A better filter for spam domain names

[Mise]

I don't mind being told to shut up

And I did ask,

Would a double wildcard work. ?

[email protected]

(the forum must see the actual string as an sql injection or something)

Exim documentation seems to allow to delimitate better the parts (See "22. String testing conditions") :

3. Exim filter files

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet.

www.exim.org

although I'm not sure regarding the variable $h_from, and I can't do too much experiments in my server. I have some hysterical customers who behave like drug addicts when a message has an special delay, not mention when a message is lost.

 

[cPanelLauren]

@Mise

Just to confirm:

• I added the following custom filter "custom_words" with the contents as follows:

  if
  $h_from: contains "hacker" or
  $h_from: contains "anonym" or
  $h_subject: contains "Viagra" or
  $h_subject: contains "Cialis"
  then
  #fail text "Unable to delivery"
  seen finish
  endif

• Enabled it in the Exim Configuration Manager:

  Your changes have been saved.
  
  Restarting cPanel daemons...done.
  
  Updating your system to reflect any changes...
  Creating new setting for “filter_custom_words” of “On”. “filter_custom_words” was updated.
  Done.
  Your configuration changes have been saved! Waiting for “exim” to restart ………waiting for “exim” to initialize ………finished.
  
  Service Status
  exim (/usr/sbin/exim -ps -bd -q1h -oP /var/spool/exim/exim-daemon.pid) is running as mailnull with PID 16326 (systemd+/proc check method).
  exim (/usr/sbin/exim -qG) is running as root with PID 16328 (systemd+/proc check method).
  
  Startup Log
  Jan 17 15:07:39 server.cptechsupport.us systemd[1]: Starting Exim is a Mail Transport Agent, which is the program that moves mail from one machine to another....
  Jan 17 15:07:39 server.cptechsupport.us systemd[1]: Started Exim is a Mail Transport Agent, which is the program that moves mail from one machine to another..
  
  exim restarted successfully.

• Sent a test email from my test account I created the other day:
  

  [[email protected] options]# exigrep 1isYsK-0004Rx-Gr /var/log/exim_mainlog
  2020-01-17 15:09:56.573 [17121] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1isYsK-0004Rx-Gr
  
  2020-01-17 15:09:56.540 [17109] 1isYsK-0004Rx-Gr H=mail4.protonmail.ch [185.70.40.27]:20226 I=[MyIPAddress]:25 Warning: "SpamAssassin as lauren detected message as NOT spam (1.8)"
  2020-01-17 15:09:56.556 [17109] 1isYsK-0004Rx-Gr H=mail4.protonmail.ch [185.70.40.27]:20226 I=[MyIPAddress]:25 Warning: Message has been scanned: no virus or other harmful content was found
  2020-01-17 15:09:56.558 [17109] 1isYsK-0004Rx-Gr <= [email protected] H=mail4.protonmail.ch [185.70.40.27]:20226 I=[MyIPAddress]:25 P=esmtps L- X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3924 M8S=0 RT=0.136s id=oM-u53fPDhV323SShIqElFpuYHTRaEcHq_7cytbNh7Uqx[email protected]protonmail.com T="test" from <[email protected]> for [email protected]
  2020-01-17 15:09:56.666 [17121] 1isYsK-0004Rx-Gr => lauren <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=4142 C="250 2.0.0 <[email protected]> Ob5YJqQiIl7mQgAA9Z/phw Saved" QT=4.144s DT=0.038s
  2020-01-17 15:09:56.667 [17121] 1isYsK-0004Rx-Gr Completed QT=4.144s

• Note that the delivery was successful.

 

[keat63]

Just a test for CpanelLauren.
Please ignore

*@*.me

 

[Mise]

• Note that the delivery was successful.

Do you have also the domain *.pro inside the WHM Filter domain?

I'm sorry but you didn't mention this. Just to be sure

 

[cPanelLauren]

Do you have also the domain *.pro inside the WHM Filter domain?

I'm sorry but you didn't mention this. Just to be sure

I have the *.pro included in the Blocked domains:


Which was the entire point of testing this...

 

[Mise]

then there is something strange in my Exim config that I cannot see.
If I can find what happens I will post here.

Thank you for your time in testing in another server!

 

[cPanelLauren]

Feel free to open a ticket as well @Mise and we can take a more in-depth look at your configuration. If you do open a ticket please update this thread with the Ticket ID and I'll update here with the outcome.

 

[rackaid]

Does the filter support pattern anchors:

$h_from: contains ".top$" or

In bash, this would only match .top when at the end of a string.

 

[cPanelLauren]

Does the filter support pattern anchors:

$h_from: contains ".top$" or

In bash, this would only match .top when at the end of a string.

If he was using his filter it, this would work.

Using the cPanel/WHM feature this would not work. *.pro works without issue as has been evidenced in this thread and domains aren't entered in the standard filter format like you would if you were creating a filter file.

 

[Mise]

Hi Lauren

finally I have found the problem

When I add some change inside the custom filter:
/usr/local/cpanel/etc/exim/sysfilter/options/custom_words

this is not added automatically inside:
/etc/cpanel_exim_system_filter

so what happens is, I was not following the instructions in comments at the end of file /etc/cpanel_exim_system_filter:

# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/custom_words
# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf

I believed the restart Exim process was doing that work automatically. Although this is not the case. And the portion of the custom filter with an old error was present from many days ago inside file /etc/cpanel_exim_system_filter

Just by editing the error in /etc/cpanel_exim_system_filter, saving and restart Exim, and all is working, the messages are no discarded.

The error was this:

$h_from: contains ".pro" or

when the chain ".pro" is present in the sender this is discarded. Therefore [email protected] is discarded. However, when including ".pro" in the WHM filter and I use the custom word filter only for $h_subject then both works:

if
   $h_subject : contains "Hacker" or
   $h_subject : contains "nonym"
   #...(etc)
then
  #fail text "Unable to delivery"
  seen finish
endif

.


I would suggest including also another comment inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words to warn about the process to follow.

error solved

thanks for all the help!

 

[cPanelLauren]

Hi @Mise

I'm really glad you found the source of the issue!

This is not necessary due to the way we explain how to edit this in the custom filter documentation How to Customize the Exim System Filter File | cPanel & WHM Documentation - the purpose for suggesting that you enable/disable the filter through the exim configuration editor is because it rebuilds the exim configuration.

If you're going to edit it manually, once you make your edits (and after you're sure the filter is enabled) you need to run the following to rebuild the exim conf:

/scripts/buildeximconf

then restart exim.

It, for some reason, didn't occur to me that you might be editing this file manually then not making the modification in the exim configuration manager. Either way, thanks for reporting back and letting us know what happened.

I'd love to hear if you run into any issues with the domain blocking feature if you're moving forward with using it.