3

I have a server running cPanel/WHM with exim and SpamAssassin. I've been noticing an issue where emails coming in with forged spamassassin headers bypassing some of the filtering. I want to strip out all SpamAssassin headers before it goes through spamassassin and then filtered into the inbox/spam folders.

Searching the net, the only similar instance I could find was from 2004. However, the exim config by that user and by me are very different. I am not sure how to apply it. I can run formail against a file containing the message to remove the headers, but I don't know how to make exim do that.

Just to provide an example, a message will come in with headers like this:

X-Spam-Status: No, score=1.3
X-Spam-Score: 13
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "serv02.example.com", has
        identified this incoming email as possible spam.  The original message *snip*
X-Spam-Flag: NO

My SpamAssassin will add these headers to the message:

X-Spam-Status: Yes, score=6.8
X-Spam-Score: 68
X-Spam-Bar: ++++++
X-Spam-Report: Spam detection software, running on the system "serv02.example.com", has
        identified this incoming email as possible spam.  The original message *snip*
X-Spam-Flag: YES

But because the exim vfilter rules read the first X-Spam headers, the email ends up in the user's inbox instead of in the spam folder.

Travis Campbell
  • 1,466
  • 7
  • 15
ytjohn
  • 417
  • 6
  • 12

3 Answers3

1

Check out if SpamAssassins remove_header or clear_headers configuration file options will do what you want.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • After trying these two options, they don't appear to have any affect. – ytjohn Jan 16 '12 at 09:01
  • Apparently, you also can remove headers in exim using the [headers_remove list](http://www.exim.org/exim-html-current/doc/html/spec_html/ch44.html#SECTheadersaddrem) - although I am not sure if headers actually will get removed before checking the vfilter rules. – the-wabbit Jan 16 '12 at 21:09
1

Exim for cPanel uses vfilters stored in /etc/vfilters and relies on the X-Spam-Bar header. Other systems may use X-Spam-Flag-Status or the Score to determine whether to save the message in the inbox, a spam folder, or delete it. Unfortunately, vfilter will use the very first match, which is the crux of this issue.

Outdated solution found http://wiki.exim.org/ExiscanExamples#Replacing_foreign_Spamassassin_headers_with_local_ones

Add into ACL's somewhere warn spam = exiscan:true set acl_m0 = ($spam_bar) $spam_score set acl_m1 = $spam_report

This will set ACL variables appropriately for the following processing in the system filter:

Add into system filter:

if first_delivery then
  # ...

  headers remove X-Spam-Score:X-Spam-Report:X-Spam-Checker-Version:X-Spam-Status:X-Spam-Level
  if $acl_m2 is not ""dd then
    headers add "X-Spam-Score: $acl_m0"
    headers add "X-Spam-Report: $acl_m1"
  endif
endif

In cPanel, the system filter is /etc/cpanel_exim_system_filter and the acl_mX variables are different, so lets figure those out. Add this to the end of cpanel_exim_filters

# work out our acl variables!
if first_delivery then
    headers add "X-acl-m0: $acl_m0"
    headers add "X-acl-m1: $acl_m1"
    headers add "X-acl-m2: $acl_m2"
    headers add "X-acl-m3: $acl_m3"
    headers add "X-acl-m4: $acl_m4"
    headers add "X-acl-m5: $acl_m5"
    headers add "X-acl-m6: $acl_m6"
    headers add "X-acl-m7: $acl_m7"
end

--- did this and got: X-acl-m1: user1 X-acl-m2: 1 X-acl-m3: X-acl-m4: X-acl-m5: X-acl-m6: X-acl-m7:

So i find the section of exim.conf that adds headers and see all the $spam variables. I wonder if they carry over? Let's find out.

headers add "X-Test-Spam-Subject: ***SPAM*** $h_subject"
headers add "X-Test-Spam-Score:$spam_score"
headers add "X-Test-Spam-Score-Int: $spam_score_int"
headers add "X-Test-Spam-Bar: $spam_bar"
headers add "X-Test-Spam-Report: $spam_report"

So $spam_score_int is carried over along with $h_subject, but not spam_bar, which is vital

X-Test-Spam-Subject: ***SPAM*** test
X-Test-Spam-Status: 
X-Test-Spam-Score: 33
X-Test-Spam-Bar:
X-Test-Spam-Report:

But.. I realized that headers carry through, which might work

headers add "X-Test-Spam-Bar: $h_X-Spam-Bar"

results in:

X-Test-Spam-Bar: +
+++

So the $h headers have both the headers received and headers added.

Solution?

Add custom spam filters into exim.conf and then swap them out in cpanel_exim_filter

log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
add_header = X-989Spam-Subject: ***SPAM*** $h_subject
add_header = X-989Spam-Status: Yes, score=$spam_score
add_header = X-989Spam-Score: $spam_score_int
add_header = X-989Spam-Bar: $spam_bar
add_header = X-Spam-Report: $spam_report
add_header = X-989Spam-Flag: YES

add_header = X-989Spam-Status: No, score=$spam_score
add_header = X-989Spam-Score: $spam_score_int
add_header = X-989Spam-Bar: $spam_bar
add_header = X-Ham-Report: $spam_report
add_header = X-989Spam-Flag: NO
log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)"

Ok, now to make this more persistent. First, copy your cpanel_exim_system filter:

cp /etc/cpanel_exim_system_filter /etc/custom_exim_system_filter

Log into WHM Main >> Service Configuration >> Exim Configuration Editor, and click Advanced Editor

Scroll down and change the spam header section to look like below. Note that you're just changing X-Spam headers to X-989Spam headers (you can of course use any custom name you like as long as your custom-exim-system-filters match. Since the configuration file may change over time, make sure you are modifying only the add_header lines.

add_header = X-989Spam-Subject: ***SPAM*** $h_subject
add_header = X-989Spam-Status: Yes, score=$spam_score
add_header = X-989Spam-Score: $spam_score_int
add_header = X-989Spam-Bar: $spam_bar
add_header = X-Spam-Report: $spam_report
add_header = X-989Spam-Flag: YES

-- and --

add_header = X-989Spam-Status: No, score=$spam_score
add_header = X-989Spam-Score: $spam_score_int
add_header = X-989Spam-Bar: $spam_bar
add_header = X-Ham-Report: $spam_report
add_header = X-989Spam-Flag: NO

Save your configuration and wait for WHM to refresh.

Go back to Main >> Service Configuration >> Exim Configuration Editor >> Filters

Change the system filter file to point to /etc/custom_exim_system_filter

ytjohn
  • 417
  • 6
  • 12
1

The accepted answer may have been the best you could do in 2012, or with the commonly available exim versions in 2012, but nowadays exim does have a remove_header directive that can be used in ACLs. It was added with version 4.82:

  1. New ACL modifier "remove_header" can remove headers before message gets handled by routers/transports.
Julian Fondren
  • 156
  • 2