How to filter outgoing spam emails using cpanel_exim_system_filter

Dent (Member, Dec 16, 2015), cPanel Access Level: Root Administrator
Hello,

I have had problems with some shared web hosting clients constantly getting their Joomla installs hacked and used for relaying spam emails. Even though I teach the clients how to avoid getting hacked (upgrade to the latest versions, use anti-virus on their home computers, use strong passwords, etc.), it still happens to a few of them, and it has already happened too many times.

I figured that even if I can't prevent the site owners from getting hacked every time, I can prevent my servers from spitting out hundreds of thousands of spam emails when it happens.

I can then calmly clean up and remove the infected files, contact the site owner, etc., without having to worry about my server's IP getting banned.

I have stopped the outgoing emails using different methods, but I find this one is the smartest, at least for me in this case. I am publishing my solution here so that anybody else having the same problem can try it and hopefully also save their IPs from getting banned or similar problems.

---
How to..

Let's say that the site that has been infected more than once is the website example.com, just as an example.
The relayed spam emails sent out would typically look like they come from [email protected]. In this example I will use [email protected].

Check which email addresses your client uses for the site. My client in this example only uses info@example.com as the only email address connected to the domain. So I create a filter that discards all mail with any other sender or reply address. This is how to do it:

You need root access to your server.

Access and edit the file /etc/cpanel_exim_system_filter.

Add the following:

Code:
# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
# Exim filter to throw away all mail from one site, except from info
# $reply_address holds the Reply-To: header, or From: when there is no Reply-To:
if $reply_address contains "@example.com" and
  $reply_address does not contain "info@example.com"
then
  seen finish
endif
# $sender_address is the envelope sender (return path) of the message
if $sender_address contains "@example.com" and
  $sender_address does not contain "info@example.com"
then
  seen finish
endif
# END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
I have tested to make sure this works.

(I am sorry for the bad words they put in their spam; I have replaced them with ** so as not to offend anybody here.)


Code:
exigrep [email protected] /var/log/exim_mainlog


2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i [email protected]
2015-12-16 19:01:53 1a9HKj-0000yx-GQ <= [email protected] U=example P=local S=886 T="blah blah blah [email protected]
2015-12-16 19:01:53 1a9HKj-0000yx-GQ => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000yx-GQ Completed
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i [email protected]
2015-12-16 19:01:53 1a9HKj-0000z9-IS <= [email protected] U=example P=local S=874 T="He he Babe * for [email protected]
2015-12-16 19:01:53 1a9HKj-0000z9-IS => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000z9-IS Completed

Emails discarded! :)

I saw in the Sent Summary that in this case 187,810 emails were discarded. I can calmly remove the infected files and be happy that none of those emails were actually sent out :)

My 2 cents
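The exigrep output above carries three pieces of evidence per message: the cwd= line naming the directory the mail was injected from, the <= arrival line with the U= account and the sender, and the => discarded (system filter) line. The script below is an added example, not code from the original post or from cPanel; it ties those lines together over a constructed slice of exim_mainlog and tallies what the filter discarded per account, directory and claimed sender, so the injecting script can be located rather than only counted. It assumes the layout shown in the post, where the cwd= line immediately precedes the <= line for locally injected mail; the message IDs, paths, addresses and subjects in the sample are placeholders, and the function names are mine.

```python
"""Tally mail discarded by the Exim system filter and attribute it to the
local account and working directory that injected it.

Added example, not code from the original post.  It parses exim_mainlog text
in the layout shown above: a 'cwd=... N args: /usr/sbin/sendmail ...' line
(written for local injections), the '<=' arrival line that follows it, and
'=> discarded (system filter)' for mail the filter dropped.
"""
import re
from collections import Counter

# Constructed sample log modelled on the post's exigrep output.  Message IDs,
# paths, addresses and subjects are placeholders, not real data.
SAMPLE_LOG = """\
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i
2015-12-16 19:01:53 1a9HKj-0000yx-GQ <= sales@example.com U=example P=local S=886 T="blah blah blah" for victim1@example.org
2015-12-16 19:01:53 1a9HKj-0000yx-GQ => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000yx-GQ Completed
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i
2015-12-16 19:01:53 1a9HKj-0000z9-IS <= sales@example.com U=example P=local S=874 T="He he Babe" for victim2@example.org
2015-12-16 19:01:53 1a9HKj-0000z9-IS => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000z9-IS Completed
2015-12-16 19:02:10 cwd=/home/example/public_html 4 args: /usr/sbin/sendmail -t -i
2015-12-16 19:02:10 1a9HL0-00010a-Ab <= info@example.com U=example P=local S=1023 T="Invoice 1042" for customer@example.net
2015-12-16 19:02:11 1a9HL0-00010a-Ab => customer@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]
2015-12-16 19:02:11 1a9HL0-00010a-Ab Completed
2015-12-16 19:02:30 1a9HLK-00011b-Cd <= bob@example.org H=(client) [198.51.100.7] P=esmtpsa A=dovecot_login:bob@example.org S=512 T="hi"
2015-12-16 19:02:30 1a9HLK-00011b-Cd => alice@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]
2015-12-16 19:02:30 1a9HLK-00011b-Cd Completed
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
DISCARD_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) => discarded \(system filter\)")
DONE_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) Completed$")


def summarize_discards(log_text):
    """Return one record per message the system filter discarded.

    Record fields: id, sender (envelope sender as logged), user (U= account,
    None for SMTP submissions) and cwd (directory of the local injection,
    None when the message did not come in via P=local).
    """
    pending_cwd = None   # cwd line seen, not yet tied to an arrival line
    in_flight = {}       # message id -> record, until Completed/discarded
    discarded = []
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending_cwd = m.group("cwd")
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            rest = m.group("rest")
            user = re.search(r"\bU=(\S+)", rest)
            proto = re.search(r"\bP=(\S+)", rest)
            rec = {
                "id": m.group("id"),
                "sender": m.group("sender"),
                "user": user.group(1) if user else None,
                # Only a local (sendmail/pipe) injection has a cwd= line.
                "cwd": pending_cwd if proto and proto.group(1) == "local" else None,
            }
            pending_cwd = None
            in_flight[rec["id"]] = rec
            continue
        m = DISCARD_RE.match(line)
        if m and m.group("id") in in_flight:
            discarded.append(in_flight.pop(m.group("id")))
            continue
        m = DONE_RE.match(line)
        if m:
            in_flight.pop(m.group("id"), None)   # delivered normally; forget it
    return discarded


def report(discarded):
    """Aggregate the discard records by account, directory and claimed sender."""
    return {
        "total": len(discarded),
        "by_user": Counter(r["user"] for r in discarded),
        "by_cwd": Counter(r["cwd"] for r in discarded),
        "by_sender": Counter(r["sender"] for r in discarded),
    }


if __name__ == "__main__":
    rep = report(summarize_discards(SAMPLE_LOG))
    print(f"{rep['total']} messages discarded by the system filter")
    for cwd, n in rep["by_cwd"].most_common():
        print(f"  {n:>6}  injected from {cwd}")
    for sender, n in rep["by_sender"].most_common():
        print(f"  {n:>6}  claiming sender {sender}")
```

On a real server, feed it the contents of /var/log/exim_mainlog (or the output of exigrep for the sender in question) in place of SAMPLE_LOG; the by_cwd counter points straight at the directory holding the injecting script, which is the part the Sent Summary total does not tell you.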

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
Hello :)

I am happy to see you were able to find a solution that worked successfully. Thank you for posting it here for others to see.

Dent (Member, Dec 16, 2015), cPanel Access Level: Root Administrator
Thank you, Michael. I figure that if we all post our solutions somewhere online when we have them, we can all find the solutions faster if the same thing happens to someone else. Sharing is caring :)

hayridumanli (Member, Jan 11, 2014), cPanel Access Level: Root Administrator
Thank you very much for this solution, but what if the client uses more than one address, for example [email protected], [email protected], [email protected], etc.? Then how can we change the code? Something like this:

if $reply_address contains "@example.com" and
  $reply_address does not contain "[email protected]" or
  $reply_address does not contain "[email protected]" or
  $reply_address does not contain "[email protected]"
then
  seen finish
endif
if $sender_address contains "@example.com" and
  $sender_address does not contain "[email protected]" or
  $sender_address does not contain "[email protected]" or
  $sender_address does not contain "[email protected]"
then
  seen finish
endif

Is it OK?

Dent (Member, Dec 16, 2015), cPanel Access Level: Root Administrator
Great question! I would imagine that it is possible to add multiple keywords, but I am unsure about the exact syntax for Exim filters. I think you can use and and or as you did, but I'm not sure how it should be specified exactly.

The way you have specified it would probably not work.

Maybe this works, but you would have to test it:


if $reply_address contains "@example.com" and
  $reply_address does not contain "[email protected]" or "[email protected]" or "[email protected]"
then
  seen finish
endif
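The thread leaves the multi-address syntax untested, so here is a version written in Exim filter syntax as an added example; it is not code from either poster. It keeps the two checks from the first post (Reply-To:/From: and envelope sender) and assumes info@, sales@ and support@example.com are the only legitimate addresses on the domain (the real addresses in the question are redacted on this page). Exim filter conditions can be grouped with parentheses and negated with not, so the allow-list is an or chain inside a not; writing "does not contain A or does not contain B" instead, as in the question, is always true for two different addresses and would discard everything. For the envelope sender, ends and is are used because $sender_address is a bare address, so addresses that merely contain the string (such as user@example.com.au) are not caught. For $reply_address the filter stays with contains, because Exim gives that variable the raw header content, which may include a display name and angle brackets, so an exact is comparison would drop legitimate mail sent as "Info <info@example.com>"; the price is that a forged From: like notinfo@example.com also passes the substring test. Two further caveats for the original approach: the posted header comments show that /etc/cpanel_exim_system_filter is generated by /scripts/buildeximconf, so rules added directly to it can be lost on regeneration; the usual practice is to copy the file, add the rules to the copy, and point the System Filter File option in WHM's Exim Configuration Manager at it. And the filter only stops mail that claims the domain; injected spam that forges a different sender domain is not matched, which is why the cwd= line in the log remains the reliable way to find the script.

```exim
# Added example: discard mail that claims to come from example.com unless the
# address is one of the domain's known-good senders.  The three addresses are
# assumed for illustration; replace them with the client's real ones.

# Reply-To:/From: header.  $reply_address is the raw header content, so
# substring tests are used here (see the caveat above).
if $reply_address contains "@example.com" and
   not ($reply_address contains "info@example.com" or
        $reply_address contains "sales@example.com" or
        $reply_address contains "support@example.com")
then
  seen finish
endif

# Envelope sender (return path).  This is a bare address, so exact tests work.
if $sender_address ends "@example.com" and
   not ($sender_address is "info@example.com" or
        $sender_address is "sales@example.com" or
        $sender_address is "support@example.com")
then
  seen finish
endif
```

After changing the filter, a quick check is to run exigrep for the domain against /var/log/exim_mainlog as in the first post and confirm that mail from the allow-listed addresses is delivered while everything else shows "discarded (system filter)".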

cPanelMichael (Administrator, Staff member, Apr 11, 2011)