The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cpanel_exim_system_filter_custom rules blocking facebook

Discussion in 'E-mail Discussions' started by StoneyCreeker, Jun 17, 2014.

  1. StoneyCreeker

    StoneyCreeker Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    50
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Upper-East TN
    cPanel Access Level:
    Root Administrator
    I have set up some rules in the cpanel_exim_system_filter_custom file and am having an unexpected result.

    It has been working great for over a week to globally filter the emails across my VPS. I have 31 domains in it and now I only have to set a rule up once to block common spammer "from" and "subject" terms.

    I am only using "from"and "subject" rules and do not have any rules specifying "facebook" but it is blocking them. If I remove the rules from the bottom of the cpanel_exim_system_filter_custom file, the facebook email delivers normally.

    Here is the email header I receive when I remove the rules:
    Code:
    [COLOR="#0000CD"]Return-path: <notification+kr4k54mkqbnr@facebookmail.com>
    Envelope-to: [email]xxxxxx@xxx.com[/email]
    Delivery-date: Tue, 17 Jun 2014 10:11:26 -0400
    Received: from outmail035.prn2.facebook.com ([66.220.144.162]:62645 helo=mx-out.facebook.com)
    	by xmyserverdomain.com with esmtps (TLSv1:DHE-RSA-AES128-SHA:128)
    	(Exim 4.82)
    	(envelope-from <notification+kr4k54mkqbnr@facebookmail.com>)
    	id 1Wwu6c-00042y-Kk
    	for [email]xxxxxx@xxxxxx.com[/email]; Tue, 17 Jun 2014 10:11:26 -0400
    Received: from facebook.com (knG4/qU0TesChw2NpLmCsFo0Pa4GVzpcy6am1I7QExB9hBcKmJjWCFbK4qvwNG+6 10.102.107.73)
     by facebook.com with Thrift id 3b7b7ec0f62911e396380002c9e0736a-7bfc430;
     Tue, 17 Jun 2014 07:11:10 -0700
    X-Facebook: from 2401:db00:20:30c7:face:0:4f:0 ([MTI3LjAuMC4x]) 
    	by [url]www.facebook.com[/url] with HTTP (ZuckMail);
    Date: Tue, 17 Jun 2014 07:11:10 -0700
    To: xxxxxx <xxxxxx@xxxxxx.com>
    From: "Facebook" <notification+kr4k54mkqbnr@facebookmail.com>
    Reply-to: noreply <noreply@facebookmail.com>
    Subject: Just one more step to get started on Facebook[/COLOR]
    [B]
    Here is my filter list if someone smarter than me can help please:[/B]
    
     #3BureauMonitoring
    if
     $header_from: contains "3BureauMonitoring"
    then
     seen finish
    endif
    
    #BloodPressureFix
    if
     $header_from: contains "BloodPressureFix"
    then
     seen finish
    endif
    
    
    #Blood Pressure Solution
    if
     $header_from: contains "Blood Pressure Solution"
    then
     seen finish
    endif
    
    #Bosley Hair
    if
     $header_from: contains "Bosley Hair"
    then
     seen finish
    endif
    
    
    #Business
    if
     $header_from: contains "Business"
    then
     seen finish
    endif
    
    #Business Grants from
    if
     $header_from: contains "Business Grants"
    then
     seen finish
    endif
    
    #Business Funding from
    if
     $header_from: contains "Business Funding"
    then
     seen finish
    endif
    
    #Consolidate
    if
     $header_from: contains "Consolidate"
    then
     seen finish
    endif
    
    #Consolidate Debt from
    if
     $header_from: contains "Consolidate Debt"
    then
     seen finish
    endif
    
    #CouponXplorer
    if
     $header_from: contains "CouponXplorer"
    then
     seen finish
    endif
    
    #Credit
    if
     $header_from: contains "Credit"
    then
     seen finish
    endif
    
    #Flex from
    if
     $header_from: contains "Flex"
    then
     seen finish
    endif
    
    #FS360
    if
     $header_from: contains "FS360"
    then
     seen finish
    endif
    
    #FSUSA
    if
     $header_from: contains "FSUSA"
    then
     seen finish
    endif
    
    #FreeScore360
    if
     $header_from: contains "FreeScore360"
    then
     seen finish
    endif
    
    #Grand Palace from
    if
     $header_from: contains "Grand Palace"
    then
     seen finish
    endif
    
    #Groupon
    if
     $header_from: contains "Groupon"
    then
     seen finish
    endif
    
    #Home Security
    if
     $message_headers contains "Home Security"
    then
     seen finish
    endif
    
    #High Speed Internet
    if
     $message_headers contains "High Speed Internet"
    then
     seen finish
    endif
    
    #imnicamail.com
    if
     $message_headers contains "imnicamail.com"
    then
     seen finish
    endif
    
    #Internal Fax from
    if
     $header_from: contains "Internal Fax"
    then
     seen finish
    endif
    
    #Internet Phone
    if
     $header_from: contains "Internet Phone"
    then
     seen finish
    endif
    
    
    #LASIK
    if
     $header_from: contains "LASIK"
    then
     seen finish
    endif
    
    #Lending Tree
    if
     $header_from: contains "Lending Tree"
    then
     seen finish
    endif
    
    #Luxury Home
    if
     $header_from: contains "Luxury Home"
    then
     seen finish
    endif
    
    #Maid Services
    if
     $header_from: contains "Maid Services"
    then
     seen finish
    endif
    
    #Medical Billing and Coding
    if
     $header_from: contains "Medical Billing and Coding"
    then
     seen finish
    endif
    
    #Medicare Plans
    if
     $header_from: contains "Medicare Plans"
    then
     seen finish
    endif
    
    #New Windows
    if
     $header_from: contains "new windows"
    then
     seen finish
    endif
    
    
    #notice to appear
    if
     $header_from: contains "notice to appear"
    then
     seen finish
    endif
    
    #notice of Appearance
    if
     $header_from: contains "Notice of Appearance"
    then
     seen finish
    endif
    
    #garcinia
    if
     $header_from: contains "garcinia"
    then
     seen finish
    endif
    
    #Marine
    if
     $header_from: contains "Marine"
    then
     seen finish
    endif
    
    #NeighborhoodAlert
    if
     $header_from: contains "NeighborhoodAlert"
    then
     seen finish
    endif
    
    #Nutrisystem
    if
     $header_from: contains "Nutrisystem"
    then
     seen finish
    endif
    
    #Nursing
    if
     $header_from: contains "Nursing"
    then
     seen finish
    endif
    
    #Notification
    if
     $header_from: contains "Notification"
    then
     seen finish
    endif
    
    #Notice
    if
     $header_from: contains "Notice"
    then
     seen finish
    endif
    
    #Norwegian Cruise Line
    if
     $header_from: contains "Norwegian Cruise Line"
    then
     seen finish
    endif
    
    #NextGear
    if
     $header_from: contains "NextGear"
    then
     seen finish
    endif
    
    #Oil Change
    if
     $header_from: contains "Oil Change"
    then
     seen finish
    endif
    
    #OmegaK
    if
     $header_from: contains "OmegaK"
    then
     seen finish
    endif
    
    #Online Doctorate
    if
     $header_from: contains "Online Doctorate"
    then
     seen finish
    endif
    
    #pennystocktweeters.com
    if
     $header_from: contains "pennystocktweeters.com"
    then
     seen finish
    endif
    
    #Private Yacht
    if
     $header_from: contains "Private Yacht"
    then
     seen finish
    endif
    
    #Platinum Credit from
    if
     $header_from: contains "Platinum Credit"
    then
     seen finish
    endif
    
    #replacement window
    if
     $header_from: contains "replacement window"
    then
     seen finish
    endif
    
    #Replace Your Windows
    if
     $header_from: contains "Replace Your Windows"
    then
     seen finish
    endif
    
    #replacement windows
    if
     $header_from: contains "replacement windows"
    then
     seen finish
    endif
    
    #Replacement Window
    if
     $header_from: contains "Replacement Window"
    then
     seen finish
    endif
    
    #Restore My Vision Today
    if
     $header_from: contains "Restore My Vision Today"
    then
     seen finish
    endif
    
    #Restore My Vision
    if
     $header_from: contains "Restore My Vision"
    then
     seen finish
    endif
    
    #Restore My Vision
    if
     $header_from: contains "Restore My Vision"
    then
     seen finish
    endif
    
    #Reverse Your Diabetes
    if
     $header_from: contains "Reverse Your Diabetes"
    then
     seen finish
    endif
    
    #RussianBrides
    if
     $header_from: contains "RussianBrides"
    then
     seen finish
    endif
    
    #Shed Building Guide
    if
     $header_from: contains "Shed Building Guide"
    then
     seen finish
    endif
    
    #Satellite Internet from
    if
     $header_from: contains "Satellite Internet"
    then
     seen finish
    endif
    
    #simply ink
    if
     $header_from: contains "simply ink"
    then
     seen finish
    endif
    
    #Slim Spray
    if
     $header_from: contains "Slim Spray"
    then
     seen finish
    endif
    
    #Spy Camera from
    if
     $header_from: contains "Spy Camera"
    then
     seen finish
    endif
    
    #Small Business Loan from
    if
     $header_from: contains "Small Business Loan"
    then
     seen finish
    endif
    
    #SmallCap network
    if
     $header_from: contains "SmallCap Network "
    then
     seen finish
    endif
    
    #South Beach Diet
    if
     $header_from: contains "South Beach Diet"
    then
     seen finish
    endif
    
    #sweetjack
    if
     $header_from: contains "sweetjack"
    then
     seen finish
    endif
    
    #The South Beach Diet
    if
     $header_from: contains "The South Beach Diet"
    then
     seen finish
    endif
    
    #The Timeshare professionals
    if
     $header_from: contains "The Timeshare professionals"
    then
     seen finish
    endif
    
    #TedsWoodWorking
    if
     $header_from: contains "TedsWoodWorking"
    then
     seen finish
    endif
    
    #Testoril
    if
     $header_from: contains "Testoril"
    then
     seen finish
    endif
    
    #Travelocity
    if
     $header_from: contains "Travelocity"
    then
     seen finish
    endif
    
    #Viagra Subject
    if
     $header_subject: contains "Viagra"
    then
      seen finish
    endif
    
    #viagraonline
    if
     $header_subject: contains "viagraonline"
    then
      seen finish
    endif
    
    #viagra from
    if
     $header_from: contains "viagra"
    then
         seen finish
    endif
    
    #Viagra From
    if
     $header_from: contains "Viagra"
    then
     seen finish
    endif
    
    #Voice Mail
    if
     $header_from: contains "Voice Mail"
    then
     seen finish
    endif
    
    #vydox
    if
     $header_from: contains "vydox"
    then
     seen finish
    endif
    
    #Walk-inTub
    if
     $header_from: contains "Walk-inTub"
    then
     seen finish
    endif
    
    #WebMD
    if
     $header_from: contains "WebMD"
    then
     seen finish
    endif
    
    #Wireless Internet from
    if
     $header_from: contains "Wireless Internet"
    then
     seen finish
    endif
    
    #Xerox WorkCentre from
    if
     $header_from: contains "Xerox WorkCentre"
    then
     seen finish
    endif
    
    #ZeroClosing
    if
     $header_from: contains "ZeroClosing"
    then
     seen finish
    endif
     
    #1 StoneyCreeker, Jun 17, 2014
    Last edited by a moderator: Jun 17, 2014
  2. StoneyCreeker

    StoneyCreeker Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    50
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Upper-East TN
    cPanel Access Level:
    Root Administrator
    To answer my own question, which I should have seen prior to posting, it was the rule:

    #Notification
    if
    $header_from: contains "Notification"
    then
    seen finish
    endif


    I noticed, (no pun intended), that the header from the email had this word in it here:

    (envelope-from <notification+kr4k54mkqbnr@facebookmail.com>)

    When I removed this rule the email delivered normally.

    I hope this helps someone else.

    Also the above spam filter rule list seems to work good at this time.

    If anyone has a suggestion that would make it work better please post it.

    Is there a way to add a line to send them to an email account on my server prior to the "seen endif" line?

    Thanks!!!!

    Still learning after all these years.
     
  3. StoneyCreeker

    StoneyCreeker Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    50
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Upper-East TN
    cPanel Access Level:
    Root Administrator
    Me again!

    I created an email account named "globalspam" and then modified each rule to send a copy of each email deleted by this "cpanel_exim_system_filter_custom" file rule to it then deleted it before it reached the intended recipient so I can monitor what each rule is really doing. :)

    I modified each rule as so:

    #Rule Name
    if
    $header_from: contains "Rule Value"
    then
    deliver "$home/mail/myserverdomain.com/globalspam/" 660
    seen finish
    endif



    It seems to be working now. And I know what is being blocked by it. I expect it will fill up quickly.

    Cheers!

    EDIT:

    Code:
    I found that instead of using
    
    deliver "$home/mail/myserverdomain.com/globalspam/" 660"
    
    that
    
    deliver "Global Spam <globalspam@mydomain.com>"
    
    worked much better
    
     
    #3 StoneyCreeker, Jun 17, 2014
    Last edited: Jun 18, 2014
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page