Spam bypassing account level and user-level filters

openaccess

Active Member
Jan 22, 2006
Two separate situations, same type of problem:

Issue #1: account-level and user-level both have a filter to Discard messages with a From field ending with .eu.
Result: some get through. Examples:

Code:
2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.8)"
2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 07:18:31 1XCUi4-0002VC-Dx <= [email protected] H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 P=esmtp S=11372 [email protected] T="Find the Hottest Hookups Tonight!" for <Removed for privacy>
2014-07-30 07:18:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCUi4-0002VC-Dx
2014-07-30 07:18:31 1XCUi4-0002VC-Dx => <Removed for privacy> R=virtual_user T=virtual_userdelivery
2014-07-30 07:18:31 1XCUi4-0002VC-Dx Completed

2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.6)"
2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 08:33:45 1XCVsc-00036n-I7 <= [email protected] H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 P=esmtp S=9926 [email protected] T="How nice is the wood in your home?" for <Removed for privacy>
2014-07-30 08:33:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCVsc-00036n-I7
2014-07-30 08:33:45 1XCVsc-00036n-I7 => <Removed for privacy> R=virtual_user T=virtual_userdelivery
2014-07-30 08:33:45 1XCVsc-00036n-I7 Completed
Example of a filtered email:
Code:
2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: "SpamAssassin as benchmar detected message as spam (1.6)"
2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 10:03:00 1XCXHB-0006ER-Gu <= [email protected] H=(4978r1.setr.eu) [191.101.52.75]:47442 P=esmtp S=11388 [email protected] T="Read this - Your body is depending on it!" for <Removed for privacy>
2014-07-30 10:03:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCXHB-0006ER-Gu
2014-07-30 10:03:00 1XCXHB-0006ER-Gu => /dev/null <Removed for privacy> R=central_filter T=**bypassed**
2014-07-30 10:03:00 1XCXHB-0006ER-Gu Completed
Note: we have a spam bar discard filter for anything with one + in it, so I think it is matching that filter and not the .eu, as indicated by the difference in spam score between the first two and this filtered message.
I may have just realized the issue: do I need to escape the period? It should work either way... Right now it is "From ends with" and ".eu" in the text box.

Issue #2: messages bypassing account-level filters when sent to a forwarder address.
If you have a user-level or account-level filter and a forwarder to the address with filters on it, messages will not be filtered. Ideas?
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
cPanel Access Level
Root Administrator
Hello,

Feel free to open a support ticket for these issues. You can use the link in my signature, then please post the ticket numbers here so we can update this thread accordingly. It should be 2 different tickets, because it's technically two different issues.
 

openaccess

Active Member
Jan 22, 2006
Solution worked out via support ticket is to use:
From match regex
\.eu$

Where \ escapes the period. Without an escape, the period acts as wildcard, which would also work in this situation, but with other strings it could cause other TLDs to possibly match.

$ forces this string to only match at the end of the email address.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I am happy to see the issue was resolved. Thank you for updating us with the outcome.
 

openaccess

Active Member
Jan 22, 2006
After additional cPanel ticket discussions, an even better regex was decided upon:
\.eu(\>)?$

This is necessary because the string pulled from the From address is not always consistent. Sometimes it is as you would think, "[email protected]", but sometimes it is "<[email protected]>". This regex matches both, so none can bypass the filter due to behind-the-scenes string differences. This sort of identifies a cPanel bug (cPanel filters should automatically exclude the less-than or greater-than signs when comparing the string to the filter).