Email filters in cPanel

Last updated: 9 March 2022

Email filters are used to create rules for how incoming emails are processed. They are mostly used to block emails from a specific email address or to weed out spam but they have other uses as well. For instance, you can create a filter that delivers emails from a particular address to a specific folder.

cPanel has two interfaces for email filters:

• Global Email Filters let you create and manage rules that apply to all email addresses in your cPanel account.
• Email Filters is used to create and manage filters for an individual mailbox.

Both interfaces are identical. In this article I only look at managing filters for a single email address, but the same principles apply to global email filters.

Image: the ‘Email Filters’ interface shows all email addresses. Click on ‘Manage Filters’ to create or edit filters for an email address.

Creating a filter rule

The Manage Filters link lets you create a new filter and edit, delete or test existing filters. I will look at testing a filter rule later. First, let’s create some filters: click the Create a New Filter button to do so.

The form to create a filter rule has three parts:

Filter name

The Filter Name is the administrative name for the filter. The name can be anything you like and is used purely for you own reference. When you got lots of filter rules it is handy if the filters have names that describe what they do.

Rules

The Rules field defines what should be matched. There are two drop-down lists and a text field:

• The first drop-down list lets you select an email element, such as the From header, subject line or the body of the email.
• The second drop-down list is used to select an operator, such as “contains”, “equals” or “begins with”.
• Finally, the text field defines the text that should be matched.

It is possible to create multiple rules by clicking on the “plus” button. In general, this is not recommended. Simple rules are easier to administer and are processed faster.

Similarly, if you know your regular expressions you may be tempted to use the “matches regex” operator. As a rule of thumb, you should only do this if the standard operators are unworkable for what you are trying to achieve.

Actions

The action defines what needs to be done if a rule is matched. You can select an action from the drop-down list. Actions include “discard message”, “fail with message” and “deliver to folder”.

The default action is “discard message”. This option purges the email, and the sender will not get a bounce message. Often, “fail with message” is a better option. The email is still purged, but the sender will receive a bounce message. You can enter a custom bounce message, such as “Your email has not been delivered because it looks like spam”.

Filter examples

cPanel’s email filters are quite flexible. To give you an idea of what you can do I will create three filters. Along the way I will talk about some common pitfalls as well.

Blocking senders

Let’s start with a filter that purges all emails from newsletter@evilcorp.biz.

Image: discarding emails from newsletter@evilcorp.biz.

As you can see, the rule is as follows:

Name: Discard Evil Corp (newsletter@evilcorp.biz)
Rule: From contains newsletter@evilcorp.biz
Action: Discard message

If you want to block all emails from the domain evilcorp.biz then you can match @evilcorp.biz instead:

Name: Discard Evil Corp (@evilcorp.biz)
Rule: From contains @evilcorp.biz
Action: Discard message

If you want you can even block the .biz top-level domain (TLD). In that case you want to use the “ends with” operator to only match strings that end with “.biz”. By only matching the end of the string you make sure you don’t accidentally block emails that have “.biz” elsewhere in the email address. For instance, you don’t want your rule to match “lee.bizkari@example.net“.

Name: Discard .biz
Rule: From ends with .biz
Action: Discard message

Of course, there is now a risk that genuine emails are purged. The .biz TLD is widely used by spammers but there are legitimate users as well. Discarding an entire TLD because you are receiving lots of spam emails from certain TLDs is a very crude way of battling spam. I don’t recommend it.

Filtering body content

The below image shows an example of another bad filter rule. We are looking for the string “bitcoin” in the body of the email, and if it is found the email is purged (without a bounce message). As an aside, the string is case-insensitive: it also matches strings like “Bitcoin” and “bItCoIn”.

Image: discarding emails containing the string “bitcoin”.

The idea here is to weed out sextortion emails. This is common type of spam / scam email in which the the sender claims to have hacked your computer and used your web cam to make an embarrassing video of you. Typically, these emails demand a payment in Bitcoin. You should always ignore these emails and there is no issue with purging them. However, there is an issue with creating a rule that simply purges any email containing the word “bitcoin”.

Why? Well, the string ‘bitcoin’ can appear in genuine emails. A friend may make a joke about investing in Bitcoins, for instance. Or perhaps you have decided that crytocurrencies are not a ponzi scheme after all and want to set up a Bitcoin wallet. Weeding out spam by matching a single word is usually a bad idea.

The most famous example of a string that should not be blocked is “sex”. Simply blocking that string also blocks emails containing the word “Essex”, “Sussex” or “Middlesex”, among many others. This type of unintentional blocking is known as the Scunthorpe problem.

In general, if you want to match words in the body of an email then it is best to use the “Deliver to folder” action. Selecting that option lets you select a folder, such as your Spam folder. That way the emails won’t be purged, but they also don’t appear in your inbox.

Image: delivering bitcoin emails to the “Spam” folder.

Redirecting emails

So far I looked at blocking emails. Of course, that is not the only function of filter rules; you can also use filter rules to for instance deliver emails from certain senders to specific folders.

For the below example I created an email folder named “Unicorns”. I then created a filter that delivers all emails from @unicornfactory.ru addresses to the Unicorns folder.

Image: delivering unicorn emails to the “Unicorns” folder.

Clashing filters

Earlier, I mentioned that it is best to keep filter rules simple. Instead of using one filter with lots of rules you should use lots of filters with one rule. This makes the rules easier to understand, and it avoids conflicting rules.

That said, if you have lots of filters you may end up with conflicting filters. To illustrate, let’s have another look at the filters I created:

• We are purging emails from newsletter@evilcorp.biz.
• Emails with the string “bitcoin” in the body are moved to the “Spam” folder.
• Emails from @unicornfactory.ru are moved to the “Unicorn” folder.

Filter rules are processed in order: the first rule is processed first and the last rule is processed last. If you have lots of filters then you may need to make sure that the order makes sense. For instance, the Unicorns rule should probably come before the Bitcoin rule. An email from an @unicornfactory.ru address should be delivered to our “Unicorn” folder, even it contains the string “bitcoin”.

Testing filters

In practice, though, both filters are processed. You can test this using the “filter test” on the Email Filters page. In the below image I tested an email from sales@unicornfactory.ru that has the word “bitcoin” in the body of the email:

Image: testing email filters.

In this case the rule is matched twice and the email is delivered twice: to the Spam folder and to the Unicorns folder:

Image: the result of the filter test.

The output of the test isn’t very pretty and readable. However, it does show that two filters were matched. The most important information are the two “Deliver message to” lines. It shows that the test email would be delivered to both the “spam” and “Unicorn” folder.

This is counter-intuitive but it is how cPanel handles filters. In fact, the same happens when the Bitcoin rule discards emails containing the string “bitcoin”. Odd as it sounds, the email will first be discarded and then delivered to the “Unicorns” folder. In other words, filter clashes are rare. Still, it is good practice to have a logical order in your filter rules.

Using multiple filter rules

Finally, the last example shows a good use-case for having multiple filters. To avoid the clash between the two filters you can use two rules, as shown in the below image:

Image: a filter with two rules.

The filter is only applied if both rules are matched:

Rule 1: Body contains “bitcoin”
Rule 2: From does not contain “@unicornfactory.ru”

In other words, any email with the word “bitcoin” in the body will be purged, apart from emails sent from an @unicornfactory.ru address. As mentioned before, it is best to keep rules simple, but you can create more complex rules where is makes sense.