Need to filter ALL email

[jols]

I thought I had it for a while. Was setting up rules in antivirus.exim that included this:

or $header_from: ends ".pw"
or $return_path: ends ".pw"

But spam keeps getting though with address like this in the header:

Return-path: <[email protected]>


So, could it be that I just need to add the bracket? Like so:

or $return_path: ends ".pw>"

Or would this totally mess things up?

Anyone?

Thanks.

 

[cPanelMichael]

Hello

You can try using a custom system filter for Exim to prevent emails to/from the ".pw" TLD. To start, you would copy over the existing Exim filter to the new location:

# cp -a /etc/cpanel_exim_system_filter /etc/cpanel_exim_system_filter_custom

Then, configure the custom filter file as the default filter via the "System Filter File" option under the "Filters" tab in:

"WHM Home » Service Configuration » Exim Configuration Manager"

Within the "/etc/cpanel_exim_system_filter_custom" file, you can add an entry such as:

if first_delivery
and ("$h_to:, $h_cc:" contains ".pw")
or ("$h_from:" contains ".pw")
then
seen finish
endif

Thank you.

 

[jols]

Hey thanks!

 

[Silver_2000]

How can that kind of filter be done on an account by account or domain by domain basis ?

 

[Silver_2000]

anyone ?

looking for help blocking spam coming from the lesser TLDs
BUt I want to be able to let customers CHOOSE To implement the block from within Cpanel

 

[Vinayak]

Instead of copying and editing /etc/cpanel_exim_system_filter

Follow the instructions as written in /etc/cpanel_exim_system_filter

Place each sysfilter block you wish to include in a unique file at:
/usr/local/cpanel/etc/exim/sysfilter/options/
Enable or disable the custom block in WHM using:
Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]

 

[StoneyCreeker]

This works pretty good except if you try to block .co (Columbia). It also then blocks .com too. How can i get around this?

I also added the "deliver" to my rules so I could track what emails are being blocked.

if first_delivery
and ("$h_to:, $h_cc:" contains ".co")
or ("$h_from:" contains ".co")
then
deliver "Global Spam <[email protected]>"
seen finish
endif

Thank you.

 

[kona333]

Hi,

So I've duplicated the cpanel_exim_system_filter and named it cpanel_exim_system_filter_blacklist (no extension on the end).

I set the custom filter to my new file under exim config /etc/cpanel_exim_system_filter_blacklist. Then in my file added the following near the top:


# Only process once (this part was already there) #
# #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#For blocking all incoming and outgoing russian emails
if first_delivery
and ("$h_to:, $h_cc:" contains ".ru")
or ("$h_from:" contains ".ru")
then
seen finish
endif
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#For blocking all incoming and outgoing pw emails
if first_delivery
and ("$h_to:, $h_cc:" contains ".pw")
or ("$h_from:" contains ".pw")
then
seen finish
endif
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

Restarted exim. Waited 10 mins and watched while zero emails got through and all clogged up the mail queue saying "processing". Obviously something went wrong. I reverted back, restarted exim and email resumed as normal.

What did I do wrong? I'm a bit of a noob with this stuff btw... Thanks

 

[Vinayak]

Instead of copying and editing /etc/cpanel_exim_system_filter

Follow the instructions as written in /etc/cpanel_exim_system_filter

Place each sysfilter block you wish to include in a unique file at:

/usr/local/cpanel/etc/exim/sysfilter/options/
Enable or disable the custom block in WHM using:
Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]

Hi,

So I've duplicated the cpanel_exim_system_filter and named it cpanel_exim_system_filter_blacklist (no extension on the end).

I set the custom filter to my new file under exim config /etc/cpanel_exim_system_filter_blacklist. Then in my file added the following near the top:


# Only process once (this part was already there) #
# #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#For blocking all incoming and outgoing russian emails
if first_delivery
and ("$h_to:, $h_cc:" contains ".ru")
or ("$h_from:" contains ".ru")
then
seen finish
endif
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#For blocking all incoming and outgoing pw emails
if first_delivery
and ("$h_to:, $h_cc:" contains ".pw")
or ("$h_from:" contains ".pw")
then
seen finish
endif
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

Restarted exim. Waited 10 mins and watched while zero emails got through and all clogged up the mail queue saying "processing". Obviously something went wrong. I reverted back, restarted exim and email resumed as normal.

What did I do wrong? I'm a bit of a noob with this stuff btw... Thanks

 

[kona333]

Thanks Vinayak. I've re-read that a number of times but can't make sense of it.

/usr/local/cpanel/etc/exim/sysfilter/options/
Enable or disable the custom block in WHM using:
Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]

For instance do I create one single file under there ie
"/usr/local/cpanel/etc/exim/sysfilter/options/blacklist"

Then put exactly that under exim manager filters.

Then do I put the same code in that as I pasted above?
Or do I just put each domain on it's own line that I want to block?

Do I need to put a separate "if first_delivery" for every blocked address?

 

[Vinayak]

First take a note that you are no longer required to touch cpanel_exim_system_filter file.

Now, create a new blank file at "/usr/local/cpanel/etc/exim/sysfilter/options/" name it anything, say "my_custom_filter" or separate files per filter custom like "custom_filter_pw" & "custom_filter_ru"

Each rule has to be complete, so

#For blocking all incoming and outgoing RUSSIAN emails
if first_delivery
and ("$h_to:, $h_cc:" contains ".ru")
or ("$h_from:" contains ".ru")
then
seen finish
endif

#For blocking all incoming and outgoing PW emails
if first_delivery
and ("$h_to:, $h_cc:" contains ".pw")
or ("$h_from:" contains ".pw")
then
seen finish
endif

Once you have created those files, visit "Service Configuration => Exim Configuration Manager" in WHM as root and you will see those files mentioned as custom filter under "Filters" section.

You can now enable/disable them.

 

[kona333]

Thanks Vinayak that seems more straightforward. Unfortunately, it didn't seem to work.

I tried one using my own external email address but it stills accepts emails through from it. No warning or anything. I uploaded a single file (no extension) to that folder, it was already ticked as ON in exim, filters are set to enabled, restarted exim but the emails still get through.

The filename has no odd characters, only underscore. There's no @ symbol in the 'contains' part. Normal exim filter is set as the default/original.

Is there something else I need to do to get this to work?

It's a shame whm provides no simple method for blocking addresses or domains.

 

[HostedPro]

I've been struggling with this as well. I created seperate rule files in /usr/local/cpanel/etc/exim/sysfilter/options/, e.g. block_tld_ru, block_tld_cn, block_tld_tk, block_tld_asia. They are shown in the Exim config > Filter as enabled. The file contents are like this for each tld...

if first_delivery
and ("$h_to:, $h_cc:" contains ".ru")
or ("$h_from:" contains ".ru")
then
seen finish
endif

I'm still seeing these come through. I just checked the mail queue and saw many .asia that boxtrapper caught & is sending the challenge to.

Any more thoughts on this issue? Possible I've something else in my config that's not allowing the rules to work?

Thanks
Karl

 

[HostedPro]

After more monitoring I think it may be doing what it's supposed to. Seeing either "Connection refused" or "Connection timed out" or "lost" on the filtered tlds using grep -F '.tk [' /var/log/exim_mainlog. Maybe it works after all

 

[StoneyCreeker]

After more monitoring I think it may be doing what it's supposed to. Seeing either "Connection refused" or "Connection timed out" or "lost" on the filtered tlds using grep -F '.tk [' /var/log/exim_mainlog. Maybe it works after all

I am using the " make a backup copy first and then rename root/etc/cpanel_exim_system_file to cpanel_exim_system_file_custom method. Be sure to change it in your WHM under "Service Configuration > Exim Configuration Manager > Filters" under System Filter File and add the code to the end of the file.

WARNING! This will affect all email accounts on your email server. I highly recommend tracking your filters to a separate account to check for false positives. To see if you have made a misteak open your WHM to " Email > Mail Queue Manager" and run a report. If there are any messages in the queue, try to send one and it will tell you the line number of the broken rule in your cpanel_exim_system_file_custom file.

I have been playing with this for several weeks now and this is the best syntax so far....

#Block Palau (Spammers use this a lot)
if first_delivery
and ("$h_from:" matches " [email protected]+\.pw")
then
 headers add "SpamRule: EXIM FILTER Block Palau (was: $h_subject:)"
deliver "Global Spam <[email protected]>"
seen finish
endif

The "headers_add" adds a new header to the email so I can track the rule name and the "deliver" sends the email to an account so I can check for false positives.

I am also blocking the most spam on my server with:

#NEW Block Europe rule
#Block Europe using new syntax [email protected]+\.eu
if first_delivery
and ("$h_from:" matches " [email protected]+\.eu")
  or ("$h_to:" matches " [email protected]+\.eu")
then
 headers add "SpamRule: EXIM FILTER Block Europe New Syntax (was: $h_subject:)"
deliver "Global Spam <[email protected]>"
seen finish
endif

Hope this helps.

PS

I have been having trouble blocking Argentina spam, ("ar" is very common), and I am trying a new syntax that seems to be working so far. I got it from Phillip Hazel's EXIM manual.

#Block Argentina
if first_delivery
and $h_from matches " \\N\\.ar$\\N"
then
 headers add "SpamRule: EXIM FILTER Block Argentina (was: $h_subject:)"
deliver "Global Spam <[email protected]>"
seen finish
endif

So far it has not produced any false positives but I am keeping my eye on it.

 

[IGonza]

I blocked ".link" as described for ".ar". I don't see any emails from ".link" domains, and also I don't get any email to "Global spam" account. Also... I couldn't find any log about it...
Where should I look for results of that filter checks?

 

[IGonza]

Today I've receive emails with ".link" sender's domain... so seems the filter does not work.

I blocked ".link" as described for ".ar". I don't see any emails from ".link" domains, and also I don't get any email to "Global spam" account. Also... I couldn't find any log about it...
Where should I look for results of that filter checks?

 

[IGonza]

Ok, I almost gave up on custom filter and found "have to know" thing:

If you change your custom filter file, you MUST click Save in Exim Configuration cpanel page to update global filter configuration file.

 

[alinford]

I am looking for a way to block specific characters in the email address, such as '='.

The code below does not work:

if first_delivery
and ("$h_to:, $h_cc:" contains "=")
or ("$h_from:" contains "=")
then
seen finish
endif

 

[alinford]

I did not get a response, so I will ask the question in a different way.

This worked for blocking email from the .link tld and was modified to also block .rocks:

if first_delivery
and ("$h_to:, $h_cc:" contains ".link")
or ("$h_from:" contains ".link")
then
seen finish
endif

I am trying to block email with recipient addresses that look like this:
[email protected]

domain1.com is always a domain on our server, while domain2.com is not

I tried blocking the '=' sign like this, but it did not work:

if first_delivery
and ("$h_to:, $h_cc:" contains "=")
or ("$h_from:" contains "=")
then
seen finish
endif

Any other ideas?