Custom exim system filter not working

Aug 17, 2018
8
1
1
Bristol
cPanel Access Level
Root Administrator
Hi, can someone tell me why a part of my custom exim filter isn't working? Specifically the message_body? Everything else seems to work fine.

Code:
if
    $h_subject: is "accounts mugfesp" or
    $h_subject: is "The decision to suspend your account. Waiting for payment." or 
    $h_subject: is "account problem detected" or
    $h_subject: is "Send Unlimited Emails Instantly, without any restriction" or
    $h_subject: is "two suspec... kolcloopt"
    $h_subject: contains "Jason Bateman thanks wife and" or
    $message_body: contains "from YOUR hacked account"
then
    fail text "Your message was detected as spam. If this was by mistake, please call and inform us of the issue. DF Sales Ltd."
seen finish
endif
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
@cPanelLauren gave us this tip which works extremely well:
What I normally do to ensure that it's syntactically correct is create the filter in cPanel>>Mail>>Global Email Filters then once it's finished grab the data written to /etc/vfilters/domain.tld for it and add it to the sysfilter.
You can then test all the parts of the filter using the Filter test in cPanel
 
Aug 17, 2018
8
1
1
Bristol
cPanel Access Level
Root Administrator
@cPanelLauren gave us this tip which works extremely well:
You can then test all the parts of the filter using the Filter test in cPanel
Ah, didn't even think about doing that! Great tip, just done as suggested, copied it over to my sysfilter with the same formatting and it's working fine now! I had also noticed on line 6, I'd forgotten an 'or' which wasn't helping either.

Thanks @cPanelLauren & @rpvw

On a separate note, I'm trying to block incoming spam spoofing from my email address. I thought I'd be able to stop this by searching the email body. This works fine when I manually send an email. However, when viewing the raw source of the spammer's email, it contains the following strange formatting, which makes it hard to try and stop, as each time the formatting is slightly different.
Code:
You m=D0=B0=E2=80=8By n=D0=BE=E2=80=8Bt kn=D0=BE=E2=80=8Bw me =D0=B0=E2=80=
=8Bnd y=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=80=8B prob=D0=B0=E2=80=8B=
bly wondering why =D1=83=E2=80=8B=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=
=80=8B getting this =D0=B5=E2=80=8B mail, right?
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
Your code example is a mixture of plain text and Quoted-Printable encoding, and once decoded, turns into
You mаy nоt knоw me аnd yоu аrе probаbly wondering why уоu аrе getting this е mail, right?
..... and they often follow it with some claim about how they activated your web-cam and have a video of you doing something you wouldn't want your friends to see - and demand a payment not to send the fictitious video to all your contacts ! :eek: or some equally unlikely claim that is designed to trick you into guilty compliance.

The spammers and scammers are increasingly using this technique to obfuscate their content, and evade spam and content filtering. There is little one can easily do to prevent it due to the variety and complexity of the encoding available to them

You might find the encode/decode utilities useful; available on-line at https://toolbox.googleapps.com/apps/encode_decode/ and the utf-8 encoder/decoder at https://mothereff.in/utf-8
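An added illustration of the point rpvw makes above (not code from the thread, and not an Exim filter): Exim's $message_body variable holds the body as it was received, transfer encoding and all, so a "contains" test sees the =D0=B0 bytes rather than the letters. The script below decodes the Quoted-Printable fragment quoted in the thread, strips the zero-width spaces, folds the Cyrillic look-alike letters back to Latin, and only then runs the phrase test. The charset is assumed to be utf-8 (as the sample's Content-Type header declares) and the homoglyph table is an illustrative subset, not the full Unicode confusables list.

```python
"""Decode and de-obfuscate a Quoted-Printable body before a phrase test.

Added illustration for this thread, not Exim code: $message_body gives a
filter the raw transfer-encoded text, so a 'contains' test has to be run
on the decoded and normalised form instead.
"""
import quopri
import re
import unicodedata

# Constructed input: the QP fragment quoted in the thread, as it appears in
# the raw source (lines ending in '=' are QP soft line breaks).
RAW_QP_BODY = (
    b"You m=D0=B0=E2=80=8By n=D0=BE=E2=80=8Bt kn=D0=BE=E2=80=8Bw me =D0=B0=E2=80=\r\n"
    b"=8Bnd y=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=80=8B prob=D0=B0=E2=80=8B=\r\n"
    b"bly wondering why =D1=83=E2=80=8B=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=\r\n"
    b"=80=8B getting this =D0=B5=E2=80=8B mail, right?\r\n"
)

# Invisible code points that split words without rendering (U+200B is the
# one the sample inserts after every look-alike letter).
ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\ufeff\u00ad")

# Cyrillic letters that render like Latin ones.  Illustrative subset only;
# Unicode TR39 publishes the full confusables table.
HOMOGLYPH_MAP = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}
HOMOGLYPHS = str.maketrans(HOMOGLYPH_MAP)


def decode_qp(raw: bytes, charset: str = "utf-8") -> str:
    """Undo the quoted-printable transfer encoding (soft breaks included)."""
    return quopri.decodestring(raw).decode(charset, errors="replace")


def normalize(text: str) -> str:
    """Strip invisible characters, fold look-alikes, collapse whitespace."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    text = text.translate(HOMOGLYPHS)
    return re.sub(r"\s+", " ", text).strip()


def obfuscation_score(decoded: str) -> int:
    """Number of invisible or look-alike characters in decoded text.  A high
    count inside otherwise ASCII prose is itself a strong spam signal, even
    when no phrase list matches."""
    return sum(1 for ch in decoded if ch in ZERO_WIDTH or ch in HOMOGLYPH_MAP)


def raw_contains(raw: bytes, phrase: str) -> bool:
    """What a byte-level 'contains' on the undecoded body sees."""
    return phrase.casefold().encode() in raw.lower()


def body_contains(raw: bytes, phrase: str) -> bool:
    """The same phrase test, applied after decoding and normalisation."""
    return phrase.casefold() in normalize(decode_qp(raw)).casefold()


if __name__ == "__main__":
    decoded = decode_qp(RAW_QP_BODY)
    print(normalize(decoded))
    print("obfuscation score:", obfuscation_score(decoded))
    for fn in (raw_contains, body_contains):
        print(fn.__name__, fn(RAW_QP_BODY, "you are probably wondering"))
```

The raw test misses the phrase, the normalised test finds it, and the score (26 invisible or look-alike characters in one sentence) is a usable signal on its own: a filter that cannot decode the body can still reject a message whose encoded body is dominated by =E2=80=8B sequences.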
 
Aug 17, 2018
8
1
1
Bristol
cPanel Access Level
Root Administrator
Your code example is a mixture of plain text and Quoted-Printable encoding, and once decoded, turns into ..... and they often follow it with some claim about how they activated your web-cam and have a video of you doing something you wouldn't want your friends to see - and demand a payment not to send the fictitious video to all your contacts ! :eek:

The spammers and scammers are increasingly using this technique to obfuscate their content, and evade spam and content filtering. There is little one can easily do to prevent it due to the variety and complexity of the encoding available to them

You might find the encode/decode utilities useful; available on-line at https://toolbox.googleapps.com/apps/encode_decode/ and the utf-8 encoder/decoder at https://mothereff.in/utf-8
Yes, you're exactly right. It's a pain that I can't easily search the message body as plain text, as that would solve the issue!

I think I read another post from someone who's having a similar issue with spam emails that look like they're being sent from themselves, with a similar message. Is there a good exim rule to use? Here's a header example from a typical spam email:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from myserver.com
    by myserver.com with LMTP id 8LjyCa3YUFzpVwAAPb2kjA
    for <[email protected]>; Tue, 29 Jan 2019 22:50:21 +0000
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 29 Jan 2019 22:50:21 +0000
Received: from apn-46-xx-xx-xxx.static.gprs.plus.pl ([46.xx.xx.xxx]:33980 helo=iquersant.us)
    by myserver.com with esmtp (Exim 4.91)
    (envelope-from <[email protected]>)
    id 1goaXN-0000a0-J7
    for [email protected]; Tue, 29 Jan 2019 21:03:18 +0000
Received: from [24.xx.xx.xx] (helo=[192.168.1.00])
    by relay.gaonet.gov with esmtpa
    envelope from <[email protected]>
    authenticated with [email protected]
    message id 1goaX7-0000ul-pc
    for [email protected]; Tue, 29 Jan 2019 22:32:25 +0200
Received: from [08.xx.xx.xx] (helo=[192.168.1.03])
    by relay.doralpd-fl.gov with esmtpa
    envelope from <[email protected]>
    authenticated with [email protected]
    message id 1goaX7-0000dg-az
    for [email protected]; Tue, 29 Jan 2019 22:32:25 +0200
Date: Wed, 30 Jan 2019 00:03:01 +0300
X-grahfreng: dengzask
X-jushdol: yandkuk
Mime-Version: 1.0
Content-Type: text/html; charset="utf-8"
From: "My Name" <[email protected]>
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
The holy grail of GLOBAL spam filtering is to block spam that uses your email address as the spoofed 'from' address, and delivers it to your account, and originates from a remote Sender User.

Shouldn't be a problem should it ?

The issue is to determine if the Sender User is remote or an actual user on your server. Whilst one could do something like the pseudo code
Code:
if "$h_to:, $h_from:" contains [email protected] then ...
this is only practical at user level, and may block you from sending a genuine copy of an email to yourself.

There are a couple of other threads you may like to read through
Spam email from self
Incoming malformed junk mail

If you work out how to do it - please let us know :-D
 
Aug 17, 2018
8
1
1
Bristol
cPanel Access Level
Root Administrator
The holy grail of GLOBAL spam filtering is to block spam that uses your email address as the spoofed 'from' address, and delivers it to your account, and originates from a remote Sender User.

Shouldn't be a problem should it ?

The issue is to determine if the Sender User is remote or an actual user on your server. Whilst one could do something like the pseudo code
Code:
if "$h_to:, $h_from:" contains [email protected] then ...
this is only practical at user level, and may block you from sending a genuine copy of an email to yourself.

There are a couple of other threads you may like to read through
Spam email from self
Incoming malformed junk mail

If you work out how to do it - please let us know :-D
See my first idea was the following
Code:
if $header_from matches $header_to and $reply_address: does not match $header_from then
Which in my head makes sense, as I thought '$reply_address' would be 'Return-Path'... or am I being stupid? :-D
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
The problem I have experienced so far, is that I have been unable to get the content of one variable to be tested against the content of another variable.

So:
$header_from matches $header_to does not work - tries to match the content of $header_from to the string $header_to (as opposed to the content of the variable $header_to)

I have not been able to determine if the problem is my syntax, or if the exim filter just doesn't work that way o_O

The docs are clear that for a "matches" test, after expansion of both strings, the second one is interpreted as a regular expression, but the statement that "An 'is' test does an exact match between the strings, having first expanded both strings." suggests that each variable (string) should be expanded .......... I just have never made it work :(

$return_path

When a message is being delivered, this variable contains the return path – the sender field that will be sent as part of the envelope. It is not enclosed in <> characters. At the start of routing an address, $return_path has the same value as $sender_address, but if, for example, an incoming message to a mailing list has been expanded by a router which specifies a different address for bounce messages, $return_path subsequently contains the new bounce address, whereas $sender_address always contains the original sender address that was received with the message. In other words, $sender_address contains the incoming envelope sender, and $return_path contains the outgoing envelope sender.
$reply_address

When a message is being processed, this variable contains the contents of the Reply-To: header line if one exists and it is not empty, or otherwise the contents of the From: header line. Apart from the removal of leading white space, the value is not processed in any way. In particular, no RFC 2047 decoding or character code translation takes place.

Hope you have better luck !
 
Aug 17, 2018
8
1
1
Bristol
cPanel Access Level
Root Administrator
The problem I have experienced so far, is that I have been unable to get the content of one variable to be tested against the content of another variable.

So:
$header_from matches $header_to does not work - tries to match the content of $header_from to the string $header_to (as opposed to the content of the variable $header_to)

I have not been able to determine if the problem is my syntax, or if the exim filter just doesn't work that way o_O

The docs are clear that for a "matches" test, after expansion of both strings, the second one is interpreted as a regular expression, but the statement that "An 'is' test does an exact match between the strings, having first expanded both strings." suggests that each variable (string) should be expanded .......... I just have never made it work :(

Hope you have better luck !
So I've managed to get the following working fine for me:

Code:
if
    $header_from matches $header_to and $return_path: does not contain "amazonmail" or
    $header_from matches $header_to and $return_path: does not contain "companyname"
then
    fail text "Your message was detected as spam. If this was by mistake, please call and inform us of the issue. Company Name."
seen finish
endif
We send our outgoing mail through either amazon mail or our own server, hence the two. I've thoroughly tested this, going to a different contact, then sending an email to myself on either outgoing server, and it's working absolutely fine. The next test will be if I still receive the spam emails.

Not sure if this will help anyone?
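An added worked example of the "from self" check discussed in the last few posts (the From/To comparison first tried above, and the filter just posted), written here in Python rather than as an Exim filter and not taken from the thread or from cPanel. It makes the grouping explicit instead of relying on and/or precedence, and it adds the signal the thread keeps circling: whether the message reached our own MTA over an authenticated session. Exim exposes the same signals to a system filter as $received_protocol (esmtpa or esmtpsa when the client authenticated), $authenticated_id and $return_path. The hostnames, addresses, IPs and the trusted bounce domain are placeholders modelled on the header block posted earlier.

```python
"""Flag mail that claims to be from the recipient but did not arrive through
an authenticated session on our own server.

Added illustration for this thread; not Exim code and not the poster's
filter.  The equivalent Exim variables are $received_protocol,
$authenticated_id and $return_path.
"""
import email
import re
from email.utils import parseaddr

OUR_HOST = "mail.example.com"                   # name Exim writes after 'by' in Received:
TRUSTED_BOUNCE_DOMAINS = {"amazonses.example"}  # bounce domain of our outbound relay

# Constructed sample modelled on the header block in the thread; every
# address, host, IP and id is a placeholder.
SPOOFED = """\
Return-Path: <victim@example.com>
Received: from apn-46-0-0-1.static.gprs.plus.example ([192.0.2.10]:33980 helo=iquersant.example)
\tby mail.example.com with esmtp (Exim 4.91)
\t(envelope-from <victim@example.com>)
\tid 1goaXN-0000a0-J7
\tfor victim@example.com; Tue, 29 Jan 2019 21:03:18 +0000
From: "My Name" <victim@example.com>
To: victim@example.com
Subject: You may not know me

(body)
"""

# A genuine note-to-self submitted by the user with SMTP authentication.
SELF_SENT = SPOOFED.replace("with esmtp (Exim", "with esmtpa (Exim")

# A genuine copy relayed back through the outbound provider, recognised by
# its bounce domain rather than by authentication.
VIA_RELAY = SPOOFED.replace(
    "Return-Path: <victim@example.com>",
    "Return-Path: <bounce-0101@amazonses.example>",
).replace("with esmtp (Exim", "with esmtps (Exim")


def hop_protocol(raw: str, our_host: str = OUR_HOST):
    """Protocol recorded on the Received: line that *our* MTA prepended.

    Only the topmost Received: lines are ours; everything below them was
    supplied by the remote sender and may be forged.  Skip the local LMTP
    delivery hop and stop at the first hop 'by our_host'."""
    msg = email.message_from_string(raw)
    for hop in msg.get_all("Received", []):
        m = re.search(r"\bby\s+(\S+)\s+with\s+(\S+)", " ".join(hop.split()))
        if m and m.group(1).lower() == our_host.lower():
            proto = m.group(2).lower()
            if proto != "lmtp":
                return proto
    return None


def is_spoofed_self(raw: str, our_host: str = OUR_HOST,
                    trusted_bounce_domains=TRUSTED_BOUNCE_DOMAINS) -> bool:
    """True when From and To are the same address, the message did not come
    in over an authenticated session, and its bounce address is not one of
    our relay's.  Return-Path is chosen by the sender, so a domain on the
    trusted list is only as safe as that domain's own anti-spoofing; never
    put your own domain there, because that is exactly what the spoof uses."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if not sender or sender != recipient:
        return False                       # not the from-self pattern at all
    if hop_protocol(raw, our_host) in ("esmtpa", "esmtpsa"):
        return False                       # our own user, SMTP-authenticated
    bounce_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if bounce_domain in trusted_bounce_domains:
        return False                       # relayed by our outbound provider
    return True


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("self-sent", SELF_SENT),
                         ("via relay", VIA_RELAY)):
        print(f"{name:10} protocol={hop_protocol(sample)!s:8} "
              f"spoofed={is_spoofed_self(sample)}")
```

The authentication check is the part that a From/To comparison alone cannot provide: a remote host can put your address in From, To and Return-Path, but it cannot make your own Exim write "esmtpa" on the Received: line it adds.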
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston