sending from webmail triggers Spamassassin rules

EneTar

Well-Known Member
Dec 19, 2015
159
12
68
Greece
cPanel Access Level
Root Administrator
Hi, I noticed today, using these 2 services:
Newsletters spam test by mail-tester.com
Is Not Spam - Online Spam checker for newsletters and email marketing

that when I send from webmail (I tried both Horde and Roundcube)

there is a line which I think triggers a couple of rules in SpamAssassin. Please note that when sending from an email client this doesn't happen.

So I noticed that there are 2 lines.

First:
Code:
Received: from my.hostname.eu ([server.public.ip.here] helo=accountuser.com)
The line above seems to be correct; however, I think the following line is to be questioned:
Code:
Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
I may be mistaken but it seems to trigger
FSL_HELO_BARE_IP_2 (IP used in the HELO request. The hostname should be a domain name, not an IP address)

and

RCVD_NUMERIC_HELO (Received: contains an IP address used for HELO)

I think it should be localhost or the hostname instead of [127.0.0.1]

Can you try to see if you have the same issue? I have already tried with 3 servers. All have the same result. All servers have "Send mail from account's dedicated IP address" enabled in the Exim Configuration.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,309
363
Houston
Hi @EneTar

Can you tell me what you have (if anything) in /etc/mailhelo?

This may be a false positive but I will attempt to replicate on our side as well, I'll update here once complete.


Thanks!
 

EneTar

Well-Known Member
Dec 19, 2015
159
12
68
Greece
cPanel Access Level
Root Administrator
Hi @cPanelLauren. On one of my servers /etc/mailhelo has the domains and subdomains of the dedicated IPs. On the other 2 servers the file is empty. (All servers, though, have the same behavior I described in my first post.) However, please note that all servers have "Send mail from account's dedicated IP address" enabled in the Exim Configuration, which, as far as I know, means the system doesn't use the /etc/mailhelo file when it is enabled.

Did you replicate this on your end?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,309
363
Houston
Hi @EneTar

I attempted to replicate with a testing server with 2 IPs and "send from account's dedicated IP address" enabled on the server. Unfortunately, I did not get the same results as you did; there was no reference to FSL_HELO_BARE_IP_2.

Please keep in mind this is a testing server and I didn't have DKIM added, nor did I have rDNS implemented. With that being said, the errors I received seem to be accurate.


Code:
The famous spam filter SpamAssassin. Score: -2.6.
A score below -5 is considered spam.
-0.8    DKIM_ADSP_NXDOMAIN    No valid author signature and domain not in DNS
-0.1    DKIM_SIGNED    Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See immediately below.
-0.379    NO_DNS_FOR_FROM    Envelope sender has no MX or A DNS records
-1.274    RDNS_NONE    Delivered to internal network by a host with no rDNS
This may be a false-positive, please check the reverse DNS test below to confirm or not this issue
-0.01    T_DKIM_INVALID    Your DKIM signature is not valid
Have a look at our DKIM test below to know why
Re-looking at your earlier response:
I think it should be localhost or the hostname instead of [127.0.0.1]
127.0.0.1 is fine. When looking at our test email, it's received from the IPv6 equivalent:

Code:
Received: from [::1] (port=48760 helo=server.example.com)
    by server.example.com with esmtpa (Exim 4.90_1)
Though we haven't made modifications to /etc/mailhelo in our case - just what was added automatically with enabling "send mail from account's dedicated IP."

What's your rDNS set to currently? Which webmail client are you sending from? I wonder if the issue is specific to one of the clients as noted in this forum post: SOLVED - OP address used for HELO

Thanks!
 

EneTar

Well-Known Member
Dec 19, 2015
159
12
68
Greece
cPanel Access Level
Root Administrator
Please try isnotspam.com; it outputs the headers of the received email.

In my case there is this output from SpamAssassin (please ignore the Bayes rules, because it was just a test message with bogus content):
Code:
X-Spam-Report:
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
* 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 0.1 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 1.5 FSL_HELO_BARE_IP_2 No description available.
X-Spam-Status: Yes, hits=6.4 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_HELO_BARE_IP_2,HTML_MESSAGE,
RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no
rDNS is set up correctly and I have no issues with that.
I tried both Horde and Roundcube. It's the same. I wish I had access to another server's webmail as well to try once more, or perhaps somebody else with a real server could try the isnotspam.com service to give us some more feedback about webmail messages.

Question: when you see the headers from isnotspam.com how many lines starting with

Code:
Received: from ....
do you see? Can you post them here and hide any private data?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,309
363
Houston
Hi @EneTar

Actually, I'd really like to see if you can provide me the full headers of the message. I think you might be on to something but I would need to see your full headers to know for sure.

Thanks!
 

EneTar

Well-Known Member
Dec 19, 2015
159
12
68
Greece
cPanel Access Level
Root Administrator
@cPanelLauren Do you want me to post here, hiding any private data (hiding data in email headers sometimes confuses and is harder to understand), or is there any way to contact you privately and provide all data?
 

EneTar

Well-Known Member
Dec 19, 2015
159
12
68
Greece
cPanel Access Level
Root Administrator
OK, I've hidden some IDs, usernames and IPs (I think it is obvious what they mean) and I scrambled some base64 encoding I wasn't sure about.

The important stuff is:
[email protected]
server.public.ip.here
my.hostname.eu
home.user.ip.here


Here are the full headers:

Code:
From [email protected] Wed May 09 10:21:10 2018
Return-path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
localhost.localdomain
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Report:
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
* 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 0.1 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 1.5 FSL_HELO_BARE_IP_2 No description available.
X-Spam-Status: Yes, hits=6.4 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_HELO_BARE_IP_2,HTML_MESSAGE,
RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no
version=3.4.0
Envelope-to: [email protected]
Delivery-date: Wed, 09 May 2018 10:21:10 +0000
Received: from my.hostname.eu ([server.public.ip.here] helo=domain.com)
by localhost.localdomain with esmtp (Exim 4.84_2)
(envelope-from <[email protected]>)
id 1fGMDe-000Aha-1j
for [email protected]; Wed, 09 May 2018 10:21:10 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=domain.com;
s=default; h=MIME-Version:Content-Type:Subject:To:From:Message-ID:Date:
Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
....hidden.....
Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
by my.hostname.eu with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.90_1)
(envelope-from <[email protected]>)
id 1fGMDY-0002OC-Bj
for [email protected]; Wed, 09 May 2018 13:21:04 +0300
Received: from home.user.ip.here ([home.user.ip.here]) by domain.com (Horde Framework)
with HTTPS; Wed, 09 May 2018 10:21:04 +0000
Date: Wed, 09 May 2018 10:21:04 +0000
Message-ID: <[email protected]>
From: My Name <[email protected]>
To: [email protected]
Subject: test email from Horde
User-Agent: Horde Application Framework 5
Content-Type: multipart/alternative; boundary="=_WDUa34dfdGFFY2PJxGrrFbf"
MIME-Version: 1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - my.hostname.eu
X-AntiAbuse: Original Domain - isnotspam.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - domain.com
X-Get-Message-Sender-Via: my.hostname.eu: authenticated_id: [email protected]
X-Authenticated-Sender: my.hostname.eu: [email protected]
X-Source:
X-Source-Args:
X-Source-Dir:
X-DKIM-Status: pass (domain.com)
This message is in MIME format.

--=_WDUa34dfdGFFY2PJxGrrFbf
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
Content-Description: Plaintext Message
Content-Disposition: inline

.....Hi there message content here....
Do you see anything wrong?
Please let me know if you need any further details.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,309
363
Houston
What I'm looking for is one of these lines:

Received: from my.hostname.eu ([server.public.ip.here] helo=domain.com)
Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
to have an IP address, and neither of them does.

Looking through threads here and elsewhere on this issue, it's one of a few things:

  • A false positive from SpamAssassin - the threads here indicate a false positive with Mail-Tester, but I'm more inclined to lean on SpamAssassin since it occurs with the SA rules through multiple testing products - The hostname should be a domain name, not an IP
  • The rDNS is incorrect - While I don't know what your rDNS is currently you did note that it was correct. This originates from the following Mailing List Archive: FSL_HELO_BARE_IP_2 rule?
  • There is actually an IP in the line helo= - There were some cases where the mail client was using the IP as the helo but I'm not seeing that occurring here.


Now, what I am curious about is whether it's reporting (incorrectly) an invalid HELO because it assigns the mailhelo as the domain name rather than the hostname.

Code:
# cat /etc/mailhelo
example.com: example.com
To test that though, I'd like to see if it would be possible for you to do the following:

  1. Disable (temporarily) "Send mail from account's dedicated IP"
  2. Enable Reference /etc/mailhelo for outgoing SMTP HELO
  3. Enable Reference /etc/mailips for outgoing SMTP connections
  4. Modify /etc/mailhelo to the following:
    Code:
    *: <yourhostnamehere>
  5. Modify /etc/mailips to the following:
    Code:
    domain: <DedicatedIPAddressHere>
  6. Test sending again
Thanks!
 
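The disagreement in the posts above comes down to which part of an Exim-style Received: line a rule is looking at: the token right after "from" (the connecting host, which for a local webmail submission is the bracketed loopback literal) or the explicit helo= value. The following is an added example, not code from the thread or from cPanel/SpamAssassin: it parses the Received: lines quoted in the thread (plus two constructed lines using TEST-NET addresses) and separates the two fields, then applies a simplified IPv4-literal check to each. The regexes are my own approximation and are not the real RCVD_NUMERIC_HELO or FSL_HELO_BARE_IP_2 definitions; the point is to see, per line, which field would trip such a check, and that an IPv4-only pattern does not match the [::1] line from the staff test server.

```python
"""Separate the "from" token and the helo= value of Exim-style Received: lines.

Added example for the forum thread above; the detection patterns are
assumptions, not SpamAssassin's actual rule regexes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the headers quoted in the thread.
# Placeholders such as server.public.ip.here are kept as the thread wrote them;
# 203.0.113.7 and 192.0.2.5 are documentation (TEST-NET) addresses, not real hosts.
SAMPLE_RECEIVED = [
    "Received: from my.hostname.eu ([server.public.ip.here] helo=domain.com) "
    "by localhost.localdomain with esmtp (Exim 4.84_2)",
    "Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu) "
    "by my.hostname.eu with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1)",
    "Received: from [::1] (port=48760 helo=server.example.com) "
    "by server.example.com with esmtpa (Exim 4.90_1)",
    # constructed: bare IPv4 in the "from" position, no helo= field
    "Received: from 203.0.113.7 ([203.0.113.7]) by mail.example.net with esmtp (Exim 4.90_1)",
    # constructed: the client really did HELO with an IP address
    "Received: from [192.0.2.5] (port=1234 helo=192.0.2.5) by mail.example.net with esmtpa (Exim 4.90_1)",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)", re.I)
HELO_RE = re.compile(r"\bhelo=([^\s)]+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


@dataclass
class ReceivedInfo:
    from_token: str        # token immediately after "from" (host name or [ip] literal)
    helo: Optional[str]    # value of helo=, if Exim recorded one
    by: Optional[str]      # receiving host


def parse_received(line: str) -> ReceivedInfo:
    """Extract the three fields from one Received: header line."""
    m = FROM_RE.match(line)
    if not m:
        raise ValueError("not a Received: header: %r" % line)
    helo = HELO_RE.search(line)
    by = BY_RE.search(line)
    return ReceivedInfo(m.group(1), helo.group(1) if helo else None, by.group(1) if by else None)


def is_ipv4_literal(token: str) -> bool:
    """True for 127.0.0.1 or [127.0.0.1]; False for host names and IPv6 literals such as [::1]."""
    return re.fullmatch(r"\[?" + IPV4 + r"\]?", token) is not None


def numeric_from_token(line: str) -> bool:
    """Assumed check A: the connecting-host token after 'from' is an IPv4 literal."""
    return is_ipv4_literal(parse_received(line).from_token)


def numeric_helo_field(line: str) -> bool:
    """Assumed check B: the explicit helo= value is an IPv4 literal."""
    helo = parse_received(line).helo
    return helo is not None and is_ipv4_literal(helo)


def report(lines: List[str]) -> List[dict]:
    """Per-line summary showing which field (if any) an IPv4-literal check would flag."""
    rows = []
    for line in lines:
        info = parse_received(line)
        rows.append({
            "from": info.from_token,
            "helo": info.helo,
            "by": info.by,
            "numeric_from": numeric_from_token(line),
            "numeric_helo": numeric_helo_field(line),
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_RECEIVED):
        print(row)
```

Running it shows that only the webmail-submission line ([127.0.0.1]) and the two constructed lines have an IPv4 literal in the "from" position, while the helo= value is a host name everywhere except the last constructed line. When triaging a rule hit, an administrator can use this split to decide whether the fix belongs in the HELO configuration (/etc/mailhelo, hostname) or whether the hit is a property of how the local submission hop is recorded.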

EneTar

Well-Known Member
Dec 19, 2015
159
12
68
Greece
cPanel Access Level
Root Administrator
Hi @cPanelLauren


Isn't 127.0.0.1 still an IP although it is the localhost IP?

Code:
Received: from [127.0.0.1] (port=48342 helo=my.hostname.eu)
Furthermore, I ran 2 more tests from one cPanel server to another cPanel server and vice versa. This is the result from the 2:

Code:
0.9 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
Code:
1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
Please note that I don't see the rule FSL_HELO_BARE_IP_2. This specific rule is not documented in SpamAssassin and it seems to overlap with a couple of other rules. Mailing List Archive: FSL_HELO_BARE_IP_2 rule?

FALSE POSITIVE
Anyway, from the point that RCVD_NUMERIC_HELO is triggered when sending from one cPanel server to the other, it's not a false positive of the mail-tester software. It's either a false positive of SpamAssassin or a real issue.

rDNS
About the rDNS: what test do you want me to run to exclude any rDNS issue? Although I think that in case of a misconfigured rDNS SpamAssassin triggers a few rules which I don't see on any of my tests.


The outcome of this thread, "The hostname should be a domain name, not an IP", is that:

Hello,

To update this thread, the issue was that this is most likely a false positive with mail-tester.com. Other checking services showed that the HELO was correct.
However, I've just shown that this happens on multiple sources, even from a cPanel server to another.

Continuing with the test you specified.

Here are all Received: headers from top to bottom of the message:

Code:
Received: from recipients.hostname.here
....
Received: from sender.hostname.here ([sender.server.ip.here]:44190)
...
Received: from [127.0.0.1] (port=39202 helo=sender.hostname.here)
....
Received: from public.user.ip.here ([public.user.ip.here]) by senderdomain.com (Horde Framework) with
...
  1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
  ....

So it's the same. Can't you find 2 cPanel servers properly set up so that you can run this test?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,309
363
Houston
Isn't 127.0.0.1 still an IP although it is the localhost IP?
Yes, but this is normal, and we can clearly see on my test server that it does the IPv6 equivalent (::1) with no matching of that rule.

Code:
Received: from [::1] (port=48760 helo=server.example.com)
    by server.example.com with esmtpa (Exim 4.90_1)
This is saying Received: from [127.0.0.1] and, in the context of what you're looking for, is irrelevant. The concern should be the helo= field, which clearly states a domain in all cases.

So it's the same. Can't you find 2 cPanel servers properly set up so that you can run this test?
The servers I'm setting up are using cPanel and are properly configured and don't encounter this issue, which is why I'm experiencing difficulty replicating this; I've used internal testing servers and my own personal servers. At this point, I'd like to see if it would be possible for you to open a ticket using the link in my signature so we can take a closer look at your configuration specifically. Please update this post with the ticket ID once it's open.

Thanks!