Filter Incoming Emails by Domain

keat63

Well-Known Member
Nov 20, 2014
1,548
140
93
cPanel Access Level
Root Administrator
Is it possible to use this feature where a spammer is using a common string in a domain name?
I've no doubt that these are made-up, throw-away domain names, but of late I'm seeing lots of spam coming from names containing the string 'compario'.

e.g.:

[email protected]_something.com
[email protected]_another.com
[email protected]_somethin_else.com

This has happened in the past with other phrases.
How would I create a rule on the 'Filter Incoming Emails' tool, based on the compario phrase?
I tried *@compario*.*, but the tool complains.

keat63

These were all coming from somewhere like Brazil, so in the short term I blocked the IP subnet in CSF.
However, I guess there's a chance that it will shift servers, and possibly start all over again with a different domain name.

The word compario appeared in all the sent-from addresses, but they changed the domain name slightly in each one.
Literally along the lines of:

[email protected]
[email protected]
[email protected]

Each time the IP changed, each time the email address changed slightly.
We got bombarded for a while.

keat63

I had a custom filter based on a TLD.
Code:
# /usr/local/cpanel/etc/exim/sysfilter/options/inbound_tld_block: add the following
# Parentheses make the grouping explicit: first delivery attempt AND any .icu match
if first_delivery
   and (   ("$h_to:, $h_cc:" contains ".icu")
        or ("$h_from:" contains ".icu") )
then
  seen finish
endif
This was working well to block .icu domains.

I modified this to:

Code:
# Same grouping as before, with the compario tests added inside the parentheses
# (the two "[email protected]" strings are shown as they appear in the post)
if first_delivery
   and (   ("$h_to:, $h_cc:" contains ".icu")
        or ("$h_from:" contains ".icu")
        or ("$h_to:, $h_cc:" contains "[email protected]")
        or ("$h_from:" contains "[email protected]") )
then
  seen finish
endif
Now it doesn't work at all: not only does it not block the compario emails, the .icu ones are now getting through.

Any ideas?
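One way to write this rule so that the grouping is explicit and the slightly different compario domains are all caught by a regular expression, as an added example for this thread rather than code from the original posts. It assumes the rule lives in the same inbound_tld_block options file, that the spam domains all begin with "compario", and that the sender domain is available as Exim's $sender_address_domain.

```exim
# Added example (not from the original posts). Intended for
# /usr/local/cpanel/etc/exim/sysfilter/options/inbound_tld_block.
# The outer parentheses make the grouping explicit: the message is dropped only
# when this is the first delivery attempt AND at least one inner test matches.
if first_delivery
   and (
          ("$h_to:, $h_cc:" contains ".icu")
       or ("$h_from:" contains ".icu")
       # envelope sender domain, e.g. compario_something.com (constructed sample)
       or ("$sender_address_domain" matches "^compario")
       # visible From: header; the regex allows the changing suffix, and the
       # literal dot before the TLD is escaped as \\. inside the quoted string
       or ("$h_from:" matches "@compario[a-z0-9_.-]*\\.com")
       )
then
  seen finish
endif
```

Before relying on it, the compiled system filter can be exercised against a saved message with `exim -bF <filter file> -f <sender address> < message.eml`, which reports which action the filter would take without delivering anything.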

keat63

This just got strange now.
The rule I had working a few days ago worked a treat on .icu TLDs.
I messed about with it to restrict something else, whereupon it stopped working.

Today I rolled back to just the .icu TLD, but this isn't working either now.

Code:
# .icu-only rule, grouped explicitly
if first_delivery
   and (   ("$h_to:, $h_cc:" contains ".icu")
        or ("$h_from:" contains ".icu") )
then
  seen finish
endif
Can anyone spot anything wrong or offer any advice why it should have stopped working?
I've re-saved exim config and restarted exim.

I do use CSF mailscanner; can this have any bearing? Although it worked great a few days ago.

keat63

Further update.

I noticed last night that exim config has the system filter file as etc/antivirus.empty (maybe a mailscanner thing?).
I checked that file and my code is listed inside this file.

Yet I came in this morning to another 30 or so spammy emails from .icu domains.

When I started toying with the exim filter last week, I removed the .icu entry from 'filter incoming emails by domain'.
So this morning I re-added it, and now .icu domains are being blocked.

My conclusion is that either the system filter just doesn't work, or it doesn't work based on the above rule set.

keat63

I'm not quite sure exactly what you mean, so here goes.

Using ConfigServer Explorer, I'm editing the file /usr/local/cpanel/etc/exim/sysfilter/options/inbound_tld_block
and adding the above ruleset.

Go to exim config and ensure the file is defined and enabled in the filters tab.
Save exim config, which regenerates the config and restarts exim, and for good measure restart mailscanner.

Again using CS Explorer, locate and open the file /etc/antivirus.empty to confirm that my ruleset is defined.
During the regen, I can see a message about /etc/antivirus.empty being switched on.

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,366
799
263
Houston
Save exim config, which regenerates the config and restarts exim, and for good measure restart mailscanner.
This is what I was looking for. I wanted primarily to see if the configuration was being rebuilt. Because you're running MailScanner, I'm actually a bit concerned these changes aren't being recognized by it properly, since everything goes into antivirus.empty.

What version of Exim and MailScanner are you on?

cPanelLauren

I don't run mailscanner and I do run an edge server. Though right now edge is v86, which is also RELEASE and CURRENT (we've just released today), so everyone should be on the same version of exim I am:

Code:
exim --version
Exim version 4.93 #2 built 23-Dec-2019 18:18:10
I noticed you're on a lower version, what version of cPanel are you on?

And I'm not having this issue with my custom filters, so I am concerned that either there's an older case regarding MailScanner that is affecting you, or something is up with the version of MailScanner you're using, which is a bit behind their current stable release, 5.2.1-1.

keat63

I was on 84.something, but this evening I just updated to 86.0.4.

Exim version 4.93 #2 built 23-Dec-2019 18:18:10

I'm not seeing any notice about an update to mailscanner though, and I only installed this about 3, maybe 4, weeks ago when I migrated servers.
I just forced an upgrade and I'm still on 5.0.2.

I spotted 5.2.1-1 on GitHub, but I think maybe there's another application named mailscanner, and we are looking at the wrong one.

keat63

Going slightly off track, but ultimately it's probably all related.
It seems that 5.2.1-1 may be the same mailscanner.
I assumed it was branded by CSF!!!

The MSFE install page (where I installed Mailscanner from) suggests that their install script might not be the most current version, hence 5.0.2.
Upgrading to 5.2.1, though, is a minefield.
I spent the best part of an hour trying to figure out how to perform this and ended up nowhere.

Reply from CSF:

'We do not use the Mailscanner script that is developed and published on Github. We forked our own version a few years ago. We monitor the "official" MailScanner but at this time there are no new features or fixes that affect the use of MailScanner on cPanel servers.'

cPanelLauren

That's super odd, because I got the MailScanner site from ConfigServer, where they link to it: ConfigServer MailScanner Front-End for cPanel.

So I assumed that since they were linking to it they were using that version; mistakenly, I guess. There are some changes in v86 that will impact MailScanner (I believe), since we changed some libraries exim depends on. What is the status of the filters now?

keat63

Since I couldn't get the filter to work, I'm back to using 'filter by domain' (gone full circle).

I'm on a war path at the moment, so I'll get a chance to have a play with the filters when I next see a bombardment.