cpanel pro & boxtrapper : what works and what doesn't

Folks,

After using BoxTrapper (version 0.9.9 I believe) for a while, and after reading through all the threads related to BoxTrapper, I've come up with some good tips for it as well as my list of bugs and suggestions. I would welcome any comments, including any suggested fixes for the issues that I have with it. Thanks!

First off, let me say that I think that this is a GREAT idea in theory. An integrated opt-in spam solution is a MUST for cpanel. Particularly one that is end-user managable. My wife is happy again because BoxTrapper has made her spam virtually go away (kudos for the techie husband who _finally_ did something about spam. *grin*).

That being said, here's my current list of gripes and suggestions and tips:

Gripe #1: End-user management is so broken as to be unusuable.
If you log into WebMail and access the BoxTrapper tools, you notice that:
a) there is no link to configure the various emails (verify, re-verify, blacklisted). These currently can only be configured via the main cpanel account
b) the lists are not actually editable!!! If you try to edit one, and then click the SAVE button, you get a page with SAVED but it's not actually running any code (as far as I can tell). It certainly doesn't save the list, so your edits are lost. The only way to manually edit the list is from the main cpanel account (or edit the file on the server, I guess)

Both of these features are kinda important for us Web Hosters so that our clients can manage their own accounts.

Gripe #2: list regexp is either too limiting or else needs some documentation
Currently, as far as I know, you can only do straight string matching on "from" and "subject". You can do wildcard equivalents, but not to the level of functionality of, say, perl regular expressions. And you can't match against "to" or "cc" or "reply-to" or any other header fields.

Gripe #3: returnverify message isn't sent
First off, I'm not even sure this is a necessary feature. Once a user replies to the verify message, they should understand based upon the message that there is nothing more to do and that you will then receive their original message. So, the gripe is that this is a broken thing, even though IMHO it should be ignored (not used) anyway.

Gripe #4: verify code should match to original message, not incoming address
If user1@somewhere.com sends an email and then gets the verify message, but upon reply, the person, who is a techie and has Eudora configured with multiple personalities, each with a different email address, replies to the verify message as from: differentuser@somewhereelse.com, BoxTrapper mistakenly adds "differentuser@somewhereelse.com" to the whitelist and since it doesn't match "user1@somewhere.com", it (a) doesn't add user1@somewhere.com to the whitelist and (worse!) (b) doesn't release the original email from user1@somewhere.com. What is should do is: associate the verify code with the original email address regardless of the To: field in the verify reply and then (a) whitelist the original address (user1@somewhere.com) and (b) release the email(s) for that address

Gripe #5: whitelist gets munged when combining manual edits and automatic edits (from queue actions and/or auto-whitelisting)
The infamous blank from line is an example of this. I've also noticed straight up blank lines. This causes false matches which puts spam in the inbox. At least this is manageable, but requires periodically going in via the main cpanel account (see gripe #1) and cleaning up the whitelist (and other lists).

Gripe #6: Queue should be inbox-like, not day-based pagination (like the logs)
It is annoying to have to navigate back days to see messages in the queue from previous days. The queue should be like any of the webmail systems inboxes: just a long list of messages sorted by day and optionally paginated at some number (like 50). The queue should also have various sorting, filtering, date range selection and such functions.

Gripe #7: Queue actions are per-message and require clicking on a message
Just like with the webmail systems, you should be able to select multiple (or all) messages in the queue from the queue list and then perform sensible actions: delete all, delete and blacklist, delete and ignorelist, delete and whitelist (why not), release and X, etc.

Gripe #8: The log file should contain more information for "successes"
It just says "Email matches line 2 of whitelist" or such. The matches should work like the failures and queues: show from address and subject line. This would make reading the log file easier. In fact, it should be like exim logs or other system logs... have an internally consistent structure like:
<date&timestamp> <messageid> <from> <status (success, fail/ignore, queue, etc)> <subject> <notes>
or something like that. Then, all the lines would be structurally the same.

-Danimal

 

... more ...

And now some general suggestions:

Suggestion #1: add in ASK-like email controls. It would be nice to be able to view the log or queue and perform actions on the queue directly via email. ASK and TMDA have this feature. Also, to be able to modify the lists via email edits.

Suggestion #2: have daily? and/or weekly? backups of configuration options, including the lists. Then, if your whitelist gets messed up, for example, you can roll back to a previous working version.

Suggestion #3: Make the queue more user-friendly (see Gripe #7)

Suggestion #4: same for the log file (see Grip #8)

Suggestion #5: provide some very basic documentation on configuration options (like codes for the emails)

Suggestion #6: have optional auto-reminder emails. I.e. if you set your queue to purge at 30 days, then have an option to have BoxTrapper email your account a list of queue items that will be auto-purged in X days. So let's say you set X to 2, then every day you'd get an email with the list of queue emails (maybe from and subject) that will be purged in 2 or less days.

Suggestion #7: have optional auto-ignore-list. I.e. if on, then when emails are auto-purged from the queue, they are added to the ignore list. This way, you don't have to do _anything_ about the spam (unless the spammer replies) and it keeps your queue clean because spam messages in the queue eventually get added to the ignore list. The only downside is that if you miss a real address, it gets added eventually to the ignore list and you never see future messages from that address. On the other hand, if you didn't see it in the queue and it got purged, you wouldn't see it anyway.

Suggestion #8: Add a "auto-pass key" as an optional feature. This is where you could define a chunk of text of whatever sort... and if an email comes in and matches that text, the email bypasses the verify/list mechanism and just goes to your inbox. This way, you could add some unique string or phrase or something in emails that you send to people (perhaps new or potential clients). When/if they reply, and include your message in the reply, their reply goes right through and doesn't require whitelisting.

Suggestion #9: Add 3rd-party access control delegation. As a parent, it concerns me what junk might make it into my kids email box. It would be great if I could have access to manage their account (either partially or fully) without having to log into their webmail account. I.e. from _my_ webmail account, clicking on the BoxTrapper, I could have a list of accounts to manage, perhaps just like there are multiple webmail systems I could choose. Then, if I chose my son's account, I could manage the queue and the lists and such. Actually, a whole set of parental control features would be nice... maybe even beyond parental control... this could be good for CxO's who are too busy to manage their accounts and want their secretaries to do it? Hmmm...

Suggestion #10: have the verify emails come from the To: field of the original email, even if it doesn't match the BoxTrapper account. For example, if I have dude@one.com forward to dude@two.com and dude@two.com is the BoxTrapper-enabled account, then if someone emails to dude@one.com, the BoxTrapper verify message should come from dude@one.com instead of dude@two.com (which is what it does now).

-Danimal

 

... and more ...

And now some tips I've learned:

Tip #1: Modify your verify email message and take out the %headers% tag. It's just too ugly and most people will not know what it is.

Tip #2: In your verify email, mention that the _purpose_ of their reply is to release their _original_ email to your inbox and that any content they put in their reply will be lost/not read.

Tip #3: here are some header tags you can use in the verify (and return verify and blacklist) emails:
%acct%
%msgid%
%subject%
%email%
%headers%
%webdomain%

Tip #4 (from another thread): here's a good template for the verify email (I actually use this one):
-------------------------------------
To: %email%
Subject: Sender Verification Request [ verify#%msgid% ]

In the war on spam, here's another line of defense.

Your e-mail entitled "%subject%" to %acct% is from an e-mail address that I don't recognize yet. For me to recieve messages from your %email% address, please reply to this message without changing the subject.

Once you reply to this message, I'll get your original and future messages without further interference given that they're coming from %email%.

Also please note that your reply will be used to automatically approve and release your original message, so don't put anything in your reply since I won't ever read it.

Thank you!

-----

My Account: %acct%
Message ID:%msgid%
Subject: %subject%
Web Domain: %webdomain%
Email: %email%

-----

Full Headers: %headers%

-------------------------------------

Tip #5: the lists use regexp pattern matching. So, to match a whole domain, just do:
from @domain.com
or even:
from @domain

Tip #6: because the lists use regexp pattern matching, beware of characters that may cause pattern issues. For example, if you subscribe to a mailing list and the name of the list is prepended to the subject line as [listname] then pattern-match _without_ the brackets:
GOOD: subject listname
BAD: subject [listname]
(the latter will cause a match-all success and match everything)


That's enough for now! Enjoy!

And if you've made it this far. Whew! :D

-Danimal