Skip to main content

Custom exim system filter not working

Comments

9 comments

  • rpvw
    @cPanelLauren gave us this tip which works extremely well: [quote] What I normally do to ensure that it's syntactically correct is create the filter in cPanel>>Mail>>Global Email Filters then once it's finished grab the data written to /etc/vfilters/domain.tld for it and add it to the sysfilter.
    You can then test all the parts of the filter using the Filter test in cPanel
    0
  • Elliot Hagerty
    @cPanelLauren gave us this tip which works extremely well: You can then test all the parts of the filter using the Filter test in cPanel

    Ah, didn't even think about doing that! Great tip, just done as suggested, copied it over to my sysfilter with the same formatting and it's working fine now! I had also noticed on line 6, I'd forgotten an 'or' which wasn't helping either. Thanks @cPanelLauren & @rpvw On a seperate note, I'm trying to block incoming spam spoofing from my email address. I thought I'd be able to stop this by searching the email body. This works fine when I manually send an email. However when viewing the raw source of the spammers email, it contains the following strange formatting, which makes it hard to try and stop, as each time the formatting is slightly different. You m=D0=B0=E2=80=8By n=D0=BE=E2=80=8Bt kn=D0=BE=E2=80=8Bw me =D0=B0=E2=80= =8Bnd y=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2=80=8B prob=D0=B0=E2=80=8B= bly wondering why =D1=83=E2=80=8B=D0=BE=E2=80=8Bu =D0=B0=E2=80=8Br=D0=B5=E2= =80=8B getting this =D0=B5=E2=80=8B mail, right?
    0
  • rpvw
    Your code example is a mixture of plain text and Quoted-Printable encoding, and once decoded, tuns into [quote]You m?y n?t kn?w me ?nd y?u ?r? prob?bly wondering why ??u ?r? getting this ? mail, right?
    ..... and they often follow it with some claim about how they activated your web-cam and have a video of you doing something you wouldn't want your friends to see - and demand a payment not to send the fictitious video to all your contacts ! :eek: or some equally unlikely claim that is designed to trick you into guilty compliance. The spammers and scammers are increasingly using this technique to obfuscate their content, and evade spam and content filtering. There is little one can easily do to prevent it due to the variety and complexity of the encoding available to them You might find the encode/decode utilities useful ; available on-line at h t t p s://toolbox.googleapps.com/apps/encode_decode/ and the utf-8 encoder/decoder at h t t p s://mothereff.in/utf-8
    0
  • Elliot Hagerty
    Your code example is a mixture of plain text and Quoted-Printable encoding, and once decoded, tuns into ..... and they often follow it with some claim about how they activated your web-cam and have a video of you doing something you wouldn't want your friends to see - and demand a payment not to send the fictitious video to all your contacts ! :eek: The spammers and scammers are increasingly using this technique to obfuscate their content, and evade spam and content filtering. There is little one can easily do to prevent it due to the variety and complexity of the encoding available to them You might find the encode/decode utilities useful ; available on-line at h t t p s://toolbox.googleapps.com/apps/encode_decode/ and the utf-8 encoder/decoder at h t t p s://mothereff.in/utf-8

    Yes, you're exactly right. It's a pain that I can't easily search the message body as plain text, as that would solve the issue! I think I read another post from someone who's having a similar issue with spam emails looking like it's being sent from there self with a similar message. Is there a good exim rule to use? Here's a header example from a typical spam email: Return-Path: Delivered-To: myemail@address.co.uk Received: from myserver.com by myserver.com with LMTP id 8LjyCa3YUFzpVwAAPb2kjA for ; Tue, 29 Jan 2019 22:50:21 +0000 Return-path: Envelope-to: myemail@address.co.uk Delivery-date: Tue, 29 Jan 2019 22:50:21 +0000 Received: from apn-46-xx-xx-xxx.static.gprs.plus.pl ([46.xx.xx.xxx]:33980 helo=iquersant.us) by myserver.com with esmtp (Exim 4.91) (envelope-from ) id 1goaXN-0000a0-J7 for myemail@address.co.uk; Tue, 29 Jan 2019 21:03:18 +0000 Received: from [24.xx.xx.xx] (helo=[192.168.1.00]) by relay.gaonet.gov with esmtpa envelope from authenticated with wissclor@calhouncountyal.gov message id 1goaX7-0000ul-pc for myemail@address.co.uk; Tue, 29 Jan 2019 22:32:25 +0200 Received: from [08.xx.xx.xx] (helo=[192.168.1.03]) by relay.doralpd-fl.gov with esmtpa envelope from authenticated with bloonkmapt@franklincountyga.gov message id 1goaX7-0000dg-az for myemail@address.co.uk; Tue, 29 Jan 2019 22:32:25 +0200 Date: Wed, 30 Jan 2019 00:03:01 +0300 X-grahfreng: dengzask X-jushdol: yandkuk Mime-Version: 1.0 Content-Type: text/html; charset="utf-8" From: "My Name"
    0
  • rpvw
    The holy grail of GLOBAL spam filtering is to block spam that uses your email address as the spoofed 'from' address, and delivers it you your account, and originates from a remote Sender User. Shouldn't be a problem should it ? The issue is to determine if the Sender User is remote or an actual user on your server. Whilst one could do something like Pseudo Code if "$h_to:, $h_from:" contains me@domain.example then ...
    this is only practical at user level, and may block you from sending a genuine copy of an email to yourself. There are a couple of other threads you may like to read through If you work out how to do it - please let us know :-D
    0
  • Elliot Hagerty
    The holy grail of GLOBAL spam filtering is to block spam that uses your email address as the spoofed 'from' address, and delivers it you your account, and originates from a remote Sender User. Shouldn't be a problem should it ? The issue is to determine if the Sender User is remote or an actual user on your server. Whilst one could do something like Pseudo Code if "$h_to:, $h_from:" contains me@domain.example then ...
    this is only practical at user level, and may block you from sending a genuine copy of an email to yourself. There are a couple of other threads you may like to read through If you work out how to do it - please let us know :-D

    See my first idea was the following if $header_from matches $header_to and $reply_address: does not match $header_from then
    Which in my head makes sense? As I thought '$reply_address' would be 'Return-Path'... or am I being stupid? :-D
    0
  • rpvw
    The problem I have experienced so far, is that I have been unable to get the content of one variable to be tested against the content of another variable. So: $header_from matches $header_to does not work - tries to match the content of $header_from to the string $header_to (as opposed to the content of the variable $header_to) I have not been able to determine if the problem is my syntax, or if the exim filter just doesn't work that way o_O The docs are clear that for a "matches" test, after expansion of both strings, the second one is interpreted as a regular expression, but the statement that An "is" test does an exact match between the strings, having first expanded both strings.suggests that each variable(string) should be expanded .......... I just have never made it work :( [quote] $return_path When a message is being delivered, this variable contains the return path " the sender field that will be sent as part of the envelope. It is not enclosed in <> characters. At the start of routing an address, $return_path has the same value as $sender_address, but if, for example, an incoming message to a mailing list has been expanded by a router which specifies a different address for bounce messages, $return_path subsequently contains the new bounce address, whereas $sender_address always contains the original sender address that was received with the message. In other words, $sender_address contains the incoming envelope sender, and $return_path contains the outgoing envelope sender.
    [quote] $reply_address When a message is being processed, this variable contains the contents of the Reply-To: header line if one exists and it is not empty, or otherwise the contents of the From: header line. Apart from the removal of leading white space, the value is not processed in any way. In particular, no RFC 2047 decoding or character code translation takes place.
    Hope you have better luck !
    0
  • Elliot Hagerty
    The problem I have experienced so far, is that I have been unable to get the content of one variable to be tested against the content of another variable. So: $header_from matches $header_to does not work - tries to match the content of $header_from to the string $header_to (as opposed to the content of the variable $header_to) I have not been able to determine if the problem is my syntax, or if the exim filter just doesn't work that way o_O The docs are clear that for a "matches" test, after expansion of both strings, the second one is interpreted as a regular expression, but the statement that An "is" test does an exact match between the strings, having first expanded both strings.suggests that each variable(string) should be expanded .......... I just have never made it work :( Hope you have better luck !

    So I've managed to get the following working fine for me: if $header_from matches $header_to and $return_path: does not contain "amazonmail" or $header_from matches $header_to and $return_path: does not contain "companyname" then fail text "Your message was detected as spam. If this was by mistake, please call and inform us of the issue. Company Name." seen finish endif
    We send our outgoing mail through either amazon mail or our own server, hence the two. I've thoroughly tested this, going to a different contact, then sending an email to my self on either outgoing server, and it's working absolutely fine. The next test, will be if I still receive the spam emails. Not sure if this will help anyone?
    0
  • cPanelLauren
    Thanks @cPanelLauren & @rpvw

    Awesome I'm glad @rpvw sent you that. To confirm all is working well now? Also @rpvw your help here is fantastic, thanks!
    0

Please sign in to leave a comment.