Spam bypassing account level and user-level filters
Two separate situations, same type of problem:
Issue #1: account-level and user-level both have a filter to Discard messages with a From field ending with .eu.
Result: some get through. Examples:
2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.8)"
2014-07-30 07:18:31 1XCUi4-0002VC-Dx H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 07:18:31 1XCUi4-0002VC-Dx <= Hookup@annabba.eu H=(f7dcvqfg.annabba.eu) [191.101.52.64]:57772 P=esmtp S=11372 id=350817414972390350820219111191664@f7dcvqfg.annabba.eu T="Find the Hottest Hookups Tonight!" for
2014-07-30 07:18:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCUi4-0002VC-Dx
2014-07-30 07:18:31 1XCUi4-0002VC-Dx => R=virtual_user T=virtual_userdelivery
2014-07-30 07:18:31 1XCUi4-0002VC-Dx Completed
2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: "SpamAssassin as benchmar detected message as NOT spam (0.6)"
2014-07-30 08:33:45 1XCVsc-00036n-I7 H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 08:33:45 1XCVsc-00036n-I7 <= WoodMilk@hedwom.eu H=(jhzw9jqn2.hedwom.eu) [191.101.52.69]:60208 P=esmtp S=9926 id=3513174149723903513874911657@jhzw9jqn2.hedwom.eu T="How nice is the wood in your home?" for
2014-07-30 08:33:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCVsc-00036n-I7
2014-07-30 08:33:45 1XCVsc-00036n-I7 => R=virtual_user T=virtual_userdelivery
2014-07-30 08:33:45 1XCVsc-00036n-I7 Completed
Example of a filtered email:
2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: "SpamAssassin as benchmar detected message as spam (1.6)"
2014-07-30 10:03:00 1XCXHB-0006ER-Gu H=(4978r1.setr.eu) [191.101.52.75]:47442 Warning: Message has been scanned: no virus or other harmful content was found
2014-07-30 10:03:00 1XCXHB-0006ER-Gu <= SimpleSolution@setr.eu H=(4978r1.setr.eu) [191.101.52.75]:47442 P=esmtp S=11388 id=351917414972390351916015111071650@4978r1.setr.eu T="Read this - Your body is depending on it!" for
2014-07-30 10:03:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XCXHB-0006ER-Gu
2014-07-30 10:03:00 1XCXHB-0006ER-Gu => /dev/null R=central_filter T=**bypassed**
2014-07-30 10:03:00 1XCXHB-0006ER-Gu Completed
Note: we have a spam bar discard filter for anything with one + in it, so I think it is matching that filter and not the .eu, as indicated by the difference in spam score between the first two and this filtered message.
I may have just realized the issue: do I need to escape the period? It should work either way... Right now it is "From ends with" and ".eu" in the text box.
Issue #2: messages bypassing account-level filters when sent to a forwarder address. If you have a user-level or account-level filter and a forwarder to the address with filters on it, messages will not be filtered. Ideas?
Hello, Feel free to open a support ticket for these issues. You can use the link in my signature, then please post the ticket numbers here so we can update this thread accordingly. It should be 2 different tickets, because it's technically two different issues.
Solution worked out via support ticket is to use: From match regex \.eu$ where \ escapes the period. Without an escape, the period acts as a wildcard, which would also work in this situation, but with other strings it could cause other TLDs to possibly match. $ forces this string to only match at the end of the email address.
I am happy to see the issue was resolved. Thank you for updating us with the outcome.
After additional cPanel ticket discussions, an even better regex was decided upon: \.eu(\>)?$ This is necessary because the string pulled from the From address is not always consistent. Sometimes it is as you would think, "username@domain.tld", but sometimes it is "". This regex matches both, so none can bypass the filter due to behind-the-scenes string differences. This sort of identifies a cPanel bug (cPanel filters should automatically exclude the less than or greater than signs when comparing the string to the filter).
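The filter tests from this thread compared side by side, as an added example that is not part of any post or of cPanel's code. The From values are constructed, the angle-bracket form is assumed from the post's mention of less-than/greater-than signs, and Python's `re` with case-insensitive matching stands in for the mail server's regex engine.

```python
import re

def filter_rules(tld):
    """Return the four From tests discussed in the thread for one TLD."""
    esc = re.escape(tld)

    # Assumption: matching is case-insensitive; Python's re is a stand-in
    # for the regex engine behind the cPanel filter.
    def rx(pattern):
        return lambda s: re.search(pattern, s, re.IGNORECASE) is not None

    return {
        # Original rule: From "ends with" ".eu" (plain suffix comparison).
        "ends_with": lambda s: s.lower().endswith("." + tld.lower()),
        # Regex with the period left unescaped: "." matches any character.
        "unescaped": rx("." + esc + "$"),
        # First fix from the support ticket: \.eu$
        "escaped": rx(r"\." + esc + "$"),
        # Second fix: \.eu(\>)?$ tolerates a trailing ">".
        "bracket_aware": rx(r"\." + esc + r"(\>)?$"),
    }

def discarded_by(tld, from_value):
    """Names of the rules that would discard a message with this From value."""
    return [name for name, test in filter_rules(tld).items() if test(from_value)]

# Constructed From values, one per case the thread raises.
SAMPLES = [
    "user@example.eu",           # bare address
    "User <user@example.eu>",    # assumed angle-bracket form
    "info@example.bleu",         # made-up TLD that merely ends in "eu"
    "news@example.eu.com",       # ".eu" present but not at the end
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:28} -> {discarded_by('eu', value)}")
```
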
[quote="openaccess, post: 1735432"]\.eu(\>)?$[/quote]
So, I should put for all discarded messages the following: Rules: From, Matches regex \.link(\>)?$ \.us(\>)?$ Is this correct?