Exchange / SMTP Authentication / Spam Score

Scott Laughead
Registered, Feb 1, 2019
Greenville, Ohio
cPanel Access Level: Reseller Owner
First off I just want to say thank you for having such a wonderful support tool available for WHM/cPanel.

Okay.

I host about 100 clients on my dedicated server, which runs WHM and cPanel. Most clients have their own cPanel account; others are just a sub-account under the main server domain.

My email flows really well from clients using POP/SMTP for outgoing email, as each user is required to authenticate with their own individual credentials to send out email. No problem.

However, since the beginning of the year, I have noticed that my clients using Exchange/Outlook as an internal mail server are getting outbound spam scores with a base of 2 that go up to 5 to 7 on general correspondence. Prior to the beginning of the year, everything flowed fine.

What is happening is that each of these clients using Exchange/Outlook has one SMTP Hub Transport on their Exchange machine, so we set them up to authenticate to our server and send outbound mail through one common user (for example, [email protected] uses [email protected] to authenticate and then relays the mail out through our server). All users use the same common user to authenticate.

In WHM, in my Exim Configuration, I have mail sent through our SMTP scanned for spam so that if someone were hacked or compromised, my server would help stop the attack and keep the mail from going out. That is not a problem for most clients using general correspondence, as their outbound spam scores are between -1 and 0. However, by relaying these messages through our server from Exchange with one Hub Transport authentication setup, these folks are starting with spam scores between 2 and 7. This means that my server is either blocking their messages (my outbound threshold is set at 5), or when a message arrives at its destination, it is being filtered into the recipient's spam folder.

All records (SPF, PTR) check out excellent on MXToolbox.com. None of my IPs or domains are on any kind of blacklist. My mail server reputation score at SenderScore.com is 97 out of 100. If you send out from webmail from these same accounts, bypassing the Exchange server, spam scores are between -1 and 0.

There has to be a setting in my WHM Exim Configuration Manager, or in DNS records, that allows me to pass these emails from the Exchange server to my server, using one common authenticated user, and prevent spam scores from shooting up.

I have been working for a week with my hosting company, who I lease the server through. They are as stumped as I am.

Please, if anyone can help shed some light on this, it would be much appreciated.

PS: I didn't provide Internet headers or error messages because I know this is exactly what is happening, but I can't find the tool or function that allows this to pass through unassaulted by the SMTP spam filter.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @Scott Laughead


The user_prefs for cpaneleximscanner (the internal name for the outbound SpamAssassin scanner) are located at /var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs.

From here you can see that there aren't really any rules being hit beyond SpamAssassin's base database:

Code:
[root@server .spamassassin]# cat user_prefs
skip_rbl_checks 1      # No need to check our authenticated senders to see if they are in
                       # an RBL as they likely will be.  We only care about RBLs for incoming
                       # spam scanning.
internal_networks 0/0  # We treat all authenticated senders as internal because the ip checks
                       # are likely useless for outbound spam scanning.
[root@server .spamassassin]#

The base configuration is in local.cf, which can be found at /etc/mail/spamassassin/local.cf, though which rules are being hit on outbound spam scanning isn't noted specifically in the headers of messages. My assumption would be that the user's local IP address is having IP reputation issues, which is unfortunately fairly common and, in most cases, through no fault of your user.
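A way to recover the rule hits that the outbound scan does not write into the headers, added here as an example and not cPanel's own tooling: save a copy of a scored message as an .eml file, run it through spamassassin's test mode with the same user_prefs the scanner reads (the path quoted above), and parse the "Content analysis details" table that -t appends. The report text embedded in the script is constructed; its EXAMPLE_* rules are placeholders, not rules observed on the poster's server.

```python
"""Reproduce an outbound SpamAssassin verdict and list the rules that fired.

Added example for this thread, not cPanel's own tooling. The outbound scan
records only the total (X-OutGoing-Spam-Status: No, score=2.0), so save a
scored message as .eml and push it through spamassassin's test mode with
the scanner's own user_prefs; -t appends a 'Content analysis details'
table that this script parses. SAMPLE_REPORT is constructed: the
EXAMPLE_* rules are placeholders, not hits observed on the poster's server.
"""
import re
import subprocess
import sys

# Prefs path of the outbound scanner, as quoted in the thread.
CPANEL_OUTBOUND_PREFS = (
    "/var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs")

SUMMARY_RE = re.compile(
    r"Content analysis details:\s+\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Za-z0-9_]+)\s+(.*)$")

SAMPLE_REPORT = """\
Content analysis details:   (2.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 EXAMPLE_HEADER_RULE    Constructed placeholder for a header test
 0.4 EXAMPLE_BODY_RULE      Constructed placeholder for a body test
"""


def run_test_mode(eml_path, prefs=CPANEL_OUTBOUND_PREFS):
    """Run `spamassassin -p PREFS -t < message.eml` and return its output."""
    with open(eml_path, "rb") as fh:
        proc = subprocess.run(["spamassassin", "-p", prefs, "-t"],
                              stdin=fh, capture_output=True, check=True)
    return proc.stdout.decode("utf-8", "replace")


def parse_report(text):
    """Extract total, threshold and every rule hit from -t output."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' block; was -t given?")
    rules, in_table = [], False
    for line in text[m.end():].splitlines():
        if line.startswith("----"):          # separator under the column titles
            in_table = True
            continue
        if not in_table:
            continue
        hit = RULE_RE.match(line)
        if hit:
            rules.append({"score": float(hit.group(1)), "rule": hit.group(2),
                          "desc": hit.group(3).strip()})
        elif rules and line.startswith(" "):  # wrapped description line
            rules[-1]["desc"] += " " + line.strip()
    score, required = float(m.group(1)), float(m.group(2))
    total = sum(r["score"] for r in rules)
    return {"score": score, "required": required, "rules": rules,
            # the table should account for the whole total; if it does not,
            # part of the score came from outside the listed rules
            "rules_sum_matches": abs(total - score) < 0.05}


def top_contributors(report, n=3):
    """Rules ranked by how much they pushed the total up."""
    ranked = sorted(report["rules"], key=lambda r: r["score"], reverse=True)
    return [(r["rule"], r["score"]) for r in ranked[:n]]


def would_be_rejected(report, outbound_threshold=5.0):
    """Poster's setup: at or above the WHM outbound threshold the relay rejects."""
    return report["score"] >= outbound_threshold


if __name__ == "__main__":
    output = run_test_mode(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    report = parse_report(output)
    print(f"score {report['score']} / required {report['required']}; "
          f"reject at 5.0: {would_be_rejected(report)}")
    for rule, pts in top_contributors(report):
        print(f"  {pts:5.1f}  {rule}")
```

Run it on the server as `python3 sa_rules.py message.eml`, once on a copy sent from webmail (scored -1 in the thread) and once on the same text relayed from Exchange; the difference in the rule list is what the headers alone cannot show. The total can still drift from the live scan if Bayes or network tests behave differently at run time, so compare rule names rather than trusting the reproduced score to the decimal.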
 

Scott Laughead
I do appreciate your reply. My first thought was that the reputation of the IP had been compromised as well. However, that is one of the first things I checked. These customers' outbound email leaves from the IP of the connection through which they get their service (Spectrum). However, in each instance, Spectrum had been contacted previously, and a PTR record had been created to link back to the customer mail server. The PTR records are great for each of these clients. SPF records are in place, and MX Toolbox says everything checks as green and good. Also, individual blacklist checks indicate that none of these dedicated IP addresses are on any blacklist (all clean). SenderScore.com says that these IP addresses have not sent enough email to be on their list, so I would assume that is a good thing, since they are individual company mail servers.

This is only happening with my clients that use Exchange and authenticate through a single user to push out email. With any other configuration, email is flowing and scoring great. I have checked all headers and there is nothing in the email that would indicate why it is scoring the email as spam. Since my threshold on outbound scanning of email is set at 5, most of these, being scored from 2-4, go out and are delivered to the spam boxes of the recipients. If it hits a level of 5, it rejects the email message before it even leaves my server and sends it back to the sender.

I have reviewed each email that is being rejected, and of course each has an attachment, but they are PDFs. The ones being scored between 2-4 are just general correspondence, someone asking questions or replying to someone else. There are no signature plugins to social media or anything like that either.

Continued brainstorming is appreciated.
 

cPanelLauren
Hi @Scott Laughead


Definitely a conundrum -
This is only happening with my clients that use Exchange and authenticate through a single user to push out email.
Have you checked the Exchange server's reputation as well? Have you tried putting the Exchange server IPs in the Only-verify-recipient portion of the Exim configuration?

Code:
Only-verify-recipient
Hosts or IP addresses that should be exempt from all spam checks at SMTP time, except recipient verification. Hosts or IP addresses you enter here are stored in /etc/trustedmailhosts.
You might also look into the following:

Code:
Trusted SMTP IP addresses 
IP addresses exempt from all SMTP sender, recipient, spam, and relaying checks. IP addresses you enter here are stored in /etc/skipsmtpcheckhosts. These senders must still use an RFC-compliant HELO name if the Require RFC-compliant HELO setting is enabled.
 

Scott Laughead
This is only happening with my clients that use Exchange and authenticate through a single user to push out email.
Have you checked the exchange server's reputation as well?

Yes. I have checked the reputations for each Exchange server and there is either not enough mail flow to warrant a report on them, or if there is, they check out as very good.

Have you tried putting the Exchange server IP's in the only-verify recipient portion of the exim configuration?
Code:
Only-verify-recipient
Hosts or IP addresses that should be exempt from all spam checks at SMTP time, except recipient verification. Hosts or IP addresses you enter here ar

I just added my clients Exchange server IP into this list in Exim. It didn't help.

Code:
Trusted SMTP IP addresses
IP addresses exempt from all SMTP sender, recipient, spam, and relaying checks. IP addresses you enter here are stored in /etc/skipsmtpcheckhosts. These senders
I just added that same client IP address to this list AS WELL (so it is in both lists now), and that didn't help either.

SMTP mail scanner is still flagging them with a minimum spam score of 2.

Here are the Internet headers of the message they used to test outgoing email:

Code:
Received: from Server2012.corp.mydomain.com (my local ip) by
 Server2012.corp.mydomain.com (my local ip) with Microsoft SMTP Server (TLS) id
 15.0.1365.1 via Mailbox Transport; Wed, 6 Feb 2019 09:34:50 -0500
Received: from Server2012.corp.mydomain.com (my local ip) by
 Server2012.corp.mydomain.com (my local ip) with Microsoft SMTP Server (TLS) id
 15.0.1365.1; Wed, 6 Feb 2019 09:34:50 -0500
Received: from sjl0vm-hesra17.colo.sonicwall.com (ip of my hosted gateway filter) by
 Server2012.corp.mydomain.com (my local ip) with Microsoft SMTP Server (TLS) id
 15.0.1365.1 via Frontend Transport; Wed, 6 Feb 2019 09:34:49 -0500
Authentication-Results: sjl0vm-hesra17.colo.sonicwall.com;
   spf=pass [email protected];
Received: from my-mail-server.com ([my mail server IP])
   by sjl0vm-hesra17.colo.sonicwall.com ([ip of my hosted gateway filter]) (SonicWall 9.2.2.5291)
   with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256)
   id i201902061434571043596-15861; Wed, 06 Feb 2019 06:34:58 -0800
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
   d=client-domain.com; s=default; h=MIME-Version:Content-Type:Message-ID:
   Subject:Date:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
   Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
   :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
   List-Subscribe:List-Post:List-Owner:List-Archive;
   bh=xuOKNRjDX9oBhfXEkwZlBAvmjAwcOofqZRD/QCSm3kc=; b=nwnFxBl7oaldBwgBKb5dZT4bKz
   V1UPT7LVflr5Q/UDDpUaxS52ToWGjTUYyv4jAwhgN7eMPCID8eYwyLfZ2EYDwaDYIDSOttyfZCVbV
   Y7YNzYz/Jv4WfnRvDBUjqNpH0b07e+YqrQ9pgbqkw4H7GJ04e3ChEOp+Lltt0En2+Z8RWUehj+xfs
   wbu4lzFZr4Jqxefbz3lOP0NhMHDP0r/6/qJPBAEQvmsiA1EywZx4RlOpL0xe3n+IqVtxQnKiJ7ySg
   ieVATYm1FLpHXwyyvEsrYt6+e0d3t+IQenaF7C0KGZhm8gefHyOA4O2cE+w/v3U1pkEk6ud+n1WyA
   1vH4dUWw==;
Received: from [client exchange server ip] (port=19999 helo=remote.client-domain.com)
   by my-mail-server.com with esmtpsa (TLSv1:AES128-SHA:128)
   (Exim 4.91)
   (envelope-from <[email protected]>)
   id 1grOHY-00039x-KK
   for [email protected]; Wed, 06 Feb 2019 09:34:46 -0500
Received: from SERVER2008.client-exchange-name.local ([fe80::2064:c205:66cd:c7f2]) by
 SERVER2008.client-exchange-name.local ([fe80::2064:c205:66cd:c7f2%10]) with mapi; Wed, 6 Feb
 2019 09:34:41 -0500
From: Client Name <[email protected]>
To: My Name <[email protected]>
Date: Wed, 6 Feb 2019 09:34:40 -0500
Subject: Insurance
Thread-Topic: Insurance
Thread-Index: AdS+KQ1tQS10i5B8SaGLWVyb9ARX0w==
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
   boundary="_000_DE069E53D71B6A418AA8DF4168FF3A040781E984SERVER2008ltalo_"
MIME-Version: 1.0
X-OutGoing-Spam-Status: No, score=2.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - my-mail-server.com
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - client-domain.com
X-Get-Message-Sender-Via: my-mail-server.com: authenticated_id: [email protected]
X-Authenticated-Sender: my-mail-server.com: [email protected]
X-Source:
X-Source-Args:
X-Source-Dir:
X-Mlf-SPF: SPF Pass (result=pass;action=none;identity=MAILFROM;domain=client-domain.com;source=(my mail server IP address);details:allowedlist=consider;)
X-Mlf-DKIM: DKIM Disabled (result=disabled;)
X-Mlf-DMARC: DMARC Disabled (result=disabled;)
X-Mlf-Language-Detected: NoLanguageFilter_English
X-Mlf-Connecting-IP: (my mail server IP address)
X-Mlf-Country-Code: US
X-Mlf-Rules: rn;26.57[0.00884]
X-Mlf-SVM: sn;0.922:71:6:17:48
X-Mlf-Tp-MsgRecvd: 2019 02 06 1434
X-Mlf-Tp-Versions: DB1420;DC1420;DT1420;DV1420;HT1420;I41420;PB1420;SB1420;
X-Mlf-Tp-Versions: TT1420;WH1420;XB1420;
X-Mlf-Rules-Pos-Features: HEADERNGRAM_x-ms-tnef-correlator_acceptlanguage_
   3.90;HEADERNGRAM_acceptlanguage_content-type_3.81;HEADERNGRAM_thread-index_m
   essage-id_3.78;HEADERNGRAM_x-ms-has-attach_x-ms-tnef-correlator_3.21;HEADERN
   GRAM_subject_thread-topic_3.20;HEADERNGRAM_content-language_x-ms-has-attach_
   3.19;HEADERNGRAM_thread-topic_thread-index_3.13;HEADERNGRAM_accept-language_
   content-language_3.11;
X-Mlf-Rules-Neg-Features: ATTACHSIZE_0_-0.50;HEADERNGRAM_x-outgoing-spam-s
   tatus_x-antiabuse_-0.25;HEADERNGRAM_x-antiabuse_x-antiabuse_0.00;HEADERNGRAM
   _x-antiabuse_x-get-message-sender-via_0.00;HEADERNGRAM_x-authenticated-sende
   r_x-source_0.00;HEADERNGRAM_x-get-message-sender-via_x-authenticated-sender_
   0.00;HEADERNGRAM_x-source-args_x-source-dir_0.00;HEADERNGRAM_x-source_x-sour
   ce-args_0.00;
X-Mlf-Sliderbars: N4,B4,S4,L4,Q4,G4,A4,I4
X-Mlf-AV-DAT: 9158;201902061319;201902061322
X-Mlf-DSE-Version: 5485
X-Mlf-Rules-Version: s20190111180506; ds20171117204456;
   di20181214013800; ri20170405183854; fs20190111170037
X-Mlf-SVM-Version: 20180829092608; 0
X-Mlf-Smartnet-Version: 20190109010522
X-Mlf-Threat: nothreat
X-Mlf-Threat-Detailed: nothreat;other;none;none
X-Mlf-Version: 9.2.2.5291
X-Mlf-License: BSVKCAP_T_
X-Mlf-UniqueId: i201902061434571043596
Return-Path: [email protected]
X-MS-Exchange-Organization-Network-Message-Id: d6498e6b-3c50-4ca2-99e3-08d68c40403c
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: Server2012.corp.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
I appreciate the ideas so far. Hope this new information can help. Thank you so much.
 

cPanelLauren
Hi @Scott Laughead

Interesting that you have a DKIM record which is shown earlier in the headers but the check on DKIM is disabled:

Code:
X-Mlf-DKIM: DKIM Disabled (result=disabled;)
Also, the scores here may also be playing a part in this issue:

Code:
X-Mlf-Rules-Pos-Features: HEADERNGRAM_x-ms-tnef-correlator_acceptlanguage_
   3.90;HEADERNGRAM_acceptlanguage_content-type_3.81;HEADERNGRAM_thread-index_m
   essage-id_3.78;HEADERNGRAM_x-ms-has-attach_x-ms-tnef-correlator_3.21;HEADERN
   GRAM_subject_thread-topic_3.20;HEADERNGRAM_content-language_x-ms-has-attach_
   3.19;HEADERNGRAM_thread-topic_thread-index_3.13;HEADERNGRAM_accept-language_
   content-language_3.11;
X-Mlf-Rules-Neg-Features: ATTACHSIZE_0_-0.50;HEADERNGRAM_x-outgoing-spam-s
   tatus_x-antiabuse_-0.25;HEADERNGRAM_x-antiabuse_x-antiabuse_0.00;HEADERNGRAM
   _x-antiabuse_x-get-message-sender-via_0.00;HEADERNGRAM_x-authenticated-sende
   r_x-source_0.00;HEADERNGRAM_x-get-message-sender-via_x-authenticated-sender_
   0.00;HEADERNGRAM_x-source-args_x-source-dir_0.00;HEADERNGRAM_x-source_x-sour
   ce-args_0.00;

This is some other spam scanning, not SpamAssassin but a separate service.

I'm curious if you send the exact message to a domain being scanned by SpamAssassin if you'll get the same score. That way you could see the headers to identify what is being hit. I'm leaning heavily toward it being related to the attachments but there really isn't a way to tell at this point.
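The header chain posted above as a parse target, added here as an example that is not code from the thread, cPanel, Exim or SonicWall. Exim marks a hop it accepted over SMTP AUTH with the protocol names esmtpa/esmtpsa in its Received line (the trailing "a"), so the script picks out the authenticated submission hop and its HELO, compares the credential recorded in X-Get-Message-Sender-Via with the From: address (a shared relay login that does not match the sender is the same shape a stolen credential would have, which is what outbound scanning exists to catch), and keeps the cPanel score in X-OutGoing-Spam-Status separate from the X-Mlf-* feature weights, which the Received chain shows were added by the recipient-side SonicWall gateway after the message had left the relay. The sample headers are constructed with hypothetical hosts and addresses in the shape of the redacted ones posted; whether the real relay credential lives in the client's own domain is not visible in the redacted post and is assumed here only for illustration.

```python
"""Triage the header chain of a message relayed through an authenticated hop.

Added example for this thread, not cPanel, Exim or SonicWall code. From a
raw header block it answers: which Received hop was the SMTP AUTH
submission (Exim writes esmtpa/esmtpsa for that), whether the relay
credential matches the From: identity, and which scanner gave which score.
SAMPLE is constructed with hypothetical hosts and addresses.
"""
import email
import email.utils
import re

# Constructed sample: the client's Exchange box authenticates to the hoster's
# Exim with a shared relay credential; a downstream gateway scores the result.
SAMPLE = """\
Received: from 203.0.113.10 (port=19999 helo=remote.client-domain.example)
   by relay.hoster.example with esmtpsa (TLSv1:AES128-SHA:128)
   (Exim 4.91)
   (envelope-from <[email protected]>)
   id 1grOHY-00039x-KK
   for [email protected]; Wed, 06 Feb 2019 09:34:46 -0500
Received: from EXCH2008.client.local ([fe80::2064:c205:66cd:c7f2]) by
 EXCH2008.client.local ([fe80::2064:c205:66cd:c7f2%10]) with mapi; Wed, 6 Feb
 2019 09:34:41 -0500
From: Client Name <[email protected]>
To: Recipient <[email protected]>
Subject: Insurance
X-OutGoing-Spam-Status: No, score=2.0
X-Get-Message-Sender-Via: relay.hoster.example: authenticated_id: [email protected]
X-Authenticated-Sender: relay.hoster.example: [email protected]
X-Mlf-Rules-Pos-Features: HEADERNGRAM_x-ms-tnef-correlator_acceptlanguage_
   3.90;HEADERNGRAM_acceptlanguage_content-type_3.81;HEADERNGRAM_thread-index_m
   essage-id_3.78;
X-Mlf-Rules-Neg-Features: ATTACHSIZE_0_-0.50;HEADERNGRAM_x-outgoing-spam-s
   tatus_x-antiabuse_-0.25;
X-Mlf-Threat: nothreat

(body omitted)
"""

AUTH_PROTOS = {"esmtpa", "esmtpsa", "smtpa", "smtpsa"}  # trailing 'a' = AUTH used
FEATURE_RE = re.compile(r"([^;]+?)_(-?\d+\.\d+);")     # NAME_weight; entries


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def received_hops(msg):
    """Parse each Received header (newest first) into from/helo/by/with/id."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())  # unfold the header
        hops.append({
            "from": _field(r"^from\s+(\S+)", text),
            "helo": _field(r"helo=([^\s)]+)", text),
            "by": _field(r"\bby\s+(\S+)", text),
            "with": _field(r"\bwith\s+([^\s;]+)", text),
            "id": _field(r"\bid\s+([^\s;]+)", text),
        })
    return hops


def authenticated_hop(hops):
    """The hop where an MTA accepted the message over SMTP AUTH, if any."""
    for hop in hops:
        if (hop["with"] or "").lower() in AUTH_PROTOS:
            return hop
    return None


def relay_identity(msg):
    """Compare the credential used at the relay with the From: address."""
    via = msg.get("X-Get-Message-Sender-Via", "")
    auth_id = (via.rsplit("authenticated_id:", 1)[-1].strip()
               if "authenticated_id:" in via else None)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    auth_dom = auth_id.rpartition("@")[2].lower() if auth_id else ""
    from_dom = from_addr.rpartition("@")[2].lower()
    # a bare cPanel username carries no domain, so it can never "match"
    return {"authenticated_id": auth_id, "from": from_addr,
            "same_domain": bool(auth_dom) and auth_dom == from_dom}


def scanner_verdicts(msg):
    """cPanel's outbound total and the gateway's weighted features, if present."""
    score = _field(r"score=(-?\d+(?:\.\d+)?)", msg.get("X-OutGoing-Spam-Status", ""))
    features = []
    for name in ("X-Mlf-Rules-Pos-Features", "X-Mlf-Rules-Neg-Features"):
        for raw in msg.get_all(name, []):
            packed = re.sub(r"\s+", "", raw)  # folding splits entries mid-token
            features += [(f, float(w)) for f, w in FEATURE_RE.findall(packed)]
    features.sort(key=lambda fw: fw[1], reverse=True)
    return {"cpanel_score": float(score) if score else None,
            "gateway_threat": msg.get("X-Mlf-Threat"),
            "gateway_features": features}


def triage(raw):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    return {"hops": hops, "authenticated_hop": authenticated_hop(hops),
            "identity": relay_identity(msg), **scanner_verdicts(msg)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the raw headers of both the webmail-sent copy and the Exchange-relayed copy of the same text; the outputs should differ only in the submission hop (its source IP and HELO) and in the authenticated identity, which narrows what the relay-side scanner can be keying on, while the gateway_features list shows what the recipient's filter weighted after the fact.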
 

Scott Laughead
Hello Lauren,

Sorry this has taken so long to get back to you on this matter. I have indeed added their Exchange server IP address to the Trusted SMTP IP addresses, and I also added it to Only-verify-recipient. This still does not appear to be helping. I have indeed checked the reputation of the Exchange server IP; it comes back clean and good.

If you send from their webmail account on the server, it comes back with an initial spam score of -1. Even with Only-verify-recipient and Trusted SMTP, it is still scanning for spam and marking it with a spam score of 2 or more if it leaves from their Exchange server. Like I said, none of this was occurring prior to the beginning of the year; now it is. No settings have been changed in the system except what you have requested I try to fix this.

I don't know why it is even scanning the email leaving from this IP/domain after adding them to the exempt list.

I know that the current version of cPanel I am using is coming to end of life on March 31st, 2019, and I have plans with my server company to update it before then. Do you think this end-of-life product is causing this issue, or is it something specific to the Exchange boxes and their IP addresses? As I said, this is only occurring with my Exchange customers since the beginning of the year. This makes me think it is Exchange, but when everything comes back solid (no blacklists, good SPF, good PTR, sender reputation very high), why would MY SERVER, the outbound SMTP server that they are authenticating to, be scoring spam at such a high level on general correspondence?

Any additional brainstorming is much appreciated. Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @Scott Laughead,

Could you open a support ticket so we can take a closer look at the affected system to get a better idea of what's happening? You can post the ticket number here and I'll link this thread to it.

Thank you.