Blocking email with Exim4 using the IP

[sting01]

Hello,

we are under a spam campaign with the infamous blackmailing ($524). Personaly I do not give sh*t, but my boss for various legal reasons it afraid the news of it will pop up.

After examination I found only one common thing : while emails do have the FROM : [email protected], the RECEIVED : from is clearly not our IP :

Received: from [14.189.127.50] (helo=static.vnpt.vn)

Assuming outr IP is 54.xxx.xxx.xxx that one is obviously coming from outside (Haiphong in Vietnam in that case).

What is the correct spelling of the corresponding Header Variable? Is it $header_received_from?
Or somehting else (please notice the full column after Received).

Thanks very much

Sting

 

[keat63]

If you have CSF installed, you could add the offending IP the the CSF blocklist.
One thing I find with frequent spam though, is that it's usually done by bots, where the IP will change, so whilst adding the IP may fix the issue today, it's likley to resurface from another source tomorrow.

The way I normally get around this would be to create a global filter in cpanel, along the lines:

If body contains "some common phrase"
Then fail
and discard the message.

I guess you could just discard the message without the fail, but i live in hope that somewhere, someone will see the fail and realise his server/pc/email address may have been hacked and fix it.

 

[cPanelLauren]

I'd also like to add that when you create a global filter through the cPanel UI it uses:

$header_from or $message_headers