Skip to main content

Filter Incoming Emails by Domain

Comments

17 comments

  • cPanelLauren
    The wildcard can only be used on its own in the field so compario*.com won't work but *.compario.com or *.compario (if compario were a valid tld) would work For this, you'd probably be better off using the system filter so you can customize it a bit more
    0
  • keat63
    These were all coming from somewhere like Brazil, so in the short term I blocked the IP subnet in CSF. However, I guess there's a chance that it will shift servers, and possible start all over again with a different domain name. The word compario appeared ai all the sent from addresses, but they changed the domain name slightly in each one. literally along the lines of info@compariomailer.com another@comapriosender.com account@compariosomething.com Each time the IP changed, each time the email address changed slightly. We got bombarded for a while.
    0
  • keat63
    adding *.compario didn't work. Lets see what a custom filter does instead
    0
  • cPanelLauren
    adding *.compario didn't work.

    Right, because it's not a valid tld
    Lets see what a custom filter does instead

    I feel like that will do the trick in this instance.
    0
  • keat63
    I had a custom filter based on a TLD /usr/local/cpanel/etc/exim/sysfilter/options/inbound_tld_block file and add following code if first_delivery and ("$h_to:, $h_cc:" contains ".icu") or ("$h_from:" contains ".icu") then seen finish endif
    This was working well to block .icu domains I modified this to if first_delivery and ("$h_to:, $h_cc:" contains ".icu") or ("$h_from:" contains ".icu") or ("$h_to:, $h_cc:" contains "no-reply@compario") or ("$h_from:" contains "no-reply@compario") then seen finish endif
    Now it doesn't work at all, not only does it not block the compario emails, the .icu ones are now getting through. Any ideas.
    0
  • keat63
    This just got strange now. The rule I had working a few days ago worked a treat on .icu tld's. I messed about with it to restrict something else, where upon it stopped working. Today I rolled back to just the .icu tld, but this isn't workning either now. if first_delivery and ("$h_to:, $h_cc:" contains ".icu") or ("$h_from:" contains ".icu") then seen finish endif
    Can anyone spot anything wrong or offer any advice why it should have stopped working ? I've re-saved exim config and restarted exim. I do use CSF maulscanner, can this have any bearing ? although it worked great a few days ago.
    0
  • keat63
    Further update. I noticed last night that exim config has the system filter file as etc/antivirus.empty (maybe a mailscanner thing ?) I checked that file and my code is listed inside this file. Yet I came in this morning to another 30 or so spammy emails from .icu domains When I started toying with the exim filter last week, I removed the .icu entry from 'filter incoming emails by domain' So this morning I re-added it, and now .icu domains are being blocked. My conclusion is that either the system filter just doesn't work, or it doesn't work based on the above rule set.
    0
  • cPanelLauren
    Hey @keat63 When you're editing the system filter file you have in place, what is the process you're completing after you update the file?
    0
  • keat63
    I'm not quite sure exactly what you mean, so here goes. Using ConfigServer Explorer, I'm editing the file /usr/local/cpanel/etc/exim/sysfilter/options/inbound_tld_block and adding the above ruleset. Go to exim config and ensure the file is defined and enabled in the filters tab. Save exim config, which regenerates the config and restars exim, and for good measure re-starting mailscanner. Again using CS Explorer, locate and open the file /etc/antivirus.empty, to confirm that my ruleset is defined. During the regen, I can see a message about /etc/antivirus.empty being switched to on.
    0
  • cPanelLauren
    Save exim config, which regenerates the config and restars exim, and for good measure re-starting mailscanner.

    This is what I was looking for. I wanted primarily to see if the configuration was being rebuilt. Because you're running MailScanner I'm actually a bit concerned these changes aren't being recognized by it properly. Since everything goes into antivirus.empty. What version of Exim and MailScanner are you on?
    0
  • keat63
    Exim version 4.92 #2 built 27-Sep-2019 MailScanner - v5.0.2
    0
  • cPanelLauren
    I don't run mailscanner and I do run an edge server. Though right now edge is v86 which is also RELEASE and CURRENT (we've just released today) so everyone should be on the same version of exim I am: exim --version Exim version 4.93 #2 built 23-Dec-2019 18:18:10
    I noticed you're on a lower version, what version of cPanel are you on? And I'm not having this issue with my custom filters, so I am concerned either there's an older case regarding MailScanner that is affecting you or something is up with the version of MailScanner you're using which is a bit behind their current stable release 5.2.1-1
    0
  • keat63
    I was on 84.something, but this evening I just updated to 86.0.4 Exim version 4.93 #2 built 23-Dec-2019 18:18:10 I'm not seeing any notice about an update to mailscanner though, and I only installed this about 3 maybe 4 weeks ago when I migrated servers. I just forced an upgrade and I'm still on 5.0.2 I spotted 5.2.1-1 on Github, but I think maybe there's another application named mailscanner, and we are looking at the wrong one.
    0
  • keat63
    Going slightly off track, but ulimately it's probably all related. It seems that 5.2.1-1 may be the same mailscanner. I assumed it was branded by CSF !!! The MSFE install page (where I installed Mailscanner from), suggests that thier install script might not be the most current version, hence 5.0.2. Ugrading to 5.2.1 though is a mine field. I spent the best part of an hour trying to figure out how to perform this and ended up nowhere. Reply from CSF 'We do not use the Mailscanner script that is developed and published on Github. We forked our own version a few years ago . We monitor the "official" MailScanner but at this time there are no new features or fixes that affect the use of MailScanner on cPanel servers. '
    0
  • cPanelLauren
    That's super odd because I got the MailScanner site from ConfigServer where they link to it - ConfigServer MailScanner Front-End for cPanel [QUOTE]installer
    So I assumed since they were linking to it they were using that version, mistakenly I guess. There are some changes in v86 that will impact MailScanner (I believe) since we changed some libraries' exim depends on. What is the status of the filters now?
    0
  • keat63
    Since I couldn't get the filter to work, I'm back to using 'filter by domain' (gone full circle) I'm on a war path at current, so I'll get a chance to have a play with the filters when I next see a bombardment.
    0
  • keat63
    Am I correct in assuming that the tool 'filter by domain' won't work for mailing list handlers, eg Mailchimp type. If the sender is someone@some-company.com, but usuing mailchimp, the tool would pick up the sending domain name and not the sending server ?? Received: from emx121.instillerhq.com ([185.105.64.121]:32805) by myserver with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from )
    I'm currently at war with these mailing houses. Whilst they claim to be ethical, we get tons of unsolicited marketting junk, so quite clearly not ethical enough. It would be good to banish the whole mailing house, regardless of who sent it.
    0

Please sign in to leave a comment.