A better filter for spam domain names

Mise

Active Member
May 15, 2011
I don't mind being told to shut up :)

And I did ask,

Would a double wildcard work?

[email protected]

(the forum must see the actual string as an sql injection or something)
Exim documentation seems to allow delimiting the parts better (see "22. String testing conditions"):

Although I'm not sure regarding the variable $h_from, and I can't do too many experiments on my server. I have some hysterical customers who behave like drug addicts when a message has a special delay, not to mention when a message is lost.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
@Mise

Just to confirm:

  • I added the following custom filter "custom_words" with the contents as follows:
    Code:
    if
    $h_from: contains "hacker" or
    $h_from: contains "anonym" or
    $h_subject: contains "Viagra" or
    $h_subject: contains "Cialis"
    then
    #fail text "Unable to delivery"
    seen finish
    endif
  • Enabled it in the Exim Configuration Manager:
    Code:
    Your changes have been saved.
    
    Restarting cPanel daemons...done.
    
    Updating your system to reflect any changes...
    Creating new setting for “filter_custom_words” of “On”. “filter_custom_words” was updated.
    Done.
    Your configuration changes have been saved! Waiting for “exim” to restart ………waiting for “exim” to initialize ………finished.
    
    Service Status
    exim (/usr/sbin/exim -ps -bd -q1h -oP /var/spool/exim/exim-daemon.pid) is running as mailnull with PID 16326 (systemd+/proc check method).
    exim (/usr/sbin/exim -qG) is running as root with PID 16328 (systemd+/proc check method).
    
    Startup Log
    Jan 17 15:07:39 server.cptechsupport.us systemd[1]: Starting Exim is a Mail Transport Agent, which is the program that moves mail from one machine to another....
    Jan 17 15:07:39 server.cptechsupport.us systemd[1]: Started Exim is a Mail Transport Agent, which is the program that moves mail from one machine to another..
    
    exim restarted successfully.
  • Sent a test email from my test account I created the other day:
    Code:
    [[email protected] options]# exigrep 1isYsK-0004Rx-Gr /var/log/exim_mainlog
    2020-01-17 15:09:56.573 [17121] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1isYsK-0004Rx-Gr
    
    2020-01-17 15:09:56.540 [17109] 1isYsK-0004Rx-Gr H=mail4.protonmail.ch [185.70.40.27]:20226 I=[MyIPAddress]:25 Warning: "SpamAssassin as lauren detected message as NOT spam (1.8)"
    2020-01-17 15:09:56.556 [17109] 1isYsK-0004Rx-Gr H=mail4.protonmail.ch [185.70.40.27]:20226 I=[MyIPAddress]:25 Warning: Message has been scanned: no virus or other harmful content was found
    2020-01-17 15:09:56.558 [17109] 1isYsK-0004Rx-Gr <= [email protected] H=mail4.protonmail.ch [185.70.40.27]:20226 I=[MyIPAddress]:25 P=esmtps L- X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3924 M8S=0 RT=0.136s id=oM-u53fPDhV323SShIqElFpuYHTRaEcHq_7cytbNh7Uqx[email protected]protonmail.com T="test" from <[email protected]> for [email protected]
    2020-01-17 15:09:56.666 [17121] 1isYsK-0004Rx-Gr => lauren <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=4142 C="250 2.0.0 <[email protected]> Ob5YJqQiIl7mQgAA9Z/phw Saved" QT=4.144s DT=0.038s
    2020-01-17 15:09:56.667 [17121] 1isYsK-0004Rx-Gr Completed QT=4.144s
  • Note that the delivery was successful.
 

Mise

Active Member
May 15, 2011
Then there is something strange in my Exim config that I cannot see.
If I can find what happens I will post here.

Thank you for your time in testing in another server!
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
Does the filter support pattern anchors:

Code:
$h_from: contains ".top$" or
In bash, this would only match .top when at the end of a string.
If he was using his filter, this would work.

Using the cPanel/WHM feature, this would not work. *.pro works without issue, as has been evidenced in this thread, and domains aren't entered in the standard filter format like they would be if you were creating a filter file.
 

Mise

Active Member
May 15, 2011
Hi Lauren

Finally, I have found the problem.

When I make a change inside the custom filter:
/usr/local/cpanel/etc/exim/sysfilter/options/custom_words

it is not added automatically inside:
/etc/cpanel_exim_system_filter

So what happened is that I was not following the instructions in the comments at the end of the file /etc/cpanel_exim_system_filter:

Code:
# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/custom_words
# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf

I believed the Exim restart process was doing that work automatically, although this is not the case. And the portion of the custom filter with an old error had been present for many days inside the file /etc/cpanel_exim_system_filter.

Just by editing the error in /etc/cpanel_exim_system_filter, saving and restarting Exim, all is working; the messages are not discarded.

The error was this:

Code:
$h_from: contains ".pro" or

When the string ".pro" is present in the sender, the message is discarded. Therefore [email protected] is discarded. However, when including ".pro" in the WHM filter and using the custom word filter only for $h_subject, then both work:
Code:
if
   $h_subject : contains "Hacker" or
   $h_subject : contains "nonym"
   #...(etc)
then
  #fail text "Unable to delivery"
  seen finish
endif

I would also suggest including another comment inside /usr/local/cpanel/etc/exim/sysfilter/options/custom_words to warn about the process to follow.

error solved :)

thanks for all the help!
 
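As an added example (not code from the thread, from cPanel, or from either poster), this is how the ".pro" substring problem above and the earlier question about pattern anchors can be handled in the custom_words filter: test the domain of the From: header (and the envelope sender domain) with the Exim filter condition `ends with` rather than `contains`, so the suffix is anchored at the end of the domain. It assumes your Exim build supports the `ends with` filter condition, the `${domain:...}` expansion operator and `$sender_address_domain`; the hostname `mail.project.example` in the comment is constructed.

```exim
# Added example, not from the thread. Goes in
# /usr/local/cpanel/etc/exim/sysfilter/options/custom_words, then run
# /scripts/buildeximconf and restart exim, as described in the thread.
#
# "contains" is a plain substring test, so  contains ".pro"  also drops a
# From: such as  user@mail.project.example  (constructed hostname).
# "ends with" anchors the test at the end of the string, and ${domain:...}
# extracts only the domain part from an RFC 2822 From: value such as
# "Name <user@spam.pro>", ignoring the display name.
# The From: header is sender-controlled, so the envelope sender domain
# ($sender_address_domain) is tested as well.
if ${domain:$h_from:} ends with ".pro" or
   ${domain:$h_from:} ends with ".top" or
   $sender_address_domain ends with ".pro" or
   $sender_address_domain ends with ".top"
then
  # Same disposition the thread uses: mark as seen and stop without delivery.
  # Use  fail text "..."  instead if the sender should receive a bounce.
  seen finish
endif
```

Send a test message from an address in a blocked suffix and one whose domain merely contains the string (as Lauren did with exigrep on the message id) to confirm only the first is discarded.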

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
Hi @Mise

I'm really glad you found the source of the issue!

This is not necessary due to the way we explain how to edit this in the custom filter documentation How to Customize the Exim System Filter File | cPanel & WHM Documentation - the purpose for suggesting that you enable/disable the filter through the exim configuration editor is because it rebuilds the exim configuration.

If you're going to edit it manually, once you make your edits (and after you're sure the filter is enabled) you need to run the following to rebuild the exim conf:

/scripts/buildeximconf

then restart exim.

For some reason, it didn't occur to me that you might be editing this file manually and then not making the modification in the Exim configuration manager. Either way, thanks for reporting back and letting us know what happened.

I'd love to hear if you run into any issues with the domain blocking feature if you're moving forward with using it.