Do email filters work on full RFC2822 address?

Do the cpanel email filters work on the entire RFC2822 email address? I am trying to filter spam emails which come from addresses of this format:

Fannie H. <[email protected]>

The pattern in all the emails is the Fannie H. part, not the actual address. I get 50 spam emails a day from people like:
Fannie H.
Peter L.
Susan R.
etc...

I wrote this regex filter: [A-Z][a-z]* [A-Z]\. \<.*\>

and i tested it with the mail filter. The mail filter suggests that it works; but i continue to get the emails. My guess would be a bug in the filter (as this should work) as well as a bug in the filter tester (since it suggests filter works; but doesn't).

 

I am not sure what you mean by "the exact filter", is their an export feature to export the rule? As i posted above the rule is a regex rule with this pattern: [A-Z][a-z]* [A-Z]\. \<.*\>

A screenshot of the cpanel config: [removed - please attach images directly in the response]

Hmm... looking through the exim log i do not see a record of the 3 emails which match this pattern which i have recently received. Very odd. I tried sending an email from an address that matches the pattern and i get a 550 request fail email returned saying the mailbox is unavailable - which sounds like it is correct. Yet, i have 3 emails since i added the filter which seem to violate the filter.

I will change the filter from discard to redirect to email to get a better idea if anything is being filtered.

 

I changed the name on my gmail account to Peter L. and tested from there and now i see entry in exim log (and email is not filtered):

2018-01-25 16:01:59 1eeoei-0004MW-M5 H=mail-vk0-f53.google.com [209.85.213.53]:38737 Warning: "SpamAssassin as admin detected message as NOT spam (-2.0)"
2018-01-25 16:01:59 1eeoei-0004MW-M5 H=mail-vk0-f53.google.com [209.85.213.53]:38737 Warning: Message has been scanned: no virus or other harmful content was found
2018-01-25 16:01:59 1eeoei-0004MW-M5 <= [email protected] H=mail-vk0-f53.google.com [209.85.213.53]:38737 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4250 [email protected]l.com T="test 8" for [email protected]
2018-01-25 16:01:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eeoei-0004MW-M5
2018-01-25 16:01:59 SMTP connection from mail-vk0-f53.google.com [209.85.213.53]:38737 closed by QUIT
2018-01-25 16:01:59 1eeoei-0004MW-M5 => peter <[email protected]> R=virtual_user T=virtual_userdelivery
2018-01-25 16:01:59 1eeoei-0004MW-M5 Completed

 

I have now added some simple filters such as "From contains" and included part of the actual email address. This also does not work. So perhaps i am missing something else here?

 

hmm.. but for the last test, redirecting to an address with my email address contained in from, i do see the redirect address listed for this email in the exim log as such:

2018-01-25 16:29:37 1eep5S-0004pr-RL H=mail-ua0-f182.google.com [209.85.217.182]:36054 Warning: "SpamAssassin as admin detected message as NOT spam (-2.0)"
2018-01-25 16:29:37 1eep5S-0004pr-RL H=mail-ua0-f182.google.com [209.85.217.182]:36054 Warning: Message has been scanned: no virus or other harmful content was found
2018-01-25 16:29:37 1eep5S-0004pr-RL <= [email protected] H=mail-ua0-f182.google.com [209.85.217.182]:36054 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4247 [email protected]l.com T="test 11" for [email protected]
2018-01-25 16:29:37 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eep5S-0004pr-RL
2018-01-25 16:29:37 SMTP connection from mail-ua0-f182.google.com [209.85.217.182]:36054 closed by QUIT
2018-01-25 16:29:37 1eep5S-0004pr-RL => junk ([email protected]) <[email protected]> R=virtual_user T=virtual_userdelivery
2018-01-25 16:29:37 1eep5S-0004pr-RL Completed

but email still shows up at original address and not the redirect one.

 

I have no option in WHM to "Create a support ticket". Perhaps i need to get my hosting company to raise the ticket.