Blocking email with Exim4 using the IP


Oct 19, 2018
cPanel Access Level
Root Administrator

We are under a spam campaign with the infamous blackmailing ($524). Personally I do not give a sh*t, but my boss, for various legal reasons, is afraid the news of it will pop up.

After examination I found only one common thing: while emails do have the FROM: [email protected], the RECEIVED: from is clearly not our IP:

Received: from [] (

Assuming our IP is that one is obviously coming from outside (Haiphong in Vietnam in that case).

What is the correct spelling of the corresponding Header Variable? Is it $header_received_from?
Or something else (please notice the full colon after Received).

Thanks very much



Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
If you have CSF installed, you could add the offending IP to the CSF blocklist.
One thing I find with frequent spam, though, is that it's usually done by bots, where the IP will change, so whilst adding the IP may fix the issue today, it's likely to resurface from another source tomorrow.

The way I normally get around this would be to create a global filter in cPanel, along the lines:

If body contains "some common phrase"
Then fail
and discard the message.

I guess you could just discard the message without the fail, but I live in hope that somewhere, someone will see the fail and realise his server/PC/email address may have been hacked and fix it.
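
The two approaches in this thread, written as an Exim system filter (an added example, not part of either post): it fails mail whose From: claims the local domain while the connecting host is an outside, unauthenticated peer, and mail whose body contains a fixed phrase. `example.com`, `192.0.2.10` and the phrase are constructed placeholders for the local domain, the server's own IP and the text common to the unwanted messages.

```exim
# Exim filter
# Added example. Constructed placeholders (replace before use):
#   example.com           the local mail domain
#   192.0.2.10            this server's own public IP
#   "some common phrase"  text shared by the unwanted messages

# Run the checks once per message, not on every queue retry.
if not first_delivery then finish endif

# Rule 1: From: claims our domain, but the SMTP peer is an outside host
# and the session was not authenticated.
# $sender_host_address is the address Exim itself saw on the connection;
# it is empty for messages submitted locally (not over TCP/IP).
# $header_received: is not used here because it returns every Received:
# line joined together, including lines written by the remote side.
if $header_from: contains "@example.com"
   and $sender_host_address is not ""
   and $sender_host_address is not "127.0.0.1"
   and $sender_host_address is not "192.0.2.10"
   and $authenticated_id is ""
then
  fail text "Sender address does not match the sending host"
  seen finish
endif

# Rule 2: the body-phrase rule suggested in the reply.
if $message_body contains "some common phrase"
then
  fail text "Message rejected by content filter"
  seen finish
endif
```

Running `exim -bF <file>` with a saved message on standard input tests the file as a system filter without delivering anything. `$message_body` holds only the start of the body (500 characters unless `message_body_visible` is raised), and the first rule also matches outside services that legitimately send with the local domain in From:, so those need their own exceptions.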