Account Level Filters Fail Periodically

Discussion in 'E-mail Discussions' started by jayharland, Nov 6, 2014.

  1. jayharland

    jayharland Member

    Joined: Apr 18, 2014 | Messages: 24 | Likes Received: 0 | Trophy Points: 1 | cPanel Access Level: Website Owner

    Hello all!

    I've got an issue here that is really frustrating me. With our server we receive a horrendous amount of spam. Anywhere between 500-1000 a day. It's insane.

    To combat this I've employed account level filters across our domains. This has been effective but not 100%. And now it's gotten to the point where I have around 50 filters containing multiple regular expressions each.

    The problem is that the filters fail sometimes when they shouldn't. I've been at this for 6 months now so I've gotten fairly clever with my filters.

    Still, I receive spam that should be caught, and when I test the message source it says it matches a filter and is redirected... yet it wasn't. Sometimes it's like the filter isn't even there and the emails are delivered normally.

    Could it be because I have too many filters? Anyone familiar with this problem?

    Thanks!

    - Jay
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined: Apr 11, 2011 | Messages: 30,852 | Likes Received: 675 | Trophy Points: 113 | cPanel Access Level: Root Administrator

    Hello :)

    Do you have root access to this system? Are you able to review /var/log/exim_mainlog for a message where the filter failed to see the output?

    Thank you.
     
  3. jayharland

    jayharland Member

    Thanks for the response. I do have root access but I'm unsure how to find a message where the filter failed to see the output.

    I've tried: exigrep "error" exim_mainlog

    But that just displays a crap ton of text. Can you help me as to how to search for filter failures perhaps, or something along those lines?
     
    #3 jayharland, Nov 6, 2014
    Last edited: Nov 6, 2014
  4. jayharland

    jayharland Member

    Ok, an update on this...

    When cPanel checks the email against the filters, is it checking the message source, or just the displayed text? What I found upon further investigation is that one of the emails in question is coming with alternative parts, a plain text and an html option.

    The plain text option does not match the filter, however, the message source includes the html and does. Interesting.

    It's possible that the issue isn't internal and is actually related to my understanding of how the emails are being checked against the filter.
     
  5. jayharland

    jayharland Member

    Do account level filters check all message parts?

    Hello! I posted on here last week about what appeared to be custom filters failing from time to time.

    I've seen two types of mail now that have come through, yet when the message source is checked against the filters, sure enough it catches it. However, both of these emails have two parts, and the filter only matches the HTML portion, not the plain text.

    What I've determined is that when a spam email contains two parts, a plain text and an html version, the filter is only being checked against the plain text portion. Can someone with more knowledge of cPanel confirm this for me?
     
  6. companero

    companero Member

    Joined: Nov 5, 2014 | Messages: 14 | Likes Received: 0 | Trophy Points: 1 | cPanel Access Level: Website Owner

    I'm having the same problem. My settings were working just fine, and then, since the amount of spam increased a lot in the last 2 weeks, I added filters to discard messages matching 7 + , which was working, but suddenly it is not really deleting anything and I'm back to 100 emails in the spam folder per day.
    It seems there's an issue here, no?
     
  7. companero

    companero Member

    How come nobody else is having this problem? From one day to another a lot of spam is making it through the account level filters. It must be some kind of vulnerability, no?
     
  8. jayharland

    jayharland Member

    I think for me the problem was with how I understood the emails being parsed. I've noticed that if an email comes with two parts, for example a plain text and html version, the filter (which would match the html version) isn't triggered. I've asked for more info on this but haven't seen any.

    I'd like to know exactly how account level filters are seeing the email.
     
  9. jayharland

    jayharland Member

    Understanding how Account Level Filters see incoming emails

    I had posted about this before but my thread is nowhere to be found?

    How do account level filters view incoming email?

    I'm trying to write filters to match the message source, but using "Any Header" doesn't work and neither does "Body". I already know that "Any Header" doesn't actually mean what it says since Return-Path isn't included, etc. I'm trying to find out what is being checked, what constitutes "Any Header".

    - - - Updated - - -

    What I want to do is check against the message source if there is a zip file attached and then look for suspicious names like "download.zip" etc. I can write the regex for this but it always fails as an account level filter.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Re: Understanding how Account Level Filters see incoming emails

    I've merged this post with the original thread as the questions are related. Feel free to open a support ticket using the link in my signature so we can take a closer look at the behavior you are describing. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
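
An added diagnostic sketch, not part of the original thread and not cPanel's or Exim's own filter logic: it reports whether a regex matches the raw message source, the top-level headers, or each decoded text part, and lists attachment filenames, which is the comparison the posts above are making by hand. The sample message, addresses, pattern and function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage


def build_sample():
    """Constructed spam-like message: plain + HTML alternatives and a zip attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = "Your invoice"
    m.set_content("Please see the attached file.\n")
    m.add_alternative(
        '<p><a href="http://promo.example.net/">Claim your prize</a></p>\n',
        subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="zip", filename="download.zip")
    return m.as_string()


def match_report(raw, pattern):
    """Report where `pattern` matches: raw source, top-level headers, each text part."""
    rx = re.compile(pattern, re.IGNORECASE)
    msg = message_from_string(raw, policy=policy.default)
    report = {
        "raw_source": bool(rx.search(raw)),
        "headers": any(rx.search(f"{k}: {v}") for k, v in msg.items()),
        "parts": {},
    }
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes base64/quoted-printable before matching
            report["parts"][part.get_content_type()] = bool(rx.search(part.get_content()))
    return report


def attachment_names(raw):
    """Return the filenames declared on any MIME part of the message."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    raw = build_sample()
    print(match_report(raw, r"promo\.example\.net"))
    print(attachment_names(raw))
```

A pattern that is true for `raw_source` and `text/html` but false for `text/plain` and `headers` reproduces the situation described in the thread, where testing against the full source matches but a header or body rule does not.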
     