incoming mail bypassing DKIM, SPF, and SpamAssassin on cPanel-CentOS7

Hello all..

I have DKIM, SPF, and SpamAssassin enabled on all accounts, but I don't understand how emails like this one below are getting through...
I'm afraid that, somehow, my server is acting as an open relay..

Here is an actual example of the headers of a spam/ransom message that got through, and you can clearly see that SpamAssassin didn't even check it, that SPF and DKIM each should have failed, yet it got through..

Please, if anyone has any idea, any suggestions are desperately welcome..

Here are the raw headers of the message:
Code:
Return-Path: <test@cns-universal.co.th>
Delivered-To: --my-email-address--
Received: from --my-host-name--
    by --my-host-name-- with LMTP
    id eP2NFSuPglznMwAAugyn/Q
    (envelope-from <test@cns-universal.co.th>)
    for <--my-email-address-->; Fri, 08 Mar 2019 16:50:03 +0100
Return-path: <test@cns-universal.co.th>
Envelope-to: --my-email-address--
Delivery-date: Fri, 08 Mar 2019 16:50:03 +0100
Received: from [27.254.148.50] (port=55104 helo=WIN-41GNGA78579.home)
    by --my-host-name-- with esmtp (Exim 4.91)
    (envelope-from <test@cns-universal.co.th>)
    id 1h2Hkr-0003Sf-O8
    for --my-email-address--; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Subject: --my-first-name--
From: <--my-email-address-->
Content-Type: multipart/related;
boundary="17E4BDA2FE-0DF9-A276D708F5-787407A80C-E69887"
MIME-Version: 1.0
Abuse-Reports-To: abuse@mailer.cns-universal.co.th
Message-ID:
<3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d>
To: --my-email-address--
List-Unsubscribe:
<mailto:h-fjbmof_zxybaobh_htehvzb_hhmvt_bb@bounce.cns-universal.co.th?subject=Unsubscribe>
User-Agent: ORYANOO 6.2
Date: Fri, 8 Mar 2019 15:32:57 +0100
X-Complaints-To: <abuse@cns-universal.co.th>
X-aid: 8635314994
Organization: Esgxuwpq

Here is the result of the command:
exigrep 1h2Hkr-0003Sf-O8 /var/log/exim_mainlog
Code:
2019-03-08 16:50:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Hkr-0003Sf-O8

2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 <= test@cns-universal.co.th H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 P=esmtp S=258040 id=3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d T="--my-first-name--" for --my-email-address--
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 => --my-first-name-- <--my-email-address--> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <--my-email-address--> eP2NFSuPglznMwAAugyn/Q Saved"
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 Completed

Again, clearly all checks have been bypassed...
How does this happen?
 

KH-JonathanKW

Technical Support
Staff member
This typically only happens if there is some variation of a whitelist occurring which would have prevented it from being checked.

Based on that exim log, it doesn't look like spamassassin is enabled for that domain -- as even if it was whitelisted, you would see the spamassassin acl line.

For clarification, SPF/DKIM are only for outgoing authentication and other mail servers being able to authenticate your mail.

It does little for incoming, beyond the '-all' for hard reject on those who spoof your email.

This is the kind of issue where you submit a ticket for an in depth and thorough investigation.
 

phpAddict

Active Member
No open relay for you there. The first server to relay that message was...
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Which somehow sent it in the future o_O
If instead the first one, or maybe second, you saw was
--my-host-name--
Then you'd have a possible open relay with your server. But, instead, the only place you see where your server received the message was last, as expected.
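The open-relay reasoning above can be checked mechanically rather than by eye. The following Python is an added example, not code from the thread or from cPanel: it parses the Received: chain of the message posted in the first post (the anonymised placeholders are filled with constructed values, mail.example.com standing in for --my-host-name-- and alice@example.com for --my-email-address--), lists the hops oldest first, reports which host handled the message first and where our own MTA sits in the chain, and flags any hop where our MTA accepted mail for a non-local domain without SMTP AUTH (Exim records authenticated sessions as esmtpa or esmtpsa in the "with" clause). It also pulls the envelope-sender domain from Return-Path next to the From: header domain, because an inbound SPF check is evaluated against the envelope sender, so the recipient domain's own -all record is never consulted for this message; only DMARC aligns the From: header, which here carries the recipient's own address.

```python
"""Walk a message's Received: chain and apply the checks from the thread:
which host saw the message first, where our own MTA sits, and whether any
hop our MTA accepted looks like a relay (foreign recipient, no SMTP AUTH).
Added example; hostnames and addresses are constructed stand-ins."""
import email
import re

# Constructed sample: the thread's headers with the placeholders replaced
# (mail.example.com is "our" cPanel host, alice@example.com the recipient).
RAW_MESSAGE = """\
Return-Path: <test@cns-universal.co.th>
Delivered-To: alice@example.com
Received: from mail.example.com
    by mail.example.com with LMTP
    id eP2NFSuPglznMwAAugyn/Q
    (envelope-from <test@cns-universal.co.th>)
    for <alice@example.com>; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [27.254.148.50] (port=55104 helo=WIN-41GNGA78579.home)
    by mail.example.com with esmtp (Exim 4.91)
    (envelope-from <test@cns-universal.co.th>)
    id 1h2Hkr-0003Sf-O8
    for alice@example.com; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Subject: Alice
From: <alice@example.com>
To: alice@example.com

(body omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(raw):
    """Return the Received: hops oldest first. Each MTA prepends its own
    header, so the top-most header on the page is the newest hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        hops.append({
            "from": _first(r"\bfrom (\S+)", flat),
            "ip": _first(IPV4, flat),
            "by": _first(r"\bby (\S+)", flat),
            "with": (_first(r"\bwith (\S+)", flat) or "").lower() or None,
            "for": _first(r"\bfor <?([^\s>;]+)", flat),
        })
    hops.reverse()
    return hops


def relay_check(hops, my_host, local_domains):
    """phpAddict's position test plus a stricter relay test on our own hops:
    we accepted mail for a domain we do not host, from an unauthenticated
    session (Exim writes 'with esmtpa'/'esmtpsa' when SMTP AUTH was used)."""
    first = hops[0]
    mine = [i for i, h in enumerate(hops) if h["by"] == my_host]
    suspects = []
    for i in mine:
        rcpt = hops[i]["for"]
        rcpt_domain = rcpt.rsplit("@", 1)[-1].lower() if rcpt else None
        authed = hops[i]["with"] in ("esmtpa", "esmtpsa")
        if rcpt_domain and rcpt_domain not in local_domains and not authed:
            suspects.append(i)
    return {
        "originating_host": first["from"],
        "originating_ip": first["ip"],
        "first_receiver": first["by"],
        "we_are_first_receiver": first["by"] == my_host,
        "my_hop_indexes": mine,          # [] would mean we never handled it
        "relay_suspect_hops": suspects,
    }


def sender_domains(raw):
    """Envelope sender domain (what SPF evaluates) next to the From: header
    domain (what DMARC aligns)."""
    msg = email.message_from_string(raw)
    return {
        "envelope_from": _first(r"@([\w.-]+)", msg.get("Return-Path", "")),
        "header_from": _first(r"@([\w.-]+)", msg.get("From", "")),
    }


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for i, h in enumerate(hops):
        print(i, h["from"], h["ip"], "->", h["by"], h["with"])
    print(relay_check(hops, "mail.example.com", {"example.com"}))
    print(sender_domains(RAW_MESSAGE))
```

Run as-is, the three hops print oldest first: the MailEnable host "home" received it from 210.245.51.64, then our MTA accepted it from 27.254.148.50 for a local mailbox, then our own LMTP delivery. Our host appears at positions 1 and 2 and never at position 0, and no hop is a relay suspect, which is the point made above. The sender_domains() output shows the envelope sender is cns-universal.co.th while the From: header is our own domain, so this message is a From: header spoof that an SPF check on the envelope cannot catch.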
 
KH-JonathanKW said:
This typically only happens if there is some variation of a whitelist occurring which would have prevented it from being checked.

Based on that exim log, it doesn't look like spamassassin is enabled for that domain -- as even if it was whitelisted, you would see the spamassassin acl line.
But that's my whole point, it is enabled -- here's a random example, same domain (and there is no whitelist):
Code:
2019-03-08 11:22:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Ce3-0006MV-Bc

2019-03-08 11:22:32 1h2Ce3-0006MV-Bc H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 Warning: "SpamAssassin as --my-admin-accnt-- detected message as NOT spam (4.0)"
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc <= --sender-email-address-- H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=37944 id=!&!AAAAAAAAAAAYAAAAAAAAAGm3hplS6n9MltCOf6x05HJCjAAAEAAAAPuBjYaS0O9GlEp63CXd7mwBAAAAAA==@--sender-domain-- T="COMMANDE COUSSIN - DEMANDE INFO COULEUR" for --my-email-address--
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc => --my-first-name-- <--my-email-address--> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <--my-email-address--> 8xXrBWhCglzCXwAAugyn/Q Saved"
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc Completed
KH-JonathanKW said:
For clarification, SPF/DKIM are only for outgoing authentication and other mail servers being able to authenticate your mail.

It does little for incoming, beyond the '-all' for hard reject on those who spoof your email.
So what's the point of SPF/DKIM if even my server ignores its own rules (which are, by the way, set for a hard reject)?

I'm not trying to be argumentative; I really appreciate the help!
I just don't understand why I always have to abide by SPF/DKIM/DMARC for Google, Hotmail, etc., but cPanel doesn't seem to care about these policies...
I mean, I get it; I don't have Google's or MS's clout to just say, screw you if you don't abide by my rules..

KH-JonathanKW said:
This is the kind of issue where you submit a ticket for an in depth and thorough investigation.
I didn't want to bother you with this, and I was hoping to get a helpful discussion going...

Thank you so much, as always, for your help!
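The two exim_mainlog excerpts in this thread differ in exactly one line: the second message has the "SpamAssassin as ... detected message as NOT spam (4.0)" warning, the first has none. That absence is the thing to hunt for across the whole log, and both excerpts also show the malware ACL failing to open the clamd socket right before a "Message has been scanned" warning. The following Python is an added example, not code from the thread or from cPanel; it groups exim_mainlog lines by Exim message id and reports delivered messages with no SpamAssassin line at all, plus messages whose clamd check never connected. The sample log lines are the ones posted above with the placeholders filled with constructed values (alice@example.com as the recipient, "admin" as the account name, sender.example as the sender's domain).

```python
"""Group exim_mainlog lines by Exim message id and report (a) messages that
were delivered with no SpamAssassin ACL line and (b) messages whose malware
ACL could not reach clamd. Added example, not from the thread or cPanel;
the log lines are the thread's with constructed values for the placeholders."""
import re
from collections import defaultdict

# Constructed sample: both excerpts from the thread, placeholders filled in.
SAMPLE_LOG = """\
2019-03-08 11:22:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Ce3-0006MV-Bc
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 Warning: "SpamAssassin as admin detected message as NOT spam (4.0)"
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc <= bob@sender.example H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=37944 id=!&!AAAAAAAAAAAYAAAAAAAAAGm3hplS6n9MltCOf6x05HJCjAAAEAAAAPuBjYaS0O9GlEp63CXd7mwBAAAAAA==@sender.example T="COMMANDE COUSSIN - DEMANDE INFO COULEUR" for alice@example.com
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc => alice <alice@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <alice@example.com> 8xXrBWhCglzCXwAAugyn/Q Saved"
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc Completed
2019-03-08 16:50:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Hkr-0003Sf-O8
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 <= test@cns-universal.co.th H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 P=esmtp S=258040 id=3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d T="Alice" for alice@example.com
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 => alice <alice@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <alice@example.com> eP2NFSuPglznMwAAugyn/Q Saved"
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 Completed
"""

# Exim message ids are three base62 groups: 6-6-2 characters.
MSG_LINE = re.compile(r"^\S+ \S+ ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$")
ARRIVAL = re.compile(r"^<= (\S+) H=(\S+) \[([\d.]+)\]:\d+ P=(\S+)")
SA_VERDICT = re.compile(r'"SpamAssassin as \S+ detected message as (NOT spam|spam) \(([-\d.]+)\)"')


def parse_exim_log(text):
    """One record per message id with the facts the thread is arguing about."""
    msgs = defaultdict(lambda: {
        "envelope_from": None, "host": None, "ip": None, "proto": None,
        "spamassassin": None,   # (is_spam, score) or None if no ACL line at all
        "clamd_error": False,   # malware ACL logged 'unable to connect'
        "delivered": False,     # a '=>' line, i.e. it reached a mailbox
    })
    for line in text.splitlines():
        m = MSG_LINE.match(line)
        if not m:               # e.g. the 'cwd=... -Mc' process lines
            continue
        mid, rest = m.groups()
        rec = msgs[mid]
        arrival = ARRIVAL.match(rest)
        if arrival:
            rec["envelope_from"], rec["host"], rec["ip"], rec["proto"] = arrival.groups()
        verdict = SA_VERDICT.search(rest)
        if verdict:
            rec["spamassassin"] = (verdict.group(1) == "spam", float(verdict.group(2)))
        if "malware acl condition" in rest and "unable to connect" in rest:
            rec["clamd_error"] = True
        if rest.startswith("=> "):
            rec["delivered"] = True
    return dict(msgs)


def unscanned_deliveries(msgs):
    """Delivered messages with no SpamAssassin line: the case in the thread.
    The warning is logged for a NOT spam verdict too (see the 4.0 example),
    so its absence means the spam ACL did not examine that message."""
    return {mid: rec for mid, rec in msgs.items()
            if rec["delivered"] and rec["spamassassin"] is None}


def clamd_failures(msgs):
    """Messages where 'Message has been scanned' was logged right after the
    ACL failed to open the clamd socket, so no clamd verdict backs it."""
    return sorted(mid for mid, rec in msgs.items() if rec["clamd_error"])


if __name__ == "__main__":
    parsed = parse_exim_log(SAMPLE_LOG)
    for mid, rec in unscanned_deliveries(parsed).items():
        print("no SpamAssassin ACL:", mid, rec["envelope_from"], rec["host"], rec["ip"], rec["proto"])
    print("clamd unreachable:", clamd_failures(parsed))
```

Pointed at a real file (read /var/log/exim_mainlog into the text argument), the first function gives a per-message list to compare against the whitelists and per-domain SpamAssassin settings, with the sending host and IP for each hit; the second lists every message where the malware ACL never reached clamd, which in the thread is every message, not just the spam.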
 
phpAddict said:
No open relay for you there. The first server to relay that message was...

Which somehow sent it in the future o_O
Yes, living in France is like living in a distant future where everyone gets proper healthcare and decent vacation time ;-)
All joking aside, that's why -- the server is on French time..

phpAddict said:
If instead the first one, or maybe second, you saw was

Then you'd have a possible open relay with your server. But, instead, the only place you see where your server received the message was last, as expected.
Will look into it..
Thank you!!
 