The Community Forums


How to filter outgoing spam emails using cpanel_exim_system_filter

Discussion in 'E-mail Discussions' started by Dent, Dec 16, 2015.

  1. Dent (Registered; cPanel Access Level: Root Administrator)
    Hello,

    I have had problems with some shared web hosting clients constantly getting their Joomla installs hacked and used for relaying spam emails. Even though I teach the clients how to prevent getting hacked (upgrade to the latest versions, use anti-virus on their home computers, use strong passwords, etc.), it still happens to a few of them, too many times already.

    I figured that even if I can't prevent the site owners from getting hacked at all times, I can prevent my servers from spitting out hundreds of thousands of spam emails if it happens.

    I can then calmly clean and remove the infected files, contact the site owner, etc., without having to worry about my server IP getting banned.

    I have stopped the outgoing emails using different methods, but I find this one is the smartest, at least for me in this case. I publish my solution here so that anybody else having the same problem can try this solution and hopefully also save their IPs from getting banned or similar problems.

    ---
    How to..

    Let's say that the site that has been infected more than once is the website example.com, just as an example.
    The relayed spam emails sent out would typically look like lorena_decker@. In this example I will use lorena_decker@example.com.

    Check which email addresses your client is using for the site. My client in this example only uses info@example.com as the only email address connected to the domain. So I create a filter that will discard all other sender or reply email addresses. This is how to do it:

    You need root access to your server.

    Access and edit the file /etc/cpanel_exim_system_filter

    Add the following :

    Code:
    # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
    # (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
    # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
    # Exim filter to throw away all mail from one site, except from info
    if $reply_address contains "@example.com" and
      $reply_address does not contain "info@"
    then
      seen finish
    endif
    if $sender_address contains "@example.com" and
      $sender_address does not contain "info@"
    then
      seen finish
    endif
    # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
    
    
    I have tested to make sure this works.

    (I am sorry for the bad words they put in their spam; I have replaced them with ** so as not to offend anybody here.)


    Code:
    exigrep lorena_decker@example.com /var/log/exim_mainlog
    
    
    2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i florena_decker@example.com
    2015-12-16 19:01:53 1a9HKj-0000yx-GQ <= lorena_decker@example.com U=example P=local S=886 T="blah blah blah xxxxxxx@hotmail.com
    2015-12-16 19:01:53 1a9HKj-0000yx-GQ => discarded (system filter)
    2015-12-16 19:01:53 1a9HKj-0000yx-GQ Completed
    2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i -florena_decker@example.com
    2015-12-16 19:01:53 1a9HKj-0000z9-IS <= lorena_decker@example.com U=example P=local S=874 T="He he Babe * for xxxxxxx@hotmail.com
    2015-12-16 19:01:53 1a9HKj-0000z9-IS => discarded (system filter)
    2015-12-16 19:01:53 1a9HKj-0000z9-IS Completed
    
    

    Emails discarded! :)

    I saw in Sent Summary in this case that 187,810 emails were discarded. I can calmly remove the infected files and be happy none of those emails were actually sent out :)

    My 2 cents
     
    #1 Dent, Dec 16, 2015
    Last edited by a moderator: Dec 16, 2015
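The post verifies the result with exigrep and reads the total off Sent Summary. The script below is an added example (editor's code, not from the post) that reads exim_mainlog the same way and answers the next question a cleanup needs: how many messages the system filter discarded, for which sender, and from which directory the sendmail calls came, which points straight at the injecting script. It assumes, as the exigrep output above shows, that the "cwd=... args: /usr/sbin/sendmail ..." line for a local injection is logged immediately before that message's "<=" line, and that discards appear as "=> discarded (system filter)". The log lines embedded in it are constructed to match that format.

```shell
#!/bin/sh
# Added example (editor's code, not from the forum post): summarise what the
# Exim system filter discarded, and which directory the injecting script ran
# from, by reading /var/log/exim_mainlog in order.
#
# Assumptions: the "cwd=... args: /usr/sbin/sendmail ..." line for a local
# injection is logged just before that message's "<=" line, as in the
# exigrep output in the post, and discards show up as
# "<id> => discarded (system filter)".

# Reads log text on stdin; prints "count<TAB>sender<TAB>cwd", busiest first.
summarize_discards() {
    awk '
        # Remember the working directory of the latest local sendmail call.
        /^[0-9-]+ [0-9:]+ cwd=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^cwd=/) last_cwd = substr($i, 5)
            next
        }
        # Message arrival: "<id> <= sender ...". Attach the remembered cwd
        # only to locally injected mail (P=local); SMTP arrivals get "-".
        $4 == "<=" {
            id = $3
            sender[id] = $5
            cwd[id] = ($0 ~ / P=local( |$)/) ? last_cwd : "-"
            last_cwd = ""
            next
        }
        # The system filter dropped it: "<id> => discarded (system filter)".
        $4 == "=>" && $5 == "discarded" && $6 == "(system" {
            id = $3
            count[sender[id] "\t" cwd[id]]++
            next
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample in the format of the post's exigrep output: two spam
# injections from the hacked template directory, one legitimate info@
# message that was delivered, and one injection from another directory.
SAMPLE_LOG='2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i
2015-12-16 19:01:53 1a9HKj-0000yx-GQ <= lorena_decker@example.com U=example P=local S=886 T="blah blah blah"
2015-12-16 19:01:53 1a9HKj-0000yx-GQ => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000yx-GQ Completed
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i
2015-12-16 19:01:53 1a9HKj-0000z9-IS <= lorena_decker@example.com U=example P=local S=874 T="He he Babe"
2015-12-16 19:01:53 1a9HKj-0000z9-IS => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000z9-IS Completed
2015-12-16 19:02:10 cwd=/home/example/public_html 4 args: /usr/sbin/sendmail -t -i
2015-12-16 19:02:10 1a9HKz-0001aa-Ab <= info@example.com U=example P=local S=1200 T="Invoice 1042"
2015-12-16 19:02:11 1a9HKz-0001aa-Ab => customer@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2015-12-16 19:02:11 1a9HKz-0001aa-Ab Completed
2015-12-16 19:02:30 cwd=/home/example/public_html/tmp 4 args: /usr/sbin/sendmail -t -i
2015-12-16 19:02:30 1a9HL0-0001bb-Cd <= joe_bloggs@example.com U=example P=local S=900 T="hello"
2015-12-16 19:02:30 1a9HL0-0001bb-Cd => discarded (system filter)
2015-12-16 19:02:30 1a9HL0-0001bb-Cd Completed'

# Run the summary over the constructed sample; on a real server use
#   summarize_discards < /var/log/exim_mainlog
demo() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_discards
}

demo
```

On the sample this prints two lines: the hacked beez_20/images/system directory with 2 discards for lorena_decker@example.com, and public_html/tmp with 1; the delivered info@ message is not counted. The cwd attribution is positional, so a sendmail call that never produced a "<=" line leaves a stale cwd until the next local arrival clears it; treat an unexpected directory as a lead to check, not proof.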
  2. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
    Hello :)

    I am happy to see you were able to find a solution that worked successfully. Thank you for posting it here for others to see.
     
  3. Dent (Registered; cPanel Access Level: Root Administrator)
    Thank you, Michael. I figure if we all post our solutions somewhere online when we have them, we can all find the solutions faster if the same thing happens to you. Sharing is caring :)
     
  4. hayridumanli (Registered; cPanel Access Level: Root Administrator)
    Thank you very much for this solution, but what if the client uses more than one address, for example info@example.com, sales@example.com, import@example.com, etc.? Then how can we change the code? Something like this:

    if $reply_address contains "@example.com" and
    $reply_address does not contain "info@" or
    $reply_address does not contain "sales@" or
    $reply_address does not contain "import@"
    then
    seen finish
    endif
    if $sender_address contains "@example.com" and
    $sender_address does not contain "info@" or
    $sender_address does not contain "sales@" or
    $sender_address does not contain "import@"

    Is it OK?
     
  5. Dent (Registered; cPanel Access Level: Root Administrator)
    Great question! I would imagine that it is possible to add multiple keywords, but I am unsure about the exact syntax for Exim filters. I think you can use "and" and "or" as you did, but I'm not sure how it should be specified exactly.

    The way you have specified it would probably not work.

    Maybe this works, but you would have to test:


    if $reply_address contains "@example.com" and
    $reply_address does not contain "info@" or "sales@" or "import@"
    then
    seen finish
    endif
     
  6. estemismo (Registered; Location: España; cPanel Access Level: Root Administrator)
    Hello

    Can anyone confirm?

    Thanks
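Neither multi-address variant in the thread does what was asked. Joining "does not contain" tests with "or" is true for every address (no address contains "info@", "sales@" and "import@" at once), so it would discard mail from info@ too, and because an Exim filter evaluates and/or left to right with no precedence, the "or" tests are not even scoped to the domain check in front of them. The shorter form, `does not contain "info@" or "sales@"`, does not parse as three alternatives, since each comparison needs its own left-hand value. The script below is an added example (editor's code, not anything from the thread) that prints a fragment for the system filter with one exact `is not` test per allowed address, joined with `and` inside explicit parentheses, for both `$sender_address` and `$reply_address` as the first post does. It assumes only the documented Exim filter keywords `ends`, `is not`, `and` and parentheses, and uses the thread's domain and addresses.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): print an Exim
# system-filter fragment that keeps a short allow-list of real addresses for
# one domain and discards everything else that claims to be from it.
#
# Usage: make_domain_filter DOMAIN LOCALPART...
#   make_domain_filter example.com info sales import
#
# Design: each allowed address gets its own exact "is not" test, the tests
# are joined with "and" inside parentheses, and the domain check uses
# "ends" rather than "contains" so "@example.com.evil.test" is not
# treated as example.com. Exim filters evaluate and/or left to right with
# no precedence, so the grouping is written out rather than implied.
make_domain_filter() {
    domain=$1
    shift
    [ $# -ge 1 ] || { echo "make_domain_filter: need at least one local part" >&2; return 1; }
    # The first post tests both the envelope sender and the reply address;
    # emit one block for each.
    for var in sender_address reply_address; do
        printf '# $%s: discard mail from @%s unless it is an allowed address\n' "$var" "$domain"
        printf 'if $%s ends "@%s" and\n' "$var" "$domain"
        first=1
        for lp in "$@"; do
            if [ "$first" -eq 1 ]; then
                printf '   ($%s is not "%s@%s"' "$var" "$lp" "$domain"
                first=0
            else
                printf ' and\n    $%s is not "%s@%s"' "$var" "$lp" "$domain"
            fi
        done
        printf ')\nthen\n  seen finish\nendif\n'
    done
}

# Example run with the addresses asked about in the thread.
make_domain_filter example.com info sales import
```

For `example.com info sales import` the sender block comes out as `if $sender_address ends "@example.com" and ($sender_address is not "info@example.com" and $sender_address is not "sales@example.com" and $sender_address is not "import@example.com") then seen finish endif`, laid out one test per line, followed by the same block for `$reply_address`. Two practical notes: the header comments copied into the first post say /etc/cpanel_exim_system_filter is assembled from pieces under /usr/local/cpanel/etc/exim/sysfilter/ by /scripts/buildeximconf, so a fragment pasted there can be lost on regeneration; keeping it in a separate file selected as the System Filter File in WHM's Exim Configuration Manager avoids that. And as in the original, `seen finish` in the system filter discards the message outright, so test with exigrep on a real address from the allow-list before relying on it.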
     