Email filter not working
I have an email filter for one account that is: if body contains "bitcoin", delete.
Pretty simple filter, but cPanel gets it wrong.
When I test using the provided filter test it works, but in reality these stupid bitcoin emails keep coming in.
SpamAssassin does identify them as spam; however, I can't take the risk of deleting all spam-identified email, some must go through for the user to decide.
The emails are forged as originating from the recipient's email address.
Here is a mail_log snippet:
[root@xxxx log]# exigrep -l cluypran exim_mainlog
2019-01-25 19:36:32 1gnBxX-0000oR-6D H=(out.example.com) [14.186.xxx.x]:38207 Warning: "SpamAssassin as xxxx detected message as spam (35.4)"
2019-01-25 19:36:32 1gnBxX-0000oR-6D <= someusrs@out.example.com H=(out.example.com) [14.186.212.8]:38207 P=esmtp S=14530 id=plgabjkfznyp-zliygba-x@out.example.com T="accounts cluypran" for xxx@xxxxx.com
2019-01-25 19:36:32 1gnBxX-0000oR-6D => xxx R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 < 6JisNpCrS1xeDAAAdBzxuw Saved"
2019-01-25 19:36:32 1gnBxX-0000oR-6D Completed
I found yaml filters and here is what they contain:
[xxxxxxx.com@xxxxxxx xxxxxxx]# more filter.yaml
---
filter:
  -
    actions:
      -
        action: save
        dest: /dev/null
    filtername: Bitcoin then delete
    rules:
      -
        match: contains
        opt: or
        part: $message_body
        val: Bitcoin
    unescaped: 1
version: '2.2'
[xxxxxxx.com@xxxxxxx xxxxxxx]# pwd
/home/xxxxxxx/etc/xxxxxxxxxxxxxx.com/xxxxxxx
[xxxxxxx.com@xxxxxxx xxxxxxx]# ls
filter filter.cache filter.yaml
[xxxxxxx.com@xxxxxxx xxxxxxx]# more filter.cache
{"version":2.2,"filter":[{"unescaped":1,"actions":[{"dest":"/dev/null","action":"save"}],"rules":[{"opt":"or","part":"$message_body","val":"Bitcoin","match":"contains"}],"filtername":"Bitcoin then delete"}]}
[xxxxxxx.com@xxxxxxx xxxxxxx]# more filter
# Exim filter - auto-generated by cPanel.
#
# Do not manually edit this file; instead, use cPanel APIs to manipulate
# email filters. MANUAL CHANGES TO THIS FILE WILL BE OVERWRITTEN.
#
headers charset "UTF-8"
if not first_delivery and error_message then finish endif
#Bitcoin then delete
if
  $message_body contains "Bitcoin"
then
  save "/dev/null" 660
endif
Are you sure that the body actually contains the phrase? I had something similar that I could never get to work; it's as if the phrase I was trying to filter out was embedded inside an HTML block of code.
Ah ha! I just checked and it looks like you are correct. I'll filter on any header going forward, as that does contain the word bitcoin. Thank you for pointing that out. Do you know of any way to decode that encoded string equaling "bitcoin"? SpamAssassin must do it, as it does show in the SpamAssassin header.
I gave up. I found the IP source of the offenders and blocked them in CSF.
You might find the encode/decode utilities useful; available online at https://toolbox.googleapps.com/apps/encode_decode/ and the UTF-8 encoder/decoder at https://mothereff.in/utf-8. You might need to include an 'or' rule that handles both lower case and upper case 'B', etc.
The messages I get have changing IPs. Might be best to filter on any header contains "OBFU_BITCOIN".
Let us know if the changes you made help, @jeffschips. Also, I would base any filtering off of IP solely; it's unreliable because of the ability to change the originating IP address. You're on the right track, though.
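An added example (not from the original post or any of the replies) illustrating the two points raised in this thread: why a plain `$message_body contains` test misses a keyword that only appears after the MIME body is decoded (the base64/quoted-printable and HTML-entity layers), and how the SpamAssassin `X-Spam-Status` header exposes the rule name (`OBFU_BITCOIN`) that a header-based filter can key on instead. The message, its headers and the `X-Spam-Status` value are constructed here for the demonstration; nothing in it comes from the poster's mailbox.

```python
import email
import html
import re
from email import policy
from email.message import EmailMessage

# Constructed sample body: the keyword is split with HTML numeric entities
# (&#105; = "i", &#111; = "o"), and the part is base64-encoded on the wire,
# so the literal bytes "bitcoin" never appear in the raw message body.
HTML_BODY = "<p>Buy b&#105;tc&#111;in now, accounts cluypran</p>"

def build_sample_message() -> bytes:
    """Assemble a constructed forged message that resembles the thread's case."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"      # forged: same address as the recipient
    msg["To"] = "user@example.com"
    msg["Subject"] = "accounts cluypran"
    # Constructed header in SpamAssassin's usual shape; the rule names are the
    # one mentioned in the thread plus HTML_MESSAGE.
    msg["X-Spam-Status"] = "Yes, score=35.4 required=5.0 tests=HTML_MESSAGE,OBFU_BITCOIN"
    msg.set_content(HTML_BODY, subtype="html", cte="base64")
    return msg.as_bytes()

def raw_body_contains(raw: bytes, keyword: str) -> bool:
    """Approximate Exim's `$message_body contains`: a case-insensitive substring
    test on the undecoded body bytes (no transfer-decoding, no entity handling)."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) == 2 else b""
    return keyword.lower().encode() in body.lower()

def decoded_body_contains(raw: bytes, keyword: str) -> bool:
    """Decode each text part (transfer encoding and charset), resolve HTML
    entities and strip tags, then search case-insensitively."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()              # undoes base64 / quoted-printable
        text = html.unescape(text)             # "&#105;" -> "i"
        text = re.sub(r"<[^>]+>", " ", text)   # drop tags so words are contiguous
        if keyword.casefold() in text.casefold():
            return True
    return False

def spam_tests(raw: bytes) -> set:
    """Return the SpamAssassin rule names listed in the X-Spam-Status header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    status = msg.get("X-Spam-Status", "")
    m = re.search(r"tests=(\S+)", status)
    return set(m.group(1).split(",")) if m else set()

if __name__ == "__main__":
    raw = build_sample_message()
    print("raw body match:    ", raw_body_contains(raw, "bitcoin"))      # False
    print("decoded body match:", decoded_body_contains(raw, "bitcoin"))  # True
    print("SA rules hit:      ", sorted(spam_tests(raw)))
```

The raw test fails for the same reason the cPanel filter does: Exim's `$message_body` is the body as received, before any MIME decoding, and it is also truncated to `message_body_visible` bytes (500 by default), so even an unencoded keyword deep in a long HTML message can be out of reach. SpamAssassin decodes the parts before running its rules, which is why its header carries the hit; matching a header on the rule name, as suggested above, keys off that already-decoded verdict rather than re-implementing the decoding in the filter.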