
Custom exim system filter not working

Discussion in 'E-mail Discussion' started by Elliot Hagerty, Jan 29, 2019.

  1. Elliot Hagerty (Member; Bristol; cPanel Access Level: Root Administrator)
    Hi, can someone tell me why a part of my custom exim filter isn't working? Specifically the message_body? Everything else seems to work fine.

    Code:
    if
        $h_subject: is "accounts mugfesp" or
        $h_subject: is "The decision to suspend your account. Waiting for payment." or 
        $h_subject: is "account problem detected" or
        $h_subject: is "Send Unlimited Emails Instantly, without any restriction" or
        $h_subject: is "two suspec... kolcloopt"
        $h_subject: contains "Jason Bateman thanks wife and" or
        $message_body: contains "from YOUR hacked account"
    then
        fail text "Your message was detected as spam. If this was by mistake, please call and inform us of the issue. DF Sales Ltd."
    seen finish
    endif
    
     
  2. rpvw (Well-Known Member; Spain; cPanel Access Level: Root Administrator)
    @cPanelLauren gave us this tip which works extremely well:
    You can then test all the parts of the filter using the Filter test in cPanel
     
  3. Elliot Hagerty (Member; Bristol; cPanel Access Level: Root Administrator)
    Ah, didn't even think about doing that! Great tip, just done as suggested, copied it over to my sysfilter with the same formatting and it's working fine now! I had also noticed that on line 6 I'd forgotten an 'or', which wasn't helping either.

    Thanks @cPanelLauren & @rpvw

    On a separate note, I'm trying to block incoming spam spoofing my email address. I thought I'd be able to stop this by searching the email body. This works fine when I manually send an email. However, when viewing the raw source of the spammer's email, it contains the following strange formatting, which makes it hard to try and stop, as each time the formatting is slightly different.
    Code:
    You m=D0=B0=E2=80=8By n=D0=BE=E2=80=8Bt kn=D0=BE=E2=80=8Bw me =D0=B0=E2=80=
    =8Bnd y=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=80=8B prob=D0=B0=E2=80=8B=
    bly wondering why =D1=83=E2=80=8B=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=
    =80=8B getting this =D0=B5=E2=80=8B mail, right?
     
    #3 Elliot Hagerty, Jan 30, 2019
    Last edited: Jan 30, 2019
  4. rpvw (Well-Known Member; Spain; cPanel Access Level: Root Administrator)
    Your code example is a mixture of plain text and Quoted-Printable encoding, and once decoded, turns into
    ..... and they often follow it with some claim about how they activated your web-cam and have a video of you doing something you wouldn't want your friends to see, and demand a payment not to send the fictitious video to all your contacts! :eek: Or some equally unlikely claim that is designed to trick you into guilty compliance.

    The spammers and scammers are increasingly using this technique to obfuscate their content and evade spam and content filtering. There is little one can easily do to prevent it, due to the variety and complexity of the encodings available to them.

    You might find the encode/decode utilities useful; available online at https://toolbox.googleapps.com/apps/encode_decode/ and the UTF-8 encoder/decoder at https://mothereff.in/utf-8
     
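Decoding the fragment from post 3 the way rpvw describes, then stripping the invisible characters and folding the Cyrillic look-alikes back to ASCII so that a plain-text phrase match (the thing Elliot's message_body test needs) works again. This is an added Python example, not code from the thread or from cPanel; the homoglyph table is an assumption and deliberately partial.

```python
import quopri
import unicodedata

# Constructed sample: the Quoted-Printable fragment posted in this thread,
# with the "=" soft line breaks exactly as they appeared in the raw source.
SAMPLE_QP = (
    "You m=D0=B0=E2=80=8By n=D0=BE=E2=80=8Bt kn=D0=BE=E2=80=8Bw me =D0=B0=E2=80=\n"
    "=8Bnd y=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=80=8B prob=D0=B0=E2=80=8B=\n"
    "bly wondering why =D1=83=E2=80=8B=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=\n"
    "=80=8B getting this =D0=B5=E2=80=8B mail, right?"
)

# Cyrillic letters that render like Latin ones: the four used in the sample
# plus a few other common look-alikes. Assumption: this table is partial.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})


def decode_qp(raw: str) -> str:
    """Undo the transfer encoding: soft line breaks and =XX bytes, then UTF-8."""
    return quopri.decodestring(raw.encode("ascii")).decode("utf-8")


def normalize_body(raw: str) -> str:
    """Decode, drop invisible format characters (the =E2=80=8B runs are U+200B
    zero-width spaces, Unicode category Cf) and fold look-alike letters to ASCII."""
    text = decode_qp(raw)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return text.translate(HOMOGLYPHS)


def body_contains(raw: str, phrase: str, normalize: bool = True) -> bool:
    """Case-insensitive substring test. With normalize=False this is the view a
    filter gets of the raw, still-encoded body, which is why the match fails."""
    haystack = normalize_body(raw) if normalize else raw
    return phrase.lower() in haystack.lower()


if __name__ == "__main__":
    print(normalize_body(SAMPLE_QP))
    print(body_contains(SAMPLE_QP, "you are probably", normalize=False))  # False
    print(body_contains(SAMPLE_QP, "you are probably"))                   # True
```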
  5. Elliot Hagerty (Member; Bristol; cPanel Access Level: Root Administrator)
    Yes, you're exactly right. It's a pain that I can't easily search the message body as plain text, as that would solve the issue!

    I think I read another post from someone who's having a similar issue, with spam emails that look like they're being sent from themselves, with a similar message. Is there a good exim rule to use? Here's a header example from a typical spam email:

    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from myserver.com
        by myserver.com with LMTP id 8LjyCa3YUFzpVwAAPb2kjA
        for <[email protected]>; Tue, 29 Jan 2019 22:50:21 +0000
    Return-path: <[email protected]>
    Envelope-to: [email protected]
    Delivery-date: Tue, 29 Jan 2019 22:50:21 +0000
    Received: from apn-46-xx-xx-xxx.static.gprs.plus.pl ([46.xx.xx.xxx]:33980 helo=iquersant.us)
        by myserver.com with esmtp (Exim 4.91)
        (envelope-from <[email protected]>)
        id 1goaXN-0000a0-J7
        for [email protected]; Tue, 29 Jan 2019 21:03:18 +0000
    Received: from [24.xx.xx.xx] (helo=[192.168.1.00])
        by relay.gaonet.gov with esmtpa
        envelope from <[email protected]>
        authenticated with [email protected]
        message id 1goaX7-0000ul-pc
        for [email protected]; Tue, 29 Jan 2019 22:32:25 +0200
    Received: from [08.xx.xx.xx] (helo=[192.168.1.03])
        by relay.doralpd-fl.gov with esmtpa
        envelope from <[email protected]>
        authenticated with [email protected]
        message id 1goaX7-0000dg-az
        for [email protected]; Tue, 29 Jan 2019 22:32:25 +0200
    Date: Wed, 30 Jan 2019 00:03:01 +0300
    X-grahfreng: dengzask
    X-jushdol: yandkuk
    Mime-Version: 1.0
    Content-Type: text/html; charset="utf-8"
    From: "My Name" <[email protected]>
     
  6. rpvw (Well-Known Member; Spain; cPanel Access Level: Root Administrator)
    The holy grail of GLOBAL spam filtering is to block spam that uses your email address as the spoofed 'from' address, delivers it to your account, and originates from a remote Sender User.

    Shouldn't be a problem, should it?

    The issue is to determine if the Sender User is remote or an actual user on your server. Whilst one could do something like this pseudo-code:
    Code:
    if "$h_to:, $h_from:" contains [email protected] then ...
    this is only practical at user level, and may block you from sending a genuine copy of an email to yourself.

    There are a couple of other threads you may like to read through:
    Spam email from self
    Incoming malformed junk mail

    If you work out how to do it - please let us know :-D
     
  7. Elliot Hagerty (Member; Bristol; cPanel Access Level: Root Administrator)
    See, my first idea was the following:
    Code:
    if $header_from matches $header_to and $reply_address: does not match $header_from then
    Which in my head makes sense, as I thought '$reply_address' would be 'Return-Path'... or am I being stupid? :-D
     
  8. rpvw (Well-Known Member; Spain; cPanel Access Level: Root Administrator)
    The problem I have experienced so far is that I have been unable to get the content of one variable to be tested against the content of another variable.

    So:
    $header_from matches $header_to does not work - it tries to match the content of $header_from to the string $header_to (as opposed to the content of the variable $header_to)

    I have not been able to determine if the problem is my syntax, or if the exim filter just doesn't work that way o_O

    The docs are clear that for a "matches" test, after expansion of both strings, the second one is interpreted as a regular expression, but the statement that "An “is” test does an exact match between the strings, having first expanded both strings." suggests that each variable (string) should be expanded... I just have never made it work :(


    Hope you have better luck !
     
  9. Elliot Hagerty (Member; Bristol; cPanel Access Level: Root Administrator)
    So I've managed to get the following working fine for me:

    Code:
    if
        $header_from matches $header_to and $return_path: does not contain "amazonmail" or
        $header_from matches $header_to and $return_path: does not contain "companyname"
    then
        fail text "Your message was detected as spam. If this was by mistake, please call and inform us of the issue. Company Name."
    seen finish
    endif
    
    We send our outgoing mail through either Amazon mail or our own server, hence the two. I've thoroughly tested this, sending to a different contact, then sending an email to myself via either outgoing server, and it's working absolutely fine. The next test will be whether I still receive the spam emails.

    Not sure if this will help anyone?
     
  10. cPanelLauren (Forums Analyst II, Staff Member; Houston; cPanel Access Level: DataCenter Provider)
    Awesome, I'm glad @rpvw sent you that. To confirm, all is working well now?

    Also @rpvw your help here is fantastic, thanks!
     