Blocking email with Exim4 using the IP
Hello,
We are under a spam campaign with the infamous blackmailing ($524). Personally I do not give a sh*t, but my boss, for various legal reasons, is afraid the news of it will pop up.
After examination I found only one common thing: while the emails do have the FROM: myEmail@myCompany.com, the RECEIVED: from is clearly not our IP:
Received: from [14.189.127.50] (helo=static.vnpt.vn)
Assuming our IP is 54.xxx.xxx.xxx, that one is obviously coming from outside (Haiphong in Vietnam in that case).
What is the correct spelling of the corresponding Header Variable? Is it $header_received_from?
Or something else (please notice the full colon after Received).
Thanks very much
Sting
-
If you have CSF installed, you could add the offending IP to the CSF blocklist. One thing I find with frequent spam, though, is that it's usually done by bots, where the IP will change, so whilst adding the IP may fix the issue today, it's likely to resurface from another source tomorrow. The way I normally get around this would be to create a global filter in cPanel, along the lines: If body contains "some common phrase" Then fail and discard the message. I guess you could just discard the message without the fail, but I live in hope that somewhere, someone will see the fail and realise his server/PC/email address may have been hacked and fix it.
-
I'd also like to add that when you create a global filter through the cPanel UI it uses: $header_from or $message_headers
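The pattern described in the question (a From: address in the local domain, delivered by a host outside the company's own network) can be checked offline against saved messages. This is an added example, not code from the thread or from Exim/cPanel; the names `LOCAL_DOMAINS`, `TRUSTED_NETS`, `peer_ip` and `is_spoofed_local_sender` are hypothetical, the trusted range is a documentation placeholder, and the sample messages are constructed.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions for this example: our mail domain and the networks our own
# servers submit from (192.0.2.0/24 is a documentation range, not a real one).
LOCAL_DOMAINS = {"mycompany.com"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "127.0.0.0/8")]

# Exim records the connecting peer as "from [ip] (helo=...)" or "from name ([ip] ...)".
PEER_IP = re.compile(r"from\s+[^\[]*\[([0-9A-Fa-f:.]+)\]")

def peer_ip(msg):
    """IP of the host that connected to us, from the topmost Received header.
    Only that header was written by our own server; lower ones can be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    first_hop = " ".join(received[0].split()).split(" by ")[0]
    match = PEER_IP.search(first_hop)
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None

def is_spoofed_local_sender(raw_message):
    """True when From: claims a local domain but the peer is outside TRUSTED_NETS."""
    msg = email.message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = peer_ip(msg)
    if domain not in LOCAL_DOMAINS or ip is None:
        return False  # not our domain, or a local submission with no peer IP
    return not any(ip in net for net in TRUSTED_NETS)

# Constructed sample messages; the first mirrors the header quoted in the question.
SPOOFED = ("Received: from [14.189.127.50] (helo=static.vnpt.vn)\n"
           "\tby mail.mycompany.com with esmtp\n"
           "From: myEmail@myCompany.com\nSubject: test\n\nbody\n")
INTERNAL = ("Received: from [192.0.2.25] (helo=desk.mycompany.com)\n"
            "\tby mail.mycompany.com with esmtpsa\n"
            "From: myEmail@myCompany.com\nSubject: test\n\nbody\n")
EXTERNAL = ("Received: from mx.example.org ([198.51.100.7] helo=mx.example.org)\n"
            "\tby mail.mycompany.com with esmtps\n"
            "From: someone@example.org\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("INTERNAL", INTERNAL), ("EXTERNAL", EXTERNAL)):
        print(name, is_spoofed_local_sender(raw))
```

Unlike a single-IP block, this keys on the combination of claimed sender domain and connecting network, so it still matches when the sending bot's address changes.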