Spam bypassing account level and user-level filters

openaccess

Active Member
Jan 22, 2006
32
0
156
Two separate situations, same type of problem:

Issue #1: account-level and user-level both have a filter to Discard messages with a From field ending with .eu.
Result: some get through. Examples:

Code:
2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.8)"
2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 07:18:31 1XCUi4-0002VC-Dx <= [email protected] H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 P=esmtp S=11372 [email protected] T="Find the Hottest Hookups Tonight!" for <Removed for privacy>
2014-07-30 07:18:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCUi4-0002VC-Dx
2014-07-30 07:18:31 1XCUi4-0002VC-Dx => <Removed for privacy> R=virtual_user T=virtual_userdelivery
2014-07-30 07:18:31 1XCUi4-0002VC-Dx Completed

2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.6)"
2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 08:33:45 1XCVsc-00036n-I7 <= [email protected] H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 P=esmtp S=9926 [email protected] T="How nice is the wood in your home?" for <Removed for privacy>
2014-07-30 08:33:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCVsc-00036n-I7
2014-07-30 08:33:45 1XCVsc-00036n-I7 => <Removed for privacy> R=virtual_user T=virtual_userdelivery
2014-07-30 08:33:45 1XCVsc-00036n-I7 Completed
Example of a filtered email:
Code:
2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: "SpamAssassin as benchmar detected message as spam (1.6)"
2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 10:03:00 1XCXHB-0006ER-Gu <= [email protected] H=(4978r1.setr.eu) [191.101.52.75]:47442 P=esmtp S=11388 [email protected] T="Read this - Your body is depending on it!" for <Removed for privacy>
2014-07-30 10:03:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCXHB-0006ER-Gu
2014-07-30 10:03:00 1XCXHB-0006ER-Gu => /dev/null <Removed for privacy> R=central_filter T=**bypassed**
2014-07-30 10:03:00 1XCXHB-0006ER-Gu Completed
Note: we have a spam bar discard filter for anything with one + in it, so I think it is matching that filter and not the .eu, as indicated by the difference in spam score between the first two and this filtered message.
I may have just realized the issue: do I need to escape the period? It should work either way... Right now it is "From ends with" and ".eu" in the text box.

Issue #2: messages bypassing account-level filters when sent to a forwarder address.
If you have a user-level or account level filter and a forwarder to the address with filters on it, messages will not be filtered. Ideas?
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
576
19
143
cPanel Access Level
Root Administrator
Hello,

Feel free to open a support ticket for these issues. You can use the link in my signature, then please post the ticket numbers here so we can update this thread accordingly. It should be 2 different tickets, because it's technically two different issues.
 

openaccess

Active Member
Jan 22, 2006
32
0
156
Solution worked out via support ticket is to use:
From match regex
\.eu$

Where \ escapes the period. Without an escape, the period acts as wildcard, which would also work in this situation, but with other strings it could cause other TLDs to possibly match.

$ forces this string to only match at the end of the email address.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,219
463
I am happy to see the issue was resolved. Thank you for updating us with the outcome.
 

openaccess

Active Member
Jan 22, 2006
32
0
156
After additional cPanel ticket discussions, an even better regex was decided upon:
\.eu(\>)?$

This is necessary because the string pulled from the From address is not always consistent. Sometimes it is as you would think, "[email protected]", but sometimes it is "<[email protected]>". This regex matches both, so none can bypass the filter due to behind the scenes string differences. This sort of identifies a cPanel bug (cPanel filters should automatically exclude the less than or greater than signs when comparing the string to the filter).