
Spam bypassing account level and user-level filters

Discussion in 'E-mail Discussion' started by openaccess, Jul 30, 2014.

  1. openaccess

    openaccess Active Member

    Joined:
    Jan 22, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    156
    Two separate situations, same type of problem:

    Issue #1: account-level and user-level both have a filter to Discard messages with a From field ending with .eu.
    Result: some get through. Examples:

    Code:
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.8)"
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: Message has been scanned: no virus or other harmful content was found
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx <= Hookup@annabba.eu H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 P=esmtp S=11372 id=350817414972390350820219111191664@f7dcvqfg.annabba.eu T="Find the Hottest Hookups Tonight!" for <Removed for privacy>
    2014-07-30 07:18:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCUi4-0002VC-Dx
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx => <Removed for privacy> R=virtual_user T=virtual_userdelivery
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx Completed
    
    2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.6)"
    2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: Message has been scanned: no virus or other harmful content was found
    2014-07-30 08:33:45 1XCVsc-00036n-I7 <= WoodMilk@hedwom.eu H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 P=esmtp S=9926 id=3513174149723903513874911657@jhzw9jqn2.hedwom.eu T="How nice is the wood in your home?" for <Removed for privacy>
    2014-07-30 08:33:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCVsc-00036n-I7
    2014-07-30 08:33:45 1XCVsc-00036n-I7 => <Removed for privacy> R=virtual_user T=virtual_userdelivery
    2014-07-30 08:33:45 1XCVsc-00036n-I7 Completed
    
    Example of a filtered email:
    Code:
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: "SpamAssassin as benchmar detected message as spam (1.6)"
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: Message has been scanned: no virus or other harmful content was found
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu <= SimpleSolution@setr.eu H=(4978r1.setr.eu) [191.101.52.75]:47442 P=esmtp S=11388 id=351917414972390351916015111071650@4978r1.setr.eu T="Read this - Your body is depending on it!" for <Removed for privacy>
    2014-07-30 10:03:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCXHB-0006ER-Gu
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu => /dev/null <Removed for privacy> R=central_filter T=**bypassed**
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu Completed
    
    Note: we have a spam bar discard filter for anything with one + in it, so I think it is matching that filter and not the .eu, as indicated by the difference in spam score between the first two and this filtered message.
    I may have just realized the issue: do I need to escape the period? It should work either way... Right now it is "From ends with" and ".eu" in the text box.

    Issue #2: messages bypassing account-level filters when sent to a forwarder address.
    If you have a user-level or account-level filter and a forwarder to the address with filters on it, messages will not be filtered. Ideas?
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    575
    Likes Received:
    20
    Trophy Points:
    143
    cPanel Access Level:
    Root Administrator
    Hello,

    Feel free to open a support ticket for these issues. You can use the link in my signature, then please post the ticket numbers here so we can update this thread accordingly. It should be 2 different tickets, because it's technically two different issues.
     
  3. openaccess

    openaccess Active Member

    Joined:
    Jan 22, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    156
    The solution worked out via support ticket is to use:
    From matches regex
    \.eu$

    Where \ escapes the period. Without an escape, the period acts as wildcard, which would also work in this situation, but with other strings it could cause other TLDs to possibly match.

    $ forces this string to only match at the end of the email address.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    I am happy to see the issue was resolved. Thank you for updating us with the outcome.
     
  5. openaccess

    openaccess Active Member

    Joined:
    Jan 22, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    156
    After additional cPanel ticket discussions, an even better regex was decided upon:
    \.eu(\>)?$

    This is necessary because the string pulled from the From address is not always consistent. Sometimes it is as you would think, "username@domain.tld", but sometimes it is "<username@domain.tld>". This regex matches both, so none can bypass the filter due to behind-the-scenes string differences. This sort of identifies a cPanel bug (cPanel filters should automatically exclude the less-than and greater-than signs when comparing the string to the filter).
     
  6. toplisek

    toplisek Well-Known Member

    Joined:
    Jan 7, 2010
    Messages:
    139
    Likes Received:
    8
    Trophy Points:
    68

    So, for all discarded messages I should put the following:
    Rules: From, Matches regex
    \.link(\>)?$
    \.us(\>)?$

    Is this correct?
     