Global email filter - block .co email addresses

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
I've tried to set up a global email filter to block .co emails, which I've been getting a lot of spam from lately. Typically, if I see spam coming from an email address like [email protected], I'll create a filter to block: "From contains .monster". I can't do that with .co or I'll block .com. However, the dropdown for "ends with" doesn't seem to work. With a filter "From ends with .co" I still get the messages arriving in the SPAM folder. The settings on the server are decent at flagging and tagging ***SPAM*** messages, so this is just spam box control; I'd like to keep it so nothing even lands in there either.
 

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
I've not blocked a subnet via the firewall yet. Any link or advice on how to do that for this 170.130.212.xxx?

I'm sure the problem can be addressed in different ways. I know that while some folks want to keep things more open, I'm good with tightening things down. I've even thought that if I could do something that blocked anything that wasn't .com, .net, .gov, .edu etc., then I'd consider it, since I've set up so many filters for the .monster etc. domains that I don't think I'm going to get any legit email.
 

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
Thanks keat63. I did not have CSF installed, but went into my WHM, got it installed and pasted that line into the list. Turned off test mode, so "I THINK" I've got it set and will keep an eye out for emails from that IP to see if I did anything wrong or, hopefully, never see one from there again.

Two questions please!
RESTRICT_SYSLOG says it is disabled by default. Leave that off?
I'm a bit fuzzy on the "do not delete" for the line I added, could you explain?

THANKS!
 

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
Found this in the support doc for CSF:

"If you don't want csf to rotate a particular IP in csf.deny if the line limit is reached you can do so by adding "do not delete" within the comment field,"

So I guess I don't understand what rotate a particular IP means.

 

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
Just got a SPAM message from a .co email address, so at first I thought the CSF filter wasn't working, but this came in from 185.249.203.11 according to the email header. So I guess I can just keep adding IP addresses, eh?

I never heard anything back regarding why the global email filter wasn't working for email address when using the "ending in" filtering. Any thoughts on why that is?
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
12,377
1,129
313
Houston
I tested this using the filter trace and the exact filter you used:

[Attached screenshot: Screenshot at Jul 29 17-48-01.png]

Code:
Sub-condition is false: not first_delivery
Condition is false: not first_delivery and error_message
Condition is true: $header_from: ends .co
Return-path copied from sender
Sender      = [email protected]
Recipient   = [email protected]
Testing Exim filter file "/etc/vfilters/mydomain.net"

Headers charset "UTF-8"
Save message to: /dev/null 0660
Filtering set up at least one significant delivery or other action.
No other deliveries will occur.

So, I'm unsure why your filter didn't catch this. What is in the actual headers for some examples you've received (be sure to change your domain/server information)? My assumption is that the actual header From: line does not end in .co.
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
12,377
1,129
313
Houston
To add to that last response, if my assumption is correct, maybe matching regex is the way to go? I did this as a quick and dirty version of it that will match *.co


[Attached screenshot: Screenshot at Jul 29 18-03-55.png]
 

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
Thank you Lauren. I actually googled Regex before I ever came to this forum and what I read made me go.....huh?! But I did wonder if that was something that could be leveraged. As to your previous comment about .co working, I'm looking at an email header here, but as far as I can read it, it looks like it's coming from a .co unless I'm missing something. I'll paste a header below.

Code:
Content-Type: multipart/alternative; boundary="------------893596661600190599490218"
Mime-Version: 1.0
Envelope-To: [email protected]
X-Spam-Report: Spam detection software, running on the system "xxx.xxxxxxxx.com", has identified this incoming email as possible spam.  The original message has been attached to this so you can view it or label similar future email.  If you have any questions, see root\@localhost for details. Content preview:  So it's a good balance This would require auditing the carbon footprint of the supply chain of everything sold in the UK, including imports We have had to hire people for snow removal, says Renewables [...]  Content analysis details:   (16.0 points, 3.0 required) pts rule name              description ---- ---------------------- -------------------------------------------------- 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist [URIs: defeatrank.co] 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: defeatrank.co] -0.5 BAYES_05               BODY: Bayes spam probability is 1 to 5% [score: 0.0218] 4.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=defeatrank.co;ip=185.249.203.6;r=xxx.xxxxxxxx.com] 4.0 SPF_FAIL               SPF: sender does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=aware%40defeatrank.co;ip=185.249.203.6;r=xxx.xxxxxxxx.com] 0.0 HTML_MESSAGE           BODY: HTML included in message 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/) 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100] 2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS 0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe 2.4 NORDNS_LOW_CONTRAST    No rDNS + hidden text
X-Spam-Status: Yes, score=16.0
X-Spam-Bar: ++++++++++++++++
X-Spam-Score: 160
Return-Path: <[email protected]>
Return-Path: <[email protected]>
X-Spam-Flag: YES
Delivery-Date: Wed, 29 Jul 2020 13:23:09 -0500
<CqMstnvM-re8QEArwAbYkbX3[email protected]defeatrank.co>
Received: from xxx.xxxxxxxx.com by xxx.xxxxxxxx.com with LMTP id 4N+iKY2+IV+UIAAAXIk9kg (envelope-from <[email protected]>) for <[email protected]>; Wed, 29 Jul 2020 13:23:09 -0500
Received: from [185.249.203.6] (port=53450 helo=defeatrank.co) by xxx.xxxxxxxx.com with esmtp (Exim 4.93) (envelope-from <[email protected]>) id 1k0qik-00029n-OO for [email protected]; Wed, 29 Jul 2020 13:23:09 -0500
Delivered-To: [email protected]
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
12,377
1,129
313
Houston
Yea, to be honest, I am downright awful with regex; it's just not a strong suit of mine, though I try and force myself to get better with it.

So this looks like just part of the headers, but the matching is very exact in the "ends with" and From: portions. The line needs to end with .co; none of this shows the From: line, which looks like this:

Code:
From: Lauren  <[email protected]>
Date: Thu, 2 Jul 2020 15:11:56 -0700
Message-ID: <CAF7rb1dsdfsdSEQ8Ex_fV1xVBOp_4Zvi3Q8TJ=Bza7=FDSKLJFDI(GS)R([email protected]>
Subject: Undeliverable
To: [email protected]
 

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
Okay so instead of showing headers, I viewed message raw source and I see this there that is most similar to your example:

Code:
From: " Phillip Ramirez" <[email protected]>
Date: Wed, 29 Jul 2020 13:07:52 -0500
MIME-Version: 1.0
To: <[email protected]>
Message-ID: <CqMstnvM-re8QEArwAbYkbX3[email protected]defeatrank.co>
Content-Type: multipart/alternative;
 boundary="------------893596661600190599490218"
 
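One thing consistent with the filter trace (`$header_from: ends .co`) and the raw `From:` line above: Exim's `ends` condition is a plain suffix test on the whole header value, so a header written as `From: "Name" <user@domain.co>` ends in `>` and never matches `.co`, while a bare address like the sender used in the trace test does. The Python below is an added illustration, not code from the thread, cPanel or Exim; it contrasts the raw suffix test with a check on the parsed address's top-level label and with a regex of the kind a "matches regex" rule could use. The sample headers and the regex are constructed for the example and are assumptions, not anything posted in the thread.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers (not taken from real mail). They cover the
# shapes that matter here: a bare address, a display name with angle brackets,
# a .com sender, a .co.uk sender that must NOT be blocked, and uppercase.
SAMPLE_FROM_HEADERS = [
    "sender@example.co",                          # bare address
    '" Phillip Ramirez" <sender@example.co>',     # display name + brackets
    "Someone <sender@example.com>",               # .com must not match
    "Someone <sender@example.co.uk>",             # .co.uk must not match
    "Someone <SENDER@EXAMPLE.CO>",                # case-insensitive
]


def raw_ends_with(header_value: str, suffix: str) -> bool:
    """Plain suffix test on the whole header value, the same check an Exim
    filter 'ends' condition performs on $header_from (what cPanel's
    "ends with" rule generates)."""
    return header_value.rstrip("\r\n").endswith(suffix)


def sender_tld(header_value: str) -> str:
    """Parse the address out of a From: header and return the last label of
    its domain, lower-cased. Returns "" when no address can be found."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return domain.rsplit(".", 1)[-1]


def blocks_tld(header_value: str, tld: str) -> bool:
    """True when the sender domain's last label is exactly `tld`; this is
    what "ends with .co" was meant to express."""
    return sender_tld(header_value) == tld.lower()


# Regex alternative (an assumption, not the forum's screenshot): the address
# must end in ".co" immediately before an optional '>' and the end of the line,
# so ".com" and ".co.uk" are not matched.
TLD_CO_RE = re.compile(r"@[^\s@>]+\.co>?\s*$", re.IGNORECASE)


def regex_blocks_co(header_value: str) -> bool:
    return TLD_CO_RE.search(header_value) is not None


def compare(headers=SAMPLE_FROM_HEADERS):
    """Return (header, raw_ends_with, parsed_tld_check, regex_check) rows."""
    return [
        (h, raw_ends_with(h, ".co"), blocks_tld(h, "co"), regex_blocks_co(h))
        for h in headers
    ]


if __name__ == "__main__":
    print(f"{'From header':42} ends(.co)  parsed  regex")
    for header, raw, parsed, rx in compare():
        print(f"{header:42} {raw!s:9}  {parsed!s:6}  {rx!s}")
```

Running it shows the raw suffix test succeeding only for the bare address; the parsed-domain check and the regex catch the bracketed form as well while leaving `.com` and `.co.uk` alone. Whichever rule type is used, it is worth confirming against the real `From:` line from the message source, as in the post above, rather than against the `Return-Path` or `Envelope-To` headers.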

keat63

Well-Known Member
Nov 20, 2014
1,684
180
93
cPanel Access Level
Root Administrator
Off-topic, but on the CSF thing, there are some preset profiles that you can play with.
I'm guessing that it comes out of the box with a conservative profile.

Make sure you whitelist your own IP address or subnet etc, just in case you lock yourself out.
Give yourself a back door, like your home IP/subnet and your office IP etc.

Regarding the rotate.
CSF will monitor for attacks, depending on the profile you use, it will start to blacklist IP addresses that it sees as being an attack of some sort.
It stores these in a table.
Once this table is full, IPs will start to fall off the edge to make way for new ones coming in.

This is good in the respect that the rotation could take a few weeks or a month, meaning the attacker is locked out for this period.

CSF is highly configurable and is a great tool to help keep out hackers etc.


On the original subject, I'm keen to learn why it doesn't work.
My attack plan differs from yours, so I haven't created a filter.
 
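To make the rotation keat63 describes (and the "do not delete" comment from the CSF doc quoted earlier) concrete, here is a small Python model added for this thread; it is not CSF's own code. It assumes the behaviour the thread describes: `csf.deny` holds `ip # comment` lines, the file is capped at a limit (CSF's `DENY_IP_LIMIT` in `csf.conf`), and when the cap is exceeded the oldest entries are dropped first unless their comment contains "do not delete". The file contents, the documentation-range addresses and the tiny limit are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Deliberately tiny cap so the rotation is visible; the real value is the
# DENY_IP_LIMIT setting in csf.conf (assumed model, not CSF's code).
DENY_IP_LIMIT = 4


@dataclass
class DenyEntry:
    target: str   # single IP or CIDR block
    comment: str

    @property
    def pinned(self) -> bool:
        """Entries marked 'do not delete' in the comment are never rotated."""
        return "do not delete" in self.comment.lower()

    def line(self) -> str:
        """Render back to the 'ip # comment' form used in csf.deny/csf.allow."""
        return f"{self.target} # {self.comment}" if self.comment else self.target


def parse_deny_line(line: str) -> Optional[DenyEntry]:
    """Parse one csf.deny line; blank lines and '#' comment lines give None."""
    body = line.strip()
    if not body or body.startswith("#"):
        return None
    target, _, comment = body.partition("#")
    return DenyEntry(target.strip(), comment.strip())


def load_deny(text: str) -> List[DenyEntry]:
    return [e for e in (parse_deny_line(ln) for ln in text.splitlines()) if e]


def add_deny(entries: List[DenyEntry], new: DenyEntry,
             limit: int = DENY_IP_LIMIT) -> List[DenyEntry]:
    """Append `new`, then drop the oldest unpinned entries until the list fits.
    If everything is pinned, nothing is removed and the list simply grows."""
    result = list(entries) + [new]
    while len(result) > limit:
        victim = next((e for e in result if not e.pinned), None)
        if victim is None:
            break
        result.remove(victim)
    return result


# Constructed sample file: a manually added subnet pinned with "do not delete"
# (placeholder CIDR from the documentation range, not the subnet in the thread)
# plus blocks that automatic detection would have added over time.
SAMPLE_CSF_DENY = """\
# csf.deny sample (constructed)
203.0.113.0/24 # manual: spam source, do not delete
198.51.100.10 # lfd: (sshd) Failed SSH login
198.51.100.11 # lfd: (smtpauth) Failed SMTP AUTH login
198.51.100.12 # lfd: (pop3d) Failed POP3 login
"""


def simulate(text: str, newcomers: List[str],
             limit: int = DENY_IP_LIMIT) -> List[str]:
    """Feed new automatic blocks into the file and return the surviving targets."""
    entries = load_deny(text)
    for ip in newcomers:
        entries = add_deny(entries, DenyEntry(ip, "lfd: automatic block"), limit)
    return [e.target for e in entries]


if __name__ == "__main__":
    before = [e.target for e in load_deny(SAMPLE_CSF_DENY)]
    after = simulate(SAMPLE_CSF_DENY, ["198.51.100.13", "198.51.100.14"])
    print("before:", before)
    print("after: ", after)
```

With the cap at four, adding two new automatic blocks pushes out `198.51.100.10` and `198.51.100.11` (the two oldest unpinned lines) while the pinned subnet stays. The same `ip # comment` line format applies to `csf.allow`, which is where your own home or office address belongs before `TESTING` is switched off, as keat63 advises.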

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
Thanks for that. I did inadvertently block my backup system from being able to access their sites after setting up the firewall, so thanks for this info; now that I've been through fixing that, I should be able to add some other IPs easily enough.
 

commanderclif

Member
Aug 19, 2017
13
0
1
Jacksonville FL
cPanel Access Level
Website Owner
20 SPAM messages from .co in the last 24 hours so the regex Global Email Filter isn't working. I mean there has GOT to be a way to get the filter to capture these no? Got one two days ago from a .buzz, made a filter for it, no more .buzz emails in junk folder. Please share any ideas but I'm thinking for now I might try a filter that only lets .com .net etc. come through and see how that goes.