
Thread: Stock Spam Filtering With Antivirus.exim

  1. #1
    Member Un Area's Avatar
    Join Date
    Nov 2006
    Posts
    66

    Stock Spam Filtering With Antivirus.exim

    I want to share with you this simple rule that allows you to get rid of stock spam messages (text mode)

    1 - Go to /var/log folder
    2 - Create a file running: touch blfilter.log
    3 - Open /etc/antivirus.exim
    4 - Insert the following rule to your antivirus.exim file (there are already some stock spam words used frequently)

    logfile /var/log/blfilter.log 0644
    if (
    $message_body: contains "PHYA" or
    $message_body: contains "GTEM" or
    $message_body: contains "Cialis" or
    $message_body: contains "UTVG" or
    $message_body: contains "RRLB" or
    $message_body: contains "VTSS" or
    $message_body: contains "LYJN" or
    $message_body: contains "EPRT" or
    $message_body: contains "SFWJ" or
    $message_body: contains "FCCN" or
    $message_body: contains "HWYI" or
    $message_body: contains "probityvc" or
    $message_body: contains "HXPN" or
    $message_body: contains "WHKA.PK" or
    $message_body: contains "VMSI" or
    $message_body: contains "HER-2" or
    $message_body: contains "BLNM" or
    $message_body: contains "VIxAGxRA" or
    $message_body: contains "CIxALxIS" or
    $message_body: contains "VAxLIxUM" or
    $message_body: contains "AMxBIxEN" or
    $message_body: contains "SOxMA" or
    $message_body: contains "PCAI.PK" or
    $message_body: contains "AUNI-OTC-BB" or
    $message_body: contains "V1AG_GRA" or
    $message_body: contains "Vi_aagra" or
    $message_body: contains "AUNI" or
    $message_body: contains "Via_zgra" or
    $message_body: contains "Viazzgra" or
    $message_body: contains "NMXC" or
    $message_body: contains "WEXE" or
    $message_body: contains "LOMJ" or
    $message_body: contains "Good day," or
    $message_body: contains "MHII" or
    $message_body: contains "UTEV" or
    $message_body: contains "ledrx" or
    $message_body: contains "Victory Energy Corp." or
    $message_body: contains "GDKI" or
    $message_body: contains "CBRJ"
    ) then
    logwrite "$tod_log $header_from $header_subject is using a blacklisted word"
    seen finish
    endif


    5 - Check your /var/log/blfilter.log file to see the results.

    Tip: the last blacklisted word, in this case $message_body: contains "CBRJ", must not have "or" at the end. Always leave the last one without or.

    Thanks!
    Un Area Webhosting® : Your space on the net
    http://www.unarea.com
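To see what the rule above actually does to a message, here is a small Python emulation of it. This is an added example by the editor, not part of Un Area's post. It reproduces two properties of Exim's $message_body that the filter silently depends on: only the first message_body_visible bytes of the body are examined (500 is the default) and newlines are turned into spaces. It assumes that the lower-case `contains` keyword compares case-insensitively, which is my reading of the Exim filter specification (the upper-case form being the case-sensitive one); flip `ignore_case` if your Exim differs. The sample bodies are constructed, and the log line produced here also names the term that fired, which the posted logwrite does not.

```python
# Terms taken from the rule in the post above; a handful is enough to show the behaviour.
BLACKLIST = ["PHYA", "GTEM", "Cialis", "VIxAGxRA", "Good day,", "AUNI", "GDKI", "CBRJ"]

# Exim exposes only the first message_body_visible bytes of the body in
# $message_body (500 is the default) and replaces newlines with spaces.
MESSAGE_BODY_VISIBLE = 500


def exim_message_body(raw_body: str, visible: int = MESSAGE_BODY_VISIBLE) -> str:
    """Approximate the value the filter sees in $message_body."""
    return raw_body[:visible].replace("\r\n", " ").replace("\n", " ")


def blacklisted_term(raw_body: str, terms=BLACKLIST, ignore_case: bool = True):
    """First term the visible body contains, or None.

    ignore_case=True mirrors the lower-case 'contains' keyword as I read the
    Exim filter spec (assumption; upper-case CONTAINS is the case-sensitive one).
    """
    body = exim_message_body(raw_body)
    if ignore_case:
        body = body.lower()
    for term in terms:
        needle = term.lower() if ignore_case else term
        if needle in body:
            return term
    return None


def filter_verdict(sender: str, subject: str, raw_body: str):
    """(discard, log_line) as the posted rule would decide: a hit is logged to
    /var/log/blfilter.log and 'seen finish' drops the message. Unlike the posted
    logwrite, the line here also names the term that fired."""
    term = blacklisted_term(raw_body)
    if term is None:
        return False, None
    return True, f"{sender} {subject!r} is using a blacklisted word: {term!r}"


# Constructed sample bodies (not captured spam).
STOCK_SPAM = "BIG NEWS ON GDKI!\nThis one is going to explode, buy GDKI now.\n"
LEGIT_GREETING = "Good day,\n\nPlease find last month's invoice attached.\n"
# 12 x 46 bytes of harmless text pushes the keyword past the 500-byte window.
PADDED_SPAM = ("Weather was mild across the region this week. " * 12) + "Buy Cialis now.\n"

if __name__ == "__main__":
    samples = [("STOCK_SPAM", STOCK_SPAM), ("LEGIT_GREETING", LEGIT_GREETING),
               ("PADDED_SPAM", PADDED_SPAM)]
    for name, body in samples:
        discard, line = filter_verdict("sender@example.invalid", "hello", body)
        print(f"{name}: discard={discard} log={line}")
```

Two things are worth noticing when you run it: the greeting "Good day," in the list drops an ordinary business message, and a keyword that sits past the visible window is never seen, so a sender who pads the top of the body with innocuous text slips past a pure $message_body rule.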

  2. #2
    cPanel Partner NOC cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223


    Quote Originally Posted by Un Area View Post
    I want to share with you this simple rule that allows you to get rid of stock spam messages (text mode)

    logfile /var/log/blfilter.log 0644
    if (
    $message_body: contains "PHYA" or
    These are great entries and will definitely help. In addition, your SpamAssassin and supporting applications, including Pyzor, Razor, DCC, the SA conf file and rules, should be configured and activated to get even better results.
    Andy Reed
    CCNA, RHCE, and Ubuntu Technologist
    ServerTune.com

  3. #3
    Member
    Join Date
    Sep 2004
    Posts
    528


    logwrite "$tod_log $header_from $header_subject is usign a blacklisted word"

    is there a way to print in the logfile the word that was filtered?

    Thanks

  4. #4
    Member
    Join Date
    Oct 2006
    Posts
    312


    What about those with graphical attachments?
    RTG (Asia) Network
    Unmetered ®cPanel VPS from $28.00
    Shared & Reseller Accounts from $2.00
    Unmetered Dedicated Servers from $58.00
    Your account will be setup AUTOMAGICALLY upon payment.

  5. #5
    Member
    Join Date
    Sep 2004
    Posts
    528


    Those are hard to fight, because they insert a GIF file and below it some news text, so the antispam software can't delete it.
    Until a good and stable OCR antispam patch is added to SpamAssassin or another antispam program, there is a crude way to stop them by blocking .gif attachments on the server.
    You can refuse them with a message telling the sender that GIF attachments are not allowed on this server and they have to send them zipped or rared.
    Of course, let your customers know before you get lots of complaints.

    Thanks.

  6. #6
    Member
    Join Date
    Feb 2005
    Location
    Georgetown, TX
    Posts
    104


    I'm loving this idea. Up until now, I just had my own custom SA rule that weeded out the latest stock symbols.

    Two things, though:

    1) I had hoped that this antivirus filter would happen *before* SpamAssassin had a chance to review it. If it worked that way, server load would theoretically decrease since the message wouldn't have to be processed by SpamAssassin. I just implemented this, though, & checked with a simple message containing "GDKI" & noted that the log file showed the subject of my message to already contain the SA "spam" tag, indicating that SA processed it before the antivirus filter did. Any way to get antivirus filter to check & discard *before* SA has to process it?

    2) I found an awesome site today that details ALL the stock symbols targeted by spam & tracks their prevalence: http://www.qwoter.com/spam.php What we need is a script that can capture the symbols from Qwoter's excellent database & auto-add them to a custom antivirus.exim filter! Is this a new idea, or has someone already done something similar?

    THANKS!!!
    Matt

  7. #7
    Member
    Join Date
    Nov 2004
    Location
    Earth
    Posts
    151


    I manage several Ironmail servers and we have had some success filtering stock image spam with this header analysis rule.

    Substring Header Scan for
    6c822ecf

    I have blocked 10637 stock spam emails in the last few days with that.

    Quote Originally Posted by brendanrtg View Post
    What about those with graphical attachments?

  8. #8
    Member mickalo's Avatar
    Join Date
    Apr 2002
    Location
    N.W. Iowa
    Posts
    755


    Quote Originally Posted by bornonline View Post
    I manage several Ironmail servers and we have had some success filtering stock image spam with this header analysis rule.

    Substring Header Scan for
    6c822ecf

    I have blocked 10637 stock spam emails in the last few days with that.
    How did you set up this type of substring in your filter file?

    Mickalo

    Thunder Rain Internet Publishing

    Providing Internet Solutions that work!
    Custom Perl and Database Programming

  9. #9
    Member
    Join Date
    Oct 2006
    Posts
    312


    Quote Originally Posted by bsasninja View Post
    Those are hard to fight, because they insert a GIF file and below it some news text, so the antispam software can't delete it.
    Until a good and stable OCR antispam patch is added to SpamAssassin or another antispam program, there is a crude way to stop them by blocking .gif attachments on the server.
    You can refuse them with a message telling the sender that GIF attachments are not allowed on this server and they have to send them zipped or rared.
    Of course, let your customers know before you get lots of complaints.

    Thanks.
    This is probably old news to many users here but we have been googling for solutions to disable attachments completely or to a select mime type but to no avail.

    Care to shed some light, please?
    RTG (Asia) Network
    Unmetered ®cPanel VPS from $28.00
    Shared & Reseller Accounts from $2.00
    Unmetered Dedicated Servers from $58.00
    Your account will be setup AUTOMAGICALLY upon payment.
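Added example (the editor's code, not from any post in this thread) of what a per-MIME-part check looks like, for the GIF-blocking approach bsasninja describes and the header substring scan bornonline mentions. It is written as Python over a raw message so it can be run by hand; wiring it into Exim (a MIME ACL or an external scanner) is not shown here. The point it makes is that matching on the part's content type catches the inline GIF that image spam references by cid: from its HTML, whereas a check on Content-Disposition: attachment alone would miss it. The messages are constructed, and the header token "cafef00d" is a placeholder, since the thread does not say which header carries bornonline's 6c822ecf string.

```python
from email import message_from_string


def part_disposition(part) -> str:
    """'attachment' or 'inline'; a part with no Content-Disposition is inline."""
    raw = part.get("Content-Disposition") or "inline"
    return raw.split(";", 1)[0].strip().lower()


def gif_parts(raw_message: str):
    """Every image/gif part, as (name, disposition). Matching on the MIME
    content type rather than on Content-Disposition is what catches image
    spam, whose GIF is usually inline and referenced by cid: from the HTML."""
    msg = message_from_string(raw_message)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "image/gif":
            name = part.get_filename() or part.get("Content-ID") or "(unnamed)"
            found.append((name, part_disposition(part)))
    return found


def headers_contain(raw_message: str, needle: str) -> bool:
    """Substring scan over the headers of the message and of every MIME part
    (bodies excluded), the kind of check bornonline describes."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        for name, value in part.items():
            if needle in f"{name}: {value}":
                return True
    return False


def mime_verdict(raw_message: str, header_needle=None):
    """(accept, reason). The rejection text follows bsasninja's suggestion so
    a legitimate sender knows what to do instead."""
    gifs = gif_parts(raw_message)
    if gifs:
        names = ", ".join(n for n, _ in gifs)
        return False, ("GIF attachments are not allowed on this server; "
                       f"please send them zipped ({names})")
    if header_needle and headers_contain(raw_message, header_needle):
        return False, f"header contains blocked string {header_needle!r}"
    return True, "ok"


# Constructed messages (not captured mail). "cafef00d" is a placeholder token;
# the thread does not say which header carries the real string.
IMAGE_SPAM = """\
From: "Stock Watch" <news@example.invalid>
To: victim@example.invalid
Subject: Hot pick
X-Mailer: cafef00d
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:pic"><p>Shares rose on news of expansion.</p></body></html>
--B1
Content-Type: image/gif
Content-ID: <pic>
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==
--B1--
"""

LEGIT_ATTACHMENT = """\
From: designer@example.invalid
To: client@example.invalid
Subject: Logo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

New logo attached.
--B2
Content-Type: image/gif; name="logo.gif"
Content-Disposition: attachment; filename="logo.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==
--B2--
"""

PLAIN = "From: a@example.invalid\nTo: b@example.invalid\nSubject: hi\n\nJust text.\n"

if __name__ == "__main__":
    for label, raw in [("image spam", IMAGE_SPAM), ("legit gif", LEGIT_ATTACHMENT), ("plain", PLAIN)]:
        print(label, gif_parts(raw), mime_verdict(raw, "cafef00d"))
```

As the legitimate logo message shows, blocking by content type is indiscriminate: it refuses the customer's GIF attachment just as it refuses the spam, which is exactly why the sender-facing rejection text matters.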

  10. #10
    Member
    Join Date
    Sep 2004
    Posts
    528

    question

    In the rule posted at the top, do you know which is the variable that prints the contained blacklisted word in the log file?

    I tried $message_body but it prints the message source at the log and I only want to print the word that was detected.

    Thanks again
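For Matt's idea in post #6 of generating the filter from a maintained symbol list, and for bsasninja's question in posts #3 and #10 about logging the word that matched, here is an added Python generator (the editor's example, not code from this thread). Instead of a chain of `contains ... or` lines it emits one `matches` condition with all the terms in a capturing alternation, so Exim's $1 holds the text that fired and there is no trailing `or` to get wrong. Assumptions: Exim sets $1 from the capturing group when a `matches` condition succeeds, and the list is a local text file you maintain (nothing is fetched from Qwoter here). Terms are escaped without backslashes, by wrapping each non-alphanumeric character in a one-character class, so the pattern survives Exim's quoted-string reader and expansion unchanged; terms containing characters outside a small safe set are rejected rather than guessed at.

```python
import re

# Characters a term may contain; anything else (notably $ and \) would need
# Exim-specific escaping, so the generator refuses it instead of guessing.
SAFE_TERM = re.compile(r"^[A-Za-z0-9 ,._-]+$")


def load_terms(text: str):
    """One term per line; blank lines and '#' comments are ignored."""
    terms = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            terms.append(line)
    return terms


def regex_literal(term: str) -> str:
    """Escape a term for a PCRE alternation using only [c] classes, so no
    backslash has to survive Exim's quoted-string reader or expansion."""
    if not SAFE_TERM.match(term):
        raise ValueError(f"refusing term with unsafe characters: {term!r}")
    return "".join(c if c.isalnum() else f"[{c}]" for c in term)


def alternation(terms) -> str:
    """Longest terms first so 'WHKA.PK' wins over a bare 'WHKA' in $1."""
    uniq = sorted(set(terms), key=lambda t: (-len(t), t))
    return "|".join(regex_literal(t) for t in uniq)


def render_filter(terms, logfile="/var/log/blfilter.log") -> str:
    """Exim system-filter fragment in the style of the rule at the top of the
    thread, with one 'matches' condition. Assumption: Exim sets $1 from the
    capturing group when the condition succeeds."""
    if not terms:
        raise ValueError("empty term list")
    return "\n".join([
        f"logfile {logfile} 0644",
        f'if $message_body matches "({alternation(terms)})" then',
        '  logwrite "$tod_log $header_from $header_subject is using'
        ' a blacklisted word: $1"',
        "  seen finish",
        "endif",
        "",
    ])


def preview_match(terms, body: str):
    """What $1 would hold for a body, checked with Python's re (equivalent to
    PCRE for this simple pattern); case-insensitive, as assumed for the
    lower-case 'matches' keyword. $1 is the text as it appears in the body."""
    m = re.search(f"({alternation(terms)})", body, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed example list; in practice this is the file you maintain.
SAMPLE_LIST = """\
# stock symbols and drug names seen in recent runs
GDKI
WHKA.PK
WHKA
Cialis
"""

if __name__ == "__main__":
    terms = load_terms(SAMPLE_LIST)
    print(render_filter(terms))
    print("would log $1 =", preview_match(terms, "Buy WHKA.PK today!"))
```

Regenerate the fragment whenever the list changes and paste it over the old block in /etc/antivirus.exim; the one-character classes look odd but keep the file free of escaping mistakes.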
