The Community Forums

Interact with an entire community of cPanel & WHM users!

Spam bypassing account level and user-level filters

Discussion in 'E-mail Discussions' started by openaccess, Jul 30, 2014.

  1. openaccess

    openaccess Active Member

    Joined:
    Jan 22, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Two separate situations, same type of problem:

    Issue #1: account-level and user-level both have a filter to Discard messages with a From field ending with .eu.
    Result: some get through. Examples:

    Code:
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.8)"
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: Message has been scanned: no virus or other harmful content was found
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx <= Hookup@annabba.eu H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 P=esmtp S=11372 id=350817414972390350820219111191664@f7dcvqfg.annabba.eu T="Find the Hottest Hookups Tonight!" for <Removed for privacy>
    2014-07-30 07:18:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCUi4-0002VC-Dx
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx => <Removed for privacy> R=virtual_user T=virtual_userdelivery
    2014-07-30 07:18:31 1XCUi4-0002VC-Dx Completed
    
    2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.6)"
    2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: Message has been scanned: no virus or other harmful content was found
    2014-07-30 08:33:45 1XCVsc-00036n-I7 <= WoodMilk@hedwom.eu H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 P=esmtp S=9926 id=3513174149723903513874911657@jhzw9jqn2.hedwom.eu T="How nice is the wood in your home?" for <Removed for privacy>
    2014-07-30 08:33:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCVsc-00036n-I7
    2014-07-30 08:33:45 1XCVsc-00036n-I7 => <Removed for privacy> R=virtual_user T=virtual_userdelivery
    2014-07-30 08:33:45 1XCVsc-00036n-I7 Completed
    
    Example of a filtered email:
    Code:
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: "SpamAssassin as benchmar detected message as spam (1.6)"
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: Message has been scanned: no virus or other harmful content was found
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu <= SimpleSolution@setr.eu H=(4978r1.setr.eu) [191.101.52.75]:47442 P=esmtp S=11388 id=351917414972390351916015111071650@4978r1.setr.eu T="Read this - Your body is depending on it!" for <Removed for privacy>
    2014-07-30 10:03:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCXHB-0006ER-Gu
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu => /dev/null <Removed for privacy> R=central_filter T=**bypassed**
    2014-07-30 10:03:00 1XCXHB-0006ER-Gu Completed
    
    Note: we have a spam bar discard filter for anything with one + in it, so I think it is matching that filter and not the .eu, as indicated by the difference in spam score between the first two and this filtered message.
    I may have just realized the issue: do I need to escape the period? It should work either way... Right now it is "From ends with" and ".eu" in the text box.

    Issue #2: messages bypassing account-level filters when sent to a forwarder address.
    If you have a user-level or account level filter and a forwarder to the address with filters on it, messages will not be filtered. Ideas?
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    569
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    Feel free to open a support ticket for these issues. You can use the link in my signature, then please post the ticket numbers here so we can update this thread accordingly. It should be 2 different tickets, because it's technically two different issues.
     
  3. openaccess

    openaccess Active Member

    Solution worked out via support ticket is to use:
    From match regex
    \.eu$

    Where \ escapes the period. Without an escape, the period acts as a wildcard, which would also work in this situation, but with other strings it could cause other TLDs to match.

    $ forces this string to only match at the end of the email address.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. openaccess

    openaccess Active Member

    After additional cPanel ticket discussions, an even better regex was decided upon:
    \.eu(\>)?$

    This is necessary because the string pulled from the From address is not always consistent. Sometimes it is as you would think, "username@domain.tld", but sometimes it is "<username@domain.tld>". This regex matches both, so none can bypass the filter due to behind-the-scenes string differences. This sort of identifies a cPanel bug (cPanel filters should automatically exclude the less-than or greater-than signs when comparing the string to the filter).
     
  6. toplisek

    toplisek Active Member

    Joined:
    Jan 7, 2010
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6

    So, I should put for all discarded messages the following:
    Rules: From, Matches regex
    \.link(\>)?$
    \.us(\>)?$

    Is this correct?
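An added example (not from the thread or from cPanel) showing why the bare "ends with .eu" check from the first post misses the angle-bracketed form described in post #5, why the dot must be escaped as in post #3, and how the same pattern shape generalizes to a list of TLDs as asked in post #6. All From strings below are constructed; the function names are my own.

```python
import re

# Constructed From values covering both string forms the thread reports the
# filter receiving: bare "user@domain.tld" and bracketed "<user@domain.tld>".
SAMPLE_FROM_VALUES = [
    "user1@domain-a.eu",        # bare form, caught by a plain "ends with .eu"
    "<user2@domain-b.eu>",      # bracketed form that slipped past "ends with .eu"
    "user3@domain-c.com",
    "<user4@domain-d.us>",
    "user5@domain-e.eu.com",    # ".eu" in the middle: must NOT match
    "user6@domainXeu",          # constructed: shows why the dot must be escaped
]

def thread_regex(tld):
    """Pattern in the shape agreed in the thread, e.g. r'\.eu(\>)?$'."""
    return r"\." + re.escape(tld) + r"(\>)?$"

def matches_tld(from_value, tld):
    """Match the way a 'From matches regex' rule would with the thread's pattern."""
    return re.search(thread_regex(tld), from_value) is not None

def naive_ends_with(from_value, tld):
    """The original 'From ends with .eu' rule: fails on '<...>' wrapped strings."""
    return from_value.endswith("." + tld)

def unescaped_dot(from_value, tld):
    """Same pattern with the dot NOT escaped: '.' then matches any character."""
    return re.search("." + tld + r"(\>)?$", from_value) is not None

def would_discard(from_values, tlds):
    """Return the From values a set of per-TLD discard rules would catch."""
    return [v for v in from_values if any(matches_tld(v, t) for t in tlds)]

if __name__ == "__main__":
    for v in SAMPLE_FROM_VALUES:
        print(f"{v:28} ends-with={naive_ends_with(v, 'eu')!s:5} "
              f"regex={matches_tld(v, 'eu')!s:5} unescaped={unescaped_dot(v, 'eu')}")
    print("discarded for .eu/.us:", would_discard(SAMPLE_FROM_VALUES, ["eu", "us"]))
```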
     