Global Email Filters issue with multiple filters

[rusty99]

I have a personal domain name with multiple accounts. It gets a ton of spam which I have been dealing with over the years, but I tend to get deluged by spammers using TLDs such as .club, .sale, .work that they keep changing. When a wave comes through I send them all to dev/null? (discard message). However, the latest one, .sale, I can't seem to get it to go there. It is instead sent to a spam catchall account I have to check for patterns of incoming spam. I'm not sure how to get it to work like the previous TLDs that get discarded. Here is a sample of the output from Test Filter.

Match expanded arguments:
Subject = " Kenny Love" <[email protected]>
Pattern = .+@.+\.shop
Sub-condition is true: $header_from: matches .+@.+\\.shop
This is the action - the last delivery GLOBAL SPAM is where I send spam I want to check before deleting

Headers charset "UTF-8"
Save message to: /dev/null 0660
Save message to: /dev/null 0660
Save message to: /dev/null 0660
Deliver message to: "user+GLOBAL SPAM"@mydomain.net
Filtering set up at least one significant delivery or other action.
No other deliveries will occur.

I use the Global Email Filters user interface in cPanel and have created a single regex for .sale and moved it to the top to see if that works, which it hasn't. Hopefully someone can advise what is happening here. If there is a conflict with another filter where is there a text file for this filter config on the server?

 

[cPRex]

Hey there! This does look like a filter conflict according to those last two lines. If you wanted to see them in plain text, they are stored in individual files inside /etc/vfilters/domain.com. Can you check that area to see if you can find the conflict?

 

[rusty99]

Hey there! This does look like a filter conflict according to those last two lines. If you wanted to see them in plain text, they are stored in individual files inside /etc/vfilters/domain.com. Can you check that area to see if you can find the conflict?

Thanks - after poking around I found the hosting company has the filters under .cpanel in the account root, rather than inside etc/. What seems to be happening is that these emails are matching multiple criteria in the filters list. I have .+@.+\.shop as the first criteria to match but the emails also have tinnitus in the subject and other text matches in the body, so they can match 3 criteria strings at once. Is it correct that the filter is doing multiple actions on each email, such as sending a copy to dev/null AND another copy to my GLOBAL SPAM catchall account? I wish it would just dev/null which is the first match and go no further.

 

[cPRex]

Yes, it can definitely match on multiple filters. It sounds like this may have been created as one large filter, instead of individual filters. For example, you can have multiple matches in one filter as shown here:



or you can create individual filters. I'd recommend setting up individual filters instead of one large one to ensure they get processed how you expect.

 

[rusty99]

Yes, it can definitely match on multiple filters. It sounds like this may have been created as one large filter, instead of individual filters. For example, you can have multiple matches in one filter as shown here:

View attachment 81301

or you can create individual filters. I'd recommend setting up individual filters instead of one large one to ensure they get processed how you expect.

I do have individual filters and they are ranked so that the dev/nul ones are at the top. It used to work where the new annoying TLDs were deleted but for some reason this time its not working as expected.

 

[cPRex]

I can't say for sure what the issue could be without checking out the system. If you have root access to the machine we'd be happy to take a look, but if you only have access to cPanel you'd need to speak to your hosting provider or datacenter to have them check the system.