D William A Posted August 25, 2015 Share Posted August 25, 2015 Hello.... to whom may care Been getting bombed with spam for a year, but just recently got annoyed enough to look into it. Submitting help tickets get me the generic run around... set up spam assassin, set up account level filters, etc. I have those set up, and the spam continues to bomb my accounts. I rerouted 4 different emails (changed MX settings) on 3 different domains to Rackspace.com and guess what .... NO SPAM I have contacted one of my clients - and sure enough he has been getting the spam too, but never mentioned it until I brough it up. this isn't good. This particular spam is coming from a group of IP ranges, usually 2 or 3 IP range groups at a time, they are all relatively normal and clean looking emails about cleaning your roof, or low interest rates for new windows, etc., all with low spam scores. There are no obnoxious emails with obvious key words to filter like ****, some ramble on about restaurant review discussion - stupid stuff..... by the time I catch one IP range and set up an account level filter they change to another IP range and bomb me with another 10 or 20 emails, but do 2 or 3 groups so I get 30 or 40 of these a day .... I can not stop this spam with user tools in cpanel.... this problem has to be solved internallly by TCH. This is a deal killer. I can't chase this spam with account level filters and I can't lower spam assassin to 1. And I can't access the domain root to mess with exim files and iptables, and set up more robust RBL's.... but... I shouldn't have to be doing this. where does TCH stand on this.? Quote Link to comment Share on other sites More sharing options...
TCH-Bala Posted August 25, 2015 Share Posted August 25, 2015 Hello David, I have reviewed the chat as well as the server logs for your domain. From what I can see, the spam emails coming in to your account are getting tagged with score varying from .08 and 1.5. This does not imply that the spamassassin software is at fault, but that spammers are getting very sophisticated using servers with proper host and rdns as well as taking care not to use explicit words which could trigger a spam block. All the emails are coming directly to your email account meaning, it has been harvested by spammers and probably being sold out in lists. We are using the default installation of spamassassin as provided by cpanel which is the same across all cpanel based hosts. The issue that I can see with your account is that you spam assassin required_score of 5 and spam auto delete of 4 is too relaxed to meet the kind of spam that is reaching your inbox. From scanning days of back logs for your email, spamassassin spam score needs to be set atleast to 2 so that spamassassin can aggresively and actively scan your emails and get it tagged. Spamassassin by default has just the generic rules, you need to continuously tweak it along with your filters to strike the right balance. I have also checked a few IPs from which you receivied spam and was not able to see them on any of the major RBL lists, this is due to the fact that they do not send from the same IP for long. Since the emails are all coming to one of your configured email accounts, I am not sure about your remark on getting no spam after you changed the MX. This means either the spam settings are as mentioned above or the MX change is still propagating. This does not mean we are shying away from our responsibilities. I would appreciate if you can give us an opportunity to get this sorted for you. I have now set up a more restrictive spam assassin score and rule for you. Please change the MX back to our server and get back to us by opening a ticket to our support department with a couple of new spam headers that you receive so that we can configure your spam rules. Quote Link to comment Share on other sites More sharing options...
D William A Posted August 25, 2015 Author Share Posted August 25, 2015 Hello I see you changed SA to level 3 and changed the account level filter to discard to spam box - this isn't going to stop this spam, like you point out they score well under 2, fact is much of it scores 0. Lets say this works (big doubts), lowering SA and discarding to spam box... I need to be able to monitor for false positives but couldn't get to the spam box email by setting up an email myemail@domain.com/spam What does changing MX settings mean... I changed them to point email to rackspace.com so TCH doesn't process my email. I have email boxes set up at RackSpace (RS) and none of the spam makes it through their email server anti-spam functions. Somehow RS is catching this spam, with no special blacklists or account level filters. The reason why I explained the details of this spam in such detail...that is, the IP groups coming in batches, and moving IP ranges, is to explain that this spammer is big time and others (at least RS) have found ways to stop them... but not TCH. right now with MX settings pointing to RS you can't see the emails, or can you ??? - they still flow through TCH at some level. You indicate that you are looking into this... this is good. Might take some time, that is OK. *****Where I am coming from regarding this topic***** - making custom adjustments at the user level on cpanel with spamassassin isn't going to work. I will certainly tighten up settings and all that - but, I am hoping TCH can figure out what it is that RS is doing. Quote Link to comment Share on other sites More sharing options...
D William A Posted August 25, 2015 Author Share Posted August 25, 2015 can you see these email groups from the inside, perhaps old emails from a week ago before I changed mailservers, or do I have to set my MX settings back to TCH? Quote Link to comment Share on other sites More sharing options...
D William A Posted August 25, 2015 Author Share Posted August 25, 2015 RS doesn't have spamassassin, and I haven't set up filters... I only turned on the default filter program, which I thought was spamassassin, I stand corrected... so all spam is getting through and I received a group of spam from the same IP range this morning, first batch - all different types of spam - and..... they all have a spam rating of 100.... I can see how I could easily filter this spam with a rating of 100. RS has found a way to score this spam very high. Same spam gets scored as good email, or good enough email at TCH. Quote Link to comment Share on other sites More sharing options...
TCH-Bala Posted August 26, 2015 Share Posted August 26, 2015 Yes, I was referring to changing the email settings back to our server so that we can see what exactly is going on and try to give you a solution. Quote Link to comment Share on other sites More sharing options...
Head Guru Posted August 26, 2015 Share Posted August 26, 2015 Hello, Sorry to hear about the issues that your facing. Drop me an email and I would like to offer you a solution that will solve your email woes. Quote Link to comment Share on other sites More sharing options...
D William A Posted October 14, 2015 Author Share Posted October 14, 2015 I redirected some of my problem email accounts to another email server (not TCH) and the spam is filtered out internally. No fiddling with spam assassin or account filters. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.