails received originate from subdomains ending with .sbs or .us.
Is there any additional configuration or measure I can implement directly on cPanel to prevent or reduce these unwanted emails? Additionally, is there a method to ensure all emails are mandatorily processed fully by MailScanner?
These emails are managed by a node server, acting as a child server of my primary server.
Thank you in advance for your assistance.
-
Hey there! It would likely be best to contact MailScanner about this issue as that isn't one of our tools, so I am not familiar with the configuration options available to you. I would expect them to have more details on their end for this situation.
0 -
I'm having the same issue in my WHM server, a lot of SPAM with .sbs domains.
0 -
Sergio Junior - you can use the WHM >> Filter Incoming Emails by Domain tool to block entire domains from sending mail to your server:
https://docs.cpanel.net/whm/email/filter-incoming-emails-by-domain/
0 -
I understand that blocking the domain is an option, but this type of spam is quite different from the usual cases. All of my clients are receiving spam from these domains, which suggests that we're dealing with a large-scale spam operation. It seems like there’s a massive sender targeting our server, making it difficult to pinpoint the exact source of the issue.
0 -
Are they all coming from the same IP or subnet? If so, you could block the connections at the firewall.
0 -
You might already be familiar with the information but in case you are not..
If you are using MailScanner and the front-end addon you should be able to see the mail transport, header IPs in an easy readable format. Take a look at those and see if any of them might be ignored, whitelisted as well as the spam report line and bayes score; these normally provide good hints at what is happening.
You can use something like abuseipdb https://www.abuseipdb.com/ or Cisco Talos https://talosintelligence.com/reputation_center to manually look if there is an active history with the found IPs and or associated domains and then decide on a possible range block as a temporary or more permanent measure. The effectiveness will naturally vary and you always have to take your clients in mind but sometimes it is the fastest solution.
Also if you never want .sbs or .us for any client you can add them to the block list in MailScanner itself as a global rule so you do not have to bother with individual lists: /usr/mailscanner/etc/rules/spam.blacklist.rules
For example:
To: *@* and From: *@*.sbs yes
To: *@* and From: *@*.us yes
But that is the shotgun method; you want to be careful with it.
Make sure you also reload the MailScanner rules after the edit.
In addition MailScanner has a lot of statistics to check if you are not familiar with its capability. For example Configserver MailScanner FE --> MailControl -> Menu -> Statistics.
One of the first I always check in there is Spam Relay IPs. Lots of spam total vs little ham total is often a pretty good indication it is not something you want to even process as spam but rather block outright. Can save a lot of time auditing per client.
2 -
Hello, ITHKBO Thanks for the tips!
However, emails with the .sbs extension are being delivered without passing through MailScanner, and I haven't found a solution for this yet.
As an alternative, I used cPRex's suggestion to block by domain, which has been working so far, but it's not the ideal solution.
0 -
Hello,
I had implemented cPRex's suggestion, and it was working even though it's not the ideal solution, as we have a few international clients who may receive legitimate emails from .sbs domains. However, starting three days ago, I began receiving a high volume of spam emails with no sender signature (Return-Path: <>).
Still, when I check the message headers, I can clearly see that the domain originates from a .sbs domain, for example: Received: from documento07g.docedocepave.sbs
How is this even possible? Shouldn't the block still prevent these messages from being delivered?
Any ideas or suggestions would be appreciated!
0 -
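The two posts above describe the same gap from opposite sides: ITHKBO's spam.blacklist.rules entries and the WHM domain filter match on the sender address, while the messages that slipped through carry a null Return-Path (<>) and reveal their .sbs origin only in the Received: chain. The following is an added example, not code from the thread, cPanel or MailScanner; it assumes raw messages are available as text (for instance copied from the mail queue), uses the thread's own block list (.sbs and .us), and shows why a sender-domain rule misses the null-sender case while a check of the Received: hosts catches it. It also pulls out the connecting IPs so they can be looked up on AbuseIPDB or Talos as ITHKBO suggests. The three sample messages are constructed; only the hostname documento07g.docedocepave.sbs comes from the thread.

```python
"""Header triage for the .sbs / .us spam wave described in the thread.

Added example: not code from the thread, cPanel or MailScanner. It assumes
the raw messages are available as text and uses the thread's own block list
(.sbs and .us). Sample messages are constructed; only the hostname
documento07g.docedocepave.sbs comes from the thread.
"""
import re
from email import message_from_string

# TLDs the thread proposes to block outright (the "shotgun" rule).
BLOCKED_TLDS = {"sbs", "us"}

# A Received: value starts with the relaying host after "from"; an IP literal
# in square brackets is the address the relay actually connected from.
RECEIVED_FROM = re.compile(r"^\s*from\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def bare_address(value):
    """Strip display name and angle brackets: 'Bot <a@b.sbs>' -> 'a@b.sbs',
    '<>' -> '' (the null sender used by bounces and by this spam wave)."""
    value = (value or "").strip()
    m = re.search(r"<([^>]*)>", value)
    return (m.group(1) if m else value).strip().lower()


def domain_of(address):
    return address.rsplit("@", 1)[1] if "@" in address else ""


def tld_of(name):
    return name.rsplit(".", 1)[1] if "." in name else ""


def triage(raw):
    """Classify one raw message.

    sender_hit  is all a From:/Return-Path domain rule can see (MailScanner's
                From: *@*.sbs rule, WHM's Filter Incoming Emails by Domain).
    relay_hit   checks the hosts named in the Received: chain instead, so a
                null Return-Path does not hide the originating host.
    relay_ips   are the connecting addresses to look up manually
                (AbuseIPDB, Talos) before deciding on a firewall block.
    """
    msg = message_from_string(raw)
    return_path = msg.get("Return-Path")
    sender_domains = {
        d for d in (domain_of(bare_address(return_path)),
                    domain_of(bare_address(msg.get("From"))))
        if d
    }
    hosts, ips = [], []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(value)
        if m:
            hosts.append(m.group(1).lower())
        ips.extend(RECEIVED_IP.findall(value))
    sender_hit = any(tld_of(d) in BLOCKED_TLDS for d in sender_domains)
    relay_hit = any(tld_of(h) in BLOCKED_TLDS for h in hosts)
    return {
        "null_return_path": return_path is not None and bare_address(return_path) == "",
        "sender_hit": sender_hit,
        "relay_hit": relay_hit,
        "relay_hosts": hosts,
        "relay_ips": ips,
        "verdict": "block" if (sender_hit or relay_hit) else "allow",
    }


# Constructed samples (RFC 5737 documentation addresses, example domains).
SAMPLES = {
    "plain_sbs": (
        "Return-Path: <promo@news.docedocepave.sbs>\n"
        "Received: from mail.docedocepave.sbs (mail.docedocepave.sbs [192.0.2.10])\n"
        "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
        "From: Promo <promo@news.docedocepave.sbs>\n"
        "Subject: offer\n\nbody\n"
    ),
    "null_sender_sbs": (  # the case the thread reports: sender rule misses it
        "Return-Path: <>\n"
        "Received: from documento07g.docedocepave.sbs (unknown [192.0.2.20])\n"
        "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 10:05:00 +0000\n"
        "From: Alerts <noreply@example.com>\n"
        "Subject: notice\n\nbody\n"
    ),
    "legit": (
        "Return-Path: <alice@example.org>\n"
        "Received: from mx.example.org (mx.example.org [198.51.100.5])\n"
        "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 10:10:00 +0000\n"
        "From: Alice <alice@example.org>\n"
        "Subject: hello\n\nbody\n"
    ),
}


def triage_all(samples=SAMPLES):
    return {name: triage(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, r in triage_all().items():
        print(f"{name:16} verdict={r['verdict']:5} sender_hit={r['sender_hit']} "
              f"relay_hit={r['relay_hit']} relay_ips={r['relay_ips']}")
```

Run against a handful of the messages that reached the SPAM folder: a message that shows sender_hit False but relay_hit True is exactly one the domain filter cannot stop, and the relay_ips it reports are what to check against AbuseIPDB or Talos before considering a firewall block, as the earlier replies suggest. Treat the Received: hostnames as claims rather than facts (only the innermost line written by your own server is trustworthy), which is why the connecting IP is kept alongside them.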
Can you let me know *exactly* how you've configured the "Filter Incoming Emails by Domain" tool so I can review that?
0 -
Sure, I added *.sbs and it worked for about 20 days. But this week, I started receiving spam emails without a sender signature and after digging into the headers, I found that they are still coming from .sbs domains.
0 -
Any chance you could create a ticket so this can be investigated directly on the system?
0 -
Is it possible to create a ticket with a Partner Supported License?
0 -
Not directly with us, no - you'd have to reach out to your provider and then they would contact us if they can't resolve the issue.
1