The Community Forums


Need to filter ALL email

Discussion in 'E-mail Discussions' started by jols, May 27, 2013.

  1. jols

    I thought I had it for a while. Was setting up rules in antivirus.exim that included this:

    or $header_from: ends ".pw"
    or $return_path: ends ".pw"

    But spam keeps getting though with address like this in the header:

    Return-path: <ciga261526@glacaderog.pw>


    So, could it be that I just need to add the bracket? Like so:

    or $return_path: ends ".pw>"

    Or would this totally mess things up?

    Anyone?

    Thanks.
     
  2. cPanelMichael

    Hello :)

    You can try using a custom system filter for Exim to prevent emails to/from the ".pw" TLD. To start, you would copy over the existing Exim filter to the new location:

    Code:
    # cp -a /etc/cpanel_exim_system_filter /etc/cpanel_exim_system_filter_custom
    Then, configure the custom filter file as the default filter via the "System Filter File" option under the "Filters" tab in:

    "WHM Home » Service Configuration » Exim Configuration Manager"

    Within the "/etc/cpanel_exim_system_filter_custom" file, you can add an entry such as:

    Code:
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".pw")
    or ("$h_from:" contains ".pw")
    then
    seen finish
    endif
    
    Thank you.
     
    #2 cPanelMichael, May 27, 2013
    Last edited: May 27, 2013
  3. jols

    Hey thanks!
     
  4. Silver_2000

    How can that kind of filter be done on an account by account or domain by domain basis ?
     
  5. Silver_2000

    Anyone?

    I'm looking for help blocking spam coming from the lesser TLDs,
    but I want to be able to let customers choose to implement the block from within cPanel.
     
  6. Vinayak

    Instead of copying and editing /etc/cpanel_exim_system_filter

    Follow the instructions as written in /etc/cpanel_exim_system_filter
     
  7. StoneyCreeker

    This works pretty well, except if you try to block .co (Colombia). It then also blocks .com. How can I get around this?

    I also added the "deliver" to my rules so I could track what emails are being blocked.

    Code:
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".co")
    or ("$h_from:" contains ".co")
    then
    deliver "Global Spam <globalspam@xxxxxx.com>"
    seen finish
    endif

    Thank you.
     
  8. kona333

    Hi,

    So I've duplicated the cpanel_exim_system_filter and named it cpanel_exim_system_filter_blacklist (no extension on the end).

    I set the custom filter to my new file under exim config /etc/cpanel_exim_system_filter_blacklist. Then in my file added the following near the top:


    # Only process once (this part was already there) #
    # #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #For blocking all incoming and outgoing Russian emails
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".ru")
    or ("$h_from:" contains ".ru")
    then
    seen finish
    endif
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #For blocking all incoming and outgoing pw emails
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".pw")
    or ("$h_from:" contains ".pw")
    then
    seen finish
    endif
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

    Restarted exim. Waited 10 mins and watched while zero emails got through and all clogged up the mail queue saying "processing". Obviously something went wrong. I reverted back, restarted exim and email resumed as normal.

    What did I do wrong? I'm a bit of a noob with this stuff btw... Thanks
     
  9. Vinayak

    Instead of copying and editing /etc/cpanel_exim_system_filter

    Follow the instructions as written in /etc/cpanel_exim_system_filter
     
  10. kona333

    Thanks Vinayak. I've re-read that a number of times but can't make sense of it.

    /usr/local/cpanel/etc/exim/sysfilter/options/
    Enable or disable the custom block in WHM using:
    Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]

    For instance, do I create one single file under there, i.e.
    "/usr/local/cpanel/etc/exim/sysfilter/options/blacklist",

    then put exactly that under Exim manager filters?

    Then do I put the same code in that as I pasted above?
    Or do I just put each domain I want to block on its own line?

    Do I need to put a separate "if first_delivery" for every blocked address?
     
  11. Vinayak

    First, take note that you are no longer required to touch the cpanel_exim_system_filter file.

    Now, create a new blank file at "/usr/local/cpanel/etc/exim/sysfilter/options/" and name it anything, say "my_custom_filter", or create separate files per custom filter like "custom_filter_pw" & "custom_filter_ru".

    Each rule has to be complete, so:

    Code:
    #For blocking all incoming and outgoing RUSSIAN emails
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".ru")
    or ("$h_from:" contains ".ru")
    then
    seen finish
    endif
    Code:
    #For blocking all incoming and outgoing PW emails
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".pw")
    or ("$h_from:" contains ".pw")
    then
    seen finish
    endif
    Once you have created those files, visit "Service Configuration => Exim Configuration Manager" in WHM as root and you will see those files mentioned as custom filter under "Filters" section.

    You can now enable/disable them.
     
  12. kona333

    Thanks Vinayak, that seems more straightforward. Unfortunately, it didn't seem to work.

    I tried one using my own external email address but it still accepts emails from it. No warning or anything. I uploaded a single file (no extension) to that folder, it was already ticked as ON in Exim, filters are set to enabled, and I restarted Exim, but the emails still get through.

    The filename has no odd characters, only an underscore. There's no @ symbol in the 'contains' part. The normal Exim filter is set as the default/original.

    Is there something else I need to do to get this to work?

    It's a shame WHM provides no simple method for blocking addresses or domains.
     
  13. HostedPro

    I've been struggling with this as well. I created separate rule files in /usr/local/cpanel/etc/exim/sysfilter/options/, e.g. block_tld_ru, block_tld_cn, block_tld_tk, block_tld_asia. They are shown in the Exim config > Filter as enabled. The file contents are like this for each TLD...

    Code:
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".ru")
    or ("$h_from:" contains ".ru")
    then
    seen finish
    endif
    
    I'm still seeing these come through. I just checked the mail queue and saw many .asia that boxtrapper caught & is sending the challenge to.

    Any more thoughts on this issue? Possible I've something else in my config that's not allowing the rules to work?

    Thanks
    Karl
     
  14. HostedPro

    After more monitoring I think it may be doing what it's supposed to. Seeing either "Connection refused" or "Connection timed out" or "lost" on the filtered tlds using grep -F '.tk [' /var/log/exim_mainlog. Maybe it works after all ;)
     
  15. StoneyCreeker

    I am using the "make a backup copy first and then rename root/etc/cpanel_exim_system_file to cpanel_exim_system_file_custom" method. Be sure to change it in your WHM under "Service Configuration > Exim Configuration Manager > Filters" under System Filter File and add the code to the end of the file.

    WARNING! This will affect all email accounts on your email server. I highly recommend tracking your filters to a separate account to check for false positives. To see if you have made a misteak :) open your WHM to " Email > Mail Queue Manager" and run a report. If there are any messages in the queue, try to send one and it will tell you the line number of the broken rule in your cpanel_exim_system_file_custom file.

    I have been playing with this for several weeks now and this is the best syntax so far....

    Code:
    #Block Palau (Spammers use this a lot)
    if first_delivery
    and ("$h_from:" matches " .+@.+\.pw")
    then
    headers add "SpamRule: EXIM FILTER Block Palau (was: $h_subject:)"
    deliver "Global Spam <globalspam@mydomain.com>"
    seen finish
    endif
    The "headers_add" adds a new header to the email so I can track the rule name and the "deliver" sends the email to an account so I can check for false positives.

    I am also blocking the most spam on my server with:
    Code:
    #NEW Block Europe rule
    #Block Europe using new syntax .+@.+\.eu
    if first_delivery
    and ("$h_from:" matches " .+@.+\.eu")
    or ("$h_to:" matches " .+@.+\.eu")
    then
    headers add "SpamRule: EXIM FILTER Block Europe New Syntax (was: $h_subject:)"
    deliver "Global Spam <globalspam@mydomain.com>"
    seen finish
    endif
    Hope this helps.

    PS

    I have been having trouble blocking Argentina spam ("ar" is very common), and I am trying a new syntax that seems to be working so far. I got it from Philip Hazel's Exim manual.

    Code:
    #Block Argentina
    if first_delivery
    and $h_from matches " \\N\\.ar$\\N"
    then
    headers add "SpamRule: EXIM FILTER Block Argentina (was: $h_subject:)"
    deliver "Global Spam <globalspam@mydomain.com>"
    seen finish
    endif
    So far it has not produced any false positives but I am keeping my eye on it. ;)
     
    #15 StoneyCreeker, Oct 14, 2014
    Last edited: Oct 14, 2014
  16. IGonza

    I blocked ".link" as described for ".ar". I don't see any emails from ".link" domains, and also I don't get any email to "Global spam" account. Also... I couldn't find any log about it...
    Where should I look for results of that filter checks?
     
  17. IGonza

    Today I've received emails with a ".link" sender domain... so it seems the filter does not work.

     
  18. IGonza

    Ok, I almost gave up on the custom filter and found a "have to know" thing:

    If you change your custom filter file, you MUST click Save in Exim Configuration cpanel page to update global filter configuration file.
     
  19. alinford

    I am looking for a way to block specific characters in the email address, such as '='.

    The code below does not work:
    Code:
    if first_delivery
    and ("$h_to:, $h_cc:" contains "=")
    or ("$h_from:" contains "=")
    then
    seen finish
    endif
    
     
  20. alinford

    I did not get a response, so I will ask the question in a different way.

    This worked for blocking email from the .link tld and was modified to also block .rocks:
    Code:
    if first_delivery
    and ("$h_to:, $h_cc:" contains ".link")
    or ("$h_from:" contains ".link")
    then
    seen finish
    endif
    I am trying to block email with recipient addresses that look like this:
    random_word-email_user=domain1.com@domain2.com

    domain1.com is always a domain on our server, while domain2.com is not

    I tried blocking the '=' sign like this, but it did not work:
    Code:
    if first_delivery
    and ("$h_to:, $h_cc:" contains "=")
    or ("$h_from:" contains "=")
    then
    seen finish
    endif
    Any other ideas?
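As an added illustration in Python (not Exim filter code, and not from any poster), here are the two matching problems raised in this thread side by side: a plain substring test like Exim's `contains ".co"` also hits every `.com` address, whereas checking the parsed address's final domain label, or an anchored regex, does not; and a recipient of the shape `user=domain1.com@domain2.com` is recognised by looking for `=` in the local part of each parsed address. The header values below are constructed for the example, except the `.pw` Return-path quoted in the first post.

```python
import re
from email.utils import getaddresses

# Constructed sample header values (the .pw one is the Return-path from the
# first post; the rest are made up to exercise the .co/.com and '=' cases).
RETURN_PATH = "<ciga261526@glacaderog.pw>"
FROM_COLOMBIA = "Ana <ana@correo.co>"
FROM_DOTCOM = "Bob <bob@example.com>"
TO_VERP = "Alice <list-alice=domain1.com@domain2.com>, Carol <carol@domain1.com>"


def exim_contains(header_value, needle):
    """Mirror of the Exim filter 'contains' test: a bare substring search."""
    return needle in header_value


def addresses(header_value):
    """Bare addr-specs from a From/To/Cc header, display names stripped."""
    return [addr for _name, addr in getaddresses([header_value]) if addr]


def tld(addr):
    """Final DNS label of the address's domain part, lower-cased."""
    return addr.rsplit("@", 1)[-1].rsplit(".", 1)[-1].lower()


def blocked_by_tld(header_value, blocked):
    """Addresses whose top-level domain is exactly one of the blocked labels."""
    labels = {b.lstrip(".").lower() for b in blocked}
    return [a for a in addresses(header_value) if tld(a) in labels]


def tld_regex(label):
    """Anchored pattern: '@domain.<label>' must be followed by '>', whitespace,
    a comma or end of string, so '.co' cannot match inside '.com'."""
    esc = re.escape(label.lstrip("."))
    return re.compile(r"@[^\s<>,@]+\." + esc + r"(?=[>\s,]|$)", re.IGNORECASE)


def blocked_by_regex(header_value, blocked):
    """Labels from 'blocked' whose anchored pattern matches the raw header."""
    return [lbl for lbl in blocked if tld_regex(lbl).search(header_value)]


def equals_in_local_part(header_value):
    """Addresses whose local part contains '=' (user=domain1.com@domain2.com)."""
    return [a for a in addresses(header_value) if "=" in a.rsplit("@", 1)[0]]
```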
     