Discarding spam messages (Exim rules)

Discussion in 'E-mail Discussion' started by jtgroup, Mar 8, 2019.

  1. jtgroup

    jtgroup Active Member

    Joined:
    Nov 21, 2017
    Messages:
    30
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hello everyone,

    We have been using the following script in the advanced settings of Exim Administration Manager:

    # Inserted to block domains access
    # Local from blacklist: /etc/eximblacklist
    reject_domains:
    driver = redirect
    # RBL Blacklist incoming hosts
    domains = +eximblacklist
    allow_fail
    data = :fail: Connection rejected: $domain is manually blacklisted.

    This has been useful but I would like to make a slight adjustment to it. Currently if a spamming domain is on our custom list, e-mails will get returned to sender with the '$domain is manually blacklisted' message.

    What I would like to do is adapt the script so that no message is returned to the sender. Can anyone help me please?

    Kind regards


    James
     
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,209
    Likes Received:
    77
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I tried the exim_blacklist method, and whilst it works to a certain extent, it's a manual process.
    You'll eventually get bored of updating the file.
    Not only that, spammers just move on, so whilst you'll blacklist 'some-spammer.com' he'll only come back as 'another-spammer.com'

    As for dropping the message, I assume you'll need to blackhole them.
    How you do this, I'm not sure, but instead of allow_fail, what would happen if you tried allow_blackhole.

    Personally, I wouldn't go down the exim_blacklist route, but instead look at utilising a number of free RBLs in your exim config.
     
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,815
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    If you wanted to silently fail them you could do

    Code:
        data = :blackhole:
    
    But ultimately that wouldn't be RFC compliant.
     
  4. jtgroup

    jtgroup Active Member

    Hi Lauren,

    Thank you. Is there a way to remain RFC compliant whilst achieving what I want? I just want to prevent those messages getting to the users' inboxes and not have the sender receive notification.

    Kind regards


    James
     
  5. foxmedo

    foxmedo Member

    Joined:
    Apr 21, 2014
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have the same problem as you and I need to block some email addresses so they cannot send emails to my clients.
     
  6. jtgroup

    jtgroup Active Member

    Hi Foxmedo,

    The above does allow you to block entire domains but we are still trying to find a solution to block individual accounts from sending messages to the server. I'll let you know when I have more.


    James
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @jtgroup

    Failing with a message is the only RFC compliant solution, you really only get two choices in that respect. Subsequently, the bounce messages wouldn't be delivered if sent to a non-existent domain and would ultimately exceed Exim's retries and be removed from the queue.
     
  8. jtgroup

    jtgroup Active Member

    Hi Lauren,

    Is there a way to adjust the script so that caught messages get forwarded to another account e.g. spam@mydomain.com ?

    It would be useful to do this for a while to see which messages are getting caught.

    Kind regards


    James
     
  9. keat63

    keat63 Well-Known Member

    I don't quite understand the RFC compliance thing.

    If a server bounces an email, then this would be classed as being compliant.
    If it accepts it, but secretly drops it, who would know that it had been dropped, it can't be reported that it's been secretly dropped as by doing so, would become compliant again. ??

    So as far as anything goes, to all intents and purposes, it would appear that it's been delivered.
    So whilst we might aim to be RFC compliant, I don't fully see the point in this scenario.

    As regards blocking individual email addresses from sending to your server, CSF mailscanner will do this, but it's not free.
    Also, you could build a global filter in the user's cPanel, and keep adding to this as your list grows, but this would have to be done at user level.

    A global filter at server level would be a cool idea.
     
    #9 keat63, Mar 12, 2019
    Last edited: Mar 12, 2019
  10. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi James,

    There certainly is! The exim documentation here should be helpful in configuring this: 22. The redirect router


    I think where this originates from, is from the perspective of a system administrator in charge of managing mail on a server, it is necessary to understand why an email was bounced, in the event that a recipient server has set mail to be blackholed you'll never get any indication that the message was bounced or that there was even a problem. RFC compliance rules are geared toward benign entities not spammers.

    RFC 5321 - Simple Mail Transfer Protocol is the RFC that blackholing mail violates, if you'd like to read through it.
    SpamAssassin can do this as well and it's built in.

    The Exim system filter will do this; we also have a tutorial on managing it - How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation

    Thanks!
     
  11. jtgroup

    jtgroup Active Member

    Hi guys,

    Thanks Lauren, I'll take a look at the redirect option.

    The global filter tutorial you've got is useful but not very friendly from a sys admin point of view as you have to add all of the lines to the file for each address e.g.:

    if ("$h_from:" contains "user@example.com")
    then fail
    endif

    Would it be possible to have a different but similar rule whereby we can just add a new address per line, similar to the rule in my first thread?

    Kind regards


    James
     
  12. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi James,

    Unfortunately, each string needs to be on a separate line separated by or as follows:

    Code:
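    # Match any of the listed From: addresses; the action (fail) is the one used in the example earlier in the thread
    if
     $header_from: contains "anyaddresshere@gmail.com"
     or $header_from: contains "anotheraddresshere@email.tld"
    then
     fail
    endif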
     
  13. jtgroup

    jtgroup Active Member

    Hi Lauren,

    I changed the script's last line to this but then the spam messages started coming through again. Would you mind taking a look for me to see what the issue is as it appears making this change means that the whole custom filter is ignored?

    Kind regards


    James
     
  14. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @jtgroup


    Can you show me the filter again as well as the output from /var/log/exim_mainlog of one of the spam emails that made it through?


    Thanks!
     
  15. jtgroup

    jtgroup Active Member

    Hello @cPanelLauren,

    Sorry, it has been a while!

    I've run some tests and here is the export of the /var/log/exim_mainlog when the Exim settings are set to:
    # Inserted to block domains access
    # Local from blacklist: /etc/eximblacklist
    reject_domains:
    driver = redirect
    # RBL Blacklist incoming hosts
    domains = +eximblacklist
    allow_fail
    data = :blackhole:


    The log file shows:

    2019-05-17 16:12:11 1hReWj-000IAG-H3 H=cp162175.hpdns.net [91.238.162.175]:44076 Warning: "SpamAssassin as jtgroupco detected message as NOT spam (0.7)"

    2019-05-17 16:12:11 1hReWj-000IAG-H3 <= sending@address.com H=cp162175.hpdns.net [91.238.162.175]:44076 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3895 id=a1$

    2019-05-17 16:12:11 SMTP connection from cp162175.hpdns.net [91.238.162.175]:44076 closed by QUIT

    2019-05-17 16:12:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hReWj-000IAG-H3

    2019-05-17 16:12:11 1hReWj-000IAG-H3 => info <receiving@address.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <receiving@address.com> aInZB0vP3lziBgEA8OEBAg Saved"

    2019-05-17 16:12:11 1hReWj-000IAG-H3 Completed

    2019-05-17 16:12:11 SMTP connection from [83.223.113.157]:50124 (TCP/IP connection count = 3)



    The result was that the e-mail did get through to the recipient's inbox.

    I'd like to know what I can do to change the Exim settings so that the message is blocked but no error is sent to the sender, letting them know that the message was unsuccessful.

    If you could help me, that would be great :0)

    Kind regards


    James
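
The log in the post above records the delivery with `R=virtual_user`, which names the router that handled the message. The following added example (not part of the original thread, and not cPanel or Exim code) scans exim_mainlog text for mail from listed sender domains that was delivered by a router other than `reject_domains`. The sample log, the blacklist contents and the function name `audit` are constructed; it assumes Exim logs a blackholed delivery as `=> :blackhole: <address> R=<router>`.

```python
import re

# Constructed sample modelled on the exim_mainlog excerpt in the post above;
# message ids, hosts and addresses are placeholders.
SAMPLE_LOG = """\
2019-05-17 16:12:11 1hReWj-000IAG-H3 <= sender@spam.example H=mx.spam.example [192.0.2.10]:44076 P=esmtps S=3895
2019-05-17 16:12:11 1hReWj-000IAG-H3 => info <info@hosted.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2019-05-17 16:12:11 1hReWj-000IAG-H3 Completed
2019-05-17 16:13:02 1hReXY-000IBC-K1 <= news@blocked.example H=mx.blocked.example [192.0.2.20]:50124 P=esmtp S=2101
2019-05-17 16:13:02 1hReXY-000IBC-K1 => :blackhole: <info@hosted.example> R=reject_domains
2019-05-17 16:13:02 1hReXY-000IBC-K1 Completed
2019-05-17 16:14:40 1hReZa-000ICD-M7 <= friend@ok.example H=mx.ok.example [192.0.2.30]:41000 P=esmtps S=1500
2019-05-17 16:14:40 1hReZa-000ICD-M7 => info <info@hosted.example> R=virtual_user T=dovecot_virtual_delivery
"""

# date, time, message id, then the flag: "<=" arrival, "=>"/"->" delivery, "**" failure
LINE = re.compile(
    r"^\S+ \S+ (?P<id>\w{6}-\w{6}-\w{2}) (?P<flag><=|=>|->|\*\*) (?P<rest>.*)$"
)
ROUTER = re.compile(r"\bR=(\S+)")


def audit(log_text, blacklist, router="reject_domains"):
    """Return (msg_id, sender, router_used) for each delivery of a message whose
    envelope sender domain is blacklisted but which another router handled."""
    senders, leaks = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection notices, "Completed", warnings
        msg_id, flag, rest = m.group("id", "flag", "rest")
        if flag == "<=":
            # first token after "<=" is the envelope sender ("<>" for bounces)
            senders[msg_id] = rest.split()[0].lower()
        elif flag in ("=>", "->"):
            sender = senders.get(msg_id, "")
            domain = sender.rpartition("@")[2]
            found = ROUTER.search(rest)
            used = found.group(1) if found else None
            if domain in blacklist and used != router:
                leaks.append((msg_id, sender, used))
    return leaks


if __name__ == "__main__":
    for leak in audit(SAMPLE_LOG, {"spam.example", "blocked.example"}):
        print("delivered despite blacklist:", leak)
```

An entry in the result means the blacklist router never claimed that address, so changing its `data =` line cannot affect that message.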
     
  16. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

  17. jtgroup

    jtgroup Active Member

    Hi @cPanelLauren,

    The steps I followed are these ones:
    hostingmatters.co.uk/support/help-guides/86-server-management/46-whm-block-server-from-receiving-e-mails-from-particular-domains

    Kind regards


    James
     
    #17 jtgroup, May 20, 2019 at 2:19 AM
    Last edited by a moderator: May 20, 2019 at 4:06 AM
  18. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @jtgroup

    Troubleshooting 3rd party customizations like this is a bit beyond our ability to support, but you might also try sending the mail to /dev/null, which has the same function essentially as blackhole. I'm resending Exim's documentation on the redirect router, which is extremely useful:

    22. The redirect router
     
  19. jtgroup

    jtgroup Active Member

    Hi @cPanelLauren,

    I've taken a look and tried various changes to the 'data = :fail: Connection rejected: $domain is manually blacklisted.' line of code but nothing else works. I cannot seem to get the messages to blackhole.

    Does anyone have any ideas?

    Kind regards


    James
     
  20. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @jtgroup

    Per the exim documentation, you should be able to use blackhole or /dev/null as blackhole behaves a bit differently, more than likely it's a matter of configuration.

    A great resource for exim configuration/modifications would be the exim-users mailing list which you can find here: Exim-users Info Page

    You might also look to enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums


    Thanks!
     