A better filter for spam domain names

[Mise]

I have a word filter to avoid spam from some .domains inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words

if
   $h_from: contains ".top" or
   $h_from: contains ".pro" or
   $h_from: contains ".xyz" or
   $h_from: contains ".bid"
   and $h_from: does not contain "legitimatedomain.com"

then
  seen finish
endif

it works well, although I experience problems with a few legitimate senders who are using ".top" in their email adrresses
like: "richard.top[email protected]"

Their messages also are discarded.

My only way to avoid this problem is including exceptions in this way:

and $h_from: does not contain "legitimatedomain.com"

although I'm looking for a better automatic way to solve this issue.

I cannot find enough information inside Exim docs about the $h_from variable. I wonder if there is some valid way to
specify a better expression, something like:

$h_from: contains "@*.top"

to delimitate the filter action to the last part of the sender address


thanks for any help

 

[cPanelLauren]

Something new that may interest you might be Filter Incoming Emails by Domain | cPanel & WHM Documentation

Have you taken a look at this to see if it would work for you?

 

[keat63]

CSF mailscanner everytime for me.
It's not free, but not expensive and does exactly this with minimal of fuss.

 

[Mise]

Something new that may interest you might be Filter Incoming Emails by Domain | cPanel & WHM Documentation

Have you taken a look at this to see if it would work for you?

uops.... I was not aware of this WHM feature. Much easier, thanks a lot!

 

[cPanelLauren]

@Mise

It's quite new, which is why I pointed it out! Let me know if it works for you

 

[Mise]

@Mise

It's quite new, which is why I pointed it out! Let me know if it works for you

bad news I'm here again.

It seems the whm filter window has the same problem, and these messages are discarded. It is not able to distinguish the second part of the address.

I have included the chains in this way:

*.pro
*.bid
*.buzz
*.desi
*.gdn

and Exim shows "discarded" when looking "[email protected]":

2020-01-11 11:31:31.241 [941] 1iqENa-0000ED-2N => discarded (system filter)


also, it seems in the filter windows there is some delay in applying the changes. After emptying the filter window and restart exim, the changes weren't applied immediately or perhaps in a definitive way. I have need to apply two times and restart again.

Hope you can solve this issue. There are some legitimate address which can use the format "[email protected]in.com", "[email protected]" which would be discarded (not sure in the case of "[email protected]" but the first "[email protected]" is sure)

I suppose there is some way to limit the filter after the "@" although I cannot find how to do it.

thanks!

 

[keat63]

Would two wildcards work.
eg [email protected].pro


Just a thought

(forum wouldnt allow me to use stars)

 

[Mise]

Would two wildcards work.
eg [email protected].pro
Just a thought
(forum would allow me to use stars)

that's not allowed, it shows the error:

[email protected]: The label must contain only non-ASCII characters and the following: a-z, A-Z, 0-9 y -.

 

[cPanelLauren]

@Mise

Can you show me the output from the logs where it discarded a message with the first part? If that is actually the case this would be considered something that needs to be resolved.

 

[Mise]

Can you show me the output from the logs where it discarded a message with the first part? If that is actually the case this would be considered something that needs to be resolved.

logs only shows this line:
2020-01-11 11:31:31.241 [941] 1iqENa-0000ED-2N => discarded (system filter)

that's all.

Please, do a test blocking domain *.pro and then with any sender address "mike.pro[email protected]"

Yes, I believe you should do something or maybe contact with Exim developers in case the regular expressions are not allowed inside "$h_from" variable.

While these lists of spammer domains grows in internet probably more people can be affected. And the "discard" option don't send notifications, at least in my case

I would add more logs although I don't want to activate these filters because I ignore if this can affect more chain addresses like "mike.prolan[email protected]" or similar.

I experienced a bad problem with a customer just because only one message, and I fear the filter activation can affect to some entering message from a new legitimate sender.


waiting news,


Thanks so much,

 

[cPanelLauren]

Hello,

I was hoping you'd be able to provide the log excerpt for this from the exim logs at /var/log/exim_mainlog

 

[Mise]

here is one real excerpt.
I have made minimal replacements, the real email addresses involved are exactly with the same format

• my server: 2.2.2.2
• sender: [email protected]
• receiver: [email protected]

- domain filter: *.pro

2020-01-07 08:11:26.436 [9518] SMTP connection from mail-ua1-f49.google.com [209.85.222.51]:39494 I=[2.2.2.2]:25 closed by QUIT
2020-01-07 08:11:26.490 [9522] 1iaira-0004Pa-1P DKIM: d=gmail.com s=20161025 c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
2020-01-07 08:11:26.545 [9522] 1iaira-0004Pa-1P <= [email protected] H=mail-vs1-f53.google.com [209.85.217.51]:32976 I=[2.2.2.2]:25 P=esmtps L- X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no SNI="mydomain.com" S=64060 M8S=0 DKIM=gmail.com RT=0.397s [email protected] T="Mr. Sender" from <[email protected]> for [email protected]
2020-01-07 08:11:26.550 [9574] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1iaira-0004Pa-1P
2020-01-07 08:11:26.553 [9574] 1iaira-0004Pa-1P => discarded (system filter)
2020-01-07 08:11:26.553 [9574] 1iaira-0004Pa-1P Completed QT=0.509s

thanks to your message about logs I have found more senders discarded in past times because they contained the chain ".pro" and others in some place of the first part address.

Then now this is sure: any sender like "[email protected]" is discarded because the chain *.pro is detected

It can affects legitimate email addresses depending of the blocked domains ( .pro, .xyz, .bid and etc.. )

Please, update the WHM filter.


thanks!

 

[cPanelLauren]

@Mise

In the opening of the thread here you noted that you had modified the exim system filter but this behavior was occurring. Did you remove your system filter prior to enabling this setting?

I ask because of two reasons:

1. the output you've noted indicates this is a system filter:
   

   2020-01-07 08:11:26.553 [9574] 1iaira-0004Pa-1P => discarded (system filter)

2. I cannot replicate this behavior in any fashion:

• First I created and sent from an account with no period in the user: laurenprolific
  
  

  [[email protected] ~]# exigrep 1irpgq-0005BL-7W /var/log/exim_mainlog
  [/LIST]
  2020-01-15 14:55:01.047 [20000] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1irpgq-0005BL-7W
  
  2020-01-15 14:55:00.999 [19923] 1irpgq-0005BL-7W H=sender4-pp-o98.domain.com [136.143.188.98]:25849 I=[MyIPAddress]:25 Warning: "SpamAssassin as lauren detected message as NOT spam (-0.2)"
  2020-01-15 14:55:01.036 [19923] 1irpgq-0005BL-7W H=sender4-pp-o98.domain.com [136.143.188.98]:25849 I=[MyIPAddress]:25 Warning: Message has been scanned: no virus or other harmful content was found
  2020-01-15 14:55:01.039 [19923] 1irpgq-0005BL-7W <= [email protected] H=sender4-pp-o98.domain.com [136.143.188.98]:25849 I=[MyIPAddress]:25 P=esmtps L- X=TLS1.2:ECDHE-RSA-AES256-SHA384:256 CV=no SNI="mydomain.us" S=3576 M8S=0 RT=0.116s [email protected] T="pro test" from <[email protected]> for [email protected]
  2020-01-15 14:55:01.128 [20000] 1irpgq-0005BL-7W => lauren <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=3778 C="250 2.0.0 <[email protected]> h1CEBiV8H177TQAA9Z/phw Saved" QT=0.895s DT=0.022s
  2020-01-15 14:55:01.130 [20000] 1irpgq-0005BL-7W Completed QT=0.897s

  • Then I created an account with a period in the user lauren.prolific and used protonmail just to be thorough:
• 
  

  [[email protected] ~]# exigrep 1irprJ-0006RC-0Z /var/log/exim_mainlog
  2020-01-15 15:05:54.147 [24842] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1irprJ-0006RC-0Z
  
  2020-01-15 15:05:54.107 [24750] 1irprJ-0006RC-0Z H=mail-40130.protonmail.ch [185.70.40.130]:33267 I=[MyIPAddress]:25 Warning: "SpamAssassin as lauren detected message as NOT spam (1.8)"
  2020-01-15 15:05:54.136 [24750] 1irprJ-0006RC-0Z H=mail-40130.protonmail.ch [185.70.40.130]:33267 I=[MyIPAddress]:25 Warning: Message has been scanned: no virus or other harmful content was found
  2020-01-15 15:05:54.139 [24750] 1irprJ-0006RC-0Z <= [email protected] H=mail-40130.protonmail.ch [185.70.40.130]:33267 I=[MyIPAddress]:25 P=esmtps L- X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3890 M8S=0 RT=0.139s id=MNP0OUXeXN9qby-ddb28WXCf9-kB3LkwpfY8AhuTkilG5[email protected]protonmail.com T="prolific testing" from <[email protected]> for [email protected]
  2020-01-15 15:05:54.215 [24842] 1irprJ-0006RC-0Z => lauren <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=4107 C="250 2.0.0 <[email protected]> GHgZDLJ+H16RXwAA9Z/phw Saved" QT=5s DT=0.013s
  2020-01-15 15:05:54.216 [24842] 1irprJ-0006RC-0Z Completed QT=5s

 

[Mise]

that's strange. You are right, it is not emptied,

inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words I have:

if
$h_from: contains "hacker" or
$h_from: contains "anonym" or
$h_subject: contains "Viagra" or
$h_subject: contains "Cialis"
then
#fail text "Unable to delivery"
seen finish
endif

Do you mean is there some incompatibility between the existence of both filters?

Should I delete the custom_words file completely?


thanks!

*PD: I have no any trace of ".pro" inside /usr/local/cpanel/etc/exim folders

 # grep -i "\.pro" /usr/local/cpanel/etc/exim -R

 

[cPanelLauren]

You noted initially that you had the following:

I have a word filter to avoid spam from some .domains inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words

That had the following:

if
   $h_from: contains ".top" or
   $h_from: contains ".pro" or
   $h_from: contains ".xyz" or
   $h_from: contains ".bid"
   and $h_from: does not contain "legitimatedomain.com"

then
  seen finish
endif

I am unaware if you removed this or not but it would explain the filtering of these. As you can see in my test it is clearly not filtering .pro from the first part of the message. I can't replicate this at all and it looks like a configuration issue.

In the filter you had previously you did not have a / before .pro so a grep for "/.pro" would be invalid.

Can you send me a screenshot of the settings in WHM>>Service Configuration>>Exim Configuration Manager->Filters?

 

[Mise]

In the filter you had previously you did not have a / before .pro so a grep for "/.pro" would be invalid.

please note in the grep command I wrote it was "\.pro" instead "/.pro".
In my terminal it works;

# grep -i "\.pro" /usr/local/cpanel/etc/exim -R

the backslash "\" can include the character "." and the search is able to find ".pro" instead only "pro"

I am unaware if you removed this or not but it would explain the filtering of these. As you can see in my test it is clearly not filtering .pro from the first part of the message.
I can't replicate this at all and it looks like a configuration issue.
...
Can you send me a screenshot of the settings in WHM>>Service Configuration>>Exim Configuration Manager->Filters?

I can see. Although I'm not sure if you are replicating exactly what I say


Please, to replicate this bug follow these 3 steps:


(1)- Write the following inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words

if
$h_from: contains "hacker" or
$h_from: contains "anonym" or
$h_subject: contains "Viagra" or
$h_subject: contains "Cialis"
then
#fail text "Unable to delivery"
seen finish
endif

Save and restart Exim



(2) - write the following inside WHM -> "Filter Incoming Emails by Domain" :
(see the attached image)

*.top
*.pro
*.xyz
*.bid

Save and restart Exim



(3) - now send to yourself a message from some email address including the characters .pro in the first part:

In example:

From: "[email protected]"    To:  "[email protected]"

now check the logs. At least in my case, the message is discarded.



please, confirm this


Thanks!

 

[keat63]

I don't mind being told to shut up

And I did ask,

Would a double wildcard work. ?

[email protected]

(the forum must see the actual string as an sql injection or something)

 

[cPanelLauren]

1. None of our testing is done with custom configurations in place. My testing (and our internal testing) absolutely will not take into account custom configurations you may have in place. Customizations such as a custom filter being present are things you would need to troubleshoot.
2. You can clearly see in the output I provided that with the default settings in place the .pro in the first part of my email address was not filtered.
3. I requested the following screenshot but I don't see it in your response:
   

   Can you send me a screenshot of the settings in WHM>>Service Configuration>>Exim Configuration Manager->Filters?

4. What I'm trying to surmise is if you still have the following custom filter in place which would account for the behavior you're seeing:
   

   if $h_from: contains ".top" or
   $h_from: contains ".pro" or
   $h_from: contains ".xyz" or
   $h_from: contains ".bid"
   and $h_from: does not contain "legitimatedomain.com"
   
   then
   seen finish
   endif

Otherwise, if you'd like to open a ticket please do so, as I am unable to replicate the behavior your reporting with cPanel/WHM's default settings.

 

[cPanelLauren]

I don't mind being told to shut up

And I did ask,

Would a double wildcard work. ?

[email protected]

(the forum must see the actual string as an sql injection or something)

Actually I believe it italicizes it and two asterisks makes it bold - I'll shut that feature off (it was useful for me but i can see how it wouldn't be in this instance)

 

[Mise]

1. None of our testing is done with custom configurations in place. My testing (and our internal testing) absolutely will not take into account custom configurations you may have in place. Customizations such as a custom filter being present are things you would need to troubleshoot.
2. You can clearly see in the output I provided that with the default settings in place the .pro in the first part of my email address was not filtered.
3. I requested the following screenshot but I don't see it in your response: WHM>>Service Configuration>>Exim Configuration Manager->Filters?
4. What I'm trying to surmise is if you still have the following custom filter in place which would account for the behavior you're seeing:
   

   if $h_from: contains ".top" or
   $h_from: contains ".pro" or
   $h_from: contains ".xyz" or
   $h_from: contains ".bid"
   and $h_from: does not contain "legitimatedomain.com"
   
   then
   seen finish
   endif

Otherwise, if you'd like to open a ticket please do so, as I am unable to replicate the behavior your reporting with cPanel/WHM's default settings.

I attach you an screenshot of WHM>>Service Configuration>>Exim Configuration Manager->Filters:




and this is the code of the active /etc/cpanel_exim_system_filter (without comments):

root># grep ^[^#] /etc/cpanel_exim_system_filter

if not first_delivery
then
finish
endif
if error_message and $header_from: contains "[email protected]"
then
finish
endif
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
if
$h_from: contains "Hacker" or
$h_from: contains "nonym" or
$h_subject: contains "masturb" or
$h_subject: contains "Viagra" or
$h_subject: contains "Cialis"
then
#fail text "Unable to delivery"
seen finish
endif
if "${if def:header_X-Spam-Subject: {there}}" is there
then
headers remove Subject
headers add "Subject: $rh_X-Spam-Subject:"
headers remove X-Spam-Subject
endif

well, this is no an enough urgence to open a ticket. For that reason I write here in this thread. Just to discard the problem in my server. And I believe if there is a bug it can affect more people using custom word filters.

Meanwhile I have disabled the WHM filter. I don't want to delete the custom_word file because it is effective in my server for the spam coming with these words, which is worse. Although it worked better with both joined because most times these domains and words appears in the same message, although not always.

Sometimes spammers writes special characters to bypass word filters, then the .domain filter is useful. Other times it is the inverse case.


thanks