Do email filters work on full RFC2822 address?

Jan 25, 2018
6
0
1
Ottawa, Canada
cPanel Access Level
Reseller Owner
Do the cPanel email filters work on the entire RFC2822 email address? I am trying to filter spam emails which come from addresses of this format:

Fannie H. <[email protected]>

The pattern in all the emails is the Fannie H. part, not the actual address. I get 50 spam emails a day from people like:
Fannie H.
Peter L.
Susan R.
etc...

I wrote this regex filter: [A-Z][a-z]* [A-Z]\. \<.*\>

and I tested it with the mail filter. The mail filter suggests that it works, but I continue to get the emails. My guess would be a bug in the filter (as this should work) as well as a bug in the filter tester (since it suggests the filter works, but it doesn't).
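
An added example, not part of the original post or of cPanel: it runs the posted pattern over constructed From header values that carry the same display name in different RFC 2822 forms (bare, quoted, RFC 2047 encoded) and compares that with matching on the parsed display name. `NAME_ONLY`, the function names and the example.com addresses are assumptions; whether cPanel's filter sees the raw or the decoded header is not stated in this thread.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# The pattern from the post, unchanged, applied to the raw header value.
PATTERN = re.compile(r"[A-Z][a-z]* [A-Z]\. \<.*\>")

# Hypothetical alternative: match only the decoded display name.
NAME_ONLY = re.compile(r"^[A-Z][a-z]* [A-Z]\.$")


def display_name(raw_from):
    """Decode RFC 2047 encoded words, then return the display-name part."""
    decoded = str(make_header(decode_header(raw_from)))
    name, _addr = parseaddr(decoded)
    return name


def check(raw_from):
    """Return (raw_header_match, display_name_match) for one From value."""
    raw_hit = PATTERN.search(raw_from) is not None
    name_hit = NAME_ONLY.match(display_name(raw_from)) is not None
    return raw_hit, name_hit


# Constructed sample headers; none of these come from the thread.
SAMPLES = [
    'Fannie H. <fannie@example.com>',                  # bare display name
    '"Fannie H." <fannie@example.com>',                # quoted-string form
    '=?UTF-8?B?RmFubmllIEgu?= <fannie@example.com>',   # RFC 2047 base64
    'Fannie Hill <fannie@example.com>',                # should never match
]

if __name__ == "__main__":
    for raw in SAMPLES:
        raw_hit, name_hit = check(raw)
        print(f"raw={raw_hit!s:5} name={name_hit!s:5} {raw}")
```

The quoted and encoded forms present the same name to the reader but do not contain the literal `H. <` sequence the posted pattern requires, so only matching on the parsed display name treats all three alike.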
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

Yes, it should be possible to filter the "from" name in that manner. Could you let us know the exact filter rule you created, and an example of an entry in /var/log/exim_mainlog for an email that was not properly filtered? Be sure to replace real domain names and IP addresses with examples when pasting the output.

Thank you.
 
I am not sure what you mean by "the exact filter". Is there an export feature to export the rule? As I posted above, the rule is a regex rule with this pattern: [A-Z][a-z]* [A-Z]\. \<.*\>

A screenshot of the cPanel config: [removed - please attach images directly in the response] http://take.ms/cRUNW

Hmm... looking through the exim log, I do not see a record of the 3 emails which match this pattern which I have recently received. Very odd. I tried sending an email from an address that matches the pattern and I get a 550 request fail email returned saying the mailbox is unavailable, which sounds like it is correct. Yet I have 3 emails since I added the filter which seem to violate the filter.

I will change the filter from discard to redirect to email to get a better idea if anything is being filtered.
 
I changed the name on my Gmail account to Peter L. and tested from there, and now I see an entry in the exim log (and the email is not filtered):

2018-01-25 16:01:59 1eeoei-0004MW-M5 H=mail-vk0-f53.google.com [209.85.213.53]:38737 Warning: "SpamAssassin as admin detected message as NOT spam (-2.0)"
2018-01-25 16:01:59 1eeoei-0004MW-M5 H=mail-vk0-f53.google.com [209.85.213.53]:38737 Warning: Message has been scanned: no virus or other harmful content was found
2018-01-25 16:01:59 1eeoei-0004MW-M5 <= [email protected] H=mail-vk0-f53.google.com [209.85.213.53]:38737 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4250 [email protected]l.com T="test 8" for [email protected]
2018-01-25 16:01:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eeoei-0004MW-M5
2018-01-25 16:01:59 SMTP connection from mail-vk0-f53.google.com [209.85.213.53]:38737 closed by QUIT
2018-01-25 16:01:59 1eeoei-0004MW-M5 => peter <[email protected]> R=virtual_user T=virtual_userdelivery
2018-01-25 16:01:59 1eeoei-0004MW-M5 Completed
 

cPanelMichael

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.
 
Hmm... but for the last test, redirecting to an address with my email address contained in from, I do see the redirect address listed for this email in the exim log as such:

2018-01-25 16:29:37 1eep5S-0004pr-RL H=mail-ua0-f182.google.com [209.85.217.182]:36054 Warning: "SpamAssassin as admin detected message as NOT spam (-2.0)"
2018-01-25 16:29:37 1eep5S-0004pr-RL H=mail-ua0-f182.google.com [209.85.217.182]:36054 Warning: Message has been scanned: no virus or other harmful content was found
2018-01-25 16:29:37 1eep5S-0004pr-RL <= [email protected] H=mail-ua0-f182.google.com [209.85.217.182]:36054 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4247 [email protected]l.com T="test 11" for [email protected]
2018-01-25 16:29:37 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eep5S-0004pr-RL
2018-01-25 16:29:37 SMTP connection from mail-ua0-f182.google.com [209.85.217.182]:36054 closed by QUIT
2018-01-25 16:29:37 1eep5S-0004pr-RL => junk ([email protected]) <[email protected]> R=virtual_user T=virtual_userdelivery
2018-01-25 16:29:37 1eep5S-0004pr-RL Completed

But the email still shows up at the original address and not the redirect one.
 

cPanelMichael

Hello,

Yes, if you only have reseller access, please report the issue to your web hosting provider so they can take a closer look. They can then open a support ticket with us if necessary.

Thank you.