SOLVED Global email filter - block .co email addresses

d_j_wills

Active Member
Aug 4, 2020
38
8
8
Silicon Valley
cPanel Access Level
Website Owner
I have this same problem. I don't want to block .co, but I would like to block .buzz and a bunch of other bogus domains. And doing the same type of filter such as ends in .buzz, discard does not work! I've spent hours with my hosting company and they have no answer.

Sorry to learn when coming to cpanel forums that this is a more wide-spread problem.

d.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
To add to that last response, if my assumption is correct, maybe matching regex is the way to go? I did this as a quick and dirty version of it that will match *.co


The regex example I used here should work. Did you not try this?
 

d_j_wills

Hi Lauren,

Thanks for the reply. I installed the filter shown in the attached picture last night. This morning I received spam from this domain. Here is the spam, with my private information removed:

From john.sartoris-************@improssifish.work Fri Aug 07 08:41:11 2020
Received: from [170.130.213.54] (port=54760 helo=mail.improssifish.work)
by ********** with esmtp (Exim 4.93)
(envelope-from <john.sartoris-*******@improssifish.work>)
id 1k44UZ-009x82-HS
for *******; Fri, 07 Aug 2020 08:41:11 -0700
Received: by mail.improssifish.work id h5m8r00001g0 for <*******>; Fri, 7 Aug 2020 13:35:45 -0400 (envelope-from <john.sartoris-*******@improssifish.work>)
Date: Fri, 7 Aug 2020 13:35:45 -0400
From: "John Sartoris" <[email protected]>
To: <*******>
Subject: You've Been Nominated for inclusion with Who's Who…

Thanks again for your help!

Regards,

Dave
 


cPanelLauren


d_j_wills

What is the output when you put [email protected] in the Filter Test box in the Create a New Filter screen??

I wonder if something like this would work better: Blocking all cPanel users from emailing specific domains/email accounts
Sigh. This is the response:

Save message to: /dev/null 0660
Filtering set up at least one significant delivery or other action.
No other deliveries will occur.


I know I deleted all the spam in the BoxTrapper queue after creating the filter *yesterday*. Yet the time stamp on this spam is from this morning. So this is very conflicting information.

I'll keep an eye out today, and add that filter template for other bogus domains that are hitting me.

Thanks again.

Dave
 

d_j_wills

I continue to get spam from email addresses that show as sent to /dev/null if I test them. This is 3 hours after I installed the filters.

This is the latest one captured by Track Delivery:

bobby-coleman-<myuser>=<mydomain>[email protected] | Aug 7, 2020, 3:26:15 PM | <myuser>@<mydomain>com | Accepted

I assume (?) that BoxTrapper is running after Track Delivery. Regardless, the spam is reaching my inbox even though BoxTrapper is configured to delete.

?
 

tonyquart

Registered
Aug 8, 2020
1
0
0
Miami
cPanel Access Level
Website Owner
I also want to filter .buzz, because for the past few days I have been getting multiple spam messages from this domain. I checked spam directory websites like IP Address Lookup - Home page and found that some people have also been reporting emails from these .buzz domains as spam for weeks. I will wait until your problem is solved and then I will try it, too.
 

d_j_wills

Looks like nobody, including cpanel, really knows what's going on here. Let me review the problem:

A global email filter can be created using regex to delete spam with a filter such as "^.*\.buzz$"

The filter can be tested and does indicate the spam will be delivered to /dev/null 0660.

But even though the filter sees the spam, it is still delivered to the recipient and not /dev/null.

I believe I've shown this in my posts. (PLEASE correct me if I'm wrong!) So that indicates there is a failure in BoxTrapper.

Help!
 

commanderclif

Member
Aug 19, 2017
17
0
1
Jacksonville FL
cPanel Access Level
Website Owner
I'm fairly certain that when I create a unique .something email filter that it blocks those from going to my SPAM folder.
Attaching what I just added for .buzz since I don't see where I've made one of those in the past, nor think I've been getting any from that but will keep an eye and see if any make it through. I'm still waiting to see if I get .co ones to come in, I've had a few days of nothing but in SPAM right now are 35 messages from the last two days or so that all have .com endings. sighhh I hate spam. At one point I even turned on some filter that mail can only come from certain countries of origin but I'm sure a simple VPN set up would allow SPAMers to get around that.
 


d_j_wills

commanderclif,

I am not a cpanel expert, nor do I play one on TV. I believe your filter will work, but it will have other (possibly unintended) consequences. Not only will it block all email from [email protected], but it will also block all email from [email protected]. Maybe you don't care about .buzz, but other domains will cause deletion of probably desired email. It would be pretty easy to get an email from somebody.co<something>@somewhere.com.

Have you ever gotten CpanelLauren's regex filter to work?

Dave
 

d_j_wills

Next, I investigated Spam Experts. At first I thought this would be a great tool. Unfortunately, there is almost no documentation on how to use it (available to me, at least). For example, there are multiple selections for blacklist. Which one to use? And when I configured it, the configurations would disappear (i.e., no Save button). It looks like this would be a great spam blocking tool, if it was documented and it works.

I never used Spam Assassin because even at reasonable levels it would declare valid emails as possible spam. It does this by putting lots of junk headers into the email. (I was being spammed by Spam Assassin!) And then if you reply to that email without editing the headers, your reply has the same spam in it that Spam Assassin added to the incoming mail. Not a good thing when replying to customers.

I might have stumbled into a solution that might work. (I still need to confirm it isn't blocking valid mail.) Spam Assassin has a blacklist that appears to work, unlike Spam Experts or Global Email Filter. So I set the Spam Assassin threshold really high (20) so almost nothing is declared spam, and then added the bogus domains like .buzz to the Spam Assassin blacklist. I still use Global Email filters to block spam from repeat spammers who use domains I care about, such as .com and others.

YMMV.

Dave
 

commanderclif

I can confirm I've not gotten any SPAM as of late from a .co but unsure if it is the regex that is catching it or just senders not using that lately. I can admit I hadn't thought about aldrin.buzz emailing me...he usually uses his buzz.aldrin account when he hits me up, hehe but I do take your point. Since it's just my wife and I using this cpanel email account and us being a tiny company, I'm more interested in locking things down than possibly hanging someone up. But to your point, if the spam filter tool of "ends in" worked, which I seem to have not been able to get to work successfully, then "from" "ends with" .buzz would be the best fix.
 

d_j_wills

AFAIK, cPanel has not given an answer that resolves this. I think I said before I'm not a regex expert, but I'm certain that the regex filter "^.*\.buzz$" does not work.

I've looked more into regex to confirm that the '\' escapes special characters. I believe the '.' (dot) character means match any single character ('*' for one character). So "\." should match a dot. And that makes me believe "ends with" "\.buzz" should work.

I've created multiple Global Email Filters that contain "ends with" "\.<domain>" and I can see that at least *some* of the spam is getting through. (I say "some" because it's not clear if spam is being deleted or none is coming in. I have questions about Track Delivery which I will post elsewhere.)

Dave
 

d_j_wills

My last post on this thread...

Blocking by IP address isn't a good solution (for me). There are too many IP addresses from foreign countries to block. Even .htaccess isn't a good solution because you (I) need to update too often.

After much help from my domain host, I've found a couple filters that "seem" to work:

"matches regex" [email protected]+\.<TLD>

or for more unique filters:

"matches regex" [email protected]<somewhere>.<TLD>

Dave
 

commanderclif

Hey Dave -
Been awhile since I hit this page. I don't get email notifications to replies here, I'll figure out if that is something I can fix later, but can you give me any understanding to what the regex is you did here to get it working? I'm a noob at regex so looking at this I'm not sure what I would leave as is vs. what I would change to make a new filter. Like if I wanted to filter .co ending without .com or if I wanted to use this to block .deal or something. Thanks for keeping the thread alive!
 

cPanelLauren

The TLD portion of the filter @d_j_wills notes can be any TLD, so .com or co would work.


Also @commanderclif you can change your notification preferences for the forums by clicking your username on the top menu bar -> Select Preferences -> scroll down to Content Options

You'll see settings for the following:

  • Automatically watch content you create…
    • and receive email notifications
  • Automatically watch content you interact with…
    • and receive email notifications
Select which you'd like and for new posts, you'll get notified according to these.

I took the liberty of selecting yes for you on Automatically watch content you create and Automatically watch content you interact with, but I left the email notifications set to no as I feel that is something you should choose for yourself.
 

d_j_wills

Sorry, I didn't get an email from your post either. (Looked at Lauren's note, but all my checkboxes are checked saying I should get emails. ???)

The regex filters are too generic for me to want to use them because they occasionally block valid emails. I've determined how to block bogus or unwanted domains, but it's cumbersome. With Lauren's help, I found email coming from [email protected] (as an example), could also come from <[email protected]>. But an ends with filter on ".buzz" would not catch an ends with ".buzz>", and an ends with ".buzz>" would not catch an ends with ".buzz". If you can get either in the from address, you need to have 2 different filters.

Once doing this, I was able to cut spam way down.

Dave
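
Added example, not part of the thread and not cPanel's or Exim's own code: a Python model of the filter types discussed above, run against constructed From: header values, showing why "ends with .buzz" misses the angle-bracket form and why a "contains" rule also hits a local part such as aldrin.buzz. The rule names, the regex and the sample addresses are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Constructed From: header values (not taken from the thread).
SAMPLES = {
    "bare":      "promo@deals.example.buzz",
    "bracketed": '"Promo Team" <promo@deals.example.buzz>',
    "localpart": "aldrin.buzz@somewhere.example.com",
    "legit":     '"Alice" <alice@example.com>',
}

# Hypothetical rules modelled on the filter types mentioned in the thread.
RULES = {
    "ends with .buzz":  lambda h: h.endswith(".buzz"),
    "ends with .buzz>": lambda h: h.endswith(".buzz>"),
    "contains .buzz":   lambda h: ".buzz" in h,
    # One regex for both forms: the TLD must come after the "@" and may be
    # followed by a closing angle bracket before the end of the header.
    "matches regex": lambda h: re.search(
        r"@[^@\s<>]+\.buzz>?\s*$", h, re.IGNORECASE) is not None,
}

def rule_hits(rules=RULES, samples=SAMPLES):
    """Return {rule name: sorted sample names that the rule would discard}."""
    return {name: sorted(key for key, hdr in samples.items() if rule(hdr))
            for name, rule in rules.items()}

def sender_tld(header_value):
    """Parse the header and return the lower-cased TLD of the address domain."""
    _display_name, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2]
    return domain.rpartition(".")[2].lower()

def blocked_by_tld(header_value, blocked=frozenset({"buzz"})):
    """Decide on the parsed domain instead of the raw header text."""
    return sender_tld(header_value) in blocked

if __name__ == "__main__":
    for name, hits in rule_hits().items():
        print(f"{name:18} discards: {hits}")
    for key, hdr in SAMPLES.items():
        print(f"{key:10} tld={sender_tld(hdr):5} blocked={blocked_by_tld(hdr)}")
```
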