Deru Knowledgebase

How to block spoof/spam mails?

Posted: 24 Jun, 2009
by: Kanchan C.
Updated: 28 Jul, 2012
by: Majoosh C.
 



Although spam cannot be stopped completely, it can be reduced to an extent. cPanel has a couple of spam-blocking tools.

1. SpamAssassin - a spam-checking filter that trains itself over time to detect new kinds of spam and traps most of it. You don't need to turn it on individually for each of your accounts - once turned on, it acts on all the accounts you've created from cPanel.

Source & more info.: http://www.spamassassin.org

2. The second tool is called SPAM Box. Enabling it won't delete your spam mails; instead, it delivers them automatically to a separate folder called SPAM under your mailbox. You can then study them and take suitable action.

The combination of both will help you to quite an extent in battling SPAM - although it won't be a 100% hit rate. We have ensured that both of the above tools are enabled.

Next are email filters. You can use email filters to filter out spam mails on the basis of subject/body contents. Please see http://kb.deru.net/?View=entry&EntryID=26 for more details on email filters. Use common words or phrases to filter out the spam.


Here are some examples of filters:

If you receive spam mails that appear to come from your own address, you can block them by adding the following filter rule to the following file.
=====================
/etc/cpanel_exim_system_filter
=====================

Here is the filter rule.


========================================
# domainname.com: reject spoofed mail where the From: and To: headers
# both contain the same local address
if
    $header_from: contains "user@domainname.com"
    and $header_to: contains "user@domainname.com"
then
    fail
    seen finish
endif
========================================

If you are receiving a lot of spam mails, here is a good filter to block them.

====================
# Exim filter

if not first_delivery and error_message then finish endif

if
 $header_subject: contains "Rep1icaWatches"
 or $header_subject: contains "Submariner SS"
 or $header_subject: contains "pharmacy"
 or $message_body contains " Pharmaceutical Technology"
 or $message_body contains "AARP"
 or $message_body contains "MSN Featured Offers"
 or $message_body contains "penis"
 or $message_body contains "pharmacy"
 or $message_body contains "sexual"
 or $message_body contains "viagra"
 or $message_body contains "with CountryCode"
 or $message_headers contains "acai"
 or $message_headers contains "user@spamdomain.com"
 or $message_headers contains "viagra"
then
 save "/dev/null" 660
endif
====================

Add it to the following file:
/etc/vfilters/domainname.com
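
Because `save "/dev/null"` discards matching mail silently, it is worth dry-running a keyword list like the one above against known-good mail before installing it. The following Python sketch is an added example, not part of the original article and not Exim itself: it approximates Exim's case-insensitive `contains` test and the 500-character default for $message_body, and the sample messages and the helper names are constructed for illustration.

```python
import email

BODY_LIMIT = 500  # default length of $message_body (see the variable list on this page)

# (variable, text) pairs copied from the "contains" tests in the filter above
RULES = [
    ("subject", "Rep1icaWatches"), ("subject", "Submariner SS"),
    ("subject", "pharmacy"), ("body", " Pharmaceutical Technology"),
    ("body", "AARP"), ("body", "MSN Featured Offers"), ("body", "penis"),
    ("body", "pharmacy"), ("body", "sexual"), ("body", "viagra"),
    ("body", "with CountryCode"), ("headers", "acai"),
    ("headers", "user@spamdomain.com"), ("headers", "viagra"),
]

def exim_vars(raw):
    """Approximate $header_subject:, $message_body and $message_headers."""
    msg = email.message_from_string(raw)
    body = msg.get_payload().replace("\n", " ")[:BODY_LIMIT]
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return {"subject": msg.get("Subject", ""), "body": body, "headers": headers}

def matched_rules(raw):
    """Return the rules that would fire; 'contains' ignores letter case."""
    seen = exim_vars(raw)
    return [(var, text) for var, text in RULES
            if text.lower() in seen[var].lower()]

def make(sender, subject, body):
    """Build a minimal single-part message addressed to the page's placeholder."""
    return (f"From: {sender}\nTo: user@domainname.com\n"
            f"Subject: {subject}\n\n{body}\n")

# Constructed sample messages, not real mail
HR_NOTICE = make("hr@example.com", "Training reminder",
                 "The annual sexual harassment prevention course is due Friday.")
INVOICE = make("Macaire Dupont <m.dupont@example.org>", "Invoice 1042",
               "Please find the invoice attached.")
LONG_MAIL = make("news@example.net", "Hello",
                 "Lorem ipsum " * 50 + "viagra")

if __name__ == "__main__":
    for name, raw in [("HR_NOTICE", HR_NOTICE), ("INVOICE", INVOICE),
                      ("LONG_MAIL", LONG_MAIL)]:
        # Any hit on the two legitimate messages would be discarded silently
        print(name, matched_rules(raw))
```

The first two messages are legitimate but match on short substrings ("sexual" in the body, "acai" inside a sender's name in the headers); the third shows that text beyond the first 500 body characters is never tested.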


Here are some useful general variables with which you can create those filters.

A complete list of the available variables is given in the Exim documentation. This shortened list contains the ones that are most likely to be useful in personal filter files:

$body_linecount: The number of lines in the body of the message.

$body_zerocount: The number of binary zero characters in the body of the message.

$home: In conventional configurations, this variable normally contains the user’s home directory. The system administrator can, however, change this.

$local_part: The part of the email address that precedes the @ sign – normally the user’s login name. If support for multiple personal mailboxes is enabled (see section 3.31 below) and a prefix or suffix for the local part was recognized, it is removed from the string in this variable.

$local_part_prefix: If support for multiple personal mailboxes is enabled (see section 3.31 below), and a local part prefix was recognized, this variable contains the prefix. Otherwise it contains an empty string.

$local_part_suffix: If support for multiple personal mailboxes is enabled (see section 3.31 below), and a local part suffix was recognized, this variable contains the suffix. Otherwise it contains an empty string.

$message_body: The initial portion of the body of the message. By default, up to 500 characters are read into this variable, but the system administrator can configure this to some other value. Newlines in the body are converted into single spaces.

$message_body_end: The final portion of the body of the message, formatted and limited in the same way as $message_body.

$message_body_size: The size of the body of the message, in bytes.

$message_exim_id: The message’s local identification string, which is unique for each message handled by a single host.

$message_headers: The header lines of the message, concatenated into a single string, with newline characters between them.

$message_size: The size of the entire message, in bytes.

$original_local_part: When an address that arrived with the message is being processed, this contains the same value as the variable $local_part. However, if an address generated by an alias, forward, or filter file is being processed, this variable contains the local part of the original address.

$reply_address: The contents of the Reply-to: header, if the message has one; otherwise the contents of the From: header. It is the address to which normal replies to the message should be sent.

$return_path: The return path – that is, the sender field that will be transmitted as part of the message’s envelope if the message is sent to another host. This is the address to which delivery errors are sent. In many cases, this variable has the same value as $sender_address, but if, for example, an incoming message to a mailing list has been expanded, $return_path may have been changed to contain the address of the list maintainer.

$sender_address: The sender address that was received in the envelope of the message. This is not necessarily the same as the contents of the From: or Sender: header lines. For delivery error messages (“bounce messages”) there is no sender address, and this variable is empty.

$tod_full: A full version of the time and date, for example: Wed, 18 Oct 1995 09:51:40 +0100. The timezone is always given as a numerical offset from GMT.

$tod_log: The time and date in the format used for writing Exim’s log files, without the timezone, for example: 1995-10-12 15:32:29.

$tod_zone: The local timezone offset, for example: +0100.


That's all.