Global Email Filters not working any more

Operating System & Version
Apache Version 2.4.46
cPanel & WHM Version
cPanel Version 86.0 (build 38) / CENTOS 6.10 [redacted] v86.0.38

iNiC

Member
Aug 1, 2020
13
2
3
Earth
cPanel Access Level
Reseller Owner
ISSUE:
Global Email Filters (GEF) is no longer discarding IP blocks.

EXAMPLE:
In GEF, Under RULES, choose "Any Header" > "Contains" insert IP 170.130.209.* <--- wildcard, "Action" = "Discard"

RESULT:
Spam from 170.130.209.140 to 170.130.209.149 gets through. And it's the same spam, different day, different 4th octet.

NOTES:
  • SpamAssassin (AKA 'Spam Filters') is set to "Spam Threshold Score (2.5)"
  • cPanel Version 86.0 (build 38)
  • Host PHP version: PHP 7.4 (ea-php74)
  • Apache Version 2.4.46
  • WHM / CENTOS 6.10 [redacted] v86.0.38
  • Is on 'Shared hosting.'
Thank you for your time,

~i~
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,974
921
313
cPanel Access Level
Root Administrator
Hey there! Thanks for bringing this to my attention. I tested this and confirmed it is no longer interpreting the wildcard operator properly, although entering a full IP address did work as expected.

I've created case CPANEL-36423 and you can follow along with that case using this link if you're signed in to our ticket system:

 

cPRex

@iNiC - our developers were able to reproduce the issue, but what they weren't able to reproduce was having any previous version of cPanel using a wildcard interpreter on the "contains" match. At this point, they are asking for a ticket to get submitted from a system where this type of filter used to work.

If that's possible and describes your situation, could you submit a ticket to our team so we could do some more investigating into this?
 

iNiC

> they are asking for a ticket to get submitted from a system where this type of filter used to work.
Sorry for the delay.
I've no idea how to open a ticket at cPanel. I use a "reseller" account and cannot find a way to create a ticket, except the ones that go to the Host - who BTW, told me to report it here. If the cPanel Devs know, and can replicate it, why repeat the process by opening a ticket if they already know?
> If that's possible and describes your situation, could you submit a ticket to our team so we could do some more investigating into this?
I cannot access the top menu (My Requests Submit a Request Sign In) perhaps there are Stalkers wrapped around the menu links. I count 18 of them.

Sorry I cannot provide the cPanel Devs with a Request, Ticket or fix. It would be nice if we could go back to using wild cards in the IP instead of manually adding ###.###.###.001 and then same first 3 octets and the next being 002, and so on. Makes the Global Filters useless.

I appreciate your being here to help,

~i~
 

cPRex

The devs were not able to find evidence that the previous option had ever worked before. When I said earlier that I "confirmed it is no longer interpreting" the wildcard, I was under the assumption that this behavior had worked in the past, but after testing various older versions of cPanel we were not able to make any version perform the intended behavior, which indicates this may not be a bug but how this has always behaved.
 

iNiC

> The devs were not able to find evidence that the previous option had ever worked before. When I said earlier that I "confirmed it is no longer interpreting" the wildcard, I was under the assumption that this behavior had worked in the past, but after testing various older versions of cPanel we were not able to make any version perform the intended behavior, which indicates this may not be a bug but how this has always behaved.
Has anyone come up with a way to block IPs without having to enter the full IP for every spam?
REASON WHY:
  1. loads of spam from 209.###.xxx.### where ### is legit, and .xxx are changing for spammer. I had a friend with 209 IP (gmail) his next octet might be 25, the next 217 and 50
    The spammers have a round of IPs in the 3rd octet only that is 209.50.xxx.###
Is it possible to block the IP based on a range of numbers in 2nd only, or 3rd only, or 4th, and/or all?

OR, is there a tweak that would let me block 209.*.*.* BUT let 209.200.100.100 through?
I have tried the CIDR range but that didn't work.

Thanks for your time

~i~
 

iNiC

> The devs were not able to find evidence that the previous option had ever worked before. When I said earlier that I "confirmed it is no longer interpreting" the wildcard, I was under the assumption that this behavior had worked in the past, but after testing various older versions of cPanel we were not able to make any version perform the intended behavior, which indicates this may not be a bug but how this has always behaved.
@cPRex Hello?

Yes, I got that. But why no response to my follow-up? Is no one ready to say tough luck or what?

What then is the solution? Do we have to write every single IP address out, one line at a time?
Example:
209.123.123.1
209.123.124.1
209.123.125.1 until 0 - 255 has been submitted and bog down the server?
I cannot believe that there is no decent method of blocking spam. Spam Assassin only works with a very narrow margin of old-time spam. I could set it to score of .5 but trash still gets through, and real email is discarded.

I have tried the CIDR such as 194.31.0.0/32 using a converter (IP to CIDR online converter) but 194.122.34.30 to 194.31.99.100 gets through anyway. I am willing to block all of Gmail (209.*.*.*.) or all of any so-called email host that can't deal with its spam if that's what it takes. But I don't know how.

/i
 

cPRex

I spoke with the email development team today about this and currently the only official way to get this working is to enter one IP address per line. These filters, and Exim, aren't designed to work with wildcards. We did play around with some older versions when you initially made this thread, and couldn't find any old versions of cPanel where this did work.
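
The difference between a literal "contains" match, a /32 and a wider CIDR block, as an added example that is not part of the thread and not cPanel or Exim code. `contains()` is an assumed model of a plain substring rule, the header line is constructed, and the /16 prefix is chosen here only for comparison; the IP values are the ones quoted in the thread.

```python
import ipaddress

# Constructed sample header line; the hostnames are placeholders.
SAMPLE_HEADER = "Received: from mail.example.test ([170.130.209.143]) by mx.example.test"


def contains(header, needle):
    """Assumed model of a literal "contains" rule: substring test, '*' is not special."""
    return needle in header


def cidr_size(cidr):
    """Number of addresses a CIDR block covers."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def in_any_cidr(ip, cidrs):
    """True if ip falls inside at least one of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


if __name__ == "__main__":
    # A literal '*' never appears in a real header, so the wildcard rule cannot match.
    for needle in ("170.130.209.*", "170.130.209.143"):
        print(needle, "->", contains(SAMPLE_HEADER, needle))

    # A /32 is exactly one address; a /16 fixes only the first two octets.
    print("194.31.0.0/32 covers", cidr_size("194.31.0.0/32"), "address")
    print("194.31.0.0/16 covers", cidr_size("194.31.0.0/16"), "addresses")
    for ip in ("194.31.99.100", "194.122.34.30"):
        print(ip, "in 194.31.0.0/16:", in_any_cidr(ip, ["194.31.0.0/16"]))

    # The range reported in the first post, expressed as CIDR blocks.
    print(range_to_cidrs("170.130.209.140", "170.130.209.149"))
```

CIDR blocks computed this way are only useful to a component that evaluates CIDR notation, such as a firewall; a substring rule treats them as literal text.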
 

texo

Well-Known Member
Mar 28, 2007
150
3
168
cPanel Access Level
Root Administrator
> I cannot believe that there is no decent method of blocking spam.
If those IPs are spamming your server, then why waste time creating exim filters, when you can just block the IP or CIDR at the firewall level? That way server resources are not wasted. That's what I do.
 

iNiC

> ......... you can just block the IP or CIDR at the firewall level? That way server resources are not wasted. That's what I do.

I do not have access to firewall. I have a dumbed-down WHM, on my Reseller account. Just today I discovered the Host had decided to disable the Softaculous auto-backups a while ago. It's the kind of Host I dislike the most. Now we are scrambling to set up 51 separate crons.
I do block the IP. But companies like OVH, Serverion, Gmail, and Amazon sell huge blocks of IPs to anyone that has the money. I have used an online (IP to CIDR online converter) converter for that. However, cPanel Global Email Filters seems to ignore CIDRs, so when an IP is (example) 123.456.789.50 I'll manually add .51, .52, .53 into last octet and about 10 -15 more - one per "Create a New Filter" in the Global Email Filters. Time-consuming, isn't it.
Too, when converting some block ranges, there is usually a list of CIDRs. I tested it by using CIDRs again.

I have a shared host reseller account with 52 domains (and some subdomains and domain addons). Imagine the task! So I only do my own domain and show my 51 clients 'How to' when they complain that Spam Assassin (AKA Spam Filter?) doesn't cut it. Professional Spam Filter is too heavy for most clients' wallets.

> ........server resources are not wasted
Right now, I don't care about server resources. The way we've been treated - care went out the window.

Now - for the CRON experience. I have looked through here, but they are written with the idea that the reader knows how anyway. None of the sites I've checked indicate what the "script" is. And I thought I'd have the weekend off. :)

Thanks for the tip. @texo - the help I have seen at forums here is invaluable - most of the time. Don't know what we'd do without you folk.

i