Email alias spam problems

vincentg

Well-Known Member
May 12, 2004
159
4
168
new york
Having been getting these messages for quite some time with no way to block them, I think it would be nice if cPanel could somehow add spam checking to an alias.

I have an email forward set up to send emails to my WHMCS support system and to message my cell phone.

I keep getting these messages where I believe the IPs are not real.
Email address: qNIFMgxEzc
Subject: vOUHpqERSr
Message: uRmcLypvhSPi

There is no way to block this.
 

vincentg

All I get is an IP address, and the list of IPs just keeps growing, which leads me to believe they are not real.

Never see the same IP twice.

If I create the email account, SpamAssassin works.

The header is useless as the sender is me, as I am the forwarder.
 

vincentg

There are no entries in Var/logs for these emails.
Checked all logs and see nothing.
I have two forwards set up:
One that sends it to a WHMCS PHP script.
The other that sends it to my cell phone as a message.

Both get this email.

Why there is no log entry - maybe you can shed some light on it?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,250
313
Houston
Any email that is received by the server will have a transaction present in the exim mainlog. If you view the headers, it should show you the message id (MID) and with that you should be able to search the exim log:

Code:
exigrep MID /var/log/exim_mainlog
 

vincentg

Got an entry for them if I grep the subject in exim mainlog, which for one is UJcXahesESKN.
Comes back with an email address.
I only see one for the forward to my cell phone.
There is no entry for the pipe at all if we grep pipe.php.
Other legitimate support emails do show for grep pipe.php.

I have no actual email as this is a pipe to the WHMCS support system.
All I have is:

Ticket #386619 has been opened by zZNXayuJfj.
Client: zZNXayuJfj
Department: Pre-sales
Subject: UJcXahesESKN
Priority: High
ZyGDihwvxAFq


IP Address: 98.230.46.218

At first I tried grep for zZNXayuJfj
and it returns nothing.

But this has been a problem with cPanel for a long time - if you forward emails to, let's say, your ISP email address, the spam is forwarded also!
20 years later and cPanel still cannot spam filter an alias???
Why can't this be filtered prior to the forward?

I may be able to stop these garbage emails if these email addresses I find repeat.
That is, if they use only a few email addresses which are real.

Why do I have to go through so much trouble to block a bad sender?
 

cPanelLauren

> But this has been a problem with cPanel for a long time - if you forward emails to, let's say, your ISP email address, the spam is forwarded also!
> 20 years later and cPanel still cannot spam filter an alias???
> Why can't this be filtered prior to the forward?

There's definitely a solution for this, by setting the following in the exim configuration:

"Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score" - pending you're in fact scanning mail with SpamAssassin. I will state that it has absolutely never been the best practice to forward mail like that though. For example, if you want to receive your server's email at Gmail, they allow you to import it in and act as a mail client; many other email service providers offer this as well. This way you benefit not only from their proprietary spam filtering, but also aren't having to manage the forwarding.


Are these emails actually opening tickets with WHMCS? What it sounds like is happening here is an issue that could easily be resolved by implementing a captcha on the support ticket link, if that's the case.
 

vincentg

These are the email addresses returned from grep on exim log:


Are they real? I doubt it, which leaves me no way to block these emails.

Every email gives a new IP and a new email address.
But SpamAssassin seems to be able to block it, as I tried to create the email account and the emails were blocked.
 

cPSamuelM

Technical Analyst Team Lead
Staff member
Nov 20, 2019
182
31
103
USA
cPanel Access Level
Root Administrator
Hello @vincentg,

Can you clarify what you mean by:

> If I create the email account spam assassin works.

There's usually some common characteristic in the mail logs or in the message's headers that you can use to create an effective mail filter. I would encourage you to submit a ticket using the link in my signature if you suspect that the SpamAssassin feature is not working correctly. We would be happy to access your server and review the relevant logs.
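
One common characteristic visible in the messages quoted in this thread is that the subject and the whole body are each a single letters-only word with scrambled casing. The following is an added example, not code from any poster or from cPanel, that tests for that pattern; the length range, the case-flip threshold and the sample messages are assumptions constructed from the strings quoted above.

```python
import email
import re
from email import policy

# Assumed thresholds, tuned only to the strings quoted in this thread.
TOKEN = re.compile(r"[A-Za-z]{8,16}")
MIN_FLIPS = 4

def case_flips(word):
    """Count upper/lower changes between neighbouring letters."""
    return sum(a.islower() != b.islower() for a, b in zip(word, word[1:]))

def is_random_token(text):
    """True for a single letters-only word with scrambled casing."""
    text = text.strip()
    return bool(TOKEN.fullmatch(text)) and case_flips(text) >= MIN_FLIPS

def looks_like_token_spam(raw):
    """Flag a message whose Subject and entire body are both random tokens."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    return is_random_token(str(msg["Subject"] or "")) and is_random_token(body)

# Constructed sample messages; the random strings are the ones quoted above.
SAMPLES = {
    "spam-1": "From: a@example.com\nSubject: vOUHpqERSr\n\nuRmcLypvhSPi\n",
    "spam-2": "From: b@example.net\nSubject: UJcXahesESKN\n\nZyGDihwvxAFq\n",
    "real-ticket": "From: c@example.org\nSubject: Invoice question\n\n"
                   "Hello, I was billed twice this month.\n",
    "one-word": "From: d@example.org\nSubject: JavaScript\n\nJavaScript\n",
}

def scan(samples):
    """Return the labels of the samples that match the heuristic."""
    return [name for name, raw in samples.items() if looks_like_token_spam(raw)]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

Requiring both fields to match keeps an ordinary one-word subject such as a product name from being flagged on its own.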