Exim Spam Filters for Websites with CPanel
If you have a website that uses cPanel as its control panel and has email filtering enabled on an account-wide basis, the rules below will dramatically reduce the amount of spam you see.
First of all, you should be aware that not all cPanel icon layouts are the same, nor are all of the same options available from various hosting companies. I have my websites hosted at Bluehost and enjoy lots of user-configurable options, including account-wide user-created email filter rules. I gain access to the email filters by following this path: Log in to cPanel > "Home" > "Mail" section > "Account Level Filtering" icon. This opens a new cPanel page with the heading: "Edit Filters for All Mail On Your Account" - "In this area you can manage filters for your main account." Note that if you have add-on domains hosted under the main account, their email accounts will also be covered by these filters. My cPanel also has an icon that, when clicked, allows me to create filters on an individual account basis. This way I can apply more restrictive rules to the accounts receiving the most spam, leaving the others to be filtered less drastically.
For simplicity's sake I have grouped all of my various account rules into one set, which can be applied site-wide. You'll still see some spam, but not nearly as much as you did before applying these rules.
On the cPanel "Account Level Filtering" page, click the button labeled "Create a new Filter." The first input field is labeled: "Filter Name:" and you should type in the name you want to assign to each rule, or use mine, shown below. Each rule must have a unique filter name.
The next section down is labeled "Rules" and is where you select the various criteria for the rules. The options list on the left is where you choose which part of the email message the rule on that line will apply to. Use the down-arrow button to open the options list. Most commonly used filter selections are: "From, Subject, To, Body and Any Header."
The options list on the right side of Rules section determines how that rule will be applied. The options in the flyout list are: "Equals, Matches Regex, Contains, Does Not Contain, Begins With, Ends With, Does Not Begin With, Does Not End With, Does Not Match."
The actual rule text goes into the input field under the flyout options. Type, or copy and paste my rules below, into the input field for each rule. Next, under Actions, choose Discard Message, then click on the button labeled: "Activate." You will be taken to a page reporting that rule "such and such" was successfully created, and which contains a button to take you back to the main Filters page. There, under "Filter Test," you can test your rules in the test message area. Just enter the text or headers to be tested into the appropriate section, adding to or replacing what is already there, then press the "Test Filter" button. The results page will tell you which filter rule, if any, has been matched and that the result would be a delivery to "/dev/null" (the bit bucket).
If the results of a filter test are "Normal Delivery," for a filtered spam message, something is wrong with your input selections. Use the Edit button next to the filter that should have applied and check your options settings and look for typos in the actual rule text. Save changes by clicking the Activate button, then test again. You'll get it right eventually. Trust me, I know - I've gone through this already.
Every rule group has a plus and a minus button on the right side. These are used to add additional criteria to the rule set. Plus adds a new rule, while minus removes the last rule. Each rule can apply to a different part of the message and have different matching criteria. Theoretically, one could apply all of my rules to one filter set, but that would make it very hard to debug if legitimate email gets sent to the bit bucket in the sky. Keep the rules separate and properly labeled to make it easy to edit or remove them, if it becomes necessary.
See my extended comments in the section below, for the actual rules.
Wizcrafts' cPanel spam filter rules
The # sign indicates the title of the spam filter rule. Copy and paste it into the Filter Name field.
The words on the next line, beginning with a $ and sometimes ending with a colon, followed by a space, indicate the criteria selection option (what part of the message to apply the rule to). e.g. "$From:" indicates that the rule is to be applied to the From field in the email message, while "$message_headers" means any header.
The word following the criteria descriptor, followed by a space, is the type of match to be performed, such as: "contains, equals, or matches."
Finally, the actual rule text, or regular expression, will follow the match type and will be enclosed in quote marks, which should be removed. e.g. "<(_|-).+@.+>" should be pasted in as: <(_|-).+@.+>
If there are multiple rules in one set they will appear on a new line, preceded by the word "or."
Please check the criteria in each rule to see if any of them may apply to legitimate messages you might normally receive. For instance, if you receive email from senders having email accounts at freenet.de, you won't want to use the rule that deletes those messages! These rules were developed in the USA, based on my own preferences, and may not agree with yours. Feel free to edit, or delete any rules that you don't think are safe in your situation. Any message sent to /dev/null is unrecoverable.
I apologize in advance for the duplications in the list below. I merged both site wide and an individual account into one group, which resulted in some duplicate rules, or rules that override others. At least the overrides will block the unwanted sender domains.
#Forged sender begins with dash or underscore
$From: matches "<(_|-).+@.+>"
#German domain sender
$From: matches ".+@.+\.de"
#From: .cn
$From: matches ".+@.+\.cn"
#From: yahoo.fr
$From: contains "@yahoo.fr"
#server4you.de in Any Headers
$message_headers contains "server4you.de"
#From: @yahoo.co.in
$From: contains "@yahoo.co.in"
#Debt consolidation
$header_subject: contains "debt consolidation"
#Blocked Country From domains
$From: matches ".+@.+\.(ru|es|th|sk|pl|co\.uk|ro)"
#Dearest Friend
$header_subject: matches "^Dearest\ Friend,?"
#Blocked country in headers
$message_headers contains ".tpnet.pl"
#From: yahoo.co.uk
$From: matches ".+@yahoo\.co\.uk"
or $reply_address: contains "@yahoo.co.uk"
#Known Spam Subjects
$header_subject: contains "RE: Discount. Coupon #"
or $header_subject: contains "student loan"
or $header_subject: contains "CONTACT FEDEX EXPRESS COURIER COMPANY"
or $header_subject: contains "CONTACT HER IMMEDIATELY"
or $header_subject: matches "debt\ cons[io0]lidation"
or $header_subject: matches "[7-9][0-9]%\ discount\.\ Coupon\ #"
or $header_subject: contains "YOUR CONTRACT PAYMENT"
or $header_subject: contains "Contact FedEx Service Courier Company"
#From yahoo.it - yahoo.in
$From: matches ".+@yahoo\.i[nt]"
#The United States National Medical Association
$header_subject: contains "The United States National Medical Association"
#The Ultimate Online Pharmaceutical
$header_subject: contains "The Ultimate Online Pharmaceutical"
#Block Nigerian senders in the 82.128.0.0/16 CIDR
$message_headers contains "Received: from [82.128."
#Block IPPlanet satellite service to Nigeria: 81.199.0.0/16
$message_headers contains "Received: from 81.199."
#Block Russian Senders in 89.178.0.0/16 CIDR
$message_headers contains "Received: from 89.178."
#From: mail.ru
$From: matches ".+@mail\..*ru"
#Received from Brazil
$message_headers matches "^Received:\ from\ .+\.dsl\.telesp\.net\.br\ "
#From: matches dw.+m@.+
$From: matches "dw.+m@.+"
#From: matches lin.+met@.+\.de
$From: matches "lin.+met@.+\.de"
#From: matches tequil.?a.+@.+\.com
$From: matches "tequil.?a.+@.+\.com"
#From begins with dash or underscore
$From: begins "-"
or $From: begins "_"
or $From: matches "^(_|-).+@.+"
#Admin ® Official Site
$From: contains "Admin ® Official Site"
#Freenet.de
$From: matches ".+@freenet\.de"
#Blocked Countries in Headers
if
$message_headers matches "Received:\ from\ .+\.adsl\.tpnet\.pl"
or $message_headers matches "Received:\ from\ .+\.veloxzone\.com\.br"
or $message_headers contains ".ttnet.net.tr"
or $message_headers contains ".ono.com"
or $message_headers contains ".telefonica.es"
#Nigerian 419 scams
$header_subject: contains "YOUR E-MAIL HAS WON"
#Subject contains Penis
$header_subject: matches "p[e3]n[i1]s"
#Counterfeit watches, shoes and clothing
$header_subject: matches "replica|watches|//atch|Rolex"
#MED...SHOP
$header_subject: matches ".*(?-i)MED.*SHOP.*"
DISCARD MESSAGE
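Because the "matches" patterns above are not anchored to the end of the sender address, some of them also hit legitimate senders, and a discarded message cannot be recovered. The following Python check is an added example, not part of the original rule set: it runs three of the From: rules against constructed sample headers and compares them with tightened variants. The tightened patterns are an assumption of this example, as is the use of Python's re.search with IGNORECASE to approximate Exim's "matches".

```python
import re

# Three "Matches Regex" From: rules copied from the list above.
ORIGINAL = {
    "German domain sender": r".+@.+\.de",
    "From: .cn": r".+@.+\.cn",
    "From: mail.ru": r".+@mail\..*ru",
}

# Assumption (not from the article): tightened variants. The lookahead makes
# the TLD the end of the address: next comes ">", whitespace or end of string.
END = r"(?=[>\s]|$)"
TIGHTENED = {
    "German domain sender": r"@[^@\s>]+\.de" + END,
    "From: .cn": r"@[^@\s>]+\.cn" + END,
    "From: mail.ru": r"@mail\.([^@\s>]+\.)?ru" + END,
}

# Constructed From: headers; the example.* names are placeholders.
LEGIT = [
    "Ann <ann@mail.design.example.com>",       # ".de" inside ".design"
    "bob@mx.cnc-tools.example.com",            # ".cn" inside ".cnc-tools"
    "Carol <carol@mail.trusted.example.com>",  # "mail." ... "ru" in "trusted"
]
SPAM = ["X <x@host.example.de>", "y@example.cn", "z@mail.ru"]


def hits(rules, header):
    """Names of the rules whose regex is found anywhere in the header.

    Assumption: Exim's "matches" behaves like an unanchored,
    case-insensitive search, approximated here with re.search.
    """
    return [n for n, rx in rules.items() if re.search(rx, header, re.IGNORECASE)]


def report(rules, headers):
    """Map each header that would be discarded to the rules that hit it."""
    return {h: hits(rules, h) for h in headers if hits(rules, h)}


if __name__ == "__main__":
    print("original rules, legitimate mail discarded:", report(ORIGINAL, LEGIT))
    print("tightened rules, legitimate mail discarded:", report(TIGHTENED, LEGIT))
    print("tightened rules, spam still caught:", report(TIGHTENED, SPAM))
```

Any pattern that passes this check should still be confirmed with the cPanel "Filter Test" box before the Discard Message action is relied on.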
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.