  1. #1
    promak (Member; Join Date: Oct 2001; Posts: 267)

    always have virus email in mail queue

    Hi,

    Any idea for Exim to check for non-valid domains or email addresses, and auto-delete them rather than holding them in the mail queue?

    I found many virus emails sent to server domain users with invalid email addresses, and many return messages are held there due to non-valid domains or non-existent email addresses.

    I have the following in antivirus.exim.

    ++++++++++++++++++
    if not first_delivery
    then
    finish
    endif

    if ${length_80:$header_date:} is not $header_date:
    then
    fail text "This message has been rejected because it has\n\
    an overlength date field which can be used\n\
    to subvert Microsoft mail programs\n\
    The following URL has further information\n\
    http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
    seen finish
    endif

    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
    fail text "This message has been rejected because it has\n\
    potentially executable content $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
    then
    fail text "This message has been rejected because it has\n\
    potentially executable content $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif


    ## -----------------------------------------------------------------------
    # Attempt to catch embedded VBS attachments
    # in emails. These were used as the basis for
    # the ILOVEYOU virus and its variants - many many varients
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    then
    fail text "This message has been rejected because it has\n\
    a potentially executable attachment $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif
    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
    then
    fail text "This message has been rejected because it has\n\
    a potentially executable attachment $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif
    ## -----------------------------------------------------------------------


    ### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com
    ######################################################
    # START
    # Filters all incoming and outgoing mail

    logfile /var/log/filter.log 0644
    ## Common Spam
    if

    # Header Spam
    $header_subject: contains "Viagra"
    or $header_subject: contains "Cialis"
    or $header_subject: is "The Ultimate Online Pharmaceutical"
    #or $header_subject: contains "***SPAM***"
    #or $header_subject: contains "[SPAM]"

    # Body Spam
    or $message_body: contains "Cialis"
    or $message_body: contains "Viagra"
    or $message_body: contains "Leavitra"
    or $message_body: contains "St0ck"
    or $message_body: contains "Viaagrra"
    or $message_body: contains "Cia1iis"
    or $message_body: contains ".pif"
    or $message_body: contains "Cia1iis"
    or $message_body: contains ".pif"
    or $message_body: contains "your_letter.pif"
    or $message_body: contains ".scr"
    or $message_body: contains "message.scr"
    or $message_body: contains "qualified personnel to staff"

    then
    # Log Message - SENDS RESPONSE BACK TO SENDER
    # SUGGESTED TO LEAVE OFF to prevent fail loops
    # and more work for the mail system
    #fail text "Message has been rejected because it has\n\
    # triggered our central filter."
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"

    seen finish

    endif

    # END
    # Filters all incoming and outgoing mail

    # START
    # All outgoing mail on the server only - what is sent out
    #Check forwarders so it doesn't get blocked
    #Forwarders still work =)

    ## FINANCIAL FAKE SENDERS
    ## Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    $header_from contains "@citibank.com" or
    $header_from contains "@bankofamerica.com" or
    $header_from contains "@wamu.com" or
    $header_from contains "@ebay.com" or
    $header_from contains "@chase.com" or
    $header_from contains "@paypal.com" or
    $header_from contains "@wellsfargo.com" or
    $header_from contains "@bankunited.com" or
    $header_from contains "@bankerstrust.com" or
    $header_from contains "@bankfirst.com" or
    $header_from contains "@capitalone.com" or
    $header_from contains "@citizensbank.com" or
    $header_from contains "@jpmorgan.com" or
    $header_from contains "@wachovia.com" or
    $header_from contains "@bankone.com" or
    $header_from contains "@suntrust.com" or
    $header_from contains "@amazon.com" or
    $header_from contains "@banksecurity.com" or
    $header_from contains "@visa.com" or
    $header_from contains "@mastercard.com" or
    $header_from contains "@mbna.com"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is fraud"
    seen finish
    endif
    ## OTHER FAKE SENDERS SPAM
    ## Enable this to prevent users using @domain from addresses
    ## Not recommended since users do use from addresses not on the server
    ## Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    $header_from contains "@hotmail.com" or
    $header_from contains "@yahoo.com" or
    $header_from contains "@aol.com"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is forged fake"
    seen finish
    endif

    ## KNOWN FAKE PHISHING
    ### Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    #Paypal
    $message_body: contains "Dear valued PayPal member" or
    $message_body: contains "Dear valued PayPal customer" or
    $message_body: contains "Dear Paypal" or
    $message_body: contains "The PayPal Team" or
    $message_body: contains "Dear Paypal Customer" or
    $message_body: contains "Paypal Account Review Department" or

    #Ebay
    $message_body: contains "Dear eBay member" or
    $message_body: contains "Dear eBay User" or
    $message_body: contains "The eBay team" or
    $message_body: contains "Dear eBay Community Member" or

    #Banks
    $message_body: contains "Dear Charter One Customer" or
    $message_body: contains "Dear wamu.com customer" or
    $message_body: contains "Dear valued Citizens Bank member" or
    $message_body: contains "Dear Visa" or
    $message_body: contains "Dear Citibank" or
    $message_body: contains "Citibank Email" or
    $message_body: contains "Dear customer of Chase Bank" or
    $message_body: contains "Dear Bank of America customer" or

    #ISPs
    $message_body: contains "Dear AOL Member" or
    $message_body: contains "Dear AOL Customer"

    )
    then
    logwrite "$tod_log $message_id from $sender_address is phishing"
    seen finish
    endif

    # END
    # All outgoing mail on the server only - what is sent out
    ++++++++++++++++++++++++++++++++++++++++++++++


    VPS Provider in Asia.
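As an added example (not code from the original post or from cPanel's antivirus.exim), the two rule families from the filter above are re-implemented in Python so their behaviour can be checked against constructed header values: the executable-attachment patterns transcribed from the Content-Type rules, and the authenticated-outgoing forged-From check. Assumed: Exim's default case-independent comparisons for `matches`/`contains`, and only a three-domain subset of the From-domain list.

```python
import re

# Extension alternation transcribed from the antivirus.exim rules in the post above.
EXEC_EXT = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
            r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# Exim filter comparisons are case-independent unless the keyword is written in
# upper case (assumption: the post uses lower-case "matches"), so both patterns
# get re.IGNORECASE.  The filter runs the quoted-filename rule first, then the
# unquoted one; neither pattern is anchored at the end of the filename.
QUOTED_FN = re.compile(r'(?:file)?name=("[^"]+\.(?:%s)")' % EXEC_EXT, re.IGNORECASE)
UNQUOTED_FN = re.compile(r'(?:file)?name=(\S+\.(?:%s))' % EXEC_EXT, re.IGNORECASE)

def executable_attachment(content_type):
    """Return what the filter would expose as $1 for a Content-Type header
    value, or None when neither rule fires."""
    for rule in (QUOTED_FN, UNQUOTED_FN):
        m = rule.search(content_type)
        if m:
            return m.group(1)
    return None

# Constructed subset of the post's "financial fake senders" list.
FAKE_FROM_DOMAINS = ("@citibank.com", "@ebay.com", "@paypal.com")

def outgoing_forged_from(received_protocol, header_from):
    """Mirror of the post's outgoing-mail rule: it only inspects submissions
    that are local or SMTP-authenticated ($received_protocol is "local" or
    "esmtpa"), so inbound mail from those domains is never touched.
    Note that "contains" is a substring test, so "@paypal.com.example"
    also matches."""
    if received_protocol not in ("local", "esmtpa"):
        return False
    h = header_from.lower()  # "contains" is case-independent in Exim filters
    return any(domain in h for domain in FAKE_FROM_DOMAINS)

if __name__ == "__main__":
    # Constructed header values, not taken from any real message.
    for ct in ('application/pdf; name="invoice.pdf"',
               'application/octet-stream; name="your_letter.pif"',
               'application/x-msdownload; filename=message.SCR',
               'text/plain; name="photo.exe.txt"'):
        print(repr(ct), "->", executable_attachment(ct))
    print(outgoing_forged_from("esmtpa", "Billing <billing@paypal.com>"))
    print(outgoing_forged_from("esmtp", "Billing <billing@paypal.com>"))
```

The fourth sample shows that the unquoted pattern also fires on a double extension such as `photo.exe.txt`, because `\S+\.(exe)` can match in the middle of the name.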

  2. #2
    chirpy (Super Moderator; this forum account has been confirmed by cPanel staff to represent a vendor; Join Date: Jun 2002; Location: Go on, have a guess; Posts: 13,495)

    Just make sure you're not using :blackhole: anywhere and switch them to :fail:
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member (Join Date: Mar 2004; Posts: 710)

    Also, if you are using one of the standard installations for clam, it is setup to check for all those attachments and filenames. No need to check for them twice.

    I also have this in mine:

    Code:
    # Email filter to block messages with "re [##]" subject
    
    if
    $header_subject: matches "\\N^((?i)re)(\\s|)+\\[([0-9])+\\](:|)\$\\N"
    then
    seen finish
    endif
    Last edited by lloyd_tennison; 07-05-2006 at 02:27 AM.
    Lloyd F Tennison

  4. #4
    Member (Join Date: Mar 2004; Posts: 710)

    Could the whole section on
    Code:
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    be changed to only allow domains in localdomains? Is that valid in a filter? If so, I think that would prevent having to keep adding to the filter of "bad" domains.
    Last edited by lloyd_tennison; 07-05-2006 at 02:53 AM.
    Lloyd F Tennison

  5. #5
    Member (Join Date: Jul 2002; Location: Canada; Posts: 675)

    That antivirus.exim looks familiar

    The filter above checks to make sure the user is authenticated. Why do you want to check localdomains?
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance
