Emails Bypassing RBL Reject and SpamAssassin Bounce

DigitalEssence

Well-Known Member
May 21, 2014
cPanel Access Level
Root Administrator
Hi,

I'm trying to reduce the amount of spam my customers are receiving and have been digging around and noticed that emails appear to be bypassing the RBL reject and SpamAssassin bounce settings in Exim.

In Home > Service Configuration > Exim Configuration Manager > basic editor > RBLs I have the following in custom RBLs

Origin RBL name DNS list Info URL Action
System spamcop bl.spamcop.net SpamCop.net - Blocking List ( bl.spamcop.net )
System spamhaus zen.spamhaus.org The Spamhaus Project - ZEN
System spamhaus_spamcop zen.spamhaus.org, bl.spamcop.net

and

RBL: bl.spamcop.net
Reject mail at SMTP time if the sender host is in the bl.spamcop.net RBL

RBL: zen.spamhaus.org
Reject mail at SMTP time if the sender host is in the zen.spamhaus.org RBL.

Both set to On.

In Filters I have

Apache SpamAssassin™: bounce spam score threshold set to 20.

But emails are still being received to customers accounts which have a score over 20 and are in one of the above RBLs.

An example mail is:

SpamAssassin Rules

AWL -0.71 Adjusted score from AWL reputation of From: address
BAYES_99 5.00 Bayes spam probability is 99 to 100%
BAYES_999 1.00 Bayes spam probability is 99.9 to 100%
DCC_CHECK 1.10 Detected as bulk mail by DCC (dcc-servers.net)
DIGEST_MULTIPLE 0.29 Message hits more than one network digest check
DKIM_SIGNED 0.10 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.10 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.10 Message has a valid DKIM or DK signature from author's domain
HTML_FONT_LOW_CONTRAST 0.00 HTML font color similar or identical to background
HTML_MESSAGE 0.00 HTML included in message
KAM_LOTSOFHASH 0.25 Emails with lots of hash-like gibberish
KAM_VERY_BLACK_DBL 5.00
RAZOR2_CF_RANGE_51_100 1.89 Razor2 gives confidence level above 50%
RAZOR2_CHECK 0.92 Listed in Razor2 (Vipul's Razor: home)
SPF_PASS -0.00 SPF: sender matches SPF record
URIBL_BLACK 20.00 Contains an URL listed in the URIBL blacklist
URIBL_DBL_SPAM 4.50 Contains a spam URL listed in the Spamhaus DBL blocklist

SpamAssassin Score 39.14
SpamAssassin Auto Learn spam

Email Header

Code:
Received: from port.example.org ([51.68.xx.xx]:54492)
by my.server.name with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256)
(Exim 4.91)
(envelope-from <[email protected]>)
id 1gUoAV-0007aK-Oz
for [email protected]; Thu, 06 Dec 2018 07:33:55 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=example.com;
h=Message-ID:Date:Subject:From:Reply-To:To:MIME-Version:Content-Type:List-Unsubscribe:List-Id; [email protected];
bh=SPdhvDfi2QfWReaAE3SPzo2wStU=;
b=YVdUn9Wxa2QJHSWrqrO3Sn8GhjKVePte1xhNrdAaHHitYVAwXcayoE2WiqM67LE3dqu016TkDze0
i2aJ8Sksuxsm9j3cIG9BbxFY9Fo4xPXudvM1LO8pzNMoAPD7p9qgPCOetbq1LhILIWCg6r1+JbvP
1e+6fAcDQo8+LtkLwSM=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=example.com;
b=Z1RLr+7feAhn1sSPqgcQJcjwyX4cadzz5g9opiPzFDF+fSk3jyll8/UVASeH6mJvyMCcnRpCFdEQ
I5l+OWxppYy0o0X8Ez4thi/lboPYZv5OKGiY5y+0DIBfOPmPmk2bnSZNpcGb9J4lMgyIM0WAroaj
kEIKQLe597X9fDuQn8A=;
Message-ID: <[email protected]>
Date: Thu, 06 Dec 2018 07:33:14 +0000
Subject: No need to pay in advance for the fuel with your fuel card !
From: Fuel Card <[email protected]>
Reply-To: Fuel Card <[email protected]>
To: "[email protected]" <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_=_swift_v4_1544081594_fada3c31d08731de7cf49efb2608ffa7_=_"
X-Sender: [email protected]
X-Report-Abuse: Please report abuse for this campaign here:
MailWizz | Please login
X-Receiver: [email protected]
X-Mw-Tracking-Did: 0
X-Mw-Subscriber-Uid: aq9458j2chea1
X-Mw-Mailer: SwiftMailer - @SWIFT_VERSION_NUMBER@
X-Mw-Delivery-Sid: 4
X-Mw-Customer-Uid: dk725e6ega1c5
X-Mw-Customer-Gid: 0
X-Mw-Campaign-Uid: oe2077he9a426
List-Unsubscribe: <MailWizz>
List-Id: dj838q17nwef1 <ZF_UK_CRPN1>
Feedback-ID: oe2077he9a426:aq9458j2chea1:dj838q17nwef1:dk725e6ega1c5

If I grep the message ID:

grep 1gUoAV-0007aK-Oz /var/log/exim_mainlog

I see:

Code:
2018-12-06 07:33:55.857 [29160] 1gUoAV-0007aK-Oz <= [email protected] H=port.example.org [51.68.xx.xx]:54492 I=[92.68.56.62]:25 P=esmtps X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no S=20253 M8S=8 RT=0.045s [email protected] T="No need to pay in advance for the fuel with your fuel card !" from <[email protected]> for [email protected]
2018-12-06 07:34:06.216 [29495] cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1gUoAV-0007aK-Oz
2018-12-06 07:34:06.280 [29495] 1gUoAV-0007aK-Oz => enquiries <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=21667 C="250 2.0.0 <[email protected]> YCNfDu7QCFw8cwAAn4SkQg Saved" QT=10s DT=0.056s
2018-12-06 07:34:06.298 [29495] 1gUoAV-0007aK-Oz => |/usr/local/cpanel/bin/autorespond [email protected] /home2/customeraccount/.autorespond ([email protected]) <[email protected]> F=<[email protected]> SRS=<[email protected]> P=<[email protected]> R=virtual_aliases_nostar T=jailed_virtual_address_pipe S=21158 QT=10s DT=0.017s
2018-12-06 07:34:06.298 [29495] 1gUoAV-0007aK-Oz Completed QT=10s
I may be totally misunderstanding this, but I would have assumed that this email should have been rejected because it was in the Spamhaus DBL blocklist and bounced because the SpamAssassin score is above 20?

If I can provide any further information, please shout.

thanks.


EDIT

I've checked my exim_rejectlog and saw plenty of entries for both SpamCop and Spamhaus, so I did some further digging and noticed that the Spamhaus DBL mentioned in the SpamAssassin Rules is not the same as the Spamhaus ZEN list that is included in the default Exim configuration.

So that explains why they aren't being rejected.

So my only question now is why the Filter:

Apache SpamAssassin™: bounce spam score threshold set to 20 isn't working and I'm still seeing the emails being delivered to accounts.
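A way to triage one message id from log lines like the ones quoted above, as an added example (editor's code, not from cPanel or MailScanner): it pulls the SMTP-time acceptance, any MailScanner re-injection and the final delivery for a message id, which is how you tell whether Exim's own inbound checks or MailScanner decided the message's fate. The log is constructed from the lines in the post, with placeholder addresses, a second made-up message id and TEST-NET IPs.

```python
import re

# Constructed sample modelled on the exim_mainlog lines quoted in the post above.
SAMPLE_LOG = """\
2018-12-06 07:33:55.857 [29160] 1gUoAV-0007aK-Oz <= sender@example.com H=port.example.org [198.51.100.7]:54492 P=esmtps S=20253 T="No need to pay in advance" for user@customer.example
2018-12-06 07:34:06.216 [29495] cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1gUoAV-0007aK-Oz
2018-12-06 07:34:06.280 [29495] 1gUoAV-0007aK-Oz => enquiries <user@customer.example> F=<sender@example.com> R=virtual_user T=dovecot_virtual_delivery S=21667 QT=10s
2018-12-06 07:34:06.298 [29495] 1gUoAV-0007aK-Oz Completed QT=10s
2018-12-06 08:00:00.000 [29600] 1gUoXX-0001aa-Ab <= other@example.net H=mx.example.net [203.0.113.9]:25 P=esmtp S=1200 for user@customer.example
2018-12-06 08:00:00.500 [29600] 1gUoXX-0001aa-Ab => user <user@customer.example> F=<other@example.net> R=virtual_user T=dovecot_virtual_delivery S=1300 QT=0s
"""

MSGID = r"[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}"
# "<=" is the SMTP-time acceptance: if this line exists, no RBL rejected the message.
ACCEPT = re.compile(rf"^\S+ \S+ \[\d+\] (?P<id>{MSGID}) <= \S+ H=.+? \[(?P<ip>[^\]]+)\]")
# A queue run from the MailScanner spool with -C exim_outgoing.conf is MailScanner
# handing the already-scanned message back to Exim for delivery.
REINJECT = re.compile(rf"cwd=(?P<cwd>\S+) \d+ args: \S*exim -C (?P<conf>\S+) -Mc (?P<id>{MSGID})")
# "=>" is a completed delivery; T= names the transport that performed it.
DELIVER = re.compile(rf"^\S+ \S+ \[\d+\] (?P<id>{MSGID}) => .*? <(?P<rcpt>[^>]+)> .* T=(?P<transport>\S+)")

def trace_message(log_text, msg_id):
    """Collect what exim_mainlog records for one message id."""
    info = {"id": msg_id, "accepted_from_ip": None, "reinjected_via": None,
            "mailscanner": False, "delivered_to": [], "transports": []}
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m and m["id"] == msg_id:
            info["accepted_from_ip"] = m["ip"]
            continue
        m = REINJECT.search(line)
        if m and m["id"] == msg_id:
            info["reinjected_via"] = m["conf"]
            info["mailscanner"] = "MailScanner" in m["cwd"]
            continue
        m = DELIVER.search(line)
        if m and m["id"] == msg_id:
            info["delivered_to"].append(m["rcpt"])
            info["transports"].append(m["transport"])
    return info

def explain(info):
    """One-line verdict on which path the message took."""
    if info["accepted_from_ip"] is None:
        return f"{info['id']}: no acceptance line; check exim_rejectlog for an RBL reject"
    path = "re-injected by MailScanner" if info["mailscanner"] else "handled by Exim's own inbound ACLs"
    return f"{info['id']}: accepted from {info['accepted_from_ip']}, {path}, delivered to {', '.join(info['delivered_to']) or 'nobody'}"
```

Feed it the output of `grep <id> /var/log/exim_mainlog` instead of the sample to check a real message.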
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @DigitalEssence


A couple things:

1:
Apache SpamAssassin™: bounce spam score threshold set to 20.
20 is really high; this means that you're allowing mail with a spam score of 20 or lower. Personally, I set mine to 2-3.

2: I see the following in your exim_mainlog output:
Code:
2018-12-06 07:34:06.216 [29495] cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1gUoAV-0007aK-Oz
This indicates to me that you're using MailScanner, and mail isn't even being scanned by SpamAssassin; it's all being handled through MailScanner.


There's nothing wrong with using this software but I do want to point out that configuration for spam needs to all be handled from within the application, and it's been known to be problematic with our Exim/Mail configurations.
 

DigitalEssence

Well-Known Member
May 21, 2014
cPanel Access Level
Root Administrator
Hi Lauren,

thanks for your reply.

1) In Mailscanner, legitimate emails can have a score up to about 5 or 6 so 20 is a good threshold for High Probability spam.
2) Doh! Yes, I'm using Mailscanner. But I thought that used Spamassassin hence me using that threshold setting.

Let me go off and do some checking. Looks like that's the reason.

I've actually been able to reduce the spam by adding a couple of extra RBLs. I've added Barracuda, SEMFresh from Spameatingmonkey (gotta love the name) and URIBL, but this one isn't working yet. I used multi.uribl.com but that may be the wrong address.

So far this has had a great impact on spam which hopefully should keep my customers happy.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @DigitalEssence

If you're using the scores we use (1, 2, 3, etc.), that's really, really high; it's equal to 200. SpamAssassin's actual score for our 2 is 20 (based on the scoring in the header). I'm really not sure if that's how MailScanner does it or not. The RBLs will be great because they reject/accept at SMTP time, before MailScanner or anything else has a chance to process. The only one you want to be careful with, in my experience, is Barracuda, as they tend to be overly cautious, and I ended up with a lot of false positives.
 

DigitalEssence

Well-Known Member
May 21, 2014
cPanel Access Level
Root Administrator
Thanks Lauren,

I'm going to disable the bouncing based on the SA score as it seems that MailScanner is scoring these differently.

I do though have an issue with emails listed on the URIBL not being blocked.

I've got multi.uribl.com in my list of custom RBLs and then Custom RBL: URIBL set to On, but emails are still being received.

There's also no sign of URIBL in the exim_reject log either.

MailScanner is showing me the following SpamAssassin Score:

URIBL_BLACK 20.00 Contains an URL listed in the URIBL blacklist

And I see the following in the header:

Code:
Received: from mta53.mhmail.co.uk ([78.129.159.18]:52650)
   by hostname.domainname.net with esmtp (Exim 4.91)
   (envelope-from <[email protected]>)
   id 1gWKeK-00087L-Qf
   for [email protected]; Mon, 10 Dec 2018 12:27:00 +0000
If I look up this URL at URIBL.COM - Realtime URI Blacklist it shows as listed.

I'd quite like to get this resolved as URIBL has a 100% hit rate for spam senders, so it seems pretty robust. All of the other RBLs I've added to Exim Configuration Manager » Manage Custom RBLs are working and showing in the reject log except for URIBL.
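The mismatch in this post, shown as an added example (editor's code, not cPanel's, Exim's or URIBL's): the cPanel RBL setting quoted earlier rejects when the sender host is listed, so it is keyed on the connecting IP (reversed octets under the zone), while the URIBL_BLACK rule fires on a URL found in the message body, which is a domain lookup. The two checks ask different questions, which is consistent with URIBL never showing up in the reject log. The sender IP, body and domain are constructed; the two-label domain extraction and the 127.0.0.X bitmask decoding are assumptions based on URIBL's published return-code conventions.

```python
import ipaddress
import re

# Lists from the thread: the host RBL cPanel ships and the custom URIBL entry.
ZEN = "zen.spamhaus.org"
URIBL_MULTI = "multi.uribl.com"

# Constructed sample (TEST-NET address, reserved example domain); not the post's message.
SAMPLE_SENDER_IP = "198.51.100.18"
SAMPLE_BODY = "Get your fuel card today: http://www.offer.example/card?id=123 Thanks"

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def host_rbl_query(ip, zone):
    """Lookup name for a sender-host DNSBL check: IPv4 octets reversed under the zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone

def registrable_domain(hostname):
    """Assumption for the example: keep the last two labels (real clients use a public-suffix list)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def uri_rbl_queries(body, zone):
    """Lookup names a URI blacklist check builds from the URLs in a message body."""
    hosts = {registrable_domain(h) for h in URL_HOST.findall(body)}
    return sorted(f"{h}.{zone}" for h in hosts)

def interpret_uribl(answer):
    """Decode a multi.uribl.com A answer; assumed bitmask per URIBL's docs (verify against uribl.com)."""
    last = int(answer.split(".")[-1])
    if last == 1:
        return "refused"  # query refused (e.g. via an open resolver), not a listing
    flags = {2: "black", 4: "grey", 8: "red"}
    return ",".join(name for bit, name in flags.items() if last & bit) or "not listed"
```

A host-RBL style query for the sender IP against multi.uribl.com asks about the wrong key; the domain query is what a body URI check would send.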
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston