Global email filter - block .co email addresses

Comments

50 comments

  • d_j_wills
    Next, I investigated Spam Experts. At first I thought this would be a great tool. Unfortunately, there is almost no documentation on how to use it (available to me, at least). For example, there are multiple selections for blacklist. Which one to use? And when I configured it, the configurations would disappear (i.e., no Save button). It looks like this would be a great spam blocking tool, if it was documented and it works. I never used Spam Assassin because even at reasonable levels it would declare valid emails as possible spam. It does this by putting lots of junk headers into the email. (I was being spammed by Spam Assassin!) And then if you reply to that email without editing the headers, your reply has the same spam in it that Spam Assassin added to the incoming mail. Not a good thing when replying to customers. I might have stumbled into a solution that might work. (I still need to confirm it isn't blocking valid mail.) Spam Assassin has a blacklist that appears to work, unlike Spam Experts or Global Email Filter. So I set the Spam Assassin threshold really high (20) so almost nothing is declared spam, and then added the bogus domains like .buzz to the Spam Assassin blacklist. I still use Global Email filters to block spam from repeat spammers who use domains I care about, such as .com and others. YMMV. Dave
    0
  • commanderclif
    commanderclif, I am not a cpanel expert, nor do I play one on TV. I believe your filter will work, but it will have other (possibly unintended) consequences. Not only will it block all email from somebody@somewhere.buzz, but it will also block all email from aldrin.buzz@nasa.org. Maybe you don't care about .buzz, but other domains will cause deletion of probably desired email. It would be pretty easy to get an email from somebody.co@somewhere.com. Have you ever gotten CpanelLauren's regex filter to work? Dave

    I can confirm I've not gotten any SPAM as of late from a .co but unsure if it is the regex that is catching it or just senders not using that lately. I can admit I hadn't thought about aldrin.buzz emailing me...he usually uses his buzz.aldrin account when he hits me up, hehe but I do take your point. Since it's just my wife and I using this cpanel email account and us being a tiny company, I'm more interested in locking things down than possibly hanging someone up. But to your point, if the spam filter tool of "ends in" worked, which I seem to have not been able to get to work successfully, then "from" "ends with" .buzz would be the best fix.
    0
  • d_j_wills
    AFAIK, cPanel has not given an answer that resolves this. I think I said before I'm not a regex expert, but I'm certain that the regex filter "^.*\.buzz$" does not work. I've looked more into regex to confirm that the '\' escapes special characters. I believe the '.' (dot) character means match any single character ('*' for one character). So "\." should match a dot. And that makes me believe "ends with" "\.buzz" should work. I've created multiple Global Email Filters that contain "ends with" "\." and I can see that at least *some* of the spam is getting through. (I say "some" because it's not clear if spam is being deleted or none is coming in. I have questions about Track Delivery which I will post elsewhere.) Dave
    0
  • Postpit
    You can do it through filter by blocking user IP address.
    0
  • d_j_wills
    My last post on this thread... Blocking by IP address isn't a good solution (for me). There are too many IP addresses from foreign countries to block. Even .htaccess isn't a good solution because you (I) need to update too often. After much help from my domain host, I've found a couple filters that "seem" to work: "matches regex" .+@.+\. or for more unique filters: "matches regex" .+@. Dave
    0
  • commanderclif
    Hey Dave - Been awhile since I hit this page. I don't get email notifications to replies here, I'll figure out if that is something I can fix later, but can you give me any understanding to what the regex is you did here to get it working? I'm a noob at regex so looking at this I'm not sure what I would leave as is vs. what I would change to make a new filter. Like if I wanted to filter .co ending without .com or if I wanted to use this to block .deal or something. Thanks for keeping the thread alive!
    0
  • cPanelLauren
    The TLD portion of the filter @d_j_wills notes can be any TLD, so .com or co would work. Also @commanderclif you can change your notification preferences for the forums by clicking your username on the top menu bar -> Select Preferences -> scroll down to Content Options. You'll see settings for the following:
    • Automatically watch content you create
      • and receive email notifications
    • Automatically watch content you interact with
      • and receive email notifications
    Select which you'd like and for new posts, you'll get notified according to these. I took the liberty of selecting yes for you on Automatically watch content you create and Automatically watch content you interact with, but I left the email notifications set to no as I feel that is something you should choose for yourself.
    0
  • d_j_wills
    Hey Dave - Been awhile since I hit this page. I don't get email notifications to replies here, I'll figure out if that is something I can fix later, but can you give me any understanding to what the regex is you did here to get it working? I'm a noob at regex so looking at this I'm not sure what I would leave as is vs. what I would change to make a new filter. Like if I wanted to filter .co ending without .com or if I wanted to use this to block .deal or something. Thanks for keeping the thread alive!

    Sorry, I didn't get an email from your post either. (Looked at Lauren's note, but all my checkboxes are checked saying I should get emails. ???) The regex filters are too generic for me to want to use them because they occasionally block valid emails. I've determined how to block bogus or unwanted domains, but it's cumbersome. With Lauren's help, I found email coming from user@somewhere.buzz (as an example), could also come from . But an ends with filter on ".buzz" would not catch an ends with ".buzz>", and an ends with ".buzz>" would not catch an ends with ".buzz". If you can get either in the from address, you need to have 2 different filters. Once doing this, I was able to cut spam way down. Dave
    0
  • commanderclif
    Interesting Dave! I'll look to add that for future extensions I want to block. THANKS!
    0
  • d_j_wills
    NP, but the thumbs up goes to Lauren. d.
    0
  • SamA
    Hello, I'm glad that Lauren was able to be of assistance! I'll go ahead and close this thread.
    0
  • Yasser Gomaa
    Try \.co\>
    0
  • commanderclif
    Well for some reasons .co email addresses have started showing back up again in Spam. Not sure what changed but I'd like to stop any and all emails that end in .co addresses and obviously not block .com addresses. Any thoughts?
    0
  • commanderclif
    Hmm better yet, maybe I just need to block the range of IP addresses. I've not done that before but looking in to it. I see that all these .co Spam emails come from same set of first 3 sets of numbers the same with the last three changing each message.
    0
  • Mise
    spam ips from .co domain are changing. I have .co domain inside file /etc/blocked_incoming_email_domains, and all spam is blocked without exception. I have this accumulated list from long time ago and all messages are rejected. And no complaints from customers about missed messages *.accountant *.bid *.biz *.business *.buzz *.cam *.cf *.christmas *.click *.club *.co *.co.kr *.country *.cricket *.cyou *.date *.desi *.durban *.faith *.fit *.fun *.ga *.gdn *.gq *.gr *.icu *.kim *.life *.live *.loan *.lol *.men *.ml *.mom *.monster *.nagoya *.ninja *.okinawa *.online *.ooo *.pro *.racing *.review *.rocks *.site *.space *.stream *.tel *.tk *.today *.top *.us *.webcam *.win *.work *.world *.xyz *.zip
    just save inside /etc/blocked_incoming_email_domains, and rebuild and restart:
    # /scripts/buildeximconf; service exim restart
    log rejection messages are like "Sender domain is banned"
    hope it helps
    0
  • commanderclif
    Thank you Mise! I still don't get email notifications for messages here but you are correct, I blocked the IP address, they just moved to a different IP address but it was pretty consistent that messages were all coming from .co addresses. Three times now I've added the first 3 sets of numbers of the IP address which was blocking them for a time so came back to see if any additional solutions. Thanks for what you've shared! I'm by no means a cpanel expert but I believe I did your steps correctly. I created a new text file in the etc folder as you mentioned and put your code lines of domains in that file. I then used the EXIM restart from WHM. Everything said okay except I did get the following warnings: Starting clamd: LibClamAV Warning: ************************************************** LibClamAV Warning: *** The virus database is older than 7 days! *** LibClamAV Warning: *** Please update it as soon as possible. *** LibClamAV Warning: ************************************************** After EXIM started back up I did send a test email from a different account and verified that .com address still went through at least and now I'll keep an eye on Spam folder to hopefully never see a .co email ever again!
    0
  • commanderclif
    well I guess I did something wrong. I just received a .co email in SPAM. These get marked ***SPAM*** but my preference is they just get discarded.
    0
  • commanderclif
    I think I got the .co emails to stop. In Global Email filters I have added a filter for any .co> in the header to discard it. Haven't gotten one since but keeping my eye on that Spam box!
    0
  • james-f
    Thanks for the pointers above, just sharing that I needed to use the following regex match to block only '.co' but ensure '.com', 'co.nz' and '.com.au' continued to get delivered. .+@.+\.co$ Make sure you're testing your filters and not inadvertently sending more than you expect to /dev/null!
    0
  • d_j_wills
    You all are way over my head in experience. But I think I solved this some time ago on a different thread. Or at least, I think I fixed it for me. Here is the from address from above: I believe my problem was "ends with" ".co" didn't work because of the '>'. So to block spam from addresses ending in ".co" I had to create 2 different filters, "ends with" ".co" and "ends with" ".co>". It's been a long time since I discussed this with cPanel, but I seem to remember that I suggested this might be a shortcoming in global filters. But then again, I could be wrong. YMMV. d.
    0
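
The filter behaviours discussed in this thread can be checked offline before a rule is allowed to discard mail. The following is an added example, not code from any poster or from cPanel: it runs the thread's "contains", "ends with" and regex rules over constructed From-header values and compares them with parsing the address first. The sample headers, the combined regex and the `sender_tld` helper are assumptions made for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed From-header values for illustration (not real mail from the thread).
SAMPLES = [
    "promo@deals.co",
    "Deals <promo@deals.co>",
    "Alice <alice@example.com>",
    "bob@shop.co.nz",
    "Buzz Aldrin <aldrin.buzz@nasa.org>",
    "somebody.co@somewhere.com",
]

def sender_tld(header):
    """Parse the header and return the last label of the sender's domain."""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return domain.rsplit(".", 1)[-1]

# Rule name -> predicate on the raw header text.
RULES = {
    'contains ".co"': lambda h: ".co" in h,
    'ends with ".co"': lambda h: h.endswith(".co"),
    'ends with ".co>"': lambda h: h.endswith(".co>"),
    r"regex .+@.+\.co$": lambda h: re.search(r".+@.+\.co$", h) is not None,
    # Assumed combined pattern (not from the thread): optional '>' before the end.
    r"regex @[^@\s>]+\.co>?$": lambda h: re.search(r"@[^@\s>]+\.co>?$", h) is not None,
    "parsed TLD == co": lambda h: sender_tld(h) == "co",
}

def matches(rule):
    """Return the sample headers that the named rule would act on."""
    return [h for h in SAMPLES if RULES[rule](h)]

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:26} -> {matches(name)}")
```

The "contains" rule also hits `.com`, `.co.nz` and a `.co` in the local part, while each "ends with" rule and the `$`-anchored regex see only one of the two header forms; parsing the address first catches both forms without touching the legitimate senders.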