
Does Mailscanner work with Cpanel Email Forwarders?

Posted: 19 Feb 2008, 22:59
by drinky
We have a problem where one of our cpanel customers has an email forwarder sending emails on to their ISP address. They are getting hundreds of spam emails which mailscanner is marking as highscoring spam. As a result their ISP is blocking much of their mail, including legitimate emails. When I look into mailwatch it shows the spam emails are recognised as highscoring spam but still forwarded to the ISP address.

Are email forwarders processed in the same way as POP email accounts?

How can I get Mailscanner to stop forwarding these spam messages?

Appreciate any help or guidance.

Cheers
Brett

Posted: 19 Feb 2008, 23:48
by sdjl
Toggle the configuration to delete high scoring spam. You can do it for low scoring spam too if you wanted.

Posted: 20 Feb 2008, 01:45
by drinky
Thanks sdjl

I should have mentioned that the client's mailscanner configuration is set to delete highscoring spam and I have lowered the score to 10. With this in mind, the high scoring spam is still forwarded to the client's ISP account.

I've noticed on full POP accounts with the same configuration, the mail is correctly filtered as per the configuration settings.

Any further suggestions?

Thanks
Brett

Posted: 20 Feb 2008, 08:48
by Sarah
If configured to do so, MailScanner will delete spam before it is forwarded. It does not treat mail that will be forwarded any differently than mail delivered locally. It would seem there is something not quite right with your configuration.

Are you running the latest version of MailScanner and MSFE?

Have you checked the actual rules file - spamhigh.action.rules - to ensure that the domain's high-scoring spam is actually set to be deleted in that file? Are ALL high-scoring spam emails still being forwarded, or just some of them? Are the forwarded spam mails actually addressed to the domain, i.e. they are not being forwarded initially from another domain on the server that does NOT have high-scoring spam set to delete?

Posted: 20 Feb 2008, 11:08
by drinky
Thanks Sarah,

I think I might have to log a ticket for you guys to take a look at the settings on this box. Not sure how many other clients may also be affected.

We regularly update mailscanner, clamav etc via WHM as well as CFS and this server is running the current scripts.

Jonathan installed this for us a few years back and we've had an annual check each year, but something just isn't right. I'm pretty sure nothing has been tampered with since the last checkup.

I've checked as per your suggestions and everything is as it should be with regard to the delete high score setting.

This one example is a score of 30, but still delivered:

Spam: Y Action(s): deliver
High Scoring Spam: Y Action(s): deliver
SpamAssassin Spam: Y
Listed in RBL: N
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: Y (spam)
SpamAssassin Score: 30.68
Spam Report:
Score Matching Rule Description cached
score=30.68
5 required
autolearn=spam
3.50 BAYES_99
0.27 DATE_IN_FUTURE_03_06
2.17 DCC_CHECK
2.75 DOS_OE_TO_MX
3.12 FORGED_MUA_OUTLOOK
3.71 HELO_LH_HOME
1.90 INVALID_MSGID
0.00 PRICES_ARE_AFFORDABLE
0.91 RCVD_IN_PBL
0.88 RCVD_IN_SORBS_DUL
0.10 RDNS_NONE
0.00 STOX_REPLY_TYPE
1.86 URIBL_AB_SURBL
1.96 URIBL_BLACK
1.50 URIBL_JP_SURBL
1.50 URIBL_OB_SURBL
1.08 URIBL_RHS_DOB
1.50 URIBL_SBL
0.47 URIBL_SC_SURBL
1.50 URIBL_WS_SURB

Would this be treated as a support request or fall under a general server management package?

Thanks and Regards

Brett

Posted: 04 Jul 2008, 01:33
by andyfowler
Sorry to re-open a 5-month-old thread, but we're having this same problem. We have Mailscanner FE configured to delete high-scoring spam, but it continues to be delivered (I can tell this from logs and from Mailwatch).

Is my best policy to open a ticket? Are there other places to check?

Posted: 04 Jul 2008, 11:58
by Sarah
Andy,

What log are you looking at? The exim log? MailWatch does not always report the Spam action correctly. Could you give an example from your exim log showing an email that MS marked as high-scoring spam but it was forwarded and not deleted? Also, have you checked /usr/mailscanner/etc/rules/spamhigh.action.rules to make sure that the action for the domain the mail was sent to is actually set to delete?

Regards,
Sarah

Posted: 04 Jul 2008, 14:40
by andyfowler
Thanks Sarah,

I actually managed to solve the problem in a roundabout fashion. In WHM, Mailscanner FE was reporting that the default action for high-scoring spam was "delete," but in spamhigh.action.rules, the last line was

FromOrTo: default deliver

I changed this to delete, and it seems to have solved my problem. The strange thing is that in spamhigh.action.rules, the action for the specific domain was already set to delete, but MailScanner was not respecting this setting for forwarders. I'd prefer the default action to be delete, anyway, so I don't mind that it was ignoring the per-domain setting.

Posted: 04 Jul 2008, 14:54
by andyfowler
Actually, Sarah, your post got me thinking, and you were right. After carefully re-comparing MailWatch to the exim logs, I discovered that MailWatch was incorrectly reporting the action. Slightly embarrassing, but it was, in fact, deleting the messages it was supposed to.

The funny thing is that after I changed that line in spamhigh.action.rules, MailScanner started displaying the correct action, even though it was actually performing the correct action all along.

I am suitably chagrined. Do you know if this is a MailWatch bug or something in the MailScanner configuration? I'm a PHP coder, and I may look into MailWatch, to keep this from embarrassing others.

Posted: 07 Jul 2008, 07:30
by Sarah
I don't know if it's mailwatch or mailscanner, but I would guess mailwatch. Maybe it's just taking whatever is in the default line in the mailscanner rules?
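
The check suggested in this thread (read spamhigh.action.rules directly rather than trusting the action a front end displays) can be scripted. The following is an added example, not part of the original posts and not MailScanner or MailWatch code. The function names and the example.com/example.net sample rules are constructed, and the matching model is a simplifying assumption: the first matching recipient rule wins, the default line is the fallback, and regex patterns and From:-only rules are skipped.

```python
import fnmatch

# Constructed sample in the shape of the file discussed in the thread;
# example.com is a placeholder domain.
SAMPLE_RULES = """\
# high-scoring spam actions
To:        *@example.com   delete
FromOrTo:  default         deliver
"""

def parse_rules(text):
    """Return (rules, default). rules is an ordered list of
    (direction, pattern, action); default is the default line's action."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed line, ignore
        direction = parts[0].rstrip(":").lower()
        pattern, action = parts[1].lower(), parts[2].strip()
        if pattern == "default":
            default = action
        else:
            rules.append((direction, pattern, action))
    return rules, default

def effective_action(text, recipient):
    """Action the ruleset assigns to mail addressed to `recipient`
    (assumed model: first matching To:/FromOrTo: rule, else default)."""
    rules, default = parse_rules(text)
    for direction, pattern, action in rules:
        if direction not in ("to", "fromorto") or pattern.startswith("/"):
            continue  # From:-only and regex rules are out of scope here
        if "@" not in pattern:
            pattern = "*@" + pattern  # bare domain form
        if fnmatch.fnmatchcase(recipient.lower(), pattern):
            return action
    return default

def audit(text, recipient):
    """Flag the case from the thread: the per-domain action and the
    default line disagree, so a tool showing the default would mislead."""
    _, default = parse_rules(text)
    action = effective_action(text, recipient)
    return {"effective": action, "default": default,
            "differs_from_default": action != default}
```

To run it against a live server, pass the contents of /usr/mailscanner/etc/rules/spamhigh.action.rules as `text`, then confirm the result against the exim log for a specific message.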