Email filters are used to create rules for how incoming emails should be processed. They are mostly used to block emails from a specific email address or to weed out spam.
cPanel has two interfaces for email filters:
Both interfaces are identical. In this article I will only look at managing filters for a single email address, but the same principles apply to global email filters.
Image: the ‘Email Filters’ interface shows all email addresses. Click on ‘Manage Filters’ to create or edit filters for an email address.
The Manage Filters link lets you create a new filter and edit, delete or test existing filters. I will look at testing a filter rule later. First, lets create some filters: click the Create a New Filter button to do so.
The form to create a filter rule has three parts:
The Filter Name is the administrative name for the filter. The name can be anything you like and is used purely for you own reference. When you got lots of filter rules it is handy if the filters have names that describe what they do.
The Rules field defines what should be matched. There are two drop-down lists and a text field:
It is possible to create multiple rules by clicking on the “plus” button. In general, this is not recommended. Simple rules are easier to administer and are processed faster.
Similarly, if you know your regular expressions you may be tempted to use the “matches regex” operator. As a rule of thumb, you should only do this if the standard operators are unworkable for what you are trying to achieve.
Some action needs to be taken if a rule is matched. You can select an action from the drop-down list. Actions include “discard message”, “fail with message” and “deliver to folder”.
The default action is “discard message”. This option purges the email, and the sender will not receive a bounce message. Often, “fail with message” is a better option. The email is still purged, but the sender will receive a bounce message. You can enter a custom bounce message, such as “Your email has not been delivered because it looks like spam”.
cPanel’s email filters are quite flexible. To give you an idea of what you can do I will create three filters. Along the way I will talk about some common pitfalls as well.
Lets start with a filter that purges all emails from email@example.com.
Image: discarding emails from firstname.lastname@example.org.
As you can see, the rule is as follows:
Name: Discard Evil Corp (email@example.com)
Rule: From contains firstname.lastname@example.org
Action: Discard message
If you want to block all emails from the domain evilcorp.biz then you can match @evilcorp.biz instead:
Name: Discard Evil Corp (@evilcorp.biz)
Rule: From contains @evilcorp.biz
Action: Discard message
If you want you can even block the .biz top-level domain (TLD). In that case you want to use the “ends with” operator to only match strings that end with “.biz”. By only matching the end of the string you make sure you don’t accidentally block emails that have “.biz” elsewhere in the email address. For instance, you don’t want your rule to match “email@example.com“.
Name: Discard .biz
Rule: From ends with .biz
Action: Discard message
Of course, there is now a risk that genuine emails are purged. The .biz TLD is widely used by spammers but there are legitimate users as well. Discarding an entire TLD because you are receiving lots of spam emails from certain TLDs is a very crude way of battling spam. I don’t recommend it.
The below image shows an example of another bad filter rule. We are looking for the string “bitcoin” in the body of the email, and if it is found the email is purged (without a bounce message). As an aside, the string is case-insensitive: it will also match stings like “Bitcoin” and “bItCoIn”.
Image: discarding emails containing the string “bitcoin”.
The idea here is to weed out sextortion emails. This is common type of spam / scam email in which the the sender claims to have hacked your computer and used your web cam to make an embarrassing video of you. Typically, these emails demand a payment in Bitcoin. You should always ignore these emails and there is no issue with purging the emails. However, there is an issue with creating a rule that simply purges any email containing the word “bitcoin”.
Why? Well, the string ‘bitcoin’ can appear in a legitimate email. A friend or colleague may make a joke about investing in Bitcoins, for instance.
There are many other word that should not be simply blocked. The most famous example is the string “sex”. Simply blocking that string also blocks emails that contain the string “Essex”, “Sussex” or “Middlesex”, among many others. This type of unintentional blocking is known as the Scunthorpe problem.
In general, if you want to match words in the body of an email then it is best to use the “Deliver to folder” action. Selecting that option lets you select a folder, such as your Spam folder. That way the emails won’t be purged, but they also don’t appear in your inbox.
Image: delivering bitcoin emails to the “Spam” folder.
So far I looked at blocking emails. Of course, that is not the only function of filter rules; you can also use filter rules to for instance deliver emails from certain senders to specific folders.
For the below example I created an email folder named “Unicorns”. I then created a filter that delivers all emails from @unicornfactory.ru addresses to the Unicorns folder.
Image: delivering unicorn emails to the “Unicorns” folder.
Earlier, I mentioned that it is best to keep filter rules simple. Instead of using one filter with lots of rules you should use lots of filters with one rule. This makes the rules easier to understand, and it avoids conflicting rules.
That said, if you have lots of filters you may end up with conflicting filters. To illustrate, lets have another look at the filters I created:
Filter rules are processed in order: the first rule is processed first and the last rule is processed last. If you have lots of filters then you may need to make sure that the order makes sense. For instance, the Unicorns rule should probably come before the bitcoin rule. An email from an @unicornfactory.ru address should be delivered to our “Unicorn” folder, even it contains the string “bitcoin”.
In practice, though, both filters are processed. You can test this using the “filter test” on the Email Filters page. In the below screenshot I tested an email from firstname.lastname@example.org that has the word “bitcoin” in the body of the email:
Image: testing email filters.
In this case the rule is matched twice and the email is delivered twice: to the Spam folder and to the Unicorns folder:
Image: the result of the filter test.
The output of the test isn’t very pretty and readable. However, it does show that two filters were matched. The most important information are the two “Deliver message to” lines. It shows that the test email would be delivered to both the “spam” and “Unicorn” folders.
This is counter-intuitive but it is how cPanel handles filters. In fact, the same happens when the bitcoin rule discards emails containing the string “bitcoin”. Odd as it sounds, the email will first be discarded and then delivered to the “Unicorns” folder. In other words, filter clashing are rare. Still, it is good practice to have a logical order in the filter rules.
Finally, the last example shows a good use-case for having multiple filters. To avoid the clash between the two filters you can use two rules, as shown in the below screenshot:
Image: a filter with two rules.
The filter is only applied if both rules are matched:
Rule 1: Body contains “bitcoin”
Rule 2: From does not contain “@unicornfactory.ru”
In other words, any email with the word “bitcoin” in the body will be purged, apart from emails sent from an @unicornfactory.ru address. As mentioned before, it is best to keep rules simple, but if you need to you can create more complex rules.