Working on mail filters, I am still searching for definitive info on syntax, but have discovered the following:
Syntax is supposed to be "Perl Regex". (From Exim documentation.)
Contents of .filter are read and displayed when filters page is refreshed. When a rule is added or deleted, those contents are parsed and used to rewrite contents of /etc/vfilters/<domain-name>. If you edit .filter or restore from a saved version, you must add/delete a dummy from the Mail Filters page (the vfilters file is read-only on my host).
The number of escape characters "\" required appears to vary depending on where used. Trying to block a set of domains, I wanted to require a leading "." and trailing ")" in one rule.
Rules that worked for a broad set follow:
any_header matches_regex .*\\\\.(ar|cc|ch|cn|de|es|fr|il|info|jp|kr|mt|nl|nz|pl|ru|sk|tv|uk|za)\\\\).*
any_header matches_regex .*@.*\\\\.(ar|cc|ch|cn|de|es|fr|il|info|jp|kr|mt|nl|nz|pl|ru|sk|tv|uk|za)>.*
Four escape characters were required for the "." and ")". The second rule trolls for e-mail addresses from banned domains in other headers.
It is worth noting that the leading and trailing ".*" are not required, since "matches regex" actually performs a "contains regex" (at least on my host). I have not found a way to require strict matching.
Only one (1) escape is required for some special characters within a 'class'. I have found this true for [\-\*\.] on my host...your mileage may vary.
Filters get lines converted to lower case, but not before special character conversions have been done. For instance, you cannot successfully search for charset=windows-1251 in a subject line. (I wanted to drop any e-mail using any of a set of foreign characters, but the strings were converted before being compared.) My work-around blocks mail containing certain extended characters like (û|ó|ñ|Á|Ó|ð|å|ê|ë|à|ê|î|ì|ï|à|í|è|å|é).
Admins from my host sent examples using 2 and 3 escape characters--none worked. But they also modified one of my examples so that it blocked all mail to my domain (my domain name contains one of the two-character domains that I wanted to block). (I reported a bug, and they apparently interpreted that as 'do testing on my production site' and 'leave untested rules behind.')
A search on this forum found several inquiries on filter syntax, but no responses.
The current config on my host is:
Operating system Linux
Kernel version 2.4.21-20.EL
Apache version 1.3.33 (Unix)
PERL version 5.8.4
PHP version 4.3.10
MySQL version 4.0.22-standard
cPanel Build 10.0.0-CURRENT
Theme cPanel X v2.5.0
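
An added example, not part of the original post: a small Python harness for checking the two rules above against sample headers before saving them on the Mail Filters page. It assumes the rule text goes through two backslash-reduction passes before it reaches the regex engine (an assumption that fits the four-backslash observation, not something the post confirms) and uses Python's `re` as a stand-in for Perl regex; the headers and helper names are constructed for illustration.

```python
import re

TLDS = "ar|cc|ch|cn|de|es|fr|il|info|jp|kr|mt|nl|nz|pl|ru|sk|tv|uk|za"

def effective_regex(rule_text, passes=2):
    # ASSUMPTION: each pass turns "\x" into "x", so "\\" becomes "\".
    for _ in range(passes):
        rule_text = re.sub(r"\\(.)", lambda m: m.group(1), rule_text)
    return rule_text

def verdict(rule_text, header):
    """Return 'block', 'pass', or 'invalid' if the regex does not compile."""
    try:
        rx = re.compile(effective_regex(rule_text))
    except re.error:
        return "invalid"
    # Per the post: lines are lower-cased and the match is a "contains" search.
    return "block" if rx.search(header.lower()) else "pass"

def paren_rule(n):
    """First rule from the post, written with n backslashes per escape."""
    bs = "\\" * n
    return ".*" + bs + ".(" + TLDS + ")" + bs + ").*"

def addr_rule(n):
    """Second rule from the post, written with n backslashes per escape."""
    bs = "\\" * n
    return ".*@.*" + bs + ".(" + TLDS + ")>.*"

# Constructed sample headers (not taken from real mail).
SPAM_RECEIVED = "Received: from mx.example.ru (mx.example.ru)"
SPAM_FROM = "From: Someone <user@example.de>"
GOOD_TO = "To: <me@decor-example.com>"     # domain merely contains "de"
GOOD_LOCAL = "Return-Path: <cron@media-tv>"  # no dot before "tv"

def report():
    """One row per backslash count: (n, verdicts for the four headers)."""
    return [(n,
             verdict(paren_rule(n), SPAM_RECEIVED),
             verdict(addr_rule(n), SPAM_FROM),
             verdict(addr_rule(n), GOOD_TO),
             verdict(addr_rule(n), GOOD_LOCAL))
            for n in range(1, 5)]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Under this model, one to three backslashes leave the ")" unescaped (the first rule no longer compiles) and turn the "." into a wildcard (the second rule also blocks the dot-less `media-tv` address); only four backslashes produce the intended literal match.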