Restored Exim defaults, now all in spam

[adeyjones]

Hi, one of my servers was set to send all email via Amazon SES but I was forgetting to verify new accounts and it was becoming a pain so I restored Exim back to all defaults to scrap the whole SES thing.

Since doing that, all outgoing mail is now being delivered to spam. I have just had a system email sent to myself which went to junk so looking at the message header and it has the following:

X-Spam-Report: Spam detection software, running on the system "HOSTNAME", has identified this incoming email as possible spam.
The original message has been attached to this so you can view it or label similar future email.
If you have any questions, see root\@localhost for details.
Content preview: Time: Thu Oct 13 10:18:06 2022 +0100 IP: xx.xx.xx.xx (GB/United Kingdom/-) User: root Log line: xx.xx.xx.xx - root [10/13/2022:09:18:02 -0000] "GET /favicon.ico HTTP/1.1" 200 0 "https://xx.xx.org.uk:2087/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML [...]
Content analysis details: (8.9 points, 5.0 required) pts rule name
description ---- ---------------------- -------------------------------------------------- 0.8 BAYES_50
BODY: Bayes spam probability is 40 to 60% [score: 0.5000] 0.0
WEIRD_PORT URI: Uses non-standard port number for HTTP 1.0
KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods 2.6
RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.0
KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment 2.5
KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place 2.0
HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1) 0.0
X-Spam-Bar: ++++++++

- How do I check what post number my server it using for http, I would assume it is 80 as I don't remember ever changing this but the email has been given 1 post for a "weird port number".
- What are anti-forgery methods, why would I need them and how do I get them? I've never heard of this in all my years however i'm open to looking in to this if it is something I need.
- DKIM or SPF Failure, I have recently used the recommended settings from email deliverability and these are in place so not sure why this is failing.
- There is 2 points for a short message containing little more than a link, however this email was a WHM/cpanel root access alert so that cannot be helped, can these be excluded from the rule some how?

Thanks in anticipation.

 

[cPRex]

Hey there! It's always possible your server's IP just has a poor reputation, but that would not have been a factor when your mail was routed through the SES system. I'd recommend checking your server's main IP address with a tool like Email Blacklist Check - IP Blacklist Check - See if your server is blacklisted to see if it shows up in any of the major blacklists there.

Unless you've made custom changes to the machine, the port number would be 80 and 443, but you can confirm this in WHM >> Tweak Settings under the "Apache non-SSL IP/port" and "Apache SSL port" value.

The anti-forgery methods are just the typical things we recommend - rDNS/PTR, DKIM, SPF, all those types of things. Do you have proper reverse DNS in place for the IP address that sends mail? This is something that would be setup by your host.

There are online tools that will check the validity of your SPF and DIM, so you may want to scan your domain with those to ensure they are working as expected.

I see the standard root access alert is seven lines so I'm not sure why that would be flagged as too short.

 

[adeyjones]

Hey @cPRex - I have checked the IP at mxtoolbox.com and that's all fine.

I can confirm the ports are still set as default 80/443.

Regarding rDNS, I remember someone on this forum helping me a couple of weeks ago setting up an rDNS on the elastic IP of one of my other servers in my AWS dashboard, i've just checked my elastic IP's and this one is the only one out of 4 which doesn't have a rDNS so I have done that now. Will see how I get on with that now.

And the root access alert email I got did contain seven lines (though 2 are blank):

Time: Thu Oct 13 10:18:06 2022 +0100
IP: xx.xx.xx.xx (GB/United Kingdom/-)
User: root

Log line:

xx.xx.xx.xx - root [10/13/2022:09:18:02 -0000] "GET /favicon.ico HTTP/1.1" 200 0 "https://xx.xx.org.uk:2087/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Safari/605.1.15" "s" "-" 2087

Maybe you'll need to stick a funky cPanel email signature on these so they're no longer seen as too short.

 

[cPRex]

Just to confirm, was it the cPanel mailserver marking that message as too short, or was it the remote server? I can't tell from the previous output.

 

[adeyjones]

It was in the message header from the recipient server, however they're both WHM/cPanel servers (both mine), was an email from one of my servers (hence root access alert) being sent to my own account on another one of my servers.

 

[cPRex]

Thanks for that - let me do some testing on this and I'll reply once I have more details.

 

[cPRex]

Oh, I just realized those notifications are from LFD, which is part of CSF, so that's not something we could adjust on our end anyway. You'd need to poke CSF at Support – ConfigServer Services to have them tweak that specific notification.