I need help writing a global email rule to filter spam.

michiana

I would like to add a statement to my global email filter that drops emails that contain the recipient’s email information in the format used by a group of spammers that are a real nuisance. They use a new IP address for every message via relays all over the world and always use a unique from address in the format listed below.

I see a great deal of spam that has a similar format being sent to hundreds of users in my system. Here is an example of how these spams are formatted:

To: [email protected]
From: sign-up-now-for-free-installation-glennfire=[email protected]

As you can see, the spammer has rewritten the from address to include the address of the intended recipient. The spam emails always have this format, with the intended recipient’s email address included in the from address. The from address is always rewritten by incorporating the recipient’s address like this:

[email protected]
is rewritten as
[email protected]

I need a statement that I can add to my global email filter that will detect this format and discard the email. Can anyone help with this?

Thanks in advance for any assistance.
 

cPanelLauren

Product Owner II
Staff member
Is that in the header like that exactly? If so, you might be able to create a rule using the guide to filters in the exim documentation: 3. Exim filter files

A really remedial example of this might be:

Code:
if
  $header_from: contains "domain1"
  or $header_from: contains "domain2"
  or $header_from: contains "domain3"
then
  save "/dev/null" 660
endif
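
The match the question asks for, as an added Python example (not code from either poster) that can be run over saved messages to check the pattern before it is translated into a filter rule. It assumes the recipient's `@` is replaced by `=` and that the result sits at the end of the From local part, as the visible `glennfire=` in the sample suggests; the `example.org` / `example.net` domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def embeds_recipient(from_addr, recipients):
    """True if the From local part ends with a recipient rewritten as local=domain."""
    local = from_addr.lower().rpartition("@")[0]
    for rcpt in recipients:
        r_local, at, r_domain = rcpt.lower().rpartition("@")
        if not (at and r_local and r_domain):
            continue  # skip anything that is not a full address
        token = f"{r_local}={r_domain}"
        if local.endswith(token):
            prefix = local[: -len(token)]
            # Boundary check: "bigglennfire=..." must not match "glennfire=..."
            if not prefix or not prefix[-1].isalnum():
                return True
    return False


def verdict(raw_message):
    """Return "discard" or "deliver" from the header From, To and Cc fields."""
    msg = message_from_string(raw_message)
    senders = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    rcpts = [addr for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    hit = any(embeds_recipient(s, rcpts) for s in senders)
    return "discard" if hit else "deliver"


# Constructed samples; example.org / example.net stand in for real domains.
SPAM = ("To: glennfire@example.org\n"
        "From: sign-up-now-for-free-installation-glennfire=example.org"
        "@relay.example.net\nSubject: offer\n\nbody\n")
HAM = ("To: Glenn <glennfire@example.org>\n"
       "From: Newsletter <news@example.net>\nSubject: hello\n\nbody\n")
NEAR_MISS = ("To: glennfire@example.org\n"
             "From: bigglennfire=example.org@example.net\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HAM", HAM), ("NEAR_MISS", NEAR_MISS)):
        print(name, verdict(raw))
```

Mailing lists that use VERP put the same `local=domain` encoding in the envelope sender (Return-Path), so the check is applied to the header From only to avoid discarding legitimate list mail.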