Greatgonzo

Hi

I'm trying to block a prolific email spammer... To cut it short, I have identified a somewhat unique snippet pattern in the source of the HTML.

I have tried using the plain HTML and a regular expression of this snippet and neither is working... I'll try pasting the HTML here, but I'll also attach a .png of the 100% correct snippet just in case.

HTML:
color:#fff;text-decoration:none;'></a><br /><img style='width:1px;height:1px;'

Can someone please advise me on the correct filter to use to catch this.

Thank you!
 


cPRex

Staff member
Hey there! Using a single pixel link is kind of old-school, but it still can cause issues. I would recommend making sure you have the following option enabled in WHM >> Tweak Settings:

Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)

as that will keep automated scripts and forms from being able to send mail. That may be all you need to get this taken care of. It would also be good to know how the HTML code injection is happening in the first place, so having your users that have access to that account perform a local scan of their machine may also be a good plan.
 

Greatgonzo

Hi, thank you for replying.

I don't know if I'm misunderstanding what you're saying. I'm trying to BLOCK all emails which have that HTML code snippet embedded. I'm getting bombarded by emails, obviously originating from the same sender, but the content is very different.

The format of these emails however is always the same... and the only consistent snippet (that I can tell wouldn't impact banning other HTML emails) is this..

HTML:
color:#fff;text-decoration:none;'></a><br /><img style='width:1px;height:1px;'

Do you know what filter I could set in cPanel to make sure I can block incoming emails with this snippet?

Thank you!

 

cPRex

Staff member
Hey there! If the sender is always the same, could you not block the IP address to keep the connection from that user blocked entirely? Or does the IP address sending the messages change?

For filtering by content, I'd recommend the Global Email Filters area inside the cPanel interface:


although you may need to play with the values there to see if it will catch the HTML code you are looking for.

You may want to consider the Greylisting feature if you don't have that enabled already:


This will help stop messages from spammers by essentially making them send the message twice to prove they are a valid email server sending a legitimate message.

You could also make sure the "Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam" option is enabled, as that is also a tool we have to verify if the message is coming from a legitimate mail server.
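
An added example, not part of the thread or of cPanel's own code: one possible reason a literal body filter misses the snippet is that HTML mail is often sent quoted-printable, so the raw body holds `style=3D'...` and soft line breaks instead of the text seen in a viewer. The sample messages and the names `PIXEL_RE`, `decoded_html_parts` and `has_pixel_snippet` are constructed for illustration, and whether these particular emails are encoded this way is an assumption.

```python
import re
from email import message_from_string, policy

# Snippet exactly as posted in the thread.
LITERAL = "color:#fff;text-decoration:none;'></a><br /><img style='width:1px;height:1px;'"

# Same pattern, tolerant of whitespace and of either quote character.
PIXEL_RE = re.compile(
    r"""color:\s*#fff;\s*text-decoration:\s*none;?['"]>\s*</a>\s*<br\s*/?>\s*"""
    r"""<img\s+style=['"]width:\s*1px;\s*height:\s*1px;?['"]""",
    re.IGNORECASE,
)

# Constructed sample: quoted-printable HTML ("=3D" is "=", a trailing "=" is a soft break).
SPAM_RAW = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<a href=3D'http://example.invalid/' style=3D'color:#fff;text-decoration:non=
e;'></a><br /><img style=3D'width:1px;height:1px;' src=3D'http://example.in=
valid/p.gif'>
"""

# Constructed sample: ordinary HTML mail that must not be caught.
HAM_RAW = """\
From: friend@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p style=3D'color:#333;'>Lunch on Friday?</p><img src=3D'cid:photo'>
"""

def decoded_html_parts(raw):
    """Yield each text/html part with its transfer encoding and charset undone."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def has_pixel_snippet(raw):
    """True if any decoded HTML part contains the tracking-pixel pattern."""
    return any(PIXEL_RE.search(html) for html in decoded_html_parts(raw))

if __name__ == "__main__":
    print("literal found in raw body:", LITERAL in SPAM_RAW)
    print("regex on decoded HTML:", has_pixel_snippet(SPAM_RAW), has_pixel_snippet(HAM_RAW))
```

Viewing the raw source of one of the received messages shows whether the body is encoded like this; if it is, a filter pattern has to match the encoded form or run on decoded content.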