incoming mail bypassing DKIM, SPF, and SpamAssassin on cPanel-CentOS7

Hello all..

I have DKIM, SPF, and SpamAssassin enabled on all accounts, but I don't understand how emails like this one below are getting through...
I'm afraid that, somehow, my server is acting as an open relay..

Here is an actual example of the headers of a spam/ransom message that got through, and you can clearly see that SpamAssassin didn't even check it, that SPF and DKIM each should have failed, yet it got through..

Please, if anyone has any idea, any suggestions are desperately welcome..

Here are the raw headers of the message:
Code:
Return-Path: <test@cns-universal.co.th>
Delivered-To: --my-email-address--
Received: from --my-host-name--
    by --my-host-name-- with LMTP
    id eP2NFSuPglznMwAAugyn/Q
    (envelope-from <test@cns-universal.co.th>)
    for <--my-email-address-->; Fri, 08 Mar 2019 16:50:03 +0100
Return-path: <test@cns-universal.co.th>
Envelope-to: --my-email-address--
Delivery-date: Fri, 08 Mar 2019 16:50:03 +0100
Received: from [27.254.148.50] (port=55104 helo=WIN-41GNGA78579.home)
    by --my-host-name-- with esmtp (Exim 4.91)
    (envelope-from <test@cns-universal.co.th>)
    id 1h2Hkr-0003Sf-O8
    for --my-email-address--; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Subject: --my-first-name--
From: <--my-email-address-->
Content-Type: multipart/related;
boundary="17E4BDA2FE-0DF9-A276D708F5-787407A80C-E69887"
MIME-Version: 1.0
Abuse-Reports-To: abuse@mailer.cns-universal.co.th
Message-ID:
<3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d>
To: --my-email-address--
List-Unsubscribe:
<mailto:h-fjbmof_zxybaobh_htehvzb_hhmvt_bb@bounce.cns-universal.co.th?subject=Unsubscribe>
User-Agent: ORYANOO 6.2
Date: Fri, 8 Mar 2019 15:32:57 +0100
X-Complaints-To: <abuse@cns-universal.co.th>
X-aid: 8635314994
Organization: Esgxuwpq

Here is the result of the command:
exigrep 1h2Hkr-0003Sf-O8 /var/log/exim_mainlog
Code:
2019-03-08 16:50:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Hkr-0003Sf-O8

2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 <= test@cns-universal.co.th H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 P=esmtp S=258040 id=3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d T="--my-first-name--" for --my-email-address--
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 => --my-first-name-- <--my-email-address--> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <--my-email-address--> eP2NFSuPglznMwAAugyn/Q Saved"
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 Completed

Again, clearly all checks have been bypassed...
How does this happen?
 

KH-JonathanKW

Technical Support
Staff member
This typically only happens if there is some variation of a whitelist occurring which would have prevented it from being checked.

Based on that Exim log, it doesn't look like SpamAssassin is enabled for that domain -- as even if it was whitelisted, you would see the SpamAssassin ACL line.

For clarification: SPF/DKIM is only for outgoing authentication and for other mail servers being able to authenticate your mail.

It does little for incoming, beyond the '-all' for hard reject on those who spoof your email.

This is the kind of issue where you submit a ticket for an in-depth and thorough investigation.
 

phpAddict

Active Member
No open relay for you there. The first server to relay that message was...
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Which somehow sent it in the future o_O
If instead the first one, or maybe second, you saw was
--my-host-name--
Then you'd have a possible open relay with your server. But, instead, the only place you see where your server received the message was last, as expected.
 
This typically only happens if there is some variation of a whitelist occurring which would have prevented it from being checked.

Based on that Exim log, it doesn't look like SpamAssassin is enabled for that domain -- as even if it was whitelisted, you would see the SpamAssassin ACL line.
But that's my whole point, it is enabled -- here's a random example, same domain (and there is no whitelist):
Code:
2019-03-08 11:22:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Ce3-0006MV-Bc

2019-03-08 11:22:32 1h2Ce3-0006MV-Bc H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 Warning: "SpamAssassin as --my-admin-accnt-- detected message as NOT spam (4.0)"
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc <= --sender-email-address-- H=8.mo173.mail-out.ovh.net [46.105.46.122]:43343 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=37944 id=!&!AAAAAAAAAAAYAAAAAAAAAGm3hplS6n9MltCOf6x05HJCjAAAEAAAAPuBjYaS0O9GlEp63CXd7mwBAAAAAA==@--sender-domain-- T="COMMANDE COUSSIN - DEMANDE INFO COULEUR" for --my-email-address--
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc => --my-first-name-- <--my-email-address--> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <--my-email-address--> 8xXrBWhCglzCXwAAugyn/Q Saved"
2019-03-08 11:22:32 1h2Ce3-0006MV-Bc Completed

For clarification: SPF/DKIM is only for outgoing authentication and for other mail servers being able to authenticate your mail.

It does little for incoming, beyond the '-all' for hard reject on those who spoof your email.
So what's the point of SPF/DKIM if even my server ignores its own rules (which are, by the way, set for a hard reject)?

I'm not trying to be argumentative; I really appreciate the help!
I just don't understand why I always have to abide by SPF/DKIM/DMARC for Google, Hotmail, etc., but cPanel doesn't seem to care about these policies...
I mean, I get it; I don't have Google's or MS's clout to just say, screw you if you don't abide by my rules..

This is the kind of issue where you submit a ticket for an in-depth and thorough investigation.
I didn't want to bother you with this, and I was hoping to get a helpful discussion going...

Thank you so much, as always, for your help!
 
No open relay for you there. The first server to relay that message was...

Which somehow sent it in the future o_O
Yes, living in France is like living in a distant future where everyone gets proper healthcare and decent vacation time ;-)
All joking aside, that's why -- the server is on French time..

If instead the first one, or maybe second, you saw was

Then you'd have a possible open relay with your server. But, instead, the only place you see where your server received the message was last, as expected.
Will look into it..
Thank you!!
 

NetVicious

New Member
This problem is a little hole in SPF, DKIM and DMARC for mailing lists (you can see the List-Unsubscribe header).

This allows a mailing list to send an email with a spoofed From; the real from address is in the envelope-from in the mail headers, which in the example is
test@cns-universal.co.th. That address is also used in the Return-Path. When you write a message to a mailing list, all its members receive that message and the From field is spoofed, because that message is being resent by the mailing list server.

This thing is working as designed to allow that. SPF, DKIM and DMARC are checked against the envelope-from address.

The spammers are starting to use this little hole to send spam. I'm trying to put a solution in place on my servers so they do not accept my own email addresses spoofed, but I'm still investigating how to do that ....
 

KH-JonathanKW

Technical Support
Staff member
That address it's also used on the Return-path.
Yup; when the message has a <return-path> address set; SPF by default is designed not to be checked.

I spent days reading and cross-checking RFCs on how SPF is designed -- in short, it was never meant to combat spoofing directly.

Due to this; I've not yet found any desirable result beyond configuring spamassassin to score harsher -- I've been experiencing this issue on my own server, with my own emails and I'm enduring it like everyone else.
 

NetVicious

New Member
Exactly. I looked for a rule in SpamAssassin which checks if there is an external envelope-from and a local From. There are some, but they don't make any distinction about whether the From address is local or not. I think if I give them more points I will be marking as spam legitimate mailing lists my users receive. I only want to mark mails spoofing local accounts.
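As an added example (not code from the thread, from cPanel or from SpamAssassin), here is a Python header-triage script that automates the two readings of the message discussed above: phpAddict's walk of the Received chain (does the local server appear anywhere other than the final hop, and do the hop timestamps run backwards) and NetVicious's signal of a header From in a local domain while the envelope sender (Return-Path) belongs to someone else. The hostname mail.example.net, the domain example.net and the address victim@example.net are assumed stand-ins for the values redacted in the thread; the sample headers are constructed from the ones quoted in the first post.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

LOCAL_HOST = "mail.example.net"   # assumption: the cPanel server's hostname (redacted in the thread)
LOCAL_DOMAINS = {"example.net"}   # assumption: the domains this server hosts

# Constructed sample: the headers quoted in the first post, with the poster's
# redacted values replaced by example.net placeholders and the MIME parts dropped.
SAMPLE = """\
Return-Path: <test@cns-universal.co.th>
Delivered-To: victim@example.net
Received: from mail.example.net
    by mail.example.net with LMTP
    id eP2NFSuPglznMwAAugyn/Q
    (envelope-from <test@cns-universal.co.th>)
    for <victim@example.net>; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [27.254.148.50] (port=55104 helo=WIN-41GNGA78579.home)
    by mail.example.net with esmtp (Exim 4.91)
    (envelope-from <test@cns-universal.co.th>)
    id 1h2Hkr-0003Sf-O8
    for victim@example.net; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [210-245-51-office-net-static-ip.fpt.vn] ([210.245.51.64]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Subject: Victim
From: <victim@example.net>
To: victim@example.net
Date: Fri, 8 Mar 2019 15:32:57 +0100

(body omitted)
"""

RE_FROM = re.compile(r"^from\s+(\S+)", re.I)   # Received lines start with "from <host>"
RE_BY = re.compile(r"\bby\s+(\S+)", re.I)      # "... by <receiving host> ..."


def _hop_time(flat):
    """Timestamp after the last ';' of a Received line, or None if absent or unparsable."""
    if ";" not in flat:
        return None
    try:
        return parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    except (TypeError, ValueError):
        return None


def received_hops(raw):
    """Return the Received chain oldest-first, one dict per hop with the
    'from' host, the 'by' host and the hop's timestamp."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())   # unfold and squeeze whitespace
        m_from, m_by = RE_FROM.search(flat), RE_BY.search(flat)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1).lower() if m_by else None,
            "time": _hop_time(flat),
        })
    hops.reverse()   # each MTA prepends its line, so the last header is the origin
    return hops


def open_relay_suspected(hops, local_host=LOCAL_HOST):
    """phpAddict's test: the local server should appear only in the final
    hop(s). If a hop handled by the local server is followed by a hop handled
    by some other host, the server relayed the message onward."""
    local = local_host.lower()
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] == local and later["by"] not in (local, None):
            return True
    return False


def timeline_anomalies(hops, tolerance_s=300):
    """Indices of hops whose timestamp is earlier than the previous hop's
    (beyond a small clock-skew allowance): a forged or mis-clocked line."""
    bad = []
    for i in range(1, len(hops)):
        a, b = hops[i - 1]["time"], hops[i]["time"]
        if a and b and a.tzinfo and b.tzinfo and (a - b).total_seconds() > tolerance_s:
            bad.append(i)
    return bad


def spoofed_local_from(raw, local_domains=LOCAL_DOMAINS):
    """NetVicious's signal: header From claims a local domain while the
    envelope sender (Return-Path) belongs to someone else. Genuine mailing
    lists and forwarders produce the same pattern, so score it, don't reject."""
    msg = message_from_string(raw, policy=policy.default)
    env = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    hdr = parseaddr(str(msg.get("From", "")))[1].lower()
    env_dom, hdr_dom = env.rpartition("@")[2], hdr.rpartition("@")[2]
    return {
        "envelope_from": env,
        "header_from": hdr,
        "spoofed_local_from": hdr_dom in local_domains and env_dom not in local_domains,
    }


if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    for hop in hops:
        print(f"{hop['from']} -> {hop['by']} at {hop['time']}")
    print("open relay suspected:", open_relay_suspected(hops))
    print("hops with backwards timestamps:", timeline_anomalies(hops))
    print(spoofed_local_from(SAMPLE))
```

On the sample the origin hop is handled by "home", the server's own name appears only in the final two hops, and the only oddity in the chain is the origin timestamp that is later than the Exim receipt time. The From/Return-Path mismatch is reported as a signal to feed into scoring rather than a reject decision, for the reason given in the post above: legitimate list traffic looks the same.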

 