Global email filter - block .co email addresses
I've tried to set up a global email filter to block .co emails, which I've been getting a lot of spam from lately. Typically, if I see spam coming from an email address like address@something.monster, I'll create a filter to block it: "From contains .monster". I can't do that with .co or I'll block .com. However, the dropdown for "ends with" doesn't seem to work. With a filter "From ends with .co", I still get the messages arriving in the SPAM folder. The settings on the server are decent at flagging and tagging ***SPAM*** messages, so this is just spam box control; I like to keep it so nothing even lands in there either.
Can you show me the exact filter text that you have created thus far?
Sure thing! Screenshot below!
Just as a matter of interest, are these coming from 170.130.212.xxx?
Yes! Yes they are coming from 170.130.212.xxx
Me too. I've blocked the subnet in my firewall, but today they are coming from 91.151.90.xxx
I've not blocked a subnet via the firewall yet; any link or advice on how to do that for this 170.130.212.xxx? I'm sure the problem can be addressed different ways. I know some folks want to keep things more open, but I'm good with tightening things down. I've even thought that if I could do something that blocked anything that wasn't .com, .net, .gov, .edu etc., then I'd consider it, since I've set up so many filters for the .monster etc. domains that I don't think there's any legit email I'm going to get from them.
If you have CSF, add the following to the "Firewall Deny IP" list:
170.130.212.0/24 # do not delete
Thanks keat63. I did not have CSF installed, but went into my WHM, got it installed and pasted that line into the list. I turned off test mode, so "I THINK" I've got it set, and will keep an eye out for emails from that IP to see if I did anything wrong or, hopefully, never see one from there again. Two questions please! RESTRICT_SYSLOG says it is disabled by default. Leave that off? I'm a bit fuzzy on the "do not delete" for the line I added; could you explain? THANKS!
Found this in the support doc for CSF: "If you don't want csf to rotate a particular IP in csf.deny if the line limit is reached you can do so by adding "do not delete" within the comment field." So I guess I don't understand what rotating a particular IP means.
Just got a SPAM message from a .co email address, so at first I thought the CSF filter wasn't working, but this came in from 185.249.203.11 according to the email header. So I guess I can just keep adding IP addresses, eh? I never heard anything back regarding why the global email filter wasn't working for email addresses when using the "ending in" filtering. Any thoughts on why that is?
I tested this using the filter trace and the exact filter you used:
Sub-condition is false: not first_delivery
Condition is false: not first_delivery and error_message
Condition is true: $header_from: ends .co
Return-path copied from sender
Sender = test@something.co
Recipient = myuser@mydomain.net
Testing Exim filter file "/etc/vfilters/mydomain.net"
Headers charset "UTF-8"
Save message to: /dev/null 0660
Filtering set up at least one significant delivery or other action.
No other deliveries will occur.
So, I'm unsure why your filter didn't catch this. What is in the actual headers for these in some examples you've received (be sure to change your domain/server information)? My assumption is the actual header From: line does not end in .co
To add to that last response, if my assumption is correct, maybe matching regex is the way to go? I did this as a quick and dirty version of it that will match *.co
Thank you Lauren. I actually googled regex before I ever came to this forum and what I read made me go.....huh?! But I did wonder if that was something that could be leveraged. As to your previous comment about .co working, I'm looking at an email header here, but as far as I can read it, it looks like it's coming from a .co unless I'm missing something. I'll paste a header below.
Content-Type: multipart/alternative; boundary="------------893596661600190599490218"
Mime-Version: 1.0
Envelope-To: xxxxxxx@xxxxxxx.com
X-Spam-Report: Spam detection software, running on the system "xxx.xxxxxxxx.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
Content preview: So it's a good balance This would require auditing the carbon footprint of the supply chain of everything sold in the UK, including imports We have had to hire people for snow removal, says Renewables [...]
Content analysis details: (16.0 points, 3.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist [URIs: defeatrank.co]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: defeatrank.co]
-0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5% [score: 0.0218]
4.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=defeatrank.co;ip=185.249.203.6;r=xxx.xxxxxxxx.com]
4.0 SPF_FAIL SPF: sender does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=aware%40defeatrank.co;ip=185.249.203.6;r=xxx.xxxxxxxx.com]
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background
0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
2.4 NORDNS_LOW_CONTRAST No rDNS + hidden text
X-Spam-Status: Yes, score=16.0
X-Spam-Bar: ++++++++++++++++
X-Spam-Score: 160
Return-Path:
Return-Path:
X-Spam-Flag: YES
Delivery-Date: Wed, 29 Jul 2020 13:23:09 -0500
Received: from xxx.xxxxxxxx.com by xxx.xxxxxxxx.com with LMTP id 4N+iKY2+IV+UIAAAXIk9kg (envelope-from ) for ; Wed, 29 Jul 2020 13:23:09 -0500
Received: from [185.249.203.6] (port=53450 helo=defeatrank.co) by xxx.xxxxxxxx.com with esmtp (Exim 4.93) (envelope-from ) id 1k0qik-00029n-OO for xxxxxxx@xxxxxxx.com; Wed, 29 Jul 2020 13:23:09 -0500
Delivered-To: xxxxxxx+spam@xxxxxxx.com
Yea, to be honest, I am downright awful with regex; it's just not a strong suit of mine, though I try and force myself to get better with it. So this looks like just part of the headers, but the matching is very exact in the "ends with" and From: portions. The line needs to end with .co, and none of this shows the From: line, which looks like this:
From: Lauren
Date: Thu, 2 Jul 2020 15:11:56 -0700
Message-ID:
Subject: Undeliverable
To: morticia@mydomain.net
Okay, so instead of showing headers, I viewed the message raw source and I see this there that is most similar to your example:
From: " Phillip Ramirez"
Date: Wed, 29 Jul 2020 13:07:52 -0500
MIME-Version: 1.0
To:
Message-ID:
Content-Type: multipart/alternative; boundary="------------893596661600190599490218"
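The mismatch Lauren points at above can be reproduced offline: an "ends with" test runs against the whole From: header value, and a real From: line carries a display name and an angle-bracketed address, so it ends with ">" rather than with the domain. The block below is an added example, not cPanel's or Exim's code. Its From: values are constructed for the demonstration (two reuse addresses that appear in the headers pasted in this thread; the rest, and every display name, are invented), and it contrasts the raw "ends with" test with a decision made on the sender domain's TLD, both as parsed-address logic and as a regex that tolerates the closing bracket. It also shows the allow-list variant (only .com, .net, etc.) that was floated earlier in the thread; the TLD lists are assumptions, not anything the page prescribes.

```python
"""Why "From ends with .co" misses real spam, and what to match on instead.

Added example, not cPanel's or Exim's code. All header values below are
constructed for this demonstration; display names are invented.
"""
import re
from email.utils import parseaddr

# Constructed From: header values. The bare address is the shape the filter
# test box receives; the bracketed forms are what delivered mail carries.
SAMPLE_FROM_HEADERS = [
    "test@something.co",                                # bare address (filter-test style)
    '"Phillip Ramirez" <aware@defeatrank.co>',          # display name + angle brackets
    '"John Sartoris" <john.sartoris@improssifish.work>',
    "Buzz Aldrin <aldrin.buzz@nasa.org>",               # ".buzz" only in the local part
    "Somebody <somebody.co@somewhere.com>",             # ".co" only in the local part
    "Friend <friend@example.com>",                      # legitimate .com sender
]

# Assumed deny/allow lists for the demonstration.
BLOCKED_TLDS = frozenset({"co", "buzz", "monster", "work"})
ALLOWED_TLDS = frozenset({"com", "net", "org", "gov", "edu"})


def ends_with_raw(header_value: str, suffix: str) -> bool:
    """The literal 'ends with' test applied to the whole header value.

    A bracketed address ends with '>' so this is False for most real mail."""
    return header_value.rstrip().endswith(suffix)


def sender_domain(header_value: str) -> str:
    """Domain part of the address inside From:, ignoring the display name."""
    _display_name, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def tld(domain: str) -> str:
    """Last DNS label of a domain ('' if the domain is empty)."""
    return domain.rsplit(".", 1)[-1] if domain else ""


def tld_blocked(header_value: str, blocked=BLOCKED_TLDS) -> bool:
    """Deny-list decision made on the sender domain's TLD only, so a '.co'
    in the local part (somebody.co@somewhere.com) never triggers it."""
    return tld(sender_domain(header_value)) in blocked


def tld_allowed(header_value: str, allowed=ALLOWED_TLDS) -> bool:
    """Allow-list variant: accept only senders whose domain TLD is listed."""
    return tld(sender_domain(header_value)) in allowed


# Regex form of the same deny-list test, for filters that only offer a regex
# field: anchor on the end of the *address* and tolerate a closing '>'.
# The '$' after the alternation is what keeps '.co' from matching '.com'.
TLD_AT_END = re.compile(
    r"@[^\s@<>]+\.(co|buzz|monster|work)\s*>?\s*$", re.IGNORECASE
)


def regex_blocked(header_value: str) -> bool:
    """True when the address in the header ends in one of the listed TLDs."""
    return TLD_AT_END.search(header_value) is not None


def decisions(header_values=SAMPLE_FROM_HEADERS):
    """Return (header, raw_ends_with_co, tld_blocked, regex_blocked) per sample."""
    return [
        (h, ends_with_raw(h, ".co"), tld_blocked(h), regex_blocked(h))
        for h in header_values
    ]


if __name__ == "__main__":
    for header, raw, by_tld, by_regex in decisions():
        print(f"{header:52} raw-ends-with-.co={raw!s:5} "
              f"tld-blocked={by_tld!s:5} regex-blocked={by_regex}")
```

Running it shows the bare test-box address passing all three checks while the bracketed defeatrank.co header fails the raw "ends with" test and passes the other two, which is exactly the gap between "the filter test says /dev/null" and "the message still arrived". The domain-only tests leave the nasa.org and somewhere.com samples alone.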
Off-topic, but on the CSF thing, there are some preset profiles that you can play with. I'm guessing that it comes out of the box with a conservative profile. Make sure you whitelist your own IP address or subnet etc., just in case you lock yourself out. Give yourself a back door, like your home IP/subnet and your office IP etc. Regarding the rotate: CSF will monitor for attacks and, depending on the profile you use, it will start to blacklist IP addresses that it sees as being an attack of some sort. It stores these in a table. Once this table is full, IPs will start to fall off the edge to make way for new ones coming in. This is good in the respect that the rotation could take a few weeks or a month, meaning the attacker is locked out for this period. CSF is highly configurable and is a great tool to help keep out hackers etc. On the original subject, I'm keen to learn why it doesn't work. My attack plan differs from yours, so I haven't created a filter.
Thanks for that. I did inadvertently block my backup system from being able to access their sites after setting up the firewall, so thanks for this info; now that I've been through fixing that, I should be able to add some other IPs easily enough.
20 SPAM messages from .co in the last 24 hours, so the regex Global Email Filter isn't working. I mean, there has GOT to be a way to get the filter to capture these, no? Got one two days ago from a .buzz, made a filter for it, no more .buzz emails in the junk folder. Please share any ideas, but I'm thinking for now I might try a filter that only lets .com, .net etc. come through and see how that goes.
Would a space at the end of the filter make any difference? i.e. .co (space)
I have this same problem. I don't want to block .co, but I would like to block .buzz and a bunch of other bogus domains. And doing the same type of filter, such as "ends in .buzz, discard", does not work! I've spent hours with my hosting company and they have no answer. Sorry to learn when coming to the cPanel forums that this is a more wide-spread problem. d.
Hmmm... Anybody have a solution?
The regex example I used here should work; did you not try this?
Hi Lauren, thanks for the reply. I installed the filter shown in the attached picture last night. This morning I received spam from this domain. Here is the spam, with my private information removed:
From john.sartoris-************@improssifish.work Fri Aug 07 08:41:11 2020
Received: from [170.130.213.54] (port=54760 helo=mail.improssifish.work) by ********** with esmtp (Exim 4.93) (envelope-from ) id 1k44UZ-009x82-HS for *******; Fri, 07 Aug 2020 08:41:11 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=improssifish.work; h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; i=john.sartoris@improssifish.work; bh=TZO+wy759zAJiYaw3e7QXevcY5E=; b=Z/J2f/nKkelAd+An8wGC07ocvZLRl+ddWfHU3D5+bMwYWBcePYTFFgh3PXxEgp4bMsB7AwF3xHTp AGRmD3KQOPOv//1z0EeBiyNfgFQ4VI8AK0T3WDGFMeYE+vCfgZqq+1vvDOo8n1PHQD2OwukYFReB JVBWohuG76nlmnWxuEQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=improssifish.work; b=KgsiioLjUFdTxwdZh3H3trDojsCGzRrPWrwB55MVJpu4T7AiqELJymmOD5b3AkGt37YOPzWv0hHz pXb1cOiNDtPddos5TwUG7P00k4481tEUhWG00OqTwz9+7DAPGj41RM4HIz3eeHQ2N7eCZZMjJ/k7 rKTGBvOdHtqo9ej8FH8=;
Received: by mail.improssifish.work id h5m8r00001g0 for <*******>; Fri, 7 Aug 2020 13:35:45 -0400 (envelope-from )
Date: Fri, 7 Aug 2020 13:35:45 -0400
From: "John Sartoris"
To: <*******>
Subject: You've Been Nominated for inclusion with Who's Who…
Thanks again for your help! Regards, Dave
What is the output when you put john.sartoris@improssifish.work in the Filter Test box in the Create a New Filter screen? I wonder if something like this would work better:
I continue to get spam from email addresses that show as sent to /dev/null if I test them. This is 3 hours after I installed the filters. This is the latest one captured by Track Delivery: bobby-coleman-=.com@pliquing.work Aug 7, 2020, 3:26:15 PM @com Accepted
Is there anything else I can do in cPanel to track down why these filters are not working? Thanks, Dave
Looks like nobody, including cPanel, really knows what's going on here. Let me review the problem: A global email filter can be created using regex to delete spam with a filter such as "^.*\.buzz$". The filter can be tested and does indicate the spam will be delivered to /dev/null 0660. But even though the filter sees the spam, it is still delivered to the recipient and not /dev/null. I believe I've shown this in my posts. (PLEASE correct me if I'm wrong!) So that indicates there is a failure in BoxTrapper. Help!
I'm fairly certain that when I create a unique .something email filter, it blocks those from going to my SPAM folder. Attaching what I just added for .buzz, since I don't see where I've made one of those in the past, nor do I think I've been getting any from that, but I will keep an eye out and see if any make it through. I'm still waiting to see if I get .co ones to come in; I've had a few days of nothing, but in SPAM right now are 35 messages from the last two days or so that all have .com endings. sighhh I hate spam. At one point I even turned on some filter that mail can only come from certain countries of origin, but I'm sure a simple VPN setup would allow spammers to get around that.
commanderclif, I am not a cPanel expert, nor do I play one on TV. I believe your filter will work, but it will have other (possibly unintended) consequences. Not only will it block all email from somebody@somewhere.buzz, but it will also block all email from aldrin.buzz@nasa.org. Maybe you don't care about .buzz, but other domains will cause deletion of probably desired email. It would be pretty easy to get an email from somebody.co@somewhere.com. Have you ever gotten cPanelLauren's regex filter to work? Dave