
How can I block spam emails with a fixed subject coming to several domains

Discussion in 'E-mail Discussions' started by Kent Brockman, Jul 15, 2014.

  1. Kent Brockman

    Kent Brockman Well-Known Member

    Hello guys! I'm receiving these spam emails in several domains, so I need a way to filter them at SMTP time. I know the Exim filter file can intercept this but I can't find the correct syntax.
    The purpose is to send to /dev/null the emails from any source containing a given string in the subject.
    Can anybody give some help?

    Thanks in advance!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Have you considered using the "Account Level Filtering" option in cPanel, or is this across multiple accounts? What Exim filter rule did you already try?

    Thank you.
     
  3. Kent Brockman

    Kent Brockman Well-Known Member

    Hello Michael, I've been able to solve it by using the Exim system filter file.
    Yes, this is to mitigate a spam wave coming randomly to several domains. That's why a global filter is needed.

    The solution consists in adding the following code somewhere in the middle of /etc/cpanel_exim_system_filter

    Code:
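    # Discard when either pattern matches and the message is not a bounce.
    if ($message_headers contains "DOMAIN-TO-BLOCK.com"
            or $message_body contains "TEXT PATTERN USED ACROSS ALL THE UNSOLICITED EMAILS")
            and not error_message
    then
            # Treat the message as handled and stop filtering, so it is discarded
            seen finish
    endif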
    This rule will deliver to a blackhole (/dev/null) all the messages where the headers contain the domain name to block OR the common denominator text pattern (if the spam messages fortunately have something in common, and since it is an elaborate phishing scam, they do). It just worked like a charm. :)

    It's of note that this method is the best way to stop spam when the source IP from the emails is different in every message. If the source IP were the same, I could easily block them using the Exim Configuration Manager > Blacklisted SMTP IP addresses list... or even block the IP in the firewall.
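
One way to dry-run a rule like the one above before it goes into the live filter, using Exim's filter test mode (`exim -bF`), which reports what a system filter would do without delivering anything. This is an added example, not part of the original thread; the scratch filter file, addresses and sample messages are constructed, and matching on `$h_subject:` is an assumption taken from the original question about the subject line.

```shell
#!/bin/sh
# Added example: dry-run a candidate system filter rule against constructed mail.
# PATTERN reuses the thread's placeholder; replace it with the real string.
PATTERN="TEXT PATTERN USED ACROSS ALL THE UNSOLICITED EMAILS"

# Write the candidate rule to a scratch file (never the live filter file).
write_filter() {
    cat > "$1" <<EOF
# Exim filter
if (\$h_subject: contains "$PATTERN"
        or \$message_body contains "$PATTERN")
        and not error_message
then
        seen finish
endif
EOF
}

# Emit a constructed message with the given subject ($1) and body ($2).
make_message() {
    printf 'From: sender@example.org\nTo: user@example.com\nSubject: %s\n\n%s\n' "$1" "$2"
}

# Feed one constructed message to the scratch filter in test mode.
# -bF tests a system filter; -f sets the envelope sender for the test.
test_filter() {
    filter=$1; subject=$2; body=$3
    if ! command -v exim >/dev/null 2>&1; then
        echo "exim not found; skipping filter test" >&2
        return 2
    fi
    make_message "$subject" "$body" | exim -bF "$filter" -f sender@example.org
}

# Run with the argument "demo" on a host that has Exim installed.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp) && write_filter "$f"
    test_filter "$f" "$PATTERN" "hello"       # subject carries the pattern
    test_filter "$f" "Lunch on Friday" "hi"   # ordinary mail, no pattern
    rm -f "$f"
fi
```

Checking an ordinary message alongside the spam sample shows whether the pattern is broad enough to catch legitimate mail, which matters because a matching message is discarded without notice to sender or recipient.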
     