cPanel Email filters to stop dictionary type spam

katklaw

Member
Oct 17, 2013
cPanel Access Level
Website Owner
I wonder if anyone can suggest a solution to my problem, which surely must be quite common, but despite searching I can't find an answer for it.

I have a domain that seems to come under attack from dictionary-type spam attacks and want to know if there's an easy way of controlling this via cPanel forwarders or filters etc.

Each day I will get about a thousand or more spam mails addressed to, say, [email protected], [email protected], [email protected]. None of these names have ever been used; they are obviously just try-and-get-lucky addresses. The spam mails will all be practically the same, i.e. phishing-type mails from Vodafone or UPS or similar.

I can't turn the catchall off for other reasons. Periodically I can call a halt to it by setting up filters, say for Vodafone or UPS, but this isn't ideal as I'm always playing catch-up: a few days later they will come from another supposed real organisation. It also can cause problems if there was an occasion that I'm wanting mail from the real Vodafone or whatever.

What does remain constant is the recipient, which will be one of about 50 names, i.e. [email protected] and [email protected]. These often won't be in the To field, but in the header as a recipient (possibly sent as a pile of BCCs).


Now I know I could set up a pile of forwarders, but it gets tedious typing in a forwarder for each name.
I had a look at filters and wondered if it would be possible to set something up from there.

I'd need to set a script something like


If recipient = ([email protected] | [email protected] | [email protected]) {:fail: No such person at this address}

or even better, create a list of the affected domains and if the recipient is on the list then automatically bin it.

Is there any way something like this can be done? I'm a bit of a n00b, so apologies if there is an easy way of doing this that I'm not aware of.
TIA
 

katklaw

Member
Oct 17, 2013
cPanel Access Level
Website Owner
Because over the past 15 years I've held the domain, various addresses direct to various folders in Outlook,
i.e. [email protected], [email protected], [email protected]. Practically every time I've signed up somewhere I use a separate prefix. In the past this has worked well against (hacked) forum-type spam: if someone starts spamming then I ditch it, because I know who has leaked out my info.

It is (or was) a personal email address and for about 14 years the system worked well. It was when the ashampoo server got hacked last year and when my details must have been harvested from there that I started getting the same spam emails to [email protected] [email protected] [email protected] etc.

Too late to roll back now because there are too many in use; half of them I couldn't remember off the top of my head.
Many people use this system. Heck some ISPs even sell email with a catchall as a benefit!
 

katklaw

Member
Oct 17, 2013
cPanel Access Level
Website Owner
OK, through trial and error, this works, but I'm not sure if there's a more efficient way?

Code:
# Exim filter


if not first_delivery and error_message then finish endif

#dictionary_spam
if
 foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
 or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "[email protected]" ) 
then
 fail "No such person at this address"
endif
Wondering if there is a way that you can merge the $thisaddress to include the names rather than looping round each time.
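One way to collapse those repeated foranyaddress clauses into a single condition is Exim's regular-expression test, matches. This is an added example, not from the original post; example.com and the local parts alias1, alias2 and alias3 are constructed placeholders for the redacted addresses.

```exim
# Exim filter

# Skip bounces and redeliveries, exactly as the original filter does.
if not first_delivery and error_message then finish endif

# dictionary_spam: one alternation regex covers every harvested alias,
# so adding a name means editing one line rather than adding a clause.
# "matches" is a regular-expression test; it is case-insensitive unless
# written as MATCHES. Anchoring with ^ and $ means "alias1-news@..."
# does not match an alias called alias1. Inside an Exim quoted string
# "\\." becomes the regex \. so the domain dot is matched literally.
# If an alias contains a regex metacharacter such as "+", escape it too.
if foranyaddress $h_to:,$h_cc:,$h_bcc:
   ( $thisaddress matches "^(alias1|alias2|alias3)@example\\.com$" )
then
  fail "No such person at this address"
endif
```

Like the original, this only inspects header addresses, so a name that arrives purely as an envelope recipient with no matching To/Cc/Bcc header will not be caught by it.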
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
Because over the past 15 years I've held the domain, various addresses direct to various folders in Outlook,
i.e. [email protected], [email protected], [email protected]. Practically every time I've signed up somewhere I use a separate prefix. In the past this has worked well against (hacked) forum-type spam: if someone starts spamming then I ditch it, because I know who has leaked out my info.
Yes, I know this type of setup well.

It is (or was) a personal email address and for about 14 years the system worked well.
What was? unknownamehere @yourdomain.com isn't an email address. Unclear on your comment there.
If your cPanel account username is johnsmith, that johnsmith @yourdomain.com "mailbox" is not an email address of course; it's used by the system. You can set up an actual email account called johnsmith @yourdomain.com though.

It was when the ashampoo server got hacked last year and when my details must have been harvested from there that I started getting the same spam emails to [email protected] [email protected] [email protected] etc.
Not sure what this has to do with any of this.

Too late to roll back now because there are too many in use; half of them I couldn't remember off the top of my head.
Many people use this system. Heck, some ISPs even sell email with a catchall as a benefit!
I disagree. Because you can't recall all of the places you've used specific emails, or forwards (better) to keep track of your personal details on specific sites you frequent, doesn't mean you can't change up to a more efficient way of managing email spam. Since you accept all unrouted mail for your domain, and, I assume, forward it to somewhere else, you're basically spamming that end account wherever it is, with all unrouted mail you're accepting. You're also creating more work for your mail server, and you, as you have to go through all the emails. Most of which, I assume, are spam.

Start with the ones you know of, create forwards instead of email accounts for them.
Set your Default Address. You've probably seen this link, it's been around for years. But, I'll link it here anyway:
Why you should use :fail: - ConfigServer Services

No more dictionary spam, done. Now you've got more time to recall those other emails or forwards you've used over the years and setup a forward for them.

I know that's probably not the answer you seek. Hang in there, someone will be by with a better answer, hopefully. I'm no email expert.

I would only add that, reading your next post where you mention:
OK, through trial and error, this works, but I'm not sure if there's a more efficient way?
You're going to be working on that for the rest of your life. Take the first entry: [email protected]
Tomorrow it'll be [email protected], next week it'll be [email protected], and so on.

You can try and recreate the wheel here to make sure you get that lone email from some website you visited 2 years ago if you want. But it's a bit easier to take the proper route and clean up the mess. Getting pounded by a dictionary attack is messy.
 

katklaw

Member
Oct 17, 2013
cPanel Access Level
Website Owner
I know what you are saying, but I asked for help with a script.

OK, my set-up may be wrong according to some, but there are many that use this system, and I mentioned it worked well up until the Ashampoo servers got hacked, which was when I started getting all the same spam emails addressed to [email protected] and the other aliases. The Ashampoo hack had a LOT to do with my problems, I see now.

I suppose I should be grateful that I didn't give Ashampoo my main email address, or that would be spammed to death too now.
Something I started 14 years ago and worked well up till last year. They repeatedly use the same alias addresses time after time and no new names have been added over the past year. I have a list of them, and I simply thought there would be an easy way to block them.

Sorry for asking for help if it can't be done :(