Hi all,
I'm looking for a global filter to add to the mail server or SpamAssassin, to filter the emails of the server (including all accounts). How can I do this?
Is it better to do this in the Exim config or with SpamAssassin?
Thanks
Evolution Technology Web Hosting Support.
MSN: webmaster@scqcc.cl
Users can disable SpamAssassin via their accounts.
You can use the global filter called /etc/antivirus.exim.
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
How can I add some filters to that file? I need specific instructions.
http://www.webhostgear.com/338.html
Be careful: if you screw up a rule here it can delete all the server's incoming/outgoing mail. Make sure you know what rules you're adding.
OK,
I found this config; I will post it here for anyone with the same problem or issue.
Based on the original:
Credits to Steven Leggett (info@webhostgear.com).
Code:
# Exim filter
### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com ###
##############################################################################
# (the "# Exim filter" first line is required for a system filter file)

# START # Filters all incoming and outgoing mail
logfile /var/log/filter.log 0644

## Common Spam
if
  # Header Spam
  $header_subject: contains "Pharmaceutical" or
  $header_subject: contains "Viagra" or
  $header_subject: contains "Cialis" or
  $header_subject: is "The Ultimate Online Pharmaceutical" or
  $header_subject: contains "***SPAM***" or
  $header_subject: contains "[SPAM]" or
  $header_subject: contains "{Definitely Spam?}" or
  # Body Spam
  $message_body: contains "Cialis" or
  $message_body: contains "Viagra" or
  $message_body: contains "Leavitra" or
  $message_body: contains "St0ck" or
  $message_body: contains "Viaagrra" or
  $message_body: contains "Cia1iis" or
  $message_body: contains "URGENT BUSINESS PROPOSAL" or
  # (net|com|...) is an alternation; the original [net|com|...] was a
  # character class matching any single one of those letters
  $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)" or
  $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen( |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
  $message_body: contains "click here if you"
then
  # Log Message - SENDS RESPONSE BACK TO SENDER
  # SUGGESTED TO LEAVE OFF to prevent fail loops
  # and more work for the mail system
  # fail text "Message has been rejected because it has
  # triggered our central filter."
  logwrite "$tod_log $message_id from $sender_address contained spam keywords"
  seen finish
endif
# END # Filters all incoming and outgoing mail

# START # All outgoing mail on the server only - what is sent out
# Check forwarders so they don't get blocked
# Forwarders still work =)

## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if
  ( $received_protocol is "local" or
    $received_protocol is "esmtpa" ) and
  ( $header_from contains "@citibank.com" or
    $header_from contains "@bankofamerica.com" or
    $header_from contains "@wamu.com" or
    $header_from contains "@ebay.com" or
    $header_from contains "@chase.com" or
    $header_from contains "@paypal.com" or
    $header_from contains "@wellsfargo.com" or
    $header_from contains "@bankunited.com" or
    $header_from contains "@bankerstrust.com" or
    $header_from contains "@bankfirst.com" or
    $header_from contains "@capitalone.com" or
    $header_from contains "@citizensbank.com" or
    $header_from contains "@jpmorgan.com" or
    $header_from contains "@wachovia.com" or
    $header_from contains "@bankone.com" or
    $header_from contains "@suntrust.com" or
    $header_from contains "@amazon.com" or
    $header_from contains "@banksecurity.com" or
    $header_from contains "@visa.com" or
    $header_from contains "@mastercard.com" or
    $header_from contains "@mbna.com" )
then
  logwrite "$tod_log $message_id from $sender_address is fraud"
  seen finish
endif

## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if
  ( $received_protocol is "local" or
    $received_protocol is "esmtpa" ) and
  ( $header_from contains "@hotmail.com" or
    $header_from contains "@yahoo.com" or
    $header_from contains "@aol.com" )
then
  logwrite "$tod_log $message_id from $sender_address is forged fake"
  seen finish
endif

## KNOWN FAKE PHISHING
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if
  ( $received_protocol is "local" or
    $received_protocol is "esmtpa" ) and
  (
    #Paypal
    $message_body: contains "Dear valued PayPal member" or
    $message_body: contains "Dear valued PayPal customer" or
    $message_body: contains "Dear Paypal" or
    $message_body: contains "The PayPal Team" or
    $message_body: contains "Dear Paypal Customer" or
    $message_body: contains "Paypal Account Review Department" or
    #Ebay
    $message_body: contains "Dear eBay member" or
    $message_body: contains "Dear eBay User" or
    $message_body: contains "The eBay team" or
    $message_body: contains "Dear eBay Community Member" or
    #Banks
    $message_body: contains "Dear Charter One Customer" or
    $message_body: contains "Dear wamu.com customer" or
    $message_body: contains "Dear valued Citizens Bank member" or
    $message_body: contains "Dear Visa" or
    $message_body: contains "Dear Citibank" or
    $message_body: contains "Citibank Email" or
    $message_body: contains "Dear customer of Chase Bank" or
    $message_body: contains "Dear Bank of America customer" or
    #ISPs
    $message_body: contains "Dear AOL Member" or
    $message_body: contains "Dear AOL Customer"
  )
then
  logwrite "$tod_log $message_id from $sender_address is phishing"
  seen finish
endif
# END # All outgoing mail on the server only - what is sent out
Last edited by VirtuaLira; 07-24-2006 at 09:29 PM.
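Before a rule list like the one above goes into /etc/antivirus.exim, where a bad rule silently discards mail for every account on the box, it is worth running it over a few saved messages offline. The script below is an added example and is not code from the thread or from webhostgear.com. It mimics the three Exim filter comparisons the posted filter uses (contains, is, matches; lower-case operators compare case-insensitively, as in Exim) and the way Exim builds $message_body (only the first message_body_visible bytes, default 500, with newlines turned into spaces), then runs the rules "as posted" and a tightened variant over constructed sample messages. The sample messages, the short rule lists and the "tightened" regexes are assumptions made for the example.

```python
"""Dry-run antivirus.exim keyword rules against sample mail before installing them."""
from __future__ import annotations
import re

MESSAGE_BODY_VISIBLE = 500  # Exim default for message_body_visible

# A rule is (field, operator, pattern); field is one of subject / from / body,
# standing for $header_subject:, $header_from: and $message_body.
Rule = tuple[str, str, str]

RULES_AS_POSTED: list[Rule] = [
    ("subject", "contains", "Viagra"),
    ("subject", "contains", "[SPAM]"),
    ("body", "contains", "Cialis"),                   # also fires on "specialist"
    ("body", "contains", "URGENT BUSINESS PROPOSAL"),
    # Square brackets make this a character class of single letters, not a TLD list.
    ("body", "matches", r"angka[^s]+[net|com|org|biz|info|us|name]+?"),
]

RULES_TIGHTENED: list[Rule] = [
    ("subject", "contains", "Viagra"),
    ("subject", "contains", "[SPAM]"),
    ("body", "matches", r"\bcialis\b"),               # whole word only
    ("body", "contains", "URGENT BUSINESS PROPOSAL"),
    ("body", "matches", r"angka[^s]+(net|com|org|biz|info|us|name)"),  # assumed intent
]

# Constructed sample messages: name -> (Subject, From, body)
SAMPLES: dict[str, tuple[str, str, str]] = {
    "legit-medical": ("Appointment with the specialist", "clinic@example.net",
                      "Your specialist will see you on Monday."),
    "split-phrase": ("Re: project", "partner@example.org",
                     "URGENT BUSINESS\nPROPOSAL attached, please review."),
    "tagged-spam": ("[SPAM] cheap meds", "promo@example.com", "buy now"),
    "clean": ("Invoice 2006-07", "billing@example.com",
              "Please find the invoice attached."),
    "angka-noise": ("hello", "friend@example.com", "angka 4u"),
    "angka-domain": ("hello", "friend@example.com", "see angka.com"),
}


def message_body_view(body: str) -> str:
    """Approximate $message_body: truncate and flatten newlines to spaces."""
    return body[:MESSAGE_BODY_VISIBLE].replace("\r\n", "\n").replace("\n", " ")


def condition_holds(value: str, op: str, pattern: str) -> bool:
    """Lower-case Exim filter operators compare case-insensitively."""
    if op == "contains":
        return pattern.lower() in value.lower()
    if op == "is":
        return value.lower() == pattern.lower()
    if op == "matches":
        return re.search(pattern, value, re.IGNORECASE) is not None
    raise ValueError(f"unknown operator {op!r}")


def matching_patterns(rules: list[Rule], subject: str, sender: str, body: str) -> list[str]:
    """Patterns of every rule that fires; one hit is enough for 'seen finish' to drop the mail."""
    fields = {"subject": subject, "from": sender, "body": message_body_view(body)}
    return [pat for field, op, pat in rules if condition_holds(fields[field], op, pat)]


def scan(rules: list[Rule], samples: dict[str, tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each sample name to the list of patterns that would discard it."""
    return {name: matching_patterns(rules, *msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("tightened", RULES_TIGHTENED)):
        print(f"== {label} ==")
        for name, hits in scan(rules, SAMPLES).items():
            print(f"{name:14s} {'DISCARD ' + str(hits) if hits else 'deliver'}")
```

The run shows the two things that bite in practice: "contains Cialis" discards a perfectly normal appointment mail because "specialist" contains the string, and a regex written with [net|com|...] fires on almost any text after "angka". Once the list looks right, test the real file with a saved message via exim -bF /etc/antivirus.exim < message.eml, which runs the system filter in test mode and reports what it would do without delivering or discarding anything. Note also that the posted filter creates /var/log/filter.log with mode 0644; if you later log subjects and bodies to it, make that 0600 so mail content is not world-readable.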
Thanks Steve!
Hi,
Do you mean that anybody can save this as "antivirus.exim" and use it directly?
see ya,
mohit
Learn at least a word daily
7+1 Dedicated Boxes with cPanel...
yup
And now, does anyone know how to have certain domains excluded from the antivirus.exim file?
Where do the rejected emails go?
Is it possible to check the emails processed by the filters?
Some important emails are rejected because of spam words...
Thanks
They get deleted immediately and are not stored (/dev/nulled).
You can, of course, log the entire message as well, e.g.:
Code:
# Exim filter
logfile /var/log/filter.log 0644
if
  # replace with your conditions
  ( filter )
then
  logwrite "$tod_log $message_id from $sender_address is malicious"
  logwrite "$header_subject with $message_body"
  seen finish
endif
The line logwrite "$header_subject with $message_body" logs the subject and body of the message to your logfile.
You can probably disable global filtering for certain domains, e.g. whitelist them from antivirus.exim by doing the following.
Note: this is just after some quick research and hasn't been tried.
Try a nested if/else within the filters.
Code:
# Exim filter
if
  $message_headers: contains "@userdomain1.com" or
  $message_headers: contains "@userdomain2.com" or
  $message_headers: contains "@userdomain3.com"
then
  # Ignore filters, do nothing
else
  logfile /var/log/filter.log 0644
  ## Common Spam
  if
    # Header Spam
    $header_subject: contains "Pharmaceutical" or
    $header_subject: contains "Viagra" or
    $header_subject: contains "Cialis" or
    $header_subject: is "The Ultimate Online Pharmaceutical" or
    $header_subject: contains "***SPAM***" or
    $header_subject: contains "[SPAM]" or
    $header_subject: contains "{Definitely Spam?}" or
    # Body Spam
    $message_body: contains "Cialis" or
    $message_body: contains "Viagra" or
    $message_body: contains "Leavitra" or
    $message_body: contains "St0ck" or
    $message_body: contains "Viaagrra" or
    $message_body: contains "Cia1iis" or
    $message_body: contains "URGENT BUSINESS PROPOSAL" or
    # (net|com|...) is an alternation; [net|com|...] was a character class
    $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)" or
    $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen( |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
    $message_body: contains "click here if you"
  then
    # Log Message - SENDS RESPONSE BACK TO SENDER
    # SUGGESTED TO LEAVE OFF to prevent fail loops
    # and more work for the mail system
    # fail text "Message has been rejected because it has
    # triggered our central filter."
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"
    seen finish
  endif
endif
Hey all,
Does anyone know how to show the IP address of the sending party, rather than posting the full header? Logging anything like the body will kind of bog down your machine, but it will prevent any filtered email from being unviewable. One problem I encounter is that the email addresses I'm filtering are abuse addresses, for example, and we can't exactly misplace an email.
I'm thinking of writing an app in PHP to pipe the filtered mail into, but I'm not sure if that is really necessary. The whole point of filtering in the first place is so you DON'T have to view or handle the SPAM. But in my case, it's just to keep it from our ticket system so we can better assist the legitimate complaints.
Thanks,
Russ
How can I bypass the common SPAM section for the local domains? Is there a way to read the localdomains file and check all the domains in the bypass part?
I don't know if the filters or spam words are OK; it is always the same thing, some emails without those "words" are detected as spam.
If anyone knows, please help.
Thanks
Hello,
One thing I noticed on one of our machines is that some emails that are blocked aren't necessarily blocked by this filtering mod. They were blocked by other applications such as SpamAssassin. One example was a few mailing lists which had sent a weekly notice and got tossed into the spam log file. I'm just filtering out about 12 email addresses now rather than every address at 2 of our domains. I'm actually having quite good success with it. Only 1 false positive, when I blocked "software", and that was because of a mailing list. The other emails that were blocked had nothing to do with my filters.
As for automatically bypassing localdomains, I'm not too sure how to get that done. Perhaps parse the file from a script on cron to update the antivirus.exim file occasionally? Anyone else have a bit more knowledge for a better idea? I just started with this filtering myself... so hopefully someone else has more experience with it.
Hope this might help.
Thanks,
Russ
PS: I thought I'd include my current filter set for you all. Have fun with it... But please note, this filter set is based on spam WE received and don't want to view.
Code:
# Only the conditions were posted; the logfile/if/then wrapper below follows
# the pattern of the antivirus.exim filter earlier in the thread.
logfile /var/log/filter.log 0644
if
  ### Check message sender
  $header_from: contains ".ne.jp"
  or $header_from: contains "@0451.com"
  or $header_from: contains "@0733.com"
  or $header_from: contains "@pistonheads.biz"
  or $header_from: contains "@esp2office.biz"
  or $header_from: contains "@pellicano.biz"
  or $header_from: contains "@perlite.biz"
  or $header_from: contains "@pradella.biz"
  or $header_from: contains "@j-j.jp"
  or $header_from: contains "@mymadonna.jp"
  or $header_from: contains "@quasarman.biz"
  or $header_from: contains "@prostateforum.biz"
  or $header_from: contains "@0-0.com"
  or $header_from: contains "@garageservice.biz"
  or $header_from: contains "@garageservices.biz"
  or $header_from: contains "@53.com"
  or $header_from: contains "@scandinavian-seed.biz"
  or $header_from: contains "@paramed.biz"
  or $header_from: contains "tknowles@"
  or $header_from: contains "@scandinavianseed.biz"
  or $header_from: contains "@first2office.biz"
  or $header_from: contains "@hehe.com"
  or $header_from: contains "@yahoo.co.jp"
  or $header_from: contains "@yahoo.co.kr"
  or $header_from: contains "@yahoo.it"
  or $header_from: contains "@yahoo.ca"
  or $header_from: contains "@yahoo.fr"
  or $header_from: contains "@yahoo.es"
  or $header_from: contains "@citiz.net"
  or $header_from: contains "@tpnet.pl"
  ### Check message subject
  or $header_subject: contains "ephedra"
  or $header_subject: contains "microcap"
  or $header_subject: contains "slimmer"
  or $header_subject: contains "swiss"
  or $header_subject: contains "promotion"
  or $header_subject: contains "degree"
  or $header_subject: contains "diploma"
  or $header_subject: contains "mortgage"
  or $header_subject: contains "t-shirts"
  or $header_subject: contains "refinance"
  or $header_subject: contains "watches"
  or $header_subject: contains "medicine"
  or $header_subject: contains "0em"
  or $header_subject: contains "oem"
  or $header_subject: contains "herb"
  or $header_subject: contains "4ve"
  or $header_subject: contains "s0ftw4re"
  or $header_subject: contains "0ff"
  or $header_subject: contains "darling"
  or $header_subject: contains "overdose"
  or $header_subject: contains "girl"
  or $header_subject: contains "soft"
  or $header_subject: contains "%o!<"
  or $header_subject: matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i|1)(l|-l|1)(l|-l|1)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)d|r(e|ej|je)plica|cr(e|je|ej)dit"
  or $header_subject: is "Our store is your cureall!"
  or $header_subject: is "urgent asisstance"
  or $header_subject: is "Wall Street News"
  or $header_subject: is "We cure any desease!"
  or $header_subject: is "Full of health? Then don't click!"
  or $header_subject: is "All products for your health!"
  ### Check message body
  or $message_body: contains "girl"
  or $message_body: matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i)(l|-l)(l|-l)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)ds|r(e|ej|je)plica|cr(e|je|ej)dit"
  or $message_body: contains "This Is Going To Explode"
then
  logwrite "$tod_log $message_id from $sender_address matched custom filter"
  seen finish
endif
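The local-domain bypass asked about earlier in the thread, and Russ's idea of regenerating it from a cron job, as an added example that is not code from the thread. It assumes cPanel's /etc/localdomains (one domain per line) and emits an Exim filter guard to wrap the "## Common Spam" section. It deliberately does not test $message_headers for "@domain" as the earlier untested snippet does: any outside sender can put that string in a header and skip the filter. The generated guard instead requires the message to have been submitted locally or over an authenticated SMTP session ($received_protocol of local, esmtpa or esmtpsa) and to carry a local envelope sender domain, a combination a remote spammer cannot produce. The sample localdomains content and the short rule block are constructed stand-ins, and the script name in the usage line is hypothetical.

```python
"""Generate a local-domain bypass around the Common Spam section of /etc/antivirus.exim."""
from __future__ import annotations
import re
import sys

# Plain hostname labels only: anything else (quotes, spaces, stray characters)
# is refused so a bad line in localdomains cannot alter the filter syntax.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)

# Constructed stand-in for /etc/localdomains.
SAMPLE_LOCALDOMAINS = """\
# constructed sample
example.com
mail.example.com

example.org
Example.COM
"""

# Constructed stand-in for the section to protect (the real one is the
# "## Common Spam" block of antivirus.exim).
COMMON_SPAM_RULES = """\
## Common Spam
if
  $header_subject: contains "[SPAM]" or
  $message_body: contains "URGENT BUSINESS PROPOSAL"
then
  logwrite "$tod_log $message_id from $sender_address contained spam keywords"
  seen finish
endif
"""


def parse_localdomains(text: str) -> list[str]:
    """Return the sorted, de-duplicated, lower-cased domains of a localdomains file."""
    domains: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if not DOMAIN_RE.match(line):
            raise ValueError(f"localdomains line {lineno}: not a plain domain: {raw!r}")
        domains.add(line)
    return sorted(domains)


def bypass_condition(domains: list[str]) -> str:
    """Exim filter condition: submitted locally or authenticated, AND a local envelope
    sender domain. Envelope and header addresses are forgeable by an outside sender;
    the submission protocol is not, which is why both halves are required."""
    if not domains:
        raise ValueError("no local domains to whitelist")
    sender_tests = " or\n    ".join(f'$sender_address_domain is "{d}"' for d in domains)
    return (
        '( $received_protocol is "local" or\n'
        '    $received_protocol is "esmtpa" or\n'
        '    $received_protocol is "esmtpsa" ) and\n'
        f"  ( {sender_tests} )"
    )


def wrap_section(domains: list[str], rules: str) -> str:
    """Wrap a block of filter commands so it is skipped for trusted local senders."""
    indented = "\n".join(("  " + line) if line.strip() else line
                         for line in rules.strip("\n").splitlines())
    return (
        "## Local-domain bypass (generated from /etc/localdomains)\n"
        "if not (\n"
        f"  {bypass_condition(domains)}\n"
        ") then\n"
        f"{indented}\n"
        "endif\n"
    )


if __name__ == "__main__":
    # Usage: python3 gen_bypass.py /etc/localdomains > /tmp/common_spam.exim
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCALDOMAINS
    sys.stdout.write(wrap_section(parse_localdomains(src), COMMON_SPAM_RULES))
```

Run it from cron, splice the output in place of the Common Spam section (keeping "# Exim filter" as the first line of the file), and test the assembled file with a saved message before it goes live. The outgoing fraud and phishing sections stay outside the guard on purpose: they are the rules that should apply to authenticated local users.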
Good work Russ, but it is very restrictive :P
You must remember that some words with the filter "contains" can delete some solicited email, like the problem with "Cialis": this filter deletes the headers with "specialist" or "especialista" (Spanish), and a lot of other combinations.
And yes, there is a way to read the localdomains file, but I'm not a master of shell coding; in some sections I see people can read files and take data from a line with a command. I hope someone can help with this.
For the filters and other programs filtering, my answer is no: antivirus.exim is filtering some emails and I can't get the word or phrase that was filtered. I added:
Code:
logwrite "$header_subject with $message_body"
and the logfile says spamword filter, and the subject & content of the email, but I don't know for what word or thing these messages are filtered.