d_j_w

Member
Sep 4, 2019
7
0
1
palo alto, ca
cPanel Access Level
Website Owner
Hi,

I said "Fixes" but this could easily be "Improvements."

Here's some background: I use my domain for business. I don't want to use Spam Assassin because either I get too much spam or valid emails go into my spam box. Recently a spammer captured one of my email addresses, so I enabled BoxTrapper.

I've seen posts here about blocking domains, but this is different. The spammer (I'm sure a single source) is sending hundreds of spams a day. They come from something like this: <user>@<domain>.pro

Like other spam, <user> is anything. Unlike other spam I've seen, <domain> is also anything. The only thing constant is .pro. I've created a global email filter to capture .pro in the from address and delete the spam, but this doesn't work. I have other global filters that work, and I'm guessing the reason this one doesn't work is because BoxTrapper runs before the global filter. If that's true, then running the global filter before BoxTrapper would prevent my review queue from even seeing this spam.

Also, using the web interface to BoxTrapper is time consuming and could be made much easier to use. The biggest improvement would be to put everything in the review queue on a single page rather than splitting them by date. Then with a single scan, you could delete (not blacklist) all spam. The way it is now, you need to find the review queue for every account. If you don't do this every day, then you need to check multiple dates. (Probably have to do this anyway since the date doesn't roll over at midnight my time.)

Any ideas on other ways to block .pro or make BoxTrapper easier to use?

Thanks,

Dave
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
7,508
591
263
Houston
cPanel Access Level
DataCenter Provider
I've created a global email filter to capture .pro in the from address and delete the spam, but this doesn't work. I have other global filters that work, and I'm guessing the reason this one doesn't work is because BoxTrapper runs before the global filter. If that's true, then running the global filter before BoxTrapper would prevent my review queue from even seeing this spam.
Would it be possible to provide the following?

  1. The exact filter you're using.
  2. The full email transaction for a delivery where the filter was in place and it didn't get filtered. You can find the logs for that at /var/log/exim_mainlog and searching by the message ID is typically the best way to do this. The query might look something like this:
Code:
exigrep 1i6GUr-0003CE-OE /var/log/exim_mainlog
Also, using the web interface to BoxTrapper is time consuming and could be made much easier to use. The biggest improvement would be to put everything in the review queue on a single page rather than splitting them by date. Then with a single scan, you could delete (not blacklist) all spam. The way it is now, you need to find the review queue for every account. If you don't do this every day, then you need to check multiple dates. (Probably have to do this anyway since the date doesn't roll over at midnight my time.)
There are several feature requests for improvements to BoxTrapper on the features site. I'd suggest voting on the ones you'd like to see in the product (listed below). If what you're wanting isn't listed in one of these, I'd suggest opening a new one. If you choose to do that, please post the link here so others can vote on it as well.


There were a lot of recent updates to the BoxTrapper API (a move from cpapi1 to UAPI) in v82 of cPanel, and more will be added in v84 of cPanel, which is currently in EDGE.

Also in v84 you can now block domains specifically from WHM>>Email>>Exim Configuration Manager or WHM>> Email >> Filter Incoming Emails by Domain

d_j_w

Thanks for the reply.

First, I am not a web person. I know enough to keep my site running but not make it outstanding (which is OK because of the kind of consulting business I run). My domain hosting company is InMotion Hosting, and though I like what they provide, they have been less than helpful in stopping spam. They are the ones who keep referring me to cPanel for help.

The exact filter I'm using is:

.*.pro

Running the filter test, I get:

Return-path copied from sender
Sender = <user>@<server>.inmotionhosting.com
Recipient = <user>@<server>.inmotionhosting.com
Testing Exim filter file "/etc/vfilters/<domain>.com"

Headers charset "UTF-8"
Filtering did not set up a significant delivery.
Normal delivery will occur.

Which in itself is weird because I'm setting the sender to:

[email protected]

(<xxx> replacing identifiers for privacy just in case.)

Regarding 2.: The emails are getting blocked by BoxTrapper and put into my review queue. This is the problem. I think the global filter should just delete them so I don't have to deal with them in the review queue. I am not educated enough on this topic to find the log file you reference. I don't know how to run a command line to search as you suggest. I don't see a var directory in my site folders. I have found some log files and the boxtrapper verification file now has about 500 fake email addresses waiting for confirmation.

Thanks for your time. I appreciate your efforts.

Regards,

Dave
 

d_j_w

Member
Sep 4, 2019
7
0
1
palo alto, ca
cPanel Access Level
Website Owner
Don't know if this helps, but below is a redacted copy of a spam I got. Whois says it's from Turkey. I used to have a filter that blocked IP addresses from many of the countries that source spam. I had InMotion change (shared) servers for me a couple years ago because one of the domains kept getting the server blacklisted. It seems at that time the IP address block was lost. I need to find it again.

From [email protected] Fri Sep 06 09:06:31 2019
Received: from [REMOTEIP] (port=31513 helo=domain.pro)
by xxx.inmotionhosting.com with esmtp (Exim 4.92)
(envelope-from <[email protected]>)
id 1i6Gkp-000G1W-0L
for xxx; Fri, 06 Sep 2019 09:06:31 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=domain.pro;
h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; i=[email protected];
bh=yr6MpLt5QfAkbKXtjwDo=;
b=h1mh7+CZc6yn3cZWGyPO1V13IbZCBTlWve69kXPeo4V6snKCslBiso1ebetPycJr7ogLU6WaCk4C8bYQzmdt0ALXVFKiwykCs
+zu46qu8MEMg5cgdLbc=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=yardload.pro;
b=a9YZAJBA2E7ehAY+AVWvNi9zTIrjJt34Y79tc0V9K3aPv0wx8Qfze
4CAsoio4tFxb2hsoSXc=;
From: " Heather Coleman" <[email protected]>
Date: Fri, 06 Sep 2019 11:03:22 -0500
MIME-Version: 1.0
Subject: 4K Drone for $99
To: <xxx>
Message-ID: <TQeLXdxuHjv7FRE8jfyjjgmO[email protected]domain.pro>
Content-Type: multipart/alternative;
boundary="------------240622869726027001329297"

This is a multi-part message in MIME format.
--------------240622869726027001329297
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
7,508
591
263
Houston
cPanel Access Level
DataCenter Provider
First, I am not a web person. I know enough to keep my site running but not make it outstanding (which is OK because of the kind of consulting business I run). My domain hosting company is InMotion Hosting and though I like what they provide, they have been less than helpful in stopping spam. They are who keeps referring me to cPanel for help.
No worries, we should be able to walk you through this. One important thing to know: do you have root access to this server, or are you on a shared hosting server?

The exact filter I'm using is:

.*.pro
That can't be the entirety of the filter, would it be possible to take a screenshot and add it here?

Running the filter test, I get:

Return-path copied from sender
Sender = <user>@<server>.inmotionhosting.com
Recipient = <user>@<server>.inmotionhosting.com
Testing Exim filter file "/etc/vfilters/<domain>.com"

Headers charset "UTF-8"
Filtering did not set up a significant delivery.
Normal delivery will occur.
That's OK; it looks like it's not flagging anyway. I'll bet it's due to a syntax issue in the filter, which is why I need to see the whole thing.


Mine does the same. I set it to discard email coming from my Gmail address (it sends a mock transaction that actually does originate from the server), but I can confirm that mine works:
The Filter has matched the following condition(s):

$header_from: contains gmail.com
Return-path copied from sender
Sender = [email protected]
Recipient = [email protected]
Testing Exim filter file "/etc/vfilters/domain.tld"

Headers charset "UTF-8"
Save message to: /dev/null 0660
Filtering set up at least one significant delivery or other action.
No other deliveries will occur.
The exact filter I've added in global filters looks like this:

[Screenshot: gmail_filter.png]

I created a .pro one for you to try as well:

The Filter has matched the following condition(s):

$header_from: contains .pro
Return-path copied from sender
Sender = [email protected]
Recipient = [email protected]
Testing Exim filter file "/etc/vfilters/domain.tld"

Headers charset "UTF-8"
Save message to: /dev/null 0660
Filtering set up at least one significant delivery or other action.
No other deliveries will occur.
[Screenshot: pro_filter.png]


Don't know if this helps, but below is a redacted copy of a spam I got.

I removed some of the original post on these headers because it was not useful in this context. The headers show the Message ID on your server. If you have root access you should be able to run the following over the CLI and get the mail transaction:


Code:
exigrep 1i6Gkp-000G1W-0L /var/log/exim_mainlog

d_j_w

Oops. For some reason I didn't get an email re: your last reply and I just saw it.

Thanks for the links on the mods to BoxTrapper. I will take a look and add my own.

It doesn't sound like v84 will do what I need since it filters domains. But .pro is not a domain, whereas junk.pro is a domain. Right?

I've attached the filter. I just changed from .*.pro to .pro as you showed. Testing it appears to work. (Sorry, I just don't understand the rules.) I will post later today or this evening if I don't get any more spam through. (I also get confused with the whitelist/blacklist rules. Would be nice if you didn't need the '\' inserted.)

I am on a shared server.

Thanks a TON!

Dave

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
7,508
591
263
Houston
cPanel Access Level
DataCenter Provider
It doesn't sound like v84 will do what I need since it filters domains. But .pro is not a domain, where junk.pro is a domain. Right?
.pro is a TLD, but if you use a wildcard (the asterisk) it will filter anything.tld, which is a fully qualified domain name.

Testing it appears to work. (Sorry, I just don't understand the rules.) I will post later today or this evening if I don't get any more spam through.
Wow! That simple global filter change eliminated all of the .pro spam. THANKS for correcting me!
Do let me know if you have any issues with it but I'm really happy to hear that it's working for you!


(I also get confused with the whitelist/blacklist rules. Would be nice if you didn't need the '\' inserted.)
Can you explain what you mean here? Maybe I can help.
 

d_j_w

Member
Sep 4, 2019
7
0
1
palo alto, ca
cPanel Access Level
Website Owner
.pro is a TLD, but if you use a wildcard (the asterisk) it will filter anything.tld, which is a fully qualified domain name.

OK, makes sense.



Do let me know if you have any issues with it but I'm really happy to hear that it's working for you!

I'm happy right now, except for spammers of course.


Can you explain what you mean here? Maybe I can help.
In creating whitelists, I manually took email addresses from people I wanted to add to the whitelist. I had to add all the '\' in the addresses; for example, first.last@domain.com becomes first\.last\@domain\.com. Being human, I made several errors omitting the '\' and had to correct them as they became apparent. The same is true of the blacklist. When BoxTrapper puts an address on the list, it adds the '\' automatically.

That confusion carried over to global email filters since they don't work the same way. I looked through the documentation but I didn't see anything that cleared up my confusion. (Of course, that could just be more confusion on my part. :) )

Thanks Lauren,

Dave
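The two matching styles discussed in this thread (the Global Email Filter "contains" rule that worked with .pro but not .*.pro, and the BoxTrapper list entries that need '\' before '.' and '@'), modelled in a small added example that is not from cPanel or from anyone in the thread. It assumes "contains" is a plain substring test and that a BoxTrapper list line is read as a regular expression over the whole sender address; the From headers are constructed, standing in for the redacted ones above.

```python
import re

# Constructed sample From: headers (not the redacted originals from the thread).
SAMPLE_FROM_HEADERS = [
    '" Heather Coleman" <news@yardload.pro>',  # the .pro spam pattern
    '"Dave" <first.last@domain.com>',          # a legitimate correspondent
    '"Newsletter" <info@mail.project.com>',    # legitimate, but ".pro" is a substring
    '"Sales Team" <sales@example.com>',
]


def contains_match(header: str, needle: str) -> bool:
    """Assumed model of the Global Email Filter 'contains' rule: a literal substring test.

    Nothing is a wildcard here, so '.*.pro' fires only on a header that literally holds
    the characters '.*.pro', and '*sales*' only on a literal '*sales*'. Under this model
    that is why those rules never matched while plain '.pro' did.
    """
    return needle in header


def filter_hits(headers, needle):
    """Return the headers a 'contains <needle>' rule would discard to /dev/null.

    Note the false-positive caveat: '.pro' also matches 'mail.project.com'.
    """
    return [h for h in headers if contains_match(h, needle)]


def boxtrapper_escape(address: str) -> str:
    """Escape '.' and '@' the way BoxTrapper writes list entries
    (first.last@domain.com -> first\\.last\\@domain\\.com) so each is matched literally."""
    return re.sub(r"[.@]", lambda m: "\\" + m.group(0), address)


def list_entry_matches(entry: str, address: str) -> bool:
    """Assumption: a whitelist/blacklist line is a regex matched against the whole address.

    An entry left unescaped ('.' meaning 'any character') matches more senders than the
    author intended, so a forgotten '\\' widens a whitelist rather than breaking it.
    """
    return re.fullmatch(entry, address) is not None


if __name__ == "__main__":
    for needle in (".*.pro", ".pro", "*sales*"):
        print(f"contains {needle!r}: {filter_hits(SAMPLE_FROM_HEADERS, needle)}")
    escaped = boxtrapper_escape("first.last@domain.com")
    print(escaped, list_entry_matches(escaped, "firstXlast@domain.com"))
    print("first.last@domain.com", list_entry_matches("first.last@domain.com", "firstXlast@domain.com"))
```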

d_j_w

Member
Sep 4, 2019
7
0
1
palo alto, ca
cPanel Access Level
Website Owner
And as long as I'm asking and you're willing to help, I also get a lot of spam from *sales*@*.com. I've tried that as a filter as well as *sales*.com and *sales*, all in the from header, but none of them stop it. Suggestion?

THANKS!

Dave