Filtered SPAM still gets in inbox
Hi, I have a form on my site, which is filled by spammers and sent to the host mail account. There is a global filter to put such spam in a Junk folder. When I test the filter in cPanel with the source text of the message, the result is True and the action to put the message in Junk is announced.
However, when this message arrives, it is simply in the inbox and not put in the Junk folder.
Is there a difference in the test and real life processing?
(I suspect the new lines)
This is what is in place: for the Filter:
Rules:
Spam-Status: begins Ja or
Spam-Bar: contains ++++ or
body matches Adres:.*(http).*Telefoon:
Some similar body rules are there, but they are all ORed and therefore not relevant
Actions:
Deliver to folder Junk
Stop processing rules
I specified 'Stop processing rules' for following filter files not to be processed.
Then in Roundcube I selected such a Spam email message, which is wrongly in the inbox and do 'show source'. I do 'select all' and 'copy'.
In cPanel at the global filter page, I go below to the test filter form.
With 'select all' and 'paste', I replace the example text with the full email source (headers + body) and click 'test filter'.
Results:
Legend:
DOMAIN USER SERVER SPAM 999999 : anonymised text
Bold: Generated from the contact form
Italic: Filled in by the spammer (I know, it's disturbed)
Above 2 are the email body
Bold Italic: Report from the filter tool
In reality it is all unformatted text. Just thought this would be more readable.
../.. 1 similar filter rule omitted for clarity: result was false
Resultaten filtertracering:
read_message_body 103
Sub-condition is false: not first_delivery
Condition is false: not first_delivery and error_message
Sub-condition is false: $h_X-Spam-Status: begins Ja
Sub-condition is false: $h_X-Spam-Bar: contains ++++
Sub-condition is false: $h_X-Spam-Status: begins Ja or $h_X-Spam-Bar: contains ++++
../..
Match expanded arguments: Subject = SPAMMER met email SPAMMER@gmail.com heeft volgende informatie toegevoegd: Adres: Hello, Wehve a proomootional offer for your website DOMAIN.com. Sel ithout Liimis Rebrand Like a Pro. Cash In oon Every Sale! Launh Your Ownn Triing Video Empire he Ultimattee Learning Library with Unrestrictd PLR Over 1,600 remmium trainning videos in red-ot nichhes ready for instant monetization! Seei in acttioon: https://SPAMSITE.pro/TheUltimateLearningLibbrary You are reciviing this mesge because wee believe our offer may be relevant to you. If yo onot wissh to receive furtherr communications from us, please clck here to UNSUBSCRIBE: https://SPAMSITE.pro/unsubscribe?domain=DOMAIN.com Address: 99 SPAM Street SPAM Park, M 99999 Lookingg ot foor you, SPAMMER Telefoon: 999999999 Fax: 999999999 Bericht: Hello, We hv a proomootional offer for your website DOMAIN.com. Sell ihout Liimits. Rebrand Like a Pro. Cash In on Every Sale! LaunchYour Ownn Training Video Empire he Ultimate Leearning Library with Unrestricted PLR Over 1,600 pemmium trainingvideos in red-hotnichhes readyy for instant monetization! Seeiti actiionn: https://SPAMSITE.pro/TheUltimateLearningLibrar You are receiving this message because we bbeelieve our offer may be relevant to you. 
If you d not wwish to receive further communications from us, please click here to UNSUBSCRIBE: https:/SPAMSITE.ppro/unsubscribe?domain=DOMAIN.com Address: 99SPAM Street SPAM Park, MI 99999 Looking ou foor you, SPAMMER
Pattern = Adres:.*(http).*Telefoon:
Sub-condition is true: $message_body matches Adres:.*(http).*Telefoon:
Sub-condition is true: (($h_X-Spam-Status: begins Ja or $h_X-Spam-Bar: contains ++++) or $message_body matches .*(http).*met email) or $message_body matches Adres:.*(http).*Telefoon:
Sub-condition is true: ((($h_X-Spam-Status: begins Ja or $h_X-Spam-Bar: contains ++++) or $message_body matches .*(http).*met email) or $message_body matches Adres:.*(http).*Telefoon:) or $message_body matches Telefoon:\\s*9[0-9]{10}\\s*Fax:
Sub-condition is true: (((($h_X-Spam-Status: begins Ja or $h_X-Spam-Bar: contains ++++) or $message_body matches .*(http).*met email) or $message_body matches Adres:.*(http).*Telefoon:) or $message_body matches Telefoon:\\s*9[0-9]{10}\\s*Fax:) or $message_body matches Adres:\\s*(.{70,})\\s*Telefoon:
Condition is true: ((((($h_X-Spam-Status: begins Ja or $h_X-Spam-Bar: contains ++++) or $message_body matches .*(http).*met email) or $message_body matches Adres:.*(http).*Telefoon:) or $message_body matches Telefoon:\\s*9[0-9]{10}\\s*Fax:) or $message_body matches Adres:\\s*(.{70,})\\s*Telefoon:) or $message_body matches Adres:(.{70,})Telefoon:
Return-path taken from "Return-path:" header line
Return-path taken from "Return-path:" header line
Return-path = USER@SERVER.com
Sender = USER@SERVER.com
Recipient = USER@SERVER.com
Testing Exim filter file "/etc/vfilters/DOMAIN.com"
Headers charset "UTF-8"
Deliver message to: "USER+Junk"@HOST.com
Finish
Filtering set up at least one significant delivery or other action. No other deliveries will occur.
-
Hey there! It seems like you've done everything correctly based on the details here. I'd recommend creating a ticket so this can be investigated directly on the server so the issue can be found.
0 -
I don't know if I can file tickets. I'm not a cPanel customer or so. Just a user of a website where cPanel is used to manage it. (Didn't see anything about tickets on the cPanel home page either.)
0 -
Meanwhile, I investigated further on the problem and it turns out that for multiline matching in regex,
[\s\S]*
should be used instead of
.*
So, I modified my rule to:
Body matches Adres:[\s\S]*(http)[\s\S]*Telefoon:
This works in the test filter but also IRL. My SPAM detection problem is solved!
It seems the Test tool in cPanel is more relaxed than the actual filtering itself and thus gives false positive results.
A second remark is in the test result report, where it is stated:
Match expanded arguments: Subject = SPAMMER met email SPAMMER@gmail.com heeft volgende informatie toegevoegd:
Instead of Subject, I should expect Body = etc. because that was the item selected in my rule. You could understand Subject as parameter under test, but I find it confusing with the email subject.
0 -
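The difference between `.*` and `[\s\S]*` reported in the comment above, as an added example that is not part of the original thread or of cPanel's tooling: it checks the thread's body rules against a message as delivered and against a copy with the line breaks collapsed. Python's `re` module stands in for the mail server's regex matching (an assumption; in both, `.` does not match a newline by default), and the sample body, the rule labels and the `audit` helper are constructed for illustration.

```python
import re

# Constructed contact-form body (not a real message); the field labels
# follow the form mail quoted in the thread, one field per line.
SAMPLE_BODY = (
    "SPAMMER met email SPAMMER@example.com heeft volgende informatie toegevoegd:\n"
    "Adres: Hello,\n"
    "We have an offer for your website.\n"
    "See it: https://spamsite.example/offer\n"
    "Telefoon: 999999999\n"
    "Fax: 999999999\n"
)

# Body rules taken from the thread; the dictionary keys are hypothetical labels.
RULES = {
    "original": r"Adres:.*(http).*Telefoon:",
    "fixed": r"Adres:[\s\S]*(http)[\s\S]*Telefoon:",
    "length": r"Adres:\s*(.{70,})\s*Telefoon:",
}


def audit(rules, body):
    """Report, per rule, whether it matches the body as delivered (with line
    breaks) and a copy whose line breaks are collapsed to spaces."""
    flattened = re.sub(r"[\r\n]+", " ", body)
    report = {}
    for name, pattern in rules.items():
        rx = re.compile(pattern)
        as_delivered = rx.search(body) is not None
        one_line = rx.search(flattened) is not None
        if as_delivered and one_line:
            report[name] = "matches either way"
        elif one_line:
            report[name] = "matches only without line breaks"
        elif as_delivered:
            report[name] = "matches only with line breaks"
        else:
            report[name] = "no match"
    return report


if __name__ == "__main__":
    for name, verdict in audit(RULES, SAMPLE_BODY).items():
        print(f"{name:9} {RULES[name]:40} {verdict}")
```

A rule reported as "matches only without line breaks" relies on `.` crossing a newline, so it can pass a check on single-line text and still miss the same content when each form field arrives on its own line.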
While you may not be able to submit a ticket with us directly, your license provider is always the point of contact for any issues, and then they would escalate the issue to us if necessary.