Email alias spam problems

[vincentg]

Having been getting these messages for quite some time with no way to block them I think it would be nice if Cpanel can some how add spam checking to an alias.

I have an email forward setup to send emails to my WHMCS support system and to message my cell phone.

I keep getting these messages where I believe the IP's are not real.
Email address: qNIFMgxEzc
Subject: vOUHpqERSr
Message: uRmcLypvhSPi

There is no way to block this

 

[keat63]

They have to be coming from somewhere.
Do the headers reveal anything.

 

[vincentg]

All I get is an IP address which the list of IP's just keeps growing which leads me to believe they are not real.
220.246.39.206
125.208.105.212
31.163.136.38
182.74.163.250
14.169.245.243
41.47.67.122
98.153.88.118
103.220.159.202
118.69.21.150
113.172.244.179
211.75.13.207
62.48.200.140
88.85.241.182

Never see the same IP twice

If I create the email account spam assassin works.

The header is useless as the sender is me as I am the forwarder.

 

[cPanelLauren]

This is a bit confusing, these emails should be logged. Do you have root access to the server? If not are they noted in cPanel>>Email>>Track Delivery

 

[vincentg]

There are no entries in Var/logs for these emails
Checked all logs and see nothing.
I have two forwards set up
One that send it to a WHMCS PHP script
The other that sends it to my cell phone as a message.

Both get this email

Why there is no log entry - maybe you can shed some light on it?

 

[cPanelLauren]

Any email that is received by the server will have a transaction present in the exim mainlog. If you view the headers, it should show you the message id (MID) and with that you should be able to search the exim log:

exigrep MID /var/log/exim_mainlog

 

[vincentg]

Got an entry for them if I grep the subject in exim mainlog which for one is UJcXahesESKN
Comes back with an email address
I only see one for the forward to my cell phone
There is no entry for the pipe at all if we grep pipe.php
Other legitimate support emails do show for grep pipe.php

I have no actual email as this is a pipe to the whmcs support system
All I have is:

Ticket #386619 has been opened by zZNXayuJfj. Client: zZNXayuJfj Department: Pre-sales Subject: UJcXahesESKN Priority: High ZyGDihwvxAFq ​ IP Address: 98.230.46.218

At first I tried grep for zZNXayuJfj
And it returns nothing

But this has been a problem with cpanel for a long time - if you forward emails to let say your ISP email address the spam is forwarded also!
20 years later and Cpanel still can not spam filter a alias ???
Why can't this be filtered prior to the forward?

I maybe able to stop these garbage emails if these email addresses I find repeat.
That is if they use only a few email addresses which are real

Why do I have to go through so much trouble to block a bad sender?

 

[cPanelLauren]

But this has been a problem with cpanel for a long time - if you forward emails to let say your ISP email address the spam is forwarded also!
20 years later and Cpanel still can not spam filter a alias ???
Why can't this be filtered prior to the forward?

There's definitely a solution for this, by setting the following in the exim configuration:

Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score - pending you're in fact scanning mail with Spam Assassin. I will state that it has absolutely never been the best practice to forward mail like that though. For example, if you want to receive your server's email at Gmail, they allow you to import it in and act as a mail client, many other email service providers offer this as well. This way you benefit not only from their proprietary spam filtering, but also aren't having to manage the forwarding.


Are these emails actually opening tickets with WHMCS? What it sounds like is happening here is an issue that could easily be resolved by implementing a captcha on the support ticket link, if that's the case.

 

[vincentg]

these are the email addresses returned from grep on exim log

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Are they real - I doubt it which leaves me no way to block these emails.

Every email gives a new IP and a new email address.
But spamassassin seems to be able to block it as I tried to create the email account and the emails were blocked.

 

[SamuelM]

Hello @vincentg,

Can you clarify what you mean by:

If I create the email account spam assassin works.

There's usually some common characteristic in the mail logs or in the message's headers that you can use to create an effective mail filter. I would encourage you to submit a ticket using the link in my signature if you suspect that the SpamAssassin feature is not working correctly. We would be happy to access your server and review the relevant logs.