Block incoming emails from domain

DennisMidjord

Well-Known Member
Sep 27, 2016
227
27
28
Denmark
cPanel Access Level
Root Administrator
Is it possible to block incoming emails from a specific domain? Some of our users have set up contact forms without captchas and are being targeted with spam from a list of @qq.com emails. Is it possible to block emails from this domain completely?
 

DennisMidjord

That seems easy.
Code:
if ("$h_from:" contains "@qq.com")
then fail
endif
Would that do it?

Also, just to be clear - would blocking all incoming messages from @qq.com accounts be a bad thing? I've never seen a legitimate email coming from any account with the qq.com domain.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello,

I don't see any harm in blocking all messages from a specific domain name if you know there is no legitimate mail sent from it. Here's an example of what the filter rule should look like:

Code:
if
 $header_from: contains "@qq.com"
then
 if error_message then save "/dev/null" 660 else fail "Messages from this domain are blocked." endif
endif
Thank you.
 

cPanelMichael

In case I need to apply this rule to more than one email address or domain, is it possible to add more lines between "if" and "then"? Or what is the method for that?
Yes, you'd just insert it using "OR" like this:

Code:
if
 $header_from: contains "qqq.com"
 or $header_from: contains "zzz.com"
then
 if error_message then save "/dev/null" 660 else fail "Messages from this domain are blocked." endif
endif
Thank you.
 

cPanelMichael

To block hosts or host IPs we should use $sender_host_address or $received_ip_address instead of $header_from?
Hello,

Per Exim's documentation:

$sender_host_address: When a message is received from a remote host, this variable contains that host's IP address.
$sender_host_name: When a message is received from a remote host, this variable contains the host's name as verified by looking up its IP address. If verification failed, or was not requested, this variable contains the empty string.
However, you should still be able to use the "Any Header" option with the "contains" operator to achieve the same thing (e.g. Any Header contains 10.1.1.1).

Thank you.
 

EneTar

Well-Known Member
Dec 19, 2015
149
12
18
Greece
cPanel Access Level
Root Administrator
Code:
if
 $header_from: contains "qqq.com"
 or $header_from: contains "zzz.com"
then
 if error_message then save "/dev/null" 660 else fail "Messages from this domain are blocked." endif
endif
Can you please describe how to modify this so that the email is discarded silently with no bounce message to the sender?
 

cPanelMichael

In this case, the rule would look something like this:

Code:
if
 $header_from: contains "abc.tld"
 or $header_from: contains "123.tld"
then
 save "/dev/null" 660
endif
Note that you can create filter rules in cPanel (using a test account) and then view them from the command line as a method of determining which filter rules to utilize.

Thank you.
 

EneTar

Michael, I noticed that the Mail queue in WHM (Home » Email » Mail Queue Manager) contains a lot of emails, all of them from the domains listed here:
Code:
if
 $header_from: contains "abc.tld"
 or $header_from: contains "123.tld"
then
 save "/dev/null" 660
endif
For example, abc.tld and 123.tld.

Is there any way those messages can be discarded and forgotten once and for all?
 

cPanelMichael

Hello,

Can you let us know of any specific error messages when you attempt to deliver one of the messages in the queue? Also, what's a corresponding entry for one of the messages in the queue from /var/log/exim_mainlog? EX:

Code:
exigrep [email protected] /var/log/exim_mainlog
Thank you.
 

EneTar

I went to the queue and tried to deliver one of those messages. I got this output:
Code:
LOG: MAIN
  cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M 1f6cta-000287-Se
delivering 1f6cta-000287-Se
LOG: MAIN
  original recipients ignored (system filter)
LOG: MAIN PANIC
  == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset

exim_mainlog looks like this for this email ID:
Code:
2018-04-28 06:59:25 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 07:29:25 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 07:29:25 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 07:59:25 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 07:59:25 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 08:29:33 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 08:29:33 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 08:59:28 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 08:59:28 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 09:29:25 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 09:29:25 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 09:59:29 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 09:59:29 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 10:07:39 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1f6cta-000287-Se
2018-04-28 10:07:39 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1f6cta-000287-Se
2018-04-28 10:08:32 cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M 1f6cta-000287-Se
2018-04-28 10:08:32 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 10:08:32 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
 

cPanelMichael

Hello @EneTar,

Keep in mind that assistance with custom Exim filter rules is generally outside our scope of support. I recommend reaching out to a qualified system administrator, or posting to the Exim User's mailing list for in-depth technical assistance with custom filter rules. That said, one solution to try is to change the following section of your filter rule:

Code:
then
 save "/dev/null" 660
endif
To:

Code:
then noerror seen finish
endif
Exim documents this at:

3. Exim filter files

Thank you.
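
As an added example (not part of the original posts and not cPanel's or Exim's own tooling): a shell function that scans exim_mainlog for the `system_filter_file_transport is unset` defer shown earlier in the thread and lists each affected message ID with its retry count. The function name and the sample lines other than those copied from the log above are constructed for illustration.

```shell
#!/bin/sh
# Added example: report messages that the system filter keeps deferring
# because it tried to "save" to a file while system_filter_file_transport is unset.

# stuck_filter_ids [LOGFILE...]   (hypothetical helper name)
# Reads Exim mainlog lines (files, or stdin when no file is given) and prints
# "<message-id> <defer-count>" for each affected message, sorted by ID.
stuck_filter_ids() {
    awk '
        # Mainlog fields: $1 date, $2 time, $3 message ID, $4 "==" for a defer.
        $4 == "==" && /<system-filter> routing defer/ &&
        /system_filter_file_transport is unset/ { count[$3]++ }
        END { for (id in count) print id, count[id] }
    ' "$@" | sort
}

# Constructed sample input. The 1f6cta-000287-Se lines are copied from the log
# in the thread; the other two message IDs and the delivery line are made up.
sample_log() {
    cat <<'EOF'
2018-04-28 06:59:25 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 07:29:25 1f6cta-000287-Se original recipients ignored (system filter)
2018-04-28 07:29:25 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 07:30:02 1f6cxx-0001Ab-Cd == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
2018-04-28 07:31:10 1f6d00-0003Zz-Ef => alice <alice@example.com> R=example_router T=example_transport
2018-04-28 07:59:25 1f6cta-000287-Se == /dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
EOF
}

# Stand-alone run on the sample; on a server, pass /var/log/exim_mainlog instead.
sample_log | stuck_filter_ids
```

Each reported ID can be inspected with `exim -Mvh <id>` as in the log above, and removed from the queue with `exim -Mrm <id>` once the filter rule has been corrected.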
 

cPanelMichael

Hello :)

For anyone reaching this thread after searching for how to globally block incoming emails from specific domains, cPanel & WHM version 84 includes a new feature with this functionality:

Implemented case CPANEL-28808: Give Exim the ability to block incoming mail from domains.

Here's a glance at this feature as seen in WHM >> Email >> Filter Incoming Emails by Domain on a server running cPanel & WHM version 83.9999.137 (this is a development build for version 84):

version84-whm-filter-incoming-email-by-domain.png

Thanks!