Global email filters override Default Address

perplex

Member
May 3, 2016
6
1
3
UK
cPanel Access Level
Root Administrator
Hello, To fight spam I've set up multiple "Global Email Filters" for a domain, however these filters now appear to have overridden the "Default Address = Discard" setting that I have in place! This means that if get an email with a 'bad word' in its body and sent to [email protected] the bad word gets matched by my filter uneccessarily instead of using its default address and the email being discarded immediately.

Can you explain why my Default Address (Discard) is being overridden by filters? I presume it's the way cPanel works - but surely there has to be a way to place the Default Address first, and then to stop processing global email filters?

Thanks in advance.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,261
313
Houston
Can you explain why my Default Address (Discard) is being overridden by filters?
I think we'd need to see the rule before I can give you an answer to this, would it be possible for you to provide it?
 

perplex

Member
May 3, 2016
6
1
3
UK
cPanel Access Level
Root Administrator
I think we'd need to see the rule before I can give you an answer to this, would it be possible for you to provide it?
Hello, I have many filters, is this of relevance? As I said it appears 'ANY' global filter rule that is added will override a users 'Default Address' Discard setting. I believe cpanel shouldn't work this way really, or there should be at least the option of placing the Default Address/discard above all filters. OK so anyway here's one of my rules -

Filter Name: SPAM Body

Body (matches regex):
(?<!=)==(?!=)|(?-i)回|V2FudCBzZXgg|(?i)Vi\/agra|pussy|****|Good\s?day!|porno|girlfriend|keylogger|\$1500|Cialis|hacked|garantie|apporter|appartient|Lyft|sexual|envoyant|sexy|Cilais|Levtira|Vigara|sensual|Online\s?Pharmacy|Debt\s?Relief|TERMINIX|antiviruses|bored

Actions1 (Redirect to email):
[email protected]

Actions2 (Stop processing more rules)
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,261
313
Houston
I think I understand what's happening now, you're saying if the spam email matches some regex in the rule it's automatically sent to [email protected] rather than (in the case of the default email) discarded.


This is due to the way that exim processes these rules. The processing for this takes place prior to the processing for the discard of email sent to the default address so the forward to happens then I'd assume that the match on the default address is hit and the message to the default address is discarded (meaning it doesn't reach the default address, just the address you're forwarding to) this behavior is expected.
 

perplex

Member
May 3, 2016
6
1
3
UK
cPanel Access Level
Root Administrator
This is due to the way that exim processes these rules. The processing for this takes place prior to the processing for the discard of email sent to the default address so the forward to happens then I'd assume that the match on the default address is hit and the message to the default address is discarded (meaning it doesn't reach the default address, just the address you're forwarding to) this behavior is expected.
Thanks for this, it's what I thought. Is there a way to get around this so that the Default Address (discard) is actioned prior to my filter rules? eg. Maybe creating a new 'regex' filter rule that mimics what cpanel Default Address/discard should be doing. Basically I would like a regex rule to:

Filter Rule = Match all emails sent to: "[email protected]"
Action = Discard
Action = Stop processing more rules

It would be really great if some genius out there could come up with a solid solution as I've spent so many days trying resolve this with no joy. My regex skills a very limited and i've hunted high and low on Google too. Thanks! :)
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,261
313
Houston
Hi @perplex


What about something like this? (keep in mind this is an extremely simple example)

Code:
if
 $message_body matches "REGEX HERE"
 and $header_to: does not contain "[email protected]"
then
 deliver "[email protected]"
 finish
endif
 

perplex

Member
May 3, 2016
6
1
3
UK
cPanel Access Level
Root Administrator
Hi Lauren, I was hoping that you could be a bit more specific if possible please, I'm not that great at regex especially of the Perl variety! I was looking for something like this -

Email To (matches regex): If Does Not Match This (john OR peter OR luke @mydomain.co.uk)
Action: Discard

Eg. So [email protected] would be discarded but
[email protected] or [email protected] or [email protected] would be accepted for delivery.

Many thanks!
 
Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,261
313
Houston
In my example I was assuming you were using your own regex to determine if mail was to be forwarded as spam. Other than that, I gave you the entire rule I'm not sure what you mean by specific?

The rule indicates if email matches "your regex" and isn't being sent to "your default address/es" then forward to your "spam email"
 

perplex

Member
May 3, 2016
6
1
3
UK
cPanel Access Level
Root Administrator
UPDATE: I've now managed to create a good regex rule to filter spam via cPanel email filters, I shall post it here to help others in my next response. I'm just adding final touches to it and wondered if anyone is able to tell me how to use 'word boundaries' in cpanel global email filters, I know cPanel uses PERL regex but I just can't get my code to work! Please show me how to match the text highlighted in red in the string below:

Match:
PCFkb2N9eXBlIGh0bWw+DQo8aHRt

Perl Regex:
What I have already: Fkb2N9.*
What did not work: \BFkb2N9\B

Basically if a spam email contains Fkb2N9 in a long Base64 string then I can deal with it, probably quarantine or disregard it as junk.
 
Last edited:
  • Like
Reactions: cPanelLauren

CanUser

Registered
Jan 2, 2020
1
0
1
Canada
cPanel Access Level
Website Owner
I think I understand what's happening now, you're saying if the spam email matches some regex in the rule it's automatically sent to [email protected] rather than (in the case of the default email) discarded.


This is due to the way that exim processes these rules. The processing for this takes place prior to the processing for the discard of email sent to the default address so the forward to happens then I'd assume that the match on the default address is hit and the message to the default address is discarded (meaning it doesn't reach the default address, just the address you're forwarding to) this behavior is expected.
I'm trying to set up something I've seen others asking: specifically, if a message is sent to "user<any_number>@mydomain.com" (eg [email protected]) it will be forwarded to a single email address (eg [email protected]). If mail is received at any other email address, it is replied to with "user not found".

I have a Default address set up to reply with a "user not found" message. I also have a Global filter set up. I've tested the filter using the test process within cPanel and it works as expected. However, when sending messages from an external source, my filter isn't working. All messages are returned with "user not found" despite being sent to a valid email address like "[email protected]" that should result in forwarding. So my messages are being processed by my Default action, even though they should have been processed by my global filter.

My understanding from the response in this thread, it that messages are processed by the global filters first, and if that doesn't result in any action, the default address action is taken. Is my understanding correct, and if so, why aren't my global filters working?

Filter is as follows:

To begins with user
Action redirect to email [email protected]
Stop processing rules.

I'm an end user of cPanel.

Thanks for your help.