How to block domains that use amazonses in "Filter Incoming Emails by Domain"
There are a lot of spammers that are using amazonses to hide under that service. I tried to use "Filter Incoming Emails by Domain", writing there the email address that the customer sees, for example:
enco.com.gt
but that email address is using all the following addresses from amazonses and the above filter didn't work:
The only part of the email that is kind of common from those senders is:
010f0176fc ... @us-east-2.amazonses.com
So, how can I block those emails in "Filter Incoming Emails by Domain"?
I tried:
010f0176fc*.us-east-2.amazonses.com
but the filter shows an error.
Any idea?
Thanks in advance for your inputs.
-
Hey there! In that interface you can't enter anything before the wildcard. You can try just using *.us-east-2.amazonses.com on that page and that will work well. Can you try that instead?
@cPRex Thank you for answering back. I know I can do that, but I didn't want to go for that option as I don't know if legit users from amazonses are using that email server. Instead I have created a SpamAssassin rule that is blocking that account, but I really like how the cPanel plugin works as it is an EXIM step while SpamAssassin is not. Any idea why the cPanel app didn't block the domain that appears under the From: header as well? That will be great.
I'm not completely sure what your last sentence means with regards to the From header settings. Can you get me more details on that?
Sure, when I check the emails that enter my servers, I can see the headers of the emails. For example, using the same info about what we are talking about (I have modified some info):

Received: from e226-3.smtp-out.us-east-2.amazonses.com ([23.251.226.3]:41197)
    by server.myserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (Exim 4.93)
    (envelope-from <010f01770344955b-21f50095-f523-4f56-856d-xxxxxxxxx-yyyyyyyyy@us-east-2.amazonses.com>)
Date: Thu, 14 Jan 2021 23:39:22 +0000
To: myuser@userdomain.com
From: ENCO
Reply-To: ENCO
Subject: =?UTF-8?Q?[Conecta_con_m=C3=A1s_clientes_desde_la_palma_de_tu_mano]?=

So, if you see the "From:", it shows the domain name that I want to block and that I have written into "Filter Incoming Emails by Domain", but it never gets blocked. I assume that the cPanel addon looks at the "envelope-from:" section of the email instead of looking at the "From:" header. It would be great if "Filter Incoming Emails by Domain" could check both, the envelope-from and the From:, to block what we want.
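The mismatch described in the comment above, as an added example that is not part of the original thread and not cPanel's or Exim's code: it extracts the envelope-sender domain (as Exim records it in Received:) and the From: header domain, then shows a domain blocklist missing the message when only the envelope sender is checked. The sample message, the From: local part and the wildcard-matching rules are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread. The
# local part "info" in From: is made up; the thread's copy shows only "ENCO".
RAW = """\
Received: from e226-3.smtp-out.us-east-2.amazonses.com ([23.251.226.3]:41197)
\tby server.myserver.com with esmtps (Exim 4.93)
\t(envelope-from <010f01770344955b-21f50095-f523-4f56-856d-xxxxxxxxx-yyyyyyyyy@us-east-2.amazonses.com>)
Date: Thu, 14 Jan 2021 23:39:22 +0000
To: myuser@userdomain.com
From: ENCO <info@enco.com.gt>
Subject: constructed sample

body
"""

def domain_of(addr):
    """Lower-cased domain of an address, or "" when there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_domains(raw):
    """Return the envelope-sender domain and the From: header domain."""
    msg = message_from_string(raw)
    # Exim on the receiving server records the SMTP MAIL FROM in Received:.
    received = " ".join(msg.get_all("Received", []))
    m = re.search(r"\(envelope-from <([^>]*)>\)", received)
    return {"envelope": domain_of(m.group(1)) if m else "",
            "header": domain_of(parseaddr(msg.get("From", ""))[1])}

def blocked(domain, blocklist):
    """Assumed semantics: exact entry, or '*.base' for base and subdomains."""
    for entry in (e.lower() for e in blocklist):
        if entry.startswith("*."):
            base = entry[2:]
            if domain == base or domain.endswith("." + base):
                return True
        elif domain == entry:
            return True
    return False

def verdict(raw, blocklist, check_header=False):
    """True if the message would be rejected under the chosen check."""
    found = sender_domains(raw)
    fields = ["envelope", "header"] if check_header else ["envelope"]
    return any(found[f] and blocked(found[f], blocklist) for f in fields)
```

With `["enco.com.gt"]` as the blocklist, `verdict(RAW, ...)` is false for the envelope-only check and true once `check_header=True` is passed.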
That sounds like a good feature request :D For more advanced filter rules that let you choose what you block, you can do it at the account level through the Global Filters tool in cPanel, but there isn't an equivalent tool at the WHM level.
Well, for now I have just written my own SpamAssassin rule that is global and it is working, but it is easier to add domains to the WHM plugin. Hope cPanel could check on this. Regards, Sergio
It would be best to use the link in my signature to submit a feature request, as our development team approves those and it will also let other cPanel users vote on it.
Ok, doing it now. Thanks.
Thank you, @keat63. That thread in ConfigServer is mine; I am the one that started that thread and wrote some of my rules in there. What I am asking here is a little bit different.

As you know, emails go through a few steps when entering the server. The first step is mostly managed by EXIM, and the fastest way to block spammers is to manage the spammer IPs in /etc/spammeripblocks, which blocks right in the act the emails sent by the IPs that are in there. It will also block IPs that are in Barracuda, SpamCop or any other blacklist that you have set in there. Then, if the IP is not in there, the next steps will follow. One of the steps is to check the list of domains that the cPanel plugin saves at /etc/blocked_incoming_email_domains, so it doesn't require much more time from the server than checking the list to see if the domain is blocked there. If the email is not blocked by EXIM, then the email will be checked by SpamAssassin rules and then any other option that you write as the REGEX rules.

In the case that I am asking about, using a REGEX is not an option, as the REGEX will block the IP in the firewall and I don't want to block AMAZONSES IPs; what I want is to block the offending domain. Sorry if I extended my reply a bit :)