cPanel Email filters to stop dictionary type spam

I wonder if anyone can suggest a solution to my problem that surely must be quite common but despite searching I cant find an answer for.

I have a domain that seems to come under attack for dictionary type spam attacks and want to know if theres an easy way of controlling this via c-panel forwarders or filters etc.

Each day I will get about a thousand or more spam mails addressed to say dave@mydomain, mike@mydomain, cliff@mydomain. None of these names have ever been used, they are obviously just try get lucky addresses. The spam mails will all be practically the same ie phishing type mails from vodafone or UPS or similar.

I cant turn the catchall off for other reasons. Periodically I can call a halt to it by setting up filters say from vodafone or UPS, but this isnt ideal as Im always playing catchup as a few days later they will come from another supposed real organisation. It also can cause problems if there was an occasion that Im wanting mail from the real vodafone or whatever.

What does remain constant is the recipient which will be one of about 50 names ie the daves@ and mikes@. These often wont be in the TO field, but in the header as a recipient (possibly sent as a pile of BCCs).


Now I know I could set up a pile of forwarders, but it gets tedious typing in a forwarder for each name.
I had a look at filters and wondered it it would be possible to set something up from there.

Id need to set a script something like


If recipient = (abc@mydomain.com | cde@mydomain.com | fegh@mydomain.com) {:fail: No such person at this address}

or even better, create a list of the affected domains and if the recipient is on the list then automatically bin it.

Is there anyway something like this can be done? Im a bit of a n00b so apologies if there is an easy way of doing this that Im not aware of.
TIA

 

Because over the past 15yrs Ive held the domain various addresses direct to various folders in outlook
ie banking@, shopping@ vodafone@ Practically everytime Ive signed up somewhere I use a separate prefix. In the past this has worked well against (hacked) forum type spam.. if someone starts spamming then I ditch it because I know who has leaked out my info

It is (or was) a personal email address and for about 14 years the system worked well. It was when the ashampoo server got hacked last year and when my details must have been harvested from there that I started getting the same spam emails to ashampoo@ mike@ fred@ etc.

Too late to roll back now because there are too many in use.. half of them I couldnt remember off the top of my head.
Many people use this system. Heck some ISPs even sell email with a catchall as a benefit!

 

ok through trial and error, this works, but Im not sure if there a more efficient way?

Code:

# Exim filter


if not first_delivery and error_message then finish endif

#dictionary_spam
if
 foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "alexander@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "antor@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "arun@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "barnes@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "bell@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "bob@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "catchthismail@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chappell@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chatman@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "cheryll@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "childers@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "childress@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chin@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "choi@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "christie@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "christian_mair@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "christopher@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chung@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "cisneros@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clement@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "click@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clifford@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clifton@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clinton@mydomain.com" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clyde@mydomain.com" ) 
then
 fail "No such person at this address"
endif

wondering if ther is a way that you can merge the $thisaddress to include the names rather than it loop round each time.

 

I know what you are saying, but I asked for help with a script.

Ok my set up may be wrong according to some, but that are many that use this system and I mentioned it worked well up until the ashampoo servers got hacked, which was when I started getting all the same spam emails addressed to ashampoo@ and the other alias's. The ashampoo hack had a LOT to do with my problems I see now.

I suppose I should be grateful that I didnt give ashampoo my main email address or that would be spammed to death too now.
Something I started 14yrs ago and worked well up till last year. They repeatedly use the same alias addresses time after time and no new names have been added over the past year, I have a list of them, and I simply thought there would be any easy way to block them.

Sorry for asking for help if it cant be done

 

There will likely be hundreds - possibly near 1000 over the past 15yrs