Spam Assassin header is broken
We get our email through an account on a shared host at eUKHost. It is a Linux host using cPanel. We make use of Spam Assassin, or at least we used to.
A couple of weeks ago we started getting broken emails because our client could not cope with the X-Ham-Report: header which was typically over 3,500 characters long. The header is also somewhat garbled. To ensure that it wasn't being messed up by our server, I went and collected a mail via the cPanel interface and Roundcube. Here is an example offending header.
X-Ham-Report: =?ISO-8859-1?Q?Spam_detection_software=2C_running_on_the_system_=22merlin=2Eeukhost?= =?ISO-8859-1?Q?ing=2Enet=22=2C=0A_has_NOT_identified_this_incoming_e?= =?ISO-8859-1?Q?mail_as_spam=2E__The_original=0A_message_has_been_att?= =?ISO-8859-1?Q?ached_to_this_so_you_can_view_it_or_label=0A_similar_?= =?ISO-8859-1?Q?future_email=2E__If_you_have_any_questions=2C_see=0A_?= =?ISO-8859-1?Q?root=5C=40localhost_for_details=2E=0A_Content_preview?= =?ISO-8859-1?Q?=3A__Spam_filtering_should_be_on_Spam_filtering_shoul?= =?ISO-8859-1?Q?d_be_on_=0A_Content_analysis_details=3A___=280=2E6_po?= =?ISO-8859-1?Q?ints=2C_5=2E0_required=29=0A__pts_rule_name__________?= =?ISO-8859-1?Q?____description=0A_----_----------------------_------?= =?ISO-8859-1?Q?--------------------------------------------=0A__0=2E0?= =?ISO-8859-1?Q?_RCVD=5FIN=5FVALIDITY=5FCERTIFIED=5FBLOCKED_RBL=3A_AD?= =?ISO-8859-1?Q?MINISTRATOR_NOTICE=3A_The=0A_________________________?= =?ISO-8859-1?Q?____query_to_Validity_was_blocked=2E__See=0A_________?= =?ISO-8859-1?Q?____________________https=3A//knowledge=2Evalidity=2Ec?= =?ISO-8859-1?Q?om/hc/en-us/articles/20961730681243=0A_______________?= =?ISO-8859-1?Q?_______________for_more_information=2E=0A____________?= =?ISO-8859-1?Q?_____________=5B209=2E85=2E210=2E174_listed_in_sa-tru?= =?ISO-8859-1?Q?sted=2Ebondedsender=2Eorg=5D=0A__0=2E0_RCVD=5FIN=5FVA?= =?ISO-8859-1?Q?LIDITY=5FSAFE=5FBLOCKED_RBL=3A_ADMINISTRATOR_NOTICE=3A_?= =?ISO-8859-1?Q?The_query_to=0A______________________________Validity?= =?ISO-8859-1?Q?_was_blocked=2E__See=0A_____________________________h?= =?ISO-8859-1?Q?ttps=3A//knowledge=2Evalidity=2Ecom/hc/en-us/articles?= =?ISO-8859-1?Q?/20961730681243=0A______________________________for_m?= =?ISO-8859-1?Q?ore_information=2E=0A_____________________________=5B2?= =?ISO-8859-1?Q?09=2E85=2E210=2E174_listed_in_sa-accredit=2Ehabeas=2Ec?= =?ISO-8859-1?Q?om=5D=0A__0=2E0_RCVD=5FIN=5FVALIDITY=5FRPBL=5FBLOCKED?= 
=?ISO-8859-1?Q?_RBL=3A_ADMINISTRATOR_NOTICE=3A_The_query_to=0A______?= =?ISO-8859-1?Q?________________________Validity_was_blocked=2E__See=0A_?= =?ISO-8859-1?Q?____________________________https=3A//knowledge=2Eval?= =?ISO-8859-1?Q?idity=2Ecom/hc/en-us/articles/20961730681243=0A______?= =?ISO-8859-1?Q?________________________for_more_information=2E=0A___?= =?ISO-8859-1?Q?_________________________=5B209=2E85=2E210=2E174_list?= =?ISO-8859-1?Q?ed_in_bl=2Escore=2Esenderscore=2Ecom=5D=0A_-0=2E0_SPF?= =?ISO-8859-1?Q?=5FPASS_______________SPF=3A_sender_matches_SPF_recor?= =?ISO-8859-1?Q?d=0A_-0=2E1_DKIM=5FVALID_____________Message_has_at_l?= =?ISO-8859-1?Q?east_one_valid_DKIM_or_DK_signature=0A_-0=2E1_DKIM=5FV?= =?ISO-8859-1?Q?ALID=5FEF__________Message_has_a_valid_DKIM_or_DK_sig?= =?ISO-8859-1?Q?nature_from=0A_____________________________envelope-f?= =?ISO-8859-1?Q?rom_domain=0A_-0=2E1_DKIM=5FVALID=5FAU__________Messa?= =?ISO-8859-1?Q?ge_has_a_valid_DKIM_or_DK_signature_from_author's=0A_?= =?ISO-8859-1?Q?____________________________domain=0A__0=2E1_DKIM=5FS?= =?ISO-8859-1?Q?IGNED____________Message_has_a_DKIM_or_DK_signature=2C_?= =?ISO-8859-1?Q?not_necessarily_valid=0A__0=2E8_BAYES=5F50___________?= =?ISO-8859-1?Q?____BODY=3A_Bayes_spam_probability_is_40_to_60%=0A___?= =?ISO-8859-1?Q?__________________________=5Bscore=3A_0=2E5137=5D=0A_?= =?ISO-8859-1?Q?_0=2E0_FREEMAIL=5FFROM__________Sender_email_is_commo?= =?ISO-8859-1?Q?nly_abused_enduser_mail_provider=0A__________________?= =?ISO-8859-1?Q?___________=5Bmullocksj=28at=29gmail=2Ecom=5D=0A__0=2E0?= =?ISO-8859-1?Q?_HTML=5FMESSAGE___________BODY=3A_HTML_included_in_me?= =?ISO-8859-1?Q?ssage?=
I raised a support ticket with eUKHost and was told that this new behaviour was due to a new cPanel bug. I was sceptical because I did not find posts from other unhappy users, but they assured me it was true. Here is a partial quote from eUKHost:
"We completely understand your concern. The issue you’re referring to relates to an internal cPanel bug that has been reported through cPanel’s internal tracking system rather than on a public changelog or documentation page, which is why it may not appear in a general Google search."
So, can anyone tell me if it is true? If it is a cPanel bug, does anyone know when it might be fixed? Does anyone know of a workaround?
We have been forced to disable Spam Assassin, which is sad!
Thanks in advance for any help
Hey there! We have case CPANEL-50170 open on this, and you can follow along using the link here: https://support.cpanel.net/hc/en-us/articles/36160643334807-Email-message-headers-X-Ham-Reports-and-X-Spam-Reports-output-is-not-readable
cPRex
If a spam message is scored as 7.4, as an example, shouldn't X-Spam-Report show and indicate every trigger / test that adds the score up to 7.4?
In this message example, all I see is 2 items, adding up to 1.2. The others do not show up in X-Spam-Report.
And shouldn't one be able to set report_safe in /etc/mail/spamassassin/local.cf? It seems that regardless of whether I set it to report_safe 0 or report_safe 1 it looks the same.
X-Spam-Checked-In-Group: fg8@cq.eformi.shop
X-Spam-Status: Yes, score=7.4
X-Spam-Score: 74
X-Spam-Bar: +++++++
X-Spam-Report: Spam detection software, running on the system "xxx.yyyyyyyy.zzz",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: We're all ears — your opinion matters.
<https://wsnvedgwsh.blob.core.windows.net/manjsbwg/hqagvws.html>
Your feedback helps us make your experience even better. Take a quick survey
today for a chance to receive an exclusive reward <https://wsnvedgwsh.blob.core.windows.net/manjsbwg/hqagvws.html>—
and t [...]
Content analysis details: (7.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
[URI: wsnvedgwsh.blob.core.windows.net]
-0.0 SPF
X-Spam-Flag: YES
X-Spam-Report: =?ISO-8859-1?Q?Spam_detection_software=2C_running_on_the_system_=22xxx=2Eyyyyyy?=
=?ISO-8859-1?Q?yy=2Ezzz=22=2C=0A_has_identified_this_incoming_email_?=
=?ISO-8859-1?Q?as_possible_spam=2E__The_original=0A_message_has_been?=
=?ISO-8859-1?Q?_attached_to_this_so_you_can_view_it_or_label=0A_simi?=
=?ISO-8859-1?Q?lar_future_email=2E__If_you_have_any_questions=2C_see?=
=?ISO-8859-1?Q?=0A_root=5C=40localhost_for_details=2E=0A_Content_pre?=
=?ISO-8859-1?Q?view=3A__We're_all_ears_=E2=80=94_your_opinion_matter?=
=?ISO-8859-1?Q?s=2E_=3Chttps=3A//wsnvedgwsh=2Eblob=2Ecore=2Ewindows=2En?=
=?ISO-8859-1?Q?et/manjsbwg/hqagvws=2Ehtml=3E=0A____Your_feedback_hel?=
=?ISO-8859-1?Q?ps_us_make_your_experience_even_better=2E_Take_a_quic?=
=?ISO-8859-1?Q?k_survey=0A____today_for_a_chance_to_receive_an_exclu?=
=?ISO-8859-1?Q?sive_reward_=3Chttps=3A//wsnvedgwsh=2Eblob=2Ecore=2Ew?=
=?ISO-8859-1?Q?indows=2Enet/manjsbwg/hqagvws=2Ehtml=3E=E2=80=94=0A__?=
=?ISO-8859-1?Q?__and_t_=5B=2E
Subject: [SPAM] =?UTF-8?Q?=F0=9F=8E=81Claim_Your_Free_Jack_Link=E2=80=99s_Beef_Jerky_Box_fro?=
=?UTF-8?Q?m_Costco?=
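Added example, not part of any post in this thread and not cPanel or SpamAssassin code: Python that turns an encoded X-Ham-Report / X-Spam-Report value like the ones posted above back into readable text, tolerates a final encoded-word that was cut off, and checks whether the rule lines that survived add up to the claimed score. The function names and the `SAMPLE` header are constructed for illustration.

```python
import re

# One RFC 2047 "Q" encoded-word. The closing "?=" is optional so that a header
# cut off mid-word still yields its readable prefix.
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[Qq]\?([^?\s]*)(?:\?=)?")
TOTAL = re.compile(r"\((-?\d+\.\d+) points, -?\d+\.\d+ required\)")
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b", re.M)

def q_decode(payload: str) -> bytes:
    """Decode Q text: '_' is a space, '=XX' is one byte."""
    payload = payload.replace("_", " ")
    payload = re.sub(r"=(?![0-9A-Fa-f]{2}).*$", "", payload)  # truncated escape
    return re.sub(rb"=([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  payload.encode())

def decode_report(raw: str) -> str:
    """Return the readable report text for a plain or encoded header value."""
    payloads = ENCODED_WORD.findall(raw)
    if not payloads:
        return raw  # header was never encoded
    # Join bytes first: whitespace between encoded-words is not content.
    data = b"".join(q_decode(p) for p in payloads)
    try:
        return data.decode("utf-8")  # samples carry UTF-8 under a Latin-1 label
    except UnicodeDecodeError:
        return data.decode("latin-1")

def audit(raw: str) -> dict:
    """Compare the claimed score with the sum of the rule lines that survived."""
    text = decode_report(raw)
    rules = [(float(pts), name) for pts, name in RULE_LINE.findall(text)]
    listed = round(sum(pts for pts, _ in rules), 1)
    m = TOTAL.search(text)
    claimed = float(m.group(1)) if m else None
    # Every printed value is rounded to 0.1, so allow 0.05 per number involved.
    complete = claimed is not None and abs(claimed - listed) <= 0.05 * (len(rules) + 1)
    return {"text": text, "rules": rules, "claimed": claimed,
            "listed": listed, "complete": complete}

# Constructed sample, modelled on the truncated X-Spam-Report in the thread.
SAMPLE = (
    "=?ISO-8859-1?Q?Content_preview=3A__all_ears_=E2=80=94_survey=0A_Conte?= "
    "=?ISO-8859-1?Q?nt_analysis_details=3A___=287=2E4_points=2C_5=2E0_requ?= "
    "=?ISO-8859-1?Q?ired=29=0A__pts_rule_name=0A__1=2E2_URIBL=5FABUSE=5FSU?= "
    "=?ISO-8859-1?Q?RBL_Contains_an_URL=0A_-0=2E0_SPF=5B=2"
)
```

A `complete` value of `False` means the header lost rule lines before it reached the mailbox, so the score in X-Spam-Status, not the report, is the figure to trust.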
mtindor - yes, but maybe it's broken because of the current case?
cPRex Maybe. But the workaround didn't suggest that so I was just throwing it out there, and I had already done the workaround. Somebody else has already posted all of the details of what is really broken, thankfully, along with a painful (but doable) workaround in the meantime. I'll probably do that extended, unapproved workaround tomorrow.
Is this workaround supposed to survive updates and restarts? Is there any further update?
Uncensored-Hosting - I checked things on my end and see that the case is resolved in version 132.0.9 and higher:
https://docs.cpanel.net/changelogs/132-change-log/
If you're still seeing the issue it would likely be best to create a ticket as we're expecting this to be fixed at this point.