How to block emails by wildcard across a server

[martin MHC]

Exim Version 4.91-5 WHM version 78.0.23

There are many email domains that are receiving spams from the same source emails,

SpamAssassin is impractical as this blocks wildcard domains only on a per-account basis.

What I want to do:
-- Check a sending domain matches a set pattern or a wildcard pattern, and if so discard silently across any server account.

What I have read so far...
I have read various topics on this:

• - Exim Blacklist Domains Issue
• - https://forums.cpanel.net/threads/block-incoming-emails-from-domain.606795/
• - deano.me/2016/05/how-to-block-emails-by-domain-in-whm-exim/
• - unix.stackexchange.com/questions/213537/regex-usage-in-exim-filtering

And the documentation on applying Exim rules.

- How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation

However, The example on the WHM Documentation is simple and does not reference wildcarding. I have set up a file per the documentation and reading links above, thus:

if
  $h_from: contains "@example.com"
  or $h_from: contains "@example.net"
  or $h_from: matches ".*@.*\.example\.org$"
  or $h_from: matches ".*@.*\.icu$"
#then noerror seen finish
then
  deliver "SpamTest <[email protected]>"
  seen finish
endif

The Exim Documentation on PCRE ( Exim Specification - Regular expressions ) states that in "matches" that single backslashes are enough (rather than double) and that dollar signs do not need escaping.

And this seems to stop the "Contains" but I suspect this rule also seems to be failing for all emails. I received reports that at least one client has received no emails since this was put in place.

What I would like to achieve

I am trying to set a single cannonical location on the server to list PCRE email from accounts that should be silently blocked from all server accounts.

I need so far:

• - To block anything from @example.com (this works)
• - To block anything from @example.net (this works)
• - To block anything from any email shaped as <anything>@<anything>.example.org
• - To block anything from any email shaped as <anything>@<anything>.icu

From the stackexchange link above I also ran the "/usr/sbin/exim -bF <scriptfile> -f <sender>" but this returned nothing; so was ambiguous (I am a litte fishing in the dark, here) .

What is the best way of achieving this aim, Once I'm confident of the PCRE working I can add further domains to the list.

Thank you.

 

[Infopro]

I understand that this might not be what you're after, but I use MailScanner Front End for this. With all the new domain extensions being used for spam these days, this makes blocking them one by one, a little easier.

 

[cPanelMichael]

Hello @martin MHC,

I realize this thread is a couple of months old, but I wanted to let you know that cPanel & WHM version 84 includes a new feature that addresses one of the needs you expressed in your post here:

Implemented case CPANEL-28808: Give Exim the ability to block incoming mail from domains.

While it doesn't provide for support for blocking individual email addresses through wildcards, it does make blocking individual domains and subdomains easier to manage. Here's a glance at this feature as seen in WHM >> Email >> Filter Incoming Emails by Domain on a server running cPanel & WHM version 83.9999.137 (this is a development build for version 84):



I encourage you to submit a feature request if you'd like to see this feature expanded for more use cases.

Thanks!

 

[martin MHC]

@cPanelMichael Many thanks for updating me on this development, this looks excellent. I'm happy enough with domain level blocking (from experience it seems usual for the majority of specific spam addresses to come from nonsense domains anywho) that this new system offers. Looking forward to the release of WHM 84. Thanks again.