How block domains that uses amazones in "Filter Incoming Emails by Domain"

[Secmas]

There are a lot of spammers that are using amazones to hide under that service, I tried to use the "Filter Incoming Emails by Domain" writing there the email address that the customer sees like per example:
enco.com.gt

but that email address is using all the following addresses from amazones and the above filter didn't work:
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com
[email protected]east-2.amazonses.com

The only part of the email that is kind of common from those senders is:
010f0176fc ... @us-east-2.amazonses.com

So, How may I can block that emails in "Filter Incoming Emails by Domain"?
I tired:
010f0176fc*.us-east-2.amazonses.com
but the filter shows an error.

Any idea?

Thanks in advance for your inputs.

 

[cPRex]

Hey there! In that interface you can't enter anything before the wildcard. You can try just using *.us-east-2.amazonses.com on that page and that will work well. Can you try that instead?

 

[Secmas]

@cPRex
Thank you for answering back.
I know I can do that but I didn't want to go for that option as I don't know if legit users from amazones are using that email server.

Instead I have created an SpamAssassin rule that is blocking that account, but I really like how the cPanel plugin works as it is a EXIM step while SpamAssassin is not.

Any idea why the cPanel app didn't block the domain that appears under the From: header as well? That will be great.

 

[cPRex]

I'm not completely sure what your last sentence means with regards to the From header settings. Can you get me more details on that?

 

[Secmas]

Sure, when I check the emails that enters into my servers, I can see the headers of the emails.

Per example, using the same info about what we are talking (I have modified some info):

Received: from e226-3.smtp-out.us-east-2.amazonses.com ([23.251.226.3]:41197)
    by server.myserver.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    (Exim 4.93)
    (envelope-from <[email protected]east-2.amazonses.com>)
    Date: Thu, 14 Jan 2021 23:39:22 +0000
To: [email protected]
From: ENCO <[email protected]>
Reply-To: ENCO <[email protected]>
Subject: =?UTF-8?Q?[Conecta_con_m=C3=A1s_clientes_desde_la_palma_de_tu_mano]?=

So, if you see the "From:" it shows the domain name that I want to block and that I have written into "Filter Incoming Emails by Domain" but it never gets blocked.
I assume that cPanel addon looks for the "evelope-from:" section of the email instead of looking into the "From:" header.

It will be great that "Filter Incoming Emails by Domain" could check for both, the envelope-from and the From: to block what we want.

 

[cPRex]

That sounds like a good feature request :D

For more advanced filter rules that let you choose what you block, you can do it in the account level through the Global Filers tool in cPanel, but there isn't an equivalent tool at the WHM level.

 

[Secmas]

Well, for now I have just wrote my own SpamAssassin rule that is global and it is working, but it is easier to add domains to the WHM plugin.
Hope cPanel could check on this.

Regards,
Sergio

 

[cPRex]

It would be best to use the link in my signature to submit a feature request, as our development team approves those and it will also let other cPanel users vote on it.

 

[Secmas]

Ok, doing it now.

Thanks.

 

[keat63]

If you can't get any of the above suggestions to work for any reason, this has been discussed on the CSF forum.

Custom REGEX rules for CSF. - ConfigServer Community Forum

 

[Secmas]

Thank you, @keat63.

That thread in ConfigServer is mine, I am the one that started that thread and wrote some of my rules in there.

What I am asking here is a little bit different.

As you know emails have a few steps when entering into the server, the First Step is mostly managed by EXIM and the fastest way to block spammers is to manage the spammer IPs in the /etc/spammeripblocks, that blocks right in the act the emails sent by the IPs that are in there. It also will block IPs that are in Barracuda, SpamCop or any other Black List that you have set in there.

Then, if the IP is not in there, the next steps will follow. One of the steps is to check the list of domains that the cPanel plugin saves at /etc/blocked_incoming_email_domains, so it doesn't require to much time from server than checking on the list if the domain is blocked there.

If the email is not blocked by EXIM, then the email will be checked by SpamAssassin rules and then any other option that you write as the REGEX rules.

In the case that I am asking, using a REGEX is out of option, as the REGEX will block the IP in the firewall and I don't want to block AMAZONES IPs, what I want is to block the offending domain.

Sorry if I extended a bit my reply