On 25 Apr 2021, at 22:26, Alan wrote:
On 2021-04-25 19:31, Bill Cole wrote:
On 25 Apr 2021, at 18:40, Alan wrote:
[...]
If I recall correctly, the "X-OutGoing-Spam-Status" header which
triggers that rule (with some exemptions) is not actually used by
anything within cPanel, and a non-spam result in that header
certainly should not be trusted anywhere but the system generating
it. So it may be helpful to do the scan but to forego adding the
header or to at least make cPanel use a local name.
I've posted to a 13 month old thread on the cPanel forums that was
left at "we'll update you", asking for an update. I can't see any
useful purpose to having that header in there.
It is probably worth digging into the cPanel exim.conf editor (I don't
recall what they call it, but it's there somewhere at the WHM level...)
to kill the header. You may want to look through the deployed exim.conf
to make sure that it's not somehow using the header for internal
communication between different stages of handling.
Obfuscated headers follow. Haven't dug into it but it looks like
another FP on KAM_MXURI, I'm guessing that's because the message is
coming from my.our-domain.net and "my" is close enough to "mx", which
would be unfortunate.
If KAM_MXURI is hitting on 'my' then it is not from the current version
of KAM.cf. I have a vague recollection of a 'my.' URI match somewhere
being removed recently for too many FPs, but I can't find evidence of it
being here. The current version of that rule is:
uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
So, that would likely be a body URI hit, as I see no match in the
headers.
At least the NUMERIC_HTTP_ADDR is something I can fix.
MPART_ALT_DIFF should also be fixable simply by making the text/plain
part of the message a reasonable rendering of the HTML part or by only
sending a text/plain message, which would be even safer but I find hard
to get anyone to do. I guess sending only HTML would achieve the same
thing, but, ewwww.
You also should look at your trusted_networks and internal_networks
settings. If I'm understanding this correctly through the obfuscation,
it should have hit ALL_TRUSTED. Keep in mind that trusted_networks is
machines whose MTAs you trust to not forge Received headers; it is not
necessarily machines you trust to not send spam. That won't help with
mail leaving your system, but it will give mail from your machines to
you a strong advantage.
Return-Path: <our-domain.supp...@our-domain.com>
Delivered-To: our-domain.supp...@our-domain.com
Received: from ssc010.our-domain.net
by ssc010.our-domain.net with LMTP
id KGkdFSHVhWBRCgAAk/bwIA
(envelope-from <our-domain.supp...@our-domain.com>)
for <our-domain.supp...@our-domain.com>; Sun, 25 Apr 2021 16:46:25
-0400
Return-path: <our-domain.supp...@our-domain.com>
Envelope-to: our-domain.supp...@our-domain.com
Delivery-date: Sun, 25 Apr 2021 16:46:25 -0400
Received: from our-server.our-domain.net ([100.101.102.103]:34044)
by ssc010.our-domain.net with esmtps (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94)
(envelope-from <our-domain.supp...@our-domain.com>)
id 1lale4-0002xo-LD
for our-domain.supp...@our-domain.com; Sun, 25 Apr 2021 16:46:25
-0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=my.our-domain.net; s=default;
h=Content-Transfer-Encoding:Content-Type:
MIME-Version:Message-ID:Subject:Reply-To:From:To:Date:Sender:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=j53ixXbMXzxOWOuh7uN7dlHw0Vr6LfiGnD/j577LPKs=;
b=0nJJlFR/3NPsGrwKOpTGdc+6Vu
YO7UqkOwYydYNQijRJqe0dxqUwdHt06x57tx1DhoAJC/EmM6buHejeghdXLO+K+X3Di9rQ/hU85bj
uvZnd2jvf4kn/Hg47bCEw7/3oByYNbTJ8VK2WhNTb6x3q0zsbT//ODf5t2afLOM1SqWNW65i2YR2J
OvoY+VLh6dH44zhssa0XWuDZ+JYJYKoDMYKLN5SQ9PLqu+tQo50frwLmvfULLqP5scNCir9xWvDHH
/WRF490NRwD5ljrTNxAxT6xQgTQV2KGM/ND6WnajJJpT5JeAsGP41C/YzNUOZyhX62DNB4XbYId6b
Mgj3eN4w==;
Received: from [100.101.102.103] (port=54664 helo=my.our-domain.net)
by our-server.our-domain.net with esmtpsa (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94)
(envelope-from <our-domain.supp...@our-domain.com>)
id 1lale3-0002hS-Sp; Sun, 25 Apr 2021 16:46:24 -0400
Date: Sun, 25 Apr 2021 20:46:23 +0000
To: "First Last (Customer, Inc.)" <first-l...@their-domain.com>
From: "our-domain Inc." <our-domain.supp...@our-domain.com>
Reply-To: "our-domain Inc." <our-domain.supp...@our-domain.com>
Message-ID:
<rqx1wokfk2hpwh7li3bl39dqajytzhujijod1cf...@my.our-domain.net>
X-Mailer: our-domain Inc.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_rqx1wOkfk2HPwH7li3bl39DQAjYTzhuJiJOD1cfpxU"
Content-Transfer-Encoding: 8bit
X-OutGoing-Spam-Status: No, score=1.3
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - our-server.our-domain.net
X-AntiAbuse: Original Domain - our-domain.com
X-AntiAbuse: Originator/Caller UID/GID - [xx yy] / [xx yy]
X-AntiAbuse: Sender Address Domain - our-domain.com
X-Get-Message-Sender-Via: our-server.our-domain.net: authenticated_id:
system-nore...@my.our-domain.net
X-Authenticated-Sender: our-server.our-domain.net:
system-nore...@my.our-domain.net
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam-Status: Yes, score=6.7
X-Spam-Score: 67
X-Spam-Bar: ++++++
X-Spam-Report: Spam detection software, running on the system "ssc010.our-domain.net",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: our-domain Hosting Services To protect against forged messages,
we are using a verification code, set by you, in every message we send. Please
check the code below against the value you set. If you have not set a verification
co [...]
Content analysis details: (6.7 points, 5.0 required)
 pts rule name                description
---- ------------------------ --------------------------------------------------
 0.0 URIBL_BLOCKED            ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
                              http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information. [URIs: list-manage.com]
 0.8 BAYES_50                 BODY: Bayes spam probability is 40 to 60% [score: 0.5000]
-0.0 SPF_HELO_PASS            SPF: HELO matches SPF record
-0.0 SPF_PASS                 SPF: sender matches SPF record
 0.0 WEIRD_PORT               URI: Uses non-standard port number for HTTP
 1.2 NUMERIC_HTTP_ADDR        URI: Uses a numeric IP address in URL
 1.5 KAM_MXURI                URI: URI begins with a mail exchange prefix, i.e. mx.[...]
 0.0 NORMAL_HTTP_TO_IP        URI: URI host has a public dotted-decimal IPv4 address
 0.0 HTML_MESSAGE             BODY: HTML included in message
 0.8 MPART_ALT_DIFF           BODY: HTML and text parts are different
 0.1 MIME_HTML_MOSTLY         BODY: Multipart message mostly text/html MIME
 0.1 DKIM_SIGNED              Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID               Message has at least one valid DKIM or DK signature
 2.3 HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
X-Spam-Flag: YES
Subject: ***SPAM*** New Account Information
--
For SpamAssassin Users List
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
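The KAM_MXURI pattern quoted above, run over a constructed message body as an added example that is not part of the original thread; it shows that the sender host my.our-domain.net cannot satisfy the rule, so any hit must come from a link in the body. SpamAssassin's own URI extraction is approximated here with a simple http(s) regex (an assumption of this example, not SpamAssassin's code).

```python
import re

# KAM_MXURI exactly as quoted in the thread; Perl's /i becomes re.IGNORECASE.
KAM_MXURI = re.compile(r'^(?:http://)?(mail|mx)\..{1,40}\..{1,8}', re.IGNORECASE)

# Stand-in for SpamAssassin's URI parsing (assumption: real SA is more thorough).
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample body (not the original message): the sending host's name
# appears as plain text, plus two links of the kind a notification might carry.
SAMPLE_BODY = """\
our-domain Hosting Services
Sent from my.our-domain.net
Verify your code: http://100.101.102.103:8080/verify
Manage preferences: http://mail.list-manage.example/unsub?u=1
"""

def extract_uris(body):
    """Return the http(s) URIs found in a message body, in document order."""
    return URL_RE.findall(body)

def kam_mxuri_hits(uris):
    """Return the URIs the quoted KAM_MXURI regex matches."""
    return [u for u in uris if KAM_MXURI.search(u)]

def would_hit_on_host(hostname):
    """True if a bare hostname alone satisfies the rule ('my.' never does)."""
    return KAM_MXURI.search(hostname) is not None

if __name__ == "__main__":
    found = extract_uris(SAMPLE_BODY)
    print("URIs in body:", found)
    print("KAM_MXURI hits:", kam_mxuri_hits(found))
    for host in ("my.our-domain.net", "mx.our-domain.net"):
        print(f"{host}: {'hit' if would_hit_on_host(host) else 'no hit'}")
```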