Spam Identified...and then let through?

This is the area for a general support questions, discussions and information that you can read and share. Post your experiences, stats and tricks and tips that are not covered elsewhere. Remember, for questions please search the FAQ first, as your question may already be answered.

Moderators: wizard, magicspam

Post Reply
dciwebworks
Posts: 17
Joined: Tue Nov 26, 2013 12:50 pm

Spam Identified...and then let through?

Post by dciwebworks » Mon Feb 02, 2015 12:06 pm

I have a recent customer complaint; high volume inbound where we've been successfully blocking 98% of spam. All of a sudden, we're not. Here's a header notice from one of the obvious spams that get through:

Spam detection software, running on the system "vps.myhostvps.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

I can't find root\@localhost, but I note that the recipient is NOT on a user exempt list on WHM or his cPanel.

What could be going on here? Thanks for your help!
Brian Clancy
DCIWebworks
Denver, CO

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Spam Identified...and then let through?

Post by magicspam » Mon Feb 02, 2015 2:33 pm

Hello Brian,

Thank you very much fory our post. If you could, please send us a sample of one of these messages from your MagicSpam log. Please feel from to obfuscate the recipient address.

Thanks,

-- MagicSpam Support Team --

dciwebworks
Posts: 17
Joined: Tue Nov 26, 2013 12:50 pm

Re: Spam Identified...and then let through?

Post by dciwebworks » Sat Mar 21, 2015 8:50 am

This is happening with maddening frequency now. One user now gets TWO copies of the SPAM email instead of just one.

What a system!

X-Ham-Report: (Isn't "HAM" a phrase that you specifically use?)

Spam detection software, running on the system "vps.###########.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

I am sending three emails to you at the support email address as examples. And also a log from the account MagicSpam installation.
Brian Clancy
DCIWebworks
Denver, CO

dciwebworks
Posts: 17
Joined: Tue Nov 26, 2013 12:50 pm

Re: Spam Identified...and then let through?

Post by dciwebworks » Tue Mar 31, 2015 11:18 am

OK, we found in the logs that the RBLs were not updating since the 6th of March using the terminal command:

ls -al /var/cache/bms/ which gives us a list of the last updates by block list.

We then updated the ownership permissions with this command:

chown -R magicspam:magicspam /var/cache/bms

And found that it's now updating fine. But the individual MagicSpam Dashboard by cPanel site has not updated statistics, at least as can be seen, since March 6. It would be nice if the statistics panel were updated. The logs do show the content up-to-date.

In addition, I'm seeing large blocks of IP addresses that are not on any of our RBL lists, ubt are listed in Spamhaus Zen:

192.200.209.3
192.200.209.4
192.200.209.5
192.200.209.6
192.200.209.7
192.200.209.8
192.200.209.9
192.210.204.158
192.210.204.158
192.210.204.158
199.189.86.179
199.189.86.180
199.189.86.181
199.189.86.183

It's activated on our WHM, but declines to scrutinize most requests. Is there any way to get that to be more effective in its use?
Brian Clancy
DCIWebworks
Denver, CO

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Spam Identified...and then let through?

Post by magicspam » Thu Apr 02, 2015 3:06 pm

Hello Brian,

Thank you for your post and for getting that sorted out. We have recently added posts to the various forums for troubleshooting this sort of permissions issue as well.

Regarding the statistics, there are two things we are interested in:
* Making sure you have the latest version of MagicSpam
* Permissions in /var/log/magicspam/. These can be fixed with

Code: Select all

chown -R magicspam:magicspam /var/log/magicspam
Finally, if you are interested in using the Spamhaus DNS RBL, or any other DNS RBL for that matter, you are more than welcome and we do allow custom DNS RBLs to be used. Please make sure you check with Spamhaus first though to see if you meet their usage terms (https://www.spamhaus.org/zen/).

Thanks!

-- MagicSpam Support Team --

dciwebworks
Posts: 17
Joined: Tue Nov 26, 2013 12:50 pm

Re: Spam Identified...and then let through?

Post by dciwebworks » Wed May 06, 2015 9:20 am

I'm leaving this here in this thread, because it speaks to the issues we've discussed.

I just noted a lot of SPAM coming through and looked at the MagicSpam RBL update logs:

-rw-r--r-- 1 magicspam magicspam 133976064 May 6 04:25 13
-rw-r--r-- 1 magicspam magicspam 78041088 May 5 10:25 23 nearly 24 hours
-rw-r--r-- 1 magicspam magicspam 28015616 May 5 22:25 35 12 hours
-rw-r--r-- 1 magicspam magicspam 173053952 May 6 04:25 36
-rw-r--r-- 1 magicspam magicspam 178673664 May 6 04:26 37
-rw-r--r-- 1 magicspam magicspam 99127296 May 6 04:26 38
-rw-r--r-- 1 magicspam magicspam 47104 Mar 6 16:16 39 not activated
-rw-r--r-- 1 magicspam magicspam 157958144 May 6 04:25 4
-rw-r--r-- 1 magicspam magicspam 7665664 May 5 22:26 40 12 hours
-rw-r--r-- 1 magicspam magicspam 26900480 May 5 22:26 41 12 hours
-rw-r--r-- 1 magicspam magicspam 268288 Mar 24 16:26 42
-rw-r--r-- 1 magicspam magicspam 10868736 May 6 04:25 5
drwxr-xr-x 2 magicspam magicspam 4096 May 6 04:26 incoming

RBLs 23,35,40 and 41 covering SORBS-DUL and all MIPSSPACE entries have not been updated in 12-24 hours. Is there any way to force an update? Because THOSE are the RBLs that normally catch 90% of our server's SPAM, at twelve hours is all the spammers need to get by.
Brian Clancy
DCIWebworks
Denver, CO

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Spam Identified...and then let through?

Post by magicspam » Wed May 06, 2015 9:48 am

Hello Brian,

Thanks for your response and for including the contents of your /var/cache/bms/ directory. It looks like everything is updating as expected at the moment. Please note that MagicSpam checks for new BMS updates every six hours (randomized at install), and will download updated BMS lists if there are changes available. In your case, this would be why list 23 hasn't updated yet.

Our current infrastructure supports updates every six hours from our customers. However, as we do see how increasing this frequency could be beneficial, we have passed this onto our management and operations teams to discuss the possibility of improving update times moving forward.

Thanks Brian,

-- MagicSpam Support Team --

dciwebworks
Posts: 17
Joined: Tue Nov 26, 2013 12:50 pm

Re: Spam Identified...and then let through?

Post by dciwebworks » Fri May 29, 2015 8:42 am

MIPSpace poor and worst (40 and 41) haven't updated since 5/28 at 4:26 PM. That's 18 hours ago, and, boy, it shows up in our email boxes. We seem to be having more problems with updates over the past week.

Is there any way to "force" an update, given that the spec shows these lists are updated hourly?
Brian Clancy
DCIWebworks
Denver, CO

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Spam Identified...and then let through?

Post by magicspam » Fri May 29, 2015 9:00 am

Hello Brian,

Thank you for your question. Although MagicSpam checks regularly for new reputation list updates, it doesn't re-download a list if there are no updates for it. This saves you (and us) bandwidth.
Based on the timestamp you provided, it sounds like (as of writing), you have the most up-to-date version of these reputation lists.

If you are currently having spam issues, we might suggest sending a few samples of uncaught spam, from your MagicSpam logs, to us via email at support@magicspam.com. We will see if we can provide you a recommendation on how to block these.

Thanks Brian!

-- MagicSpam Support Team --

Post Reply

Return to “General Discussions and Support Questions”

Who is online

Users browsing this forum: No registered users and 4 guests