A better filter for spam domain names

Mise

Active Member
May 15, 2011
I have a word filter to avoid spam from some .domains inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words

Code:
if
   $h_from: contains ".top" or
   $h_from: contains ".pro" or
   $h_from: contains ".xyz" or
   $h_from: contains ".bid"
   and $h_from: does not contain "legitimatedomain.com"

then
  seen finish
endif


It works well, although I experience problems with a few legitimate senders who are using ".top" in their email addresses,
like: "richard.top[email protected]"

Their messages also are discarded.

My only way to avoid this problem is to include exceptions in this way:

Code:
and $h_from: does not contain "legitimatedomain.com"

although I'm looking for a better automatic way to solve this issue.

I cannot find enough information inside Exim docs about the $h_from variable. I wonder if there is some valid way to
specify a better expression, something like:

$h_from: contains "@*.top"

to limit the filter action to the last part of the sender address


thanks for any help
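An added example of the domain-anchored condition asked for above; this is my filter, not the poster's and not anything shipped by cPanel. It assumes the same custom_words include file and keeps "legitimatedomain.com" as the placeholder for the allowed sender. Note that `contains` is a literal substring test, so `"@*.top"` is not a wildcard, and `matches` takes a regular expression, not a shell glob. The simplest route is to pull the domain out of the From: header with Exim's own expansion operators and compare the suffix:

```exim
# Added example: a domain-anchored version of the custom_words test.
# This is not the poster's filter or anything generated by cPanel; it assumes it
# lives in the same include file and keeps "legitimatedomain.com" as the placeholder.
#
#   ${address:$h_from:}  extracts the bare address from the From: header
#                        (a display name such as "Mr. Sender" is dropped)
#   ${domain:...}        keeps only the part after the last "@"
#   ${lc:...}            lowercases it so "Example.PRO" is still caught
#
# "ends" is a literal suffix test on that domain only, so ".top" in the local
# part (richard.top...) or a domain such as top.example.com no longer matches.
if
  (
    "${lc:${domain:${address:$h_from:}}}" ends ".top" or
    "${lc:${domain:${address:$h_from:}}}" ends ".pro" or
    "${lc:${domain:${address:$h_from:}}}" ends ".xyz" or
    "${lc:${domain:${address:$h_from:}}}" ends ".bid"
  )
  and "${lc:${domain:${address:$h_from:}}}" is not "legitimatedomain.com"
then
  seen finish
endif
```

The parentheses make the grouping explicit, so the exception applies to all four TLD tests. Since the From: header is chosen by the sender, the same four tests can be repeated on `$sender_address_domain` (the domain from MAIL FROM) if envelope forgery is a concern.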
 

keat63

Well-Known Member
Nov 20, 2014
CSF MailScanner every time for me.
It's not free, but not expensive, and does exactly this with a minimum of fuss.
 

Mise

Active Member
May 15, 2011
@Mise

It's quite new, which is why I pointed it out! Let me know if it works for you :)
Bad news, I'm here again.

It seems the WHM filter window has the same problem, and these messages are discarded. It is not able to distinguish the second part of the address.

I have included the strings in this way:

*.pro
*.bid
*.buzz
*.desi
*.gdn

and Exim shows "discarded" when it sees "[email protected]":

2020-01-11 11:31:31.241 [941] 1iqENa-0000ED-2N => discarded (system filter)


Also, it seems that in the filter window there is some delay in applying the changes. After emptying the filter window and restarting Exim, the changes weren't applied immediately, or perhaps not definitively. I needed to apply twice and restart again.

Hope you can solve this issue. There are some legitimate addresses which can use the format "[email protected]", "[email protected]" which would be discarded (not sure in the case of "[email protected]", but the first "[email protected]" is certain).

I suppose there is some way to limit the filter after the "@" although I cannot find how to do it.

thanks! :)
 

Mise

Active Member
May 15, 2011
Can you show me the output from the logs where it discarded a message with the first part? If that is actually the case this would be considered something that needs to be resolved.
The logs only show this line:
2020-01-11 11:31:31.241 [941] 1iqENa-0000ED-2N => discarded (system filter)

that's all.

Please, do a test blocking the domain *.pro and then with any sender address "mike.pro[email protected]".

Yes, I believe you should do something, or maybe contact the Exim developers in case regular expressions are not allowed inside the "$h_from" variable.

While these lists of spammer domains grow on the internet, probably more people can be affected. And the "discard" option doesn't send notifications, at least in my case.

I would add more logs, although I don't want to activate these filters because I don't know whether this can affect more addresses like "mike.prolan[email protected]" or similar.

I experienced a bad problem with a customer just because of only one message, and I fear the filter activation can affect some incoming message from a new legitimate sender.


waiting news,


Thanks so much, :)
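The two worries in the post above, that `seen finish` discards silently and that an untested pattern might hit more legitimate addresses, can both be handled by running the domain test in a log-only mode first. This is an added example, not the poster's custom_words and not cPanel's generated filter; it assumes the same include file and the same four TLDs:

```exim
# Added example, not the poster's custom_words: the domain-anchored test, run in
# log-only mode. Nothing is discarded; each match writes one line to
# exim_mainlog so false positives can be reviewed before the filter is armed.
# To arm it, uncomment "seen finish" below.
#
#   ${address:$h_from:}  bare address from the From: header
#   ${domain:...}        part after the last "@"
#   ${lc:...}            lowercased, so the suffix test is case-insensitive
if
  "${lc:${domain:${address:$h_from:}}}" ends ".top" or
  "${lc:${domain:${address:$h_from:}}}" ends ".pro" or
  "${lc:${domain:${address:$h_from:}}}" ends ".xyz" or
  "${lc:${domain:${address:$h_from:}}}" ends ".bid"
then
  # Record both the header address and the envelope sender (MAIL FROM), since
  # spam often forges one but not the other.
  logwrite "custom_words blocked-TLD match: From <${address:$h_from:}> envelope <$sender_address>"
  # seen finish
endif
```

With `seen finish` commented out the message is still delivered, and each match leaves a line in exim_mainlog that can be reviewed for a few days before the discard is enabled. The `fail text` line the poster has commented out would instead generate a bounce; because the envelope sender on spam is usually forged, that bounce goes to an uninvolved third party (backscatter), so logging plus silent discard is the safer choice. A saved message can also be pushed through the generated filter offline with `exim -bF /etc/cpanel_exim_system_filter -f <envelope-sender> < message.eml` (the sender value and message file name are placeholders for this note), which prints the filter's decisions without delivering anything.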
 

Mise

Active Member
May 15, 2011
Here is one real excerpt.
I have made minimal replacements; the real email addresses involved have exactly the same format.


- domain filter: *.pro


Code:
2020-01-07 08:11:26.436 [9518] SMTP connection from mail-ua1-f49.google.com [209.85.222.51]:39494 I=[2.2.2.2]:25 closed by QUIT
2020-01-07 08:11:26.490 [9522] 1iaira-0004Pa-1P DKIM: d=gmail.com s=20161025 c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
2020-01-07 08:11:26.545 [9522] 1iaira-0004Pa-1P <= [email protected] H=mail-vs1-f53.google.com [209.85.217.51]:32976 I=[2.2.2.2]:25 P=esmtps L- X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no SNI="mydomain.com" S=64060 M8S=0 DKIM=gmail.com RT=0.397s [email protected] T="Mr. Sender" from <[email protected]> for [email protected]
2020-01-07 08:11:26.550 [9574] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1iaira-0004Pa-1P
2020-01-07 08:11:26.553 [9574] 1iaira-0004Pa-1P => discarded (system filter)
2020-01-07 08:11:26.553 [9574] 1iaira-0004Pa-1P Completed QT=0.509s

Thanks to your message about logs I have found more senders discarded in the past because they contained the string ".pro" and others somewhere in the first part of the address.

So now this is certain: any sender like "[email protected]" is discarded because the string *.pro is detected.

It can affect legitimate email addresses depending on the blocked domains (.pro, .xyz, .bid, etc.).

Please, update the WHM filter.


thanks! :)
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
@Mise

In the opening of the thread here you noted that you had modified the exim system filter but this behavior was occurring. Did you remove your system filter prior to enabling this setting?

I ask because of two reasons:

  1. the output you've noted indicates this is a system filter:
    Code:
    2020-01-07 08:11:26.553 [9574] 1iaira-0004Pa-1P => discarded (system filter)
  2. I cannot replicate this behavior in any fashion:

  • First I created and sent from an account with no period in the user: laurenprolific

    Code:
    [[email protected] ~]# exigrep 1irpgq-0005BL-7W /var/log/exim_mainlog
    2020-01-15 14:55:01.047 [20000] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1irpgq-0005BL-7W
    
    2020-01-15 14:55:00.999 [19923] 1irpgq-0005BL-7W H=sender4-pp-o98.domain.com [136.143.188.98]:25849 I=[MyIPAddress]:25 Warning: "SpamAssassin as lauren detected message as NOT spam (-0.2)"
    2020-01-15 14:55:01.036 [19923] 1irpgq-0005BL-7W H=sender4-pp-o98.domain.com [136.143.188.98]:25849 I=[MyIPAddress]:25 Warning: Message has been scanned: no virus or other harmful content was found
    2020-01-15 14:55:01.039 [19923] 1irpgq-0005BL-7W <= [email protected] H=sender4-pp-o98.domain.com [136.143.188.98]:25849 I=[MyIPAddress]:25 P=esmtps L- X=TLS1.2:ECDHE-RSA-AES256-SHA384:256 CV=no SNI="mydomain.us" S=3576 M8S=0 RT=0.116s [email protected] T="pro test" from <[email protected]> for [email protected]
    2020-01-15 14:55:01.128 [20000] 1irpgq-0005BL-7W => lauren <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=3778 C="250 2.0.0 <[email protected]> h1CEBiV8H177TQAA9Z/phw Saved" QT=0.895s DT=0.022s
    2020-01-15 14:55:01.130 [20000] 1irpgq-0005BL-7W Completed QT=0.897s
    • Then I created an account with a period in the user lauren.prolific and used protonmail just to be thorough:

    Code:
    [[email protected] ~]# exigrep 1irprJ-0006RC-0Z /var/log/exim_mainlog
    2020-01-15 15:05:54.147 [24842] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1irprJ-0006RC-0Z
    
    2020-01-15 15:05:54.107 [24750] 1irprJ-0006RC-0Z H=mail-40130.protonmail.ch [185.70.40.130]:33267 I=[MyIPAddress]:25 Warning: "SpamAssassin as lauren detected message as NOT spam (1.8)"
    2020-01-15 15:05:54.136 [24750] 1irprJ-0006RC-0Z H=mail-40130.protonmail.ch [185.70.40.130]:33267 I=[MyIPAddress]:25 Warning: Message has been scanned: no virus or other harmful content was found
    2020-01-15 15:05:54.139 [24750] 1irprJ-0006RC-0Z <= [email protected] H=mail-40130.protonmail.ch [185.70.40.130]:33267 I=[MyIPAddress]:25 P=esmtps L- X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3890 M8S=0 RT=0.139s id=MNP0OUXeXN9qby-ddb28WXCf9-kB3LkwpfY8AhuTkilG5[email protected]protonmail.com T="prolific testing" from <[email protected]> for [email protected]
    2020-01-15 15:05:54.215 [24842] 1irprJ-0006RC-0Z => lauren <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=4107 C="250 2.0.0 <[email protected]> GHgZDLJ+H16RXwAA9Z/phw Saved" QT=5s DT=0.013s
    2020-01-15 15:05:54.216 [24842] 1irprJ-0006RC-0Z Completed QT=5s
 

Mise

Active Member
May 15, 2011
That's strange. You are right, it is not emptied.

inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words I have:

Code:
if
$h_from: contains "hacker" or
$h_from: contains "anonym" or
$h_subject: contains "Viagra" or
$h_subject: contains "Cialis"
then
#fail text "Unable to delivery"
seen finish
endif

Do you mean there is some incompatibility between having both filters?

Should I delete the custom_words file completely?


thanks!

PS: I have no trace of ".pro" inside the /usr/local/cpanel/etc/exim folders:

Code:
 # grep -i "\.pro" /usr/local/cpanel/etc/exim -R
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
You noted initially that you had the following:

I have a word filter to avoid spam from some .domains inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words
That had the following:
Code:
if
   $h_from: contains ".top" or
   $h_from: contains ".pro" or
   $h_from: contains ".xyz" or
   $h_from: contains ".bid"
   and $h_from: does not contain "legitimatedomain.com"

then
  seen finish
endif
I am unaware if you removed this or not but it would explain the filtering of these. As you can see in my test it is clearly not filtering .pro from the first part of the message. I can't replicate this at all and it looks like a configuration issue.

In the filter you had previously you did not have a / before .pro so a grep for "/.pro" would be invalid.

Can you send me a screenshot of the settings in WHM>>Service Configuration>>Exim Configuration Manager->Filters?
 

Mise

Active Member
May 15, 2011
In the filter you had previously you did not have a / before .pro so a grep for "/.pro" would be invalid.
Please note that in the grep command I wrote it was "\.pro", not "/.pro".
In my terminal it works:

Code:
# grep -i "\.pro" /usr/local/cpanel/etc/exim -R
the backslash "\" escapes the "." character, so the search is able to find ".pro" rather than only "pro".


I am unaware if you removed this or not but it would explain the filtering of these. As you can see in my test it is clearly not filtering .pro from the first part of the message.
I can't replicate this at all and it looks like a configuration issue.
...
Can you send me a screenshot of the settings in WHM>>Service Configuration>>Exim Configuration Manager->Filters?
I can see. Although I'm not sure if you are replicating exactly what I describe.


Please, to replicate this bug follow these 3 steps:


(1)-
Write the following inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words

Code:
if
$h_from: contains "hacker" or
$h_from: contains "anonym" or
$h_subject: contains "Viagra" or
$h_subject: contains "Cialis"
then
#fail text "Unable to delivery"
seen finish
endif
Save and restart Exim



(2) - write the following inside WHM -> "Filter Incoming Emails by Domain" :
(see the attached image: 17012020.jpg)
*.top
*.pro
*.xyz
*.bid

Save and restart Exim



(3) - now send yourself a message from some email address including the characters .pro in the first part:

For example:


now check the logs. At least in my case, the message is discarded.



please, confirm this


Thanks!
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
  1. None of our testing is done with custom configurations in place. My testing (and our internal testing) absolutely will not take into account custom configurations you may have in place. Customizations such as a custom filter being present are things you would need to troubleshoot.
  2. You can clearly see in the output I provided that with the default settings in place the .pro in the first part of my email address was not filtered.
  3. I requested the following screenshot but I don't see it in your response:
    Can you send me a screenshot of the settings in WHM>>Service Configuration>>Exim Configuration Manager->Filters?
  4. What I'm trying to surmise is if you still have the following custom filter in place which would account for the behavior you're seeing:
    Code:
    if $h_from: contains ".top" or
    $h_from: contains ".pro" or
    $h_from: contains ".xyz" or
    $h_from: contains ".bid"
    and $h_from: does not contain "legitimatedomain.com"
    
    then
    seen finish
    endif
Otherwise, if you'd like to open a ticket please do so, as I am unable to replicate the behavior you're reporting with cPanel/WHM's default settings.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
I don't mind being told to shut up :)

And I did ask,

Would a double wildcard work?

[email protected]

(the forum must see the actual string as an sql injection or something)
Actually I believe it italicizes it :) and two asterisks makes it bold - I'll shut that feature off (it was useful for me but i can see how it wouldn't be in this instance)
 

Mise

Active Member
May 15, 2011
I attach a screenshot of WHM>>Service Configuration>>Exim Configuration Manager->Filters:

(attached image: 17012020_2.jpg)


and this is the code of the active /etc/cpanel_exim_system_filter (without comments):
Code:
root># grep ^[^#] /etc/cpanel_exim_system_filter

if not first_delivery
then
finish
endif
if error_message and $header_from: contains "[email protected]"
then
finish
endif
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if
$h_from: contains "Hacker" or
$h_from: contains "nonym" or
$h_subject: contains "masturb" or
$h_subject: contains "Viagra" or
$h_subject: contains "Cialis"
then
#fail text "Unable to delivery"
seen finish
endif
if "${if def:header_X-Spam-Subject: {there}}" is there
then
headers remove Subject
headers add "Subject: $rh_X-Spam-Subject:"
headers remove X-Spam-Subject
endif
Well, this is not urgent enough to open a ticket. That is why I write here in this thread, just to rule out a problem on my server. And I believe if there is a bug it can affect more people using custom word filters.

Meanwhile I have disabled the WHM filter. I don't want to delete the custom_words file because it is effective on my server for the spam coming with these words, which is worse. Although it worked better with both combined, because most times these domains and words appear in the same message, although not always.

Sometimes spammers write special characters to bypass word filters, and then the .domain filter is useful. Other times it is the opposite case.


thanks