Outgoing spam scanning: Don't calculate spam score using authenticated IPs with RBLs, DNS, Hello or SPF records

rocksolidhq shared this idea 4 years ago
Completed

While I appreciate now being able to filter outbound messages, it would be nice to have the option to apply a set of rules and thresholds that are not tied to the inbound mail filtering.

We've been finding that some of our less savvy users jot quick notes in e-mail that are being blocked by the outbound filters and are then stymied by an NDR.

This results in our support team spending quite a bit of time trying to rephrase the original message to become acceptable to SpamAssassin.

Best Answer
photo

This is now available in 11.48+

We will update this functionality in 11.48 to disable RBL and IP checks on the outgoing scan since these checks are generating false positives because they run against the authenticated sender who is likely not a mail server.

This has been assigned case 121289 for internal tracking.

Comments (14)

photo
1

Sorry about the formatting of the request above. The line breaks were removed when I sent the request and cPanel's feature validation team didn't bother to put them back (shame we don't have a preview page before submitting final report).

I believe this to be more of a bug report than a feature request.

The feature to scan outgoing mail has already been voted for and is advertised as implemented. However, outgoing mail for users authenticated by SMTP is scanned for:

RBLs on user's IP (Spamhaus Zen lists ADSL IPs, thus making most users be on this list)

SPF on user's IP (if you enforce SPF to the server's IP, this makes your user unable to send any e-mail because the SPF check is run against the ADSL IP and not the server's IP)

Delivered direct to MX with Outlook headers: Outlook users shouldn't send e-mail either…

etc.

You can't set a spam score any lower than 15 or 20 with the current settings.

photo
1

We are using an external filter service (SpamExperts) for incoming mails. But we want to use SpamAssassin to filter the outgoing mails. Therefore it would be really great to disable the inbound filtering but enable the outbound filtering. Splitting these two features would also make sense for us.

photo
1

There is a bug report about this. Users are getting SPF and RBLs applied to their local ADSL IPs although they are authenticated.

photo
1

monarobase wrote:

Sorry about the formatting of the request above. The line breaks were removed when I sent the request and cPanel's feature validation team didn't bother to put them back (shame we don't have a preview page before submitting final report).

I believe this to be more of a bug report than a feature request.

The feature to scan outgoing mail has already been voted for and is advertised as implemented. However, outgoing mail for users authenticated by SMTP is scanned for:

RBLs on user's IP (Spamhaus Zen lists ADSL IPs, thus making most users be on this list)

SPF on user's IP (if you enforce SPF to the server's IP, this makes your user unable to send any e-mail because the SPF check is run against the ADSL IP and not the server's IP)

Delivered direct to MX with Outlook headers: Outlook users shouldn't send e-mail either…

etc.

You can't set a spam score any lower than 15 or 20 with the current settings.

I attempted to clean up the SpamAssassin output formatting by re-adding line breaks and then wrapping it in a code block.

Regarding a solution to your request, would it be acceptable if there was an option that would limit outbound scanning to only unauthenticated senders?

photo
1

No, we've had a few customers with viruses on their computers that send spam using their e-mail software. These e-mails should be bounced based on the contents of the e-mails being spam.

We need to scan all outgoing mail for spam but not run checks based on authenticated user's IP addresses.

On one server we have managed to change some Exim rules to, for example, prevent an authenticated user's IP from being checked against Spamhaus rules, as they list all ADSL IPs.

You need to go through every rule that shouldn't be run for authenticated users and tell Exim to only run it on non-authenticated users.

I presume not running SpamAssassin on authenticated users would help with hacked accounts sending spam but not help with zombie computers sending spam.

photo
1

I contacted cPanel about this, and while they realize that the current system doesn't work for most people, they are treating these bugs as a feature request because it involves redesigning their outgoing spam system. We're going to have to invest in a smarthost spam scanning appliance because of this.

photo
2

This feature is needed; however, more importantly some functionality to automatically detect a surge in outgoing spam for a particular email account and provide notification or various control options is badly needed. There is currently no real mechanism to monitor for accounts that begin to spam due to account compromise, etc.

photo
1

Full support for this feature. It had created an odd situation with a client where his IP was being blocked by SpamAssassin. The authenticated IP should not be checked against RBLs and should be exempt from all filtration.

photo
1

The outgoing antispam feature doesn't work in our opinion.

It created two issues:

1) Users couldn't send e-mails using most ADSL suppliers

2) Sending e-mails with PHP took a very long time

We didn't have an option to not filter outgoing spam so we opted for SpamExperts, originally as a workaround, but now we've adopted it definitively because it is better than we expected :)

photo
1

This is now available in 11.48+

We will update this functionality in 11.48 to disable RBL and IP checks on the outgoing scan since these checks are generating false positives because they run against the authenticated sender who is likely not a mail server.

This has been assigned case 121289 for internal tracking.

photo
1

Hello, please also disable checks like the one that checks if the e-mail is sent directly from Outlook, as this is normal for an authenticated user.

photo
1

monarobase wrote:

Hello, please also disable checks like the one that checks if the e-mail is sent directly from Outlook, as this is normal for an authenticated user.

Are there any other rule names that you would like to see disabled (other than DOS_OUTLOOK_TO_MX)?

You can find that in the X-Spam/Ham-Report header in each email processed by SpamAssassin:

Content analysis details:   (-7.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-5.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at http://www.dnswl.org/, high
                            trust
                            [209.132.183.25 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
                            [209.132.183.25 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders

photo
1

Hello,

All the rules aren't listed, only the ones that are applied by the message when you manually enable verbose logging in Exim for incoming e-mail.

Any rules that run on the user's IP address or are based on the user's software or environment should be ignored. Once the user is logged in, the e-mails he sends should be treated in the same way as if they were sent locally from a PHP script on the user's account.

Thanks.

photo
1

cpanelnick wrote:

Are there any other rule names that you would like to see disabled (other than DOS_OUTLOOK_TO_MX)?

You can find that in the X-Spam/Ham-Report header in each email processed by SpamAssassin:

Content analysis details:   (-7.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-5.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at http://www.dnswl.org/, high
                            trust
                            [209.132.183.25 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
                            [209.132.183.25 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders

Nick, unfortunately the server does not appear to log the specific rules as to why an outbound message is being scored as spam; all I can see is simply the total score. How to solve that?
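
Where a report like the one quoted above is available, the per-rule breakdown can be split into hits that judge the connecting client and hits that judge the message content, which is the distinction the thread asks for. This is an added example, not part of the thread or cPanel's code; the sample report is constructed, and the prefix list deciding which rules count as client-based is an assumption.

```python
import re

# Constructed X-Spam-Report body for an authenticated submission from a
# residential address (203.0.113.7 is a documentation IP; scores are made up).
SAMPLE_REPORT = """\
Content analysis details:   (7.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [203.0.113.7 listed in zen.spamhaus.org]
 2.0 DOS_OUTLOOK_TO_MX      Delivered direct to MX with Outlook headers
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
"""

ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z_][A-Z0-9_]*)\s+(.*)$")
REQUIRED = re.compile(r"\(\s*-?[\d.]+ points, ([\d.]+) required\)")
# Assumption: rules with these name prefixes judge the connecting client
# (RBL, SPF, HELO); DOS_OUTLOOK_TO_MX is the rule named in the thread.
SENDER_PREFIXES = ("RCVD_IN_", "SPF_", "HELO_")
SENDER_RULES = {"DOS_OUTLOOK_TO_MX"}

def parse_report(text):
    """Return (required_score, [(points, rule, description), ...])."""
    required, hits = None, []
    for line in text.splitlines():
        row, req = ROW.match(line), REQUIRED.search(line)
        if req:
            required = float(req.group(1))
        elif row:
            hits.append([float(row.group(1)), row.group(2), row.group(3).strip()])
        elif hits and line[:1].isspace() and line.strip():
            hits[-1][2] += " " + line.strip()   # wrapped description line
    return required, [tuple(h) for h in hits]

def is_sender_rule(rule):
    return rule in SENDER_RULES or rule.startswith(SENDER_PREFIXES)

def rescore(text):
    """Split a report into client-based and content-based points."""
    required, hits = parse_report(text)
    sender = [h for h in hits if is_sender_rule(h[1])]
    content = round(sum(p for p, r, _ in hits if not is_sender_rule(r)), 1)
    total = round(sum(p for p, _, _ in hits), 1)
    return {"required": required, "total": total, "content_only": content,
            "sender_rules": [r for _, r, _ in sender],
            "blocked_only_by_sender_rules": total >= required > content}
```

`rescore(SAMPLE_REPORT)` shows a message that crosses the 5.0 threshold only because of the RBL, SPF and Outlook rules applied to the authenticated user's own address.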