How to filter outgoing spam emails using cpanel_exim_system_filter
Hello,
I have had problems with some shared web hosting clients constantly getting their Joomla installs hacked and used for relaying spam emails. Even though I teach the clients how to prevent getting hacked (upgrade to the latest versions, use anti-virus on their home computers, use hard passwords, etc.), it still happens to a few of them, too many times already.
I figured that even if I can't prevent the site owners from getting hacked at all times, I can prevent my servers from spitting out hundreds of thousands of spam emails if it happens.
I can then calmly clean and remove the infected files and contact site owner etc. without having to worry about my server IP getting banned.
I have stopped the outgoing emails using different methods, but I find this one is the smartest, at least for me in this case. I publish my solution here so that anybody else having the same problem can try this solution and hopefully also save their IPs from getting banned or similar problems.
---
How to..
Let's say that the site that has been infected more than once is the website example.com, just as an example.
The relayed spam emails sent out would typically look like lorena_decker@. In this example I will use lorena_decker@example.com.
Check what emails your client is using for the site. My client in this example only uses info@example.com as the only email address connected to the domain. So I create a filter that will discard all other sender or reply email addresses. This is how to do it:
You need root access to your server.
Access and edit the file /etc/cpanel_exim_system_filter
Add the following:
# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
# Exim filter to throw away all mail from one site, except from info
if $reply_address contains "@example.com" and
$reply_address does not contain "info@"
then
seen finish
endif
if $sender_address contains "@example.com" and
$sender_address does not contain "info@"
then
seen finish
endif
# END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/cpanel_exim_system_filter
I have tested to make sure this works. (I am sorry for the bad words they put in their spam; I have replaced them with ** so as not to offend anybody here.)
exigrep lorena_decker@example.com /var/log/exim_mainlog
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i florena_decker@example.com
2015-12-16 19:01:53 1a9HKj-0000yx-GQ <= lorena_decker@example.com U=example P=local S=886 T="blah blah blah xxxxxxx@hotmail.com
2015-12-16 19:01:53 1a9HKj-0000yx-GQ => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000yx-GQ Completed
2015-12-16 19:01:53 cwd=/home/example/public_html/templates/beez_20/images/system 4 args: /usr/sbin/sendmail -t -i -florena_decker@example.com
2015-12-16 19:01:53 1a9HKj-0000z9-IS <= lorena_decker@example.com U=example P=local S=874 T="He he Babe * for xxxxxxx@hotmail.com
2015-12-16 19:01:53 1a9HKj-0000z9-IS => discarded (system filter)
2015-12-16 19:01:53 1a9HKj-0000z9-IS Completed
Emails discarded! :) I saw in Sent Summary in this case that 187,810 emails were discarded. I can calmly remove the infected files and be happy none of those emails were actually sent out :) My 2 cents.
---
Hello :) I am happy to see you were able to find a solution that worked successfully. Thank you for posting it here for others to see.
---
Thank you Michael. I figure if we all post our solutions somewhere online when we have them, we can all find the solutions faster if the same thing happens to you. Sharing is caring :)
---
Thank you very much for this solution, but what if the client uses more than one address, for example info@example.com, sales@example.com, import@example.com, etc. Then how can we change the code, such as:
if $reply_address contains "@example.com" and $reply_address does not contain "info@" or $reply_address does not contain "sales@" or $reply_address does not contain "import@" then seen finish endif
if $sender_address contains "@example.com" and $sender_address does not contain "info@" or $sender_address does not contain "sales@" or $sender_address does not contain "import@"
Is it OK?
---
Great question! I would imagine that it is possible to add multiple keywords, but I am unsure about the exact syntax for Exim filters. I think you can use "and" and "or" as you did, but I'm not sure how it should be specified exactly. The way you have specified it would probably not work. Maybe this works, but you would have to test:
if $reply_address contains "@example.com" and $reply_address does not contain "info@" or "sales@" or "import@" then seen finish endif
---
Hello, can anyone confirm? Thanks
---
The following documents offer some examples on how to implement custom filter rules: "How to Customize the Exim System Filter File" and "How to Configure Mail Filters" (cPanel Knowledge Base, cPanel Documentation). Or, you could try the example in the earlier response. Thank you.
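As an added example (not from the original post, and not cPanel's or Exim's own code), here is how the multiple-address version asked about above can be written in Exim filter syntax. Exim filter conditions can be negated with "not" and grouped with parentheses, and besides "contains" the filter language offers "is", "ends with" and "does not match" (a regular expression test); lowercase condition words compare case-insensitively. The allowed mailboxes (info@, sales@, import@) are taken from the question; the domain example.com is the one used throughout the thread, and everything else about the client is assumed. The stanzas are meant to go where the original poster put theirs, inside the included section of the system filter file.

```exim
# Added example (not from the original post): discard mail that claims to come
# from example.com unless every example.com address it carries (envelope sender,
# reply address) is one of the mailboxes the client really uses. Allowed list
# assumed from the question above: info@, sales@, import@ -- replace it with the
# client's real mailboxes.
#
# Lowercase condition words ("is", "contains", "ends with", "matches") compare
# case-insensitively; the uppercase forms ("IS", "CONTAINS", ...) are case-sensitive.

# Form 1: explicit list of allowed senders, negated as a group with "not ( ... )".
# "ends with" is used instead of "contains" so that only addresses whose domain
# really is example.com are affected.
if $sender_address ends with "@example.com" and
   not ($sender_address is "info@example.com" or
        $sender_address is "sales@example.com" or
        $sender_address is "import@example.com")
then
  seen finish
endif

# Form 2: the same allowed list as one anchored regular expression. "matches" is
# not anchored by itself, so ^ and $ are required; a literal dot is written \\.
# inside the double-quoted string. Either form works for either variable.
if $reply_address ends with "@example.com" and
   $reply_address does not match "^(info|sales|import)@example\\.com$"
then
  seen finish
endif
```

Before relying on a changed filter, test it against a saved message with Exim's system-filter test mode, for example `exim -bF /etc/cpanel_exim_system_filter -f lorena_decker@example.com < message.txt`, where `-f` sets the envelope sender to the address you expect to be discarded; the output reports whether the filter reached "finish". Two caveats from the thread itself: the filter is keyed on the sender and reply addresses, so it only catches spam that uses made-up local parts like lorena_decker@, not mail sent as one of the allowed mailboxes; and the `cwd=` field in the exigrep output above already names the directory the injected script ran from (templates/beez_20/images/system), which is where the cleanup of the infected files should start. Also check the "How to Customize the Exim System Filter File" document referenced above for where cPanel expects custom rules, since the default filter file is regenerated by cPanel.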