cPanel Email filters to stop dictionary type spam

Discussion in 'E-mail Discussions' started by katklaw, Oct 17, 2013.

  1. katklaw

    katklaw Member

    Joined:
    Oct 17, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    I wonder if anyone can suggest a solution to my problem that surely must be quite common but despite searching I can't find an answer for.

    I have a domain that seems to come under attack for dictionary type spam attacks and want to know if there's an easy way of controlling this via cPanel forwarders or filters etc.

    Each day I will get about a thousand or more spam mails addressed to say dave@mydomain, mike@mydomain, cliff@mydomain. None of these names have ever been used, they are obviously just try get lucky addresses. The spam mails will all be practically the same, i.e. phishing type mails from vodafone or UPS or similar.

    I can't turn the catchall off for other reasons. Periodically I can call a halt to it by setting up filters say from vodafone or UPS, but this isn't ideal as I'm always playing catchup as a few days later they will come from another supposed real organisation. It also can cause problems if there was an occasion that I'm wanting mail from the real vodafone or whatever.

    What does remain constant is the recipient which will be one of about 50 names, i.e. the daves@ and mikes@. These often won't be in the TO field, but in the header as a recipient (possibly sent as a pile of BCCs).


    Now I know I could set up a pile of forwarders, but it gets tedious typing in a forwarder for each name.
    I had a look at filters and wondered if it would be possible to set something up from there.

    I'd need to set a script something like


    If recipient = (abc@mydomain.com | cde@mydomain.com | fegh@mydomain.com) {:fail: No such person at this address}

    or even better, create a list of the affected domains and if the recipient is on the list then automatically bin it.

    Is there any way something like this can be done? I'm a bit of a n00b so apologies if there is an easy way of doing this that I'm not aware of.
    TIA
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Please provide me with just one. There should be none, IMHO. :)
     
  3. katklaw

    katklaw Member

    Because over the past 15yrs I've held the domain various addresses direct to various folders in outlook
    i.e. banking@, shopping@, vodafone@. Practically every time I've signed up somewhere I use a separate prefix. In the past this has worked well against (hacked) forum type spam.. if someone starts spamming then I ditch it because I know who has leaked out my info

    It is (or was) a personal email address and for about 14 years the system worked well. It was when the ashampoo server got hacked last year and when my details must have been harvested from there that I started getting the same spam emails to ashampoo@ mike@ fred@ etc.

    Too late to roll back now because there are too many in use.. half of them I couldn't remember off the top of my head.
    Many people use this system. Heck some ISPs even sell email with a catchall as a benefit!
     
  4. katklaw

    katklaw Member

    OK, through trial and error, this works, but I'm not sure if there's a more efficient way?

    Code:
    # Exim filter
    
    
    if not first_delivery and error_message then finish endif
    
    #dictionary_spam
    if
     foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "alexander@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "antor@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "arun@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "barnes@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "bell@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "bob@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "catchthismail@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chappell@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chatman@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "cheryll@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "childers@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "childress@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chin@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "choi@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "christie@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "christian_mair@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "christopher@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "chung@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "cisneros@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clement@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "click@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clifford@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clifton@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clinton@mydomain.com" ) 
     or foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress is "clyde@mydomain.com" ) 
    then
     fail "No such person at this address"
    endif
    Wondering if there is a way that you can merge the $thisaddress to include the names rather than it loop round each time.
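
Added example (not part of the thread and not cPanel's or Exim's own code): a small Python generator for the question in the post above, turning a list of local parts into one anchored `foranyaddress ... matches` test instead of one clause per address. The sample list, the function names and the `mydomain.com` placeholder are assumptions for illustration.

```python
import re

# Constructed sample: a few of the local parts from the posted filter.
BLOCKED = ["alexander", "antor", "arun", "bob", "christian_mair"]
DOMAIN = "mydomain.com"  # placeholder domain used in the thread

SAFE_LOCAL = re.compile(r"[a-z0-9._+-]+")


def build_regex(local_parts, domain):
    """Return one anchored regex matching exactly the listed addresses."""
    names = sorted({p.strip().lower() for p in local_parts if p.strip()})
    if not names:
        raise ValueError("empty blocklist")
    for name in names:
        if not SAFE_LOCAL.fullmatch(name):
            raise ValueError(f"unsupported local part: {name!r}")
    alternation = "|".join(re.escape(name) for name in names)
    return f"^({alternation})@{re.escape(domain)}$"


def build_filter(local_parts, domain, reason="No such person at this address"):
    """Emit an Exim filter with a single foranyaddress/matches test."""
    regex = build_regex(local_parts, domain)
    # Inside a quoted Exim string every backslash is doubled; \N ... \N keeps
    # the string expander away from the regex, so "$" stays an end anchor.
    quoted = '"\\\\N' + regex.replace("\\", "\\\\") + '\\\\N"'
    return "\n".join([
        "# Exim filter",
        "",
        "if not first_delivery and error_message then finish endif",
        "",
        "if foranyaddress $h_to:,$h_cc:,$h_bcc:",
        f"   ( $thisaddress matches {quoted} )",
        "then",
        f' fail "{reason}"',
        "endif",
        "",
    ])


def is_blocked(address, local_parts, domain):
    """Offline check of the same regex (lowercase 'matches' ignores case)."""
    return re.search(build_regex(local_parts, domain), address, re.I) is not None


if __name__ == "__main__":
    print(build_filter(BLOCKED, DOMAIN))
```

The generated filter inspects the same To, Cc and Bcc headers as the posted one, so it only rejects mail whose headers carry a listed address. Because the pattern is anchored at both ends, a variant such as alexander1@ is not matched and has to be added to the list.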
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Yes, I know this type of setup well.

    What was? unknownamehere @yourdomain.com isn't an email address. Unclear on your comment there.
    If your cPanel account username is johnsmith, that johnsmith @yourdomain.com "mailbox" is not an email address of course, it's used by the system. You can set up an actual email account called johnsmith @yourdomain.com though.

    Not sure what this has to do with any of this.

    I disagree. Because you can't recall all of the places you've used specific emails, or forwards (better) to keep track of your personal details on specific sites you frequent, doesn't mean you can't change up to a more efficient way of managing email spam. Since you accept all unrouted mail for your domain, and, I assume, forward it to somewhere else, you're basically spamming that end account wherever it is, with all unrouted mail you're accepting. You're also creating more work for your mail server, and you, as you have to go thru all the emails. Most of which, I assume, are spam.

    Start with the ones you know of, create forwards instead of email accounts for them.
    Set your Default Address. You've probably seen this link, it's been around for years. But, I'll link it here anyway:
    Why you should use :fail: - ConfigServer Services

    No more dictionary spam, done. Now you've got more time to recall those other emails or forwards you've used over the years and set up a forward for them.

    I know that's probably not the answer you seek. Hang in there, someone will be by with a better answer, hopefully. I'm no email expert.

    I would only add that reading your next post where you mention:
    You're going to be working on that for the rest of your life. Take the first entry: alexander@
    Tomorrow, it'll be alexander1@, next week it'll be alexander7943@ and so on.

    You can try and recreate the wheel here to make sure you get that lone email from some website you visited 2 years ago if you want. But it's a bit easier to take the proper route and clean up the mess. Getting pounded by a dictionary attack is messy.
     
  6. katklaw

    katklaw Member

    I know what you are saying, but I asked for help with a script.

    OK, my setup may be wrong according to some, but there are many that use this system and I mentioned it worked well up until the ashampoo servers got hacked, which was when I started getting all the same spam emails addressed to ashampoo@ and the other aliases. The ashampoo hack had a LOT to do with my problems I see now.

    I suppose I should be grateful that I didn't give ashampoo my main email address or that would be spammed to death too now.
    Something I started 14yrs ago and worked well up till last year. They repeatedly use the same alias addresses time after time and no new names have been added over the past year, I have a list of them, and I simply thought there would be an easy way to block them.

    Sorry for asking for help if it can't be done :(
     
  7. katklaw

    katklaw Member

    There will likely be hundreds - possibly near 1000 over the past 15yrs :(
     