cpanel_exim_system_filter_custom rules blocking facebook

I have set up some rules in the cpanel_exim_system_filter_custom file and am having an unexpected result.

It has been working great for over a week to globally filter the emails across my VPS. I have 31 domains in it and now I only have to set a rule up once to block common spammer "from" and "subject" terms.

I am only using "from"and "subject" rules and do not have any rules specifying "facebook" but it is blocking them. If I remove the rules from the bottom of the cpanel_exim_system_filter_custom file, the facebook email delivers normally.

Here is the email header I receive when I remove the rules:

Code:

[COLOR="#0000CD"]Return-path: <notification+kr4k54mkqbnr@facebookmail.com>
Envelope-to: [email]xxxxxx@xxx.com[/email]
Delivery-date: Tue, 17 Jun 2014 10:11:26 -0400
Received: from outmail035.prn2.facebook.com ([66.220.144.162]:62645 helo=mx-out.facebook.com)
	by xmyserverdomain.com with esmtps (TLSv1:DHE-RSA-AES128-SHA:128)
	(Exim 4.82)
	(envelope-from <notification+kr4k54mkqbnr@facebookmail.com>)
	id 1Wwu6c-00042y-Kk
	for [email]xxxxxx@xxxxxx.com[/email]; Tue, 17 Jun 2014 10:11:26 -0400
Received: from facebook.com (knG4/qU0TesChw2NpLmCsFo0Pa4GVzpcy6am1I7QExB9hBcKmJjWCFbK4qvwNG+6 10.102.107.73)
 by facebook.com with Thrift id 3b7b7ec0f62911e396380002c9e0736a-7bfc430;
 Tue, 17 Jun 2014 07:11:10 -0700
X-Facebook: from 2401:db00:20:30c7:face:0:4f:0 ([MTI3LjAuMC4x]) 
	by [url]www.facebook.com[/url] with HTTP (ZuckMail);
Date: Tue, 17 Jun 2014 07:11:10 -0700
To: xxxxxx <xxxxxx@xxxxxx.com>
From: "Facebook" <notification+kr4k54mkqbnr@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>
Subject: Just one more step to get started on Facebook[/COLOR]
[B]
Here is my filter list if someone smarter than me can help please:[/B]

 #3BureauMonitoring
if
 $header_from: contains "3BureauMonitoring"
then
 seen finish
endif

#BloodPressureFix
if
 $header_from: contains "BloodPressureFix"
then
 seen finish
endif


#Blood Pressure Solution
if
 $header_from: contains "Blood Pressure Solution"
then
 seen finish
endif

#Bosley Hair
if
 $header_from: contains "Bosley Hair"
then
 seen finish
endif


#Business
if
 $header_from: contains "Business"
then
 seen finish
endif

#Business Grants from
if
 $header_from: contains "Business Grants"
then
 seen finish
endif

#Business Funding from
if
 $header_from: contains "Business Funding"
then
 seen finish
endif

#Consolidate
if
 $header_from: contains "Consolidate"
then
 seen finish
endif

#Consolidate Debt from
if
 $header_from: contains "Consolidate Debt"
then
 seen finish
endif

#CouponXplorer
if
 $header_from: contains "CouponXplorer"
then
 seen finish
endif

#Credit
if
 $header_from: contains "Credit"
then
 seen finish
endif

#Flex from
if
 $header_from: contains "Flex"
then
 seen finish
endif

#FS360
if
 $header_from: contains "FS360"
then
 seen finish
endif

#FSUSA
if
 $header_from: contains "FSUSA"
then
 seen finish
endif

#FreeScore360
if
 $header_from: contains "FreeScore360"
then
 seen finish
endif

#Grand Palace from
if
 $header_from: contains "Grand Palace"
then
 seen finish
endif

#Groupon
if
 $header_from: contains "Groupon"
then
 seen finish
endif

#Home Security
if
 $message_headers contains "Home Security"
then
 seen finish
endif

#High Speed Internet
if
 $message_headers contains "High Speed Internet"
then
 seen finish
endif

#imnicamail.com
if
 $message_headers contains "imnicamail.com"
then
 seen finish
endif

#Internal Fax from
if
 $header_from: contains "Internal Fax"
then
 seen finish
endif

#Internet Phone
if
 $header_from: contains "Internet Phone"
then
 seen finish
endif


#LASIK
if
 $header_from: contains "LASIK"
then
 seen finish
endif

#Lending Tree
if
 $header_from: contains "Lending Tree"
then
 seen finish
endif

#Luxury Home
if
 $header_from: contains "Luxury Home"
then
 seen finish
endif

#Maid Services
if
 $header_from: contains "Maid Services"
then
 seen finish
endif

#Medical Billing and Coding
if
 $header_from: contains "Medical Billing and Coding"
then
 seen finish
endif

#Medicare Plans
if
 $header_from: contains "Medicare Plans"
then
 seen finish
endif

#New Windows
if
 $header_from: contains "new windows"
then
 seen finish
endif


#notice to appear
if
 $header_from: contains "notice to appear"
then
 seen finish
endif

#notice of Appearance
if
 $header_from: contains "Notice of Appearance"
then
 seen finish
endif

#garcinia
if
 $header_from: contains "garcinia"
then
 seen finish
endif

#Marine
if
 $header_from: contains "Marine"
then
 seen finish
endif

#NeighborhoodAlert
if
 $header_from: contains "NeighborhoodAlert"
then
 seen finish
endif

#Nutrisystem
if
 $header_from: contains "Nutrisystem"
then
 seen finish
endif

#Nursing
if
 $header_from: contains "Nursing"
then
 seen finish
endif

#Notification
if
 $header_from: contains "Notification"
then
 seen finish
endif

#Notice
if
 $header_from: contains "Notice"
then
 seen finish
endif

#Norwegian Cruise Line
if
 $header_from: contains "Norwegian Cruise Line"
then
 seen finish
endif

#NextGear
if
 $header_from: contains "NextGear"
then
 seen finish
endif

#Oil Change
if
 $header_from: contains "Oil Change"
then
 seen finish
endif

#OmegaK
if
 $header_from: contains "OmegaK"
then
 seen finish
endif

#Online Doctorate
if
 $header_from: contains "Online Doctorate"
then
 seen finish
endif

#pennystocktweeters.com
if
 $header_from: contains "pennystocktweeters.com"
then
 seen finish
endif

#Private Yacht
if
 $header_from: contains "Private Yacht"
then
 seen finish
endif

#Platinum Credit from
if
 $header_from: contains "Platinum Credit"
then
 seen finish
endif

#replacement window
if
 $header_from: contains "replacement window"
then
 seen finish
endif

#Replace Your Windows
if
 $header_from: contains "Replace Your Windows"
then
 seen finish
endif

#replacement windows
if
 $header_from: contains "replacement windows"
then
 seen finish
endif

#Replacement Window
if
 $header_from: contains "Replacement Window"
then
 seen finish
endif

#Restore My Vision Today
if
 $header_from: contains "Restore My Vision Today"
then
 seen finish
endif

#Restore My Vision
if
 $header_from: contains "Restore My Vision"
then
 seen finish
endif

#Restore My Vision
if
 $header_from: contains "Restore My Vision"
then
 seen finish
endif

#Reverse Your Diabetes
if
 $header_from: contains "Reverse Your Diabetes"
then
 seen finish
endif

#RussianBrides
if
 $header_from: contains "RussianBrides"
then
 seen finish
endif

#Shed Building Guide
if
 $header_from: contains "Shed Building Guide"
then
 seen finish
endif

#Satellite Internet from
if
 $header_from: contains "Satellite Internet"
then
 seen finish
endif

#simply ink
if
 $header_from: contains "simply ink"
then
 seen finish
endif

#Slim Spray
if
 $header_from: contains "Slim Spray"
then
 seen finish
endif

#Spy Camera from
if
 $header_from: contains "Spy Camera"
then
 seen finish
endif

#Small Business Loan from
if
 $header_from: contains "Small Business Loan"
then
 seen finish
endif

#SmallCap network
if
 $header_from: contains "SmallCap Network "
then
 seen finish
endif

#South Beach Diet
if
 $header_from: contains "South Beach Diet"
then
 seen finish
endif

#sweetjack
if
 $header_from: contains "sweetjack"
then
 seen finish
endif

#The South Beach Diet
if
 $header_from: contains "The South Beach Diet"
then
 seen finish
endif

#The Timeshare professionals
if
 $header_from: contains "The Timeshare professionals"
then
 seen finish
endif

#TedsWoodWorking
if
 $header_from: contains "TedsWoodWorking"
then
 seen finish
endif

#Testoril
if
 $header_from: contains "Testoril"
then
 seen finish
endif

#Travelocity
if
 $header_from: contains "Travelocity"
then
 seen finish
endif

#Viagra Subject
if
 $header_subject: contains "Viagra"
then
  seen finish
endif

#viagraonline
if
 $header_subject: contains "viagraonline"
then
  seen finish
endif

#viagra from
if
 $header_from: contains "viagra"
then
     seen finish
endif

#Viagra From
if
 $header_from: contains "Viagra"
then
 seen finish
endif

#Voice Mail
if
 $header_from: contains "Voice Mail"
then
 seen finish
endif

#vydox
if
 $header_from: contains "vydox"
then
 seen finish
endif

#Walk-inTub
if
 $header_from: contains "Walk-inTub"
then
 seen finish
endif

#WebMD
if
 $header_from: contains "WebMD"
then
 seen finish
endif

#Wireless Internet from
if
 $header_from: contains "Wireless Internet"
then
 seen finish
endif

#Xerox WorkCentre from
if
 $header_from: contains "Xerox WorkCentre"
then
 seen finish
endif

#ZeroClosing
if
 $header_from: contains "ZeroClosing"
then
 seen finish
endif

 

To answer my own question, which I should have seen prior to posting, it was the rule:

#Notification
if
$header_from: contains "Notification"
then
seen finish
endif

I noticed, (no pun intended), that the header from the email had this word in it here:

(envelope-from <notification+kr4k54mkqbnr@facebookmail.com>)

When I removed this rule the email delivered normally.

I hope this helps someone else.

Also the above spam filter rule list seems to work good at this time.

If anyone has a suggestion that would make it work better please post it.

Is there a way to add a line to send them to an email account on my server prior to the "seen endif" line?

Thanks!!!!

Still learning after all these years.

 

Me again!

I created an email account named "globalspam" and then modified each rule to send a copy of each email deleted by this "cpanel_exim_system_filter_custom" file rule to it then deleted it before it reached the intended recipient so I can monitor what each rule is really doing.

I modified each rule as so:

#Rule Name
if
$header_from: contains "Rule Value"
then
deliver "$home/mail/myserverdomain.com/globalspam/" 660
seen finish
endif


It seems to be working now. And I know what is being blocked by it. I expect it will fill up quickly.

Cheers!

EDIT:

Code:

I found that instead of using

deliver "$home/mail/myserverdomain.com/globalspam/" 660"

that

deliver "Global Spam <globalspam@mydomain.com>"

worked much better