Help needed with Global Filters (body regex)

[Alain Gagnon]

Hello!

We have a client who wants to redirect emails containing certain attachments to another email address for review, but I'm having some problems making a body regex that works without issues for his needs. Ex, [email protected] receives an email with a zip file, that needs to be copied to [email protected] instead.

At first, I put in a body matches regex condition with this statement:
Content-Disposition: attachment; filename=".*.zip"
Only to notice that CPanel removed the " symbol when I edit the filter anew. I figured I'd try it, but the end result is that even if an attachment is not a zip file, if the letters zip are found later in the email, the .* in the regex catches the letters and matches the filter.

I then tried to emphasize the . and the " by putting escaping them with a \ but that didn't work as well as I would have liked, the filter did not work.
Content-Disposition: attachment; filename=\".*\.zip\"
Filter error: error while compiling regular expression "Content-Disposition: attachment; filename=\".*\.zip\": \ at end of pattern at offset 52

Doubling them was recommended elsewhere, but while CPanel accepted the filter then, it's not matching it as I test it.

As I am not a guru with regexes, I'm turning here for help if somehow can help me along with a pointer or a solution that would work!

Thanks for your time!

 

[Alain Gagnon]

I've had more time to play around with this, and I think I found a (manual) solution that works for now, but is not optimal in the long run. After searching around for posts, I've found a not supported way to edit the filters by doing this:

1- create 2 global filter rules, 1 that will be used, the second one a dummy that hopefully never matches (ex: to address [email protected])
2- delete the /home/user/.cpanel/filter.cache file
3- edit the /home/user/.cpanel/filter.yaml file with the syntax I want, ex:

rules:
-
match: matches
opt: or
part: $message_body
val: "Content-Disposition:.*attachment.*filename=\".*zip\""
-
match: matches
opt: or
part: $message_body
val: "Content-Disposition:.*attachment.*filename=\".*rar\""

4- Once the yaml filter file seems correct, edit the 2nd rule, and just save it, which will recreate the filter.cache file and migrate the settings to /etc/vfilters/domain_name

Once that's done, the yaml file is stripped of the " and the \" become simple " so it can't be reused without manual modifications, so I keep a backup of the syntax for further modifications if needed.

I assume that it's an unintended effect, or that I'm not aware of a more proper way to escape characters to match what I want it to match, but it works for now.

If any CPanel admins wanna chime in and tell me if it's worth opening a support ticket for this, or if I'm clearly not using the solution in a proper way, I'd be happy to proceed!

 

[cPanelMichael]

Hello,

You may also find the following thread helpful when researching different methods of implementing filter rules for zip files:

Reject emails with ZIP files containing EXE files

It's different than the specific rule you are seeking, but offers some insight you may find helpful.

Thank you.