The Community Forums

Interact with an entire community of cPanel & WHM users!

Add a Global mail Filter for WHM and accounts

Discussion in 'E-mail Discussions' started by VirtuaLira, Jul 24, 2006.

  1. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    Hi all,

    I am looking for a global filter to add to the mail server or SpamAssassin, to filter the server's email (including all accounts). How can I do this?

    Is it better to do this in the Exim config, or with SpamAssassin?

    Thanks
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Users can disable SpamAssassin via their accounts.

    You can use the global filter called /etc/antivirus.exim
     
  3. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    How can I add filters to that file? Do I need specific instructions?
     
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    http://www.webhostgear.com/338.html

    Be careful: if you screw up a rule here, it can delete all of the server's incoming/outgoing mail. Make sure you know what rules you're adding. :eek:
     
  5. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    OK,

    I found this config; I'll post it here for anyone with the same problem or issue.

    Based on the original:

    Code:
    ### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com
    ######################################################
    # START
    # Filters all incoming and outgoing mail
    # Notes: every string is expanded before it is tested, so keep a literal
    # "$" out of the patterns. Lower-case "contains"/"matches" compare
    # case-insensitively. "seen finish" discards the message outright: nothing
    # is stored and nobody is told, which is why the "fail" reply below is
    # left commented out.
    logfile /var/log/filter.log 0644
    ## Common Spam
    if
    # Header Spam
    	$header_subject: contains "Pharmaceutical" or
    	$header_subject: contains "Viagra" or
    	$header_subject: contains "Cialis" or
    	$header_subject: is "The Ultimate Online Pharmaceutical" or
    	$header_subject: contains "***SPAM***" or
    	$header_subject: contains "[SPAM]" or
    	$header_subject: contains "{Definitely Spam?}" or
    # Body Spam ($message_body is the first message_body_visible bytes only,
    # 500 by default, with newlines turned into spaces)
    	$message_body contains "Cialis" or
    	$message_body contains "Viagra" or
    	$message_body contains "Leavitra" or
    	$message_body contains "St0ck" or
    	$message_body contains "Viaagrra" or
    	$message_body contains "Cia1iis" or
    	$message_body contains "URGENT BUSINESS PROPOSAL" or
    	$message_body matches "angka[^s]+(net|com|org|biz|info|us|name)" or
    	$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen( |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
    	$message_body contains "URGENT BUSINESS PROPOSAL" or
    	$message_body contains "click here if you"
    then
    # Log Message - SENDS RESPONSE BACK TO SENDER
    # SUGGESTED TO LEAVE OFF to prevent fail loops
    # and more work for the mail system
    # fail text "Message has been rejected because it has
    #           triggered our central filter."
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"
    seen finish
    endif
    # END
    # Filters all incoming and outgoing mail
    # START
    # All outgoing mail on the server only - what is sent out
    # $received_protocol is "local" for mail injected on the box itself
    # (scripts, cron, sendmail interface), "esmtpa" for SMTP that passed
    # SMTP AUTH and "esmtpsa" for the same over TLS. Plain inbound SMTP
    # is not matched, so forwarders still work =)
    ## FINANCIAL FAKE SENDERS
    ## Log all outgoing mail from server that matches rules
    if      (
             $received_protocol is "local" or
             $received_protocol is "esmtpa" or
             $received_protocol is "esmtpsa"
    	) and (
             $header_from: contains "@citibank.com" or
             $header_from: contains "@bankofamerica.com" or
             $header_from: contains "@wamu.com" or
             $header_from: contains "@ebay.com" or
             $header_from: contains "@chase.com" or
             $header_from: contains "@paypal.com" or
             $header_from: contains "@wellsfargo.com" or
             $header_from: contains "@bankunited.com" or
             $header_from: contains "@bankerstrust.com" or
             $header_from: contains "@bankfirst.com" or
             $header_from: contains "@capitalone.com" or
             $header_from: contains "@citizensbank.com" or
             $header_from: contains "@jpmorgan.com" or
             $header_from: contains "@wachovia.com" or
             $header_from: contains "@bankone.com" or
             $header_from: contains "@suntrust.com" or
             $header_from: contains "@amazon.com" or
             $header_from: contains "@banksecurity.com" or
             $header_from: contains "@visa.com" or
             $header_from: contains "@mastercard.com" or
             $header_from: contains "@mbna.com"
    )  then
         logwrite "$tod_log $message_id from $sender_address is fraud"
         seen finish
      endif
    ## OTHER FAKE SENDERS SPAM
    ## Enable this to prevent users using @domain from addresses
    ## Not recommended since users do use from addresses not on the server
    ## Log all outgoing mail from server that matches rules
    if      (
             $received_protocol is "local" or
             $received_protocol is "esmtpa" or
             $received_protocol is "esmtpsa"
            ) and (
             $header_from: contains "@hotmail.com" or
             $header_from: contains "@yahoo.com" or
             $header_from: contains "@aol.com"
    )  then
         logwrite "$tod_log $message_id from $sender_address is forged fake"
         seen finish
      endif
    ## KNOWN FAKE PHISHING
    ### Log all outgoing mail from server that matches rules
    if      (
             $received_protocol is "local" or
             $received_protocol is "esmtpa" or
             $received_protocol is "esmtpsa"
            ) and (
    #Paypal
            $message_body contains "Dear valued PayPal member" or
            $message_body contains "Dear valued PayPal customer" or
            $message_body contains "Dear Paypal" or
            $message_body contains "The PayPal Team" or
            $message_body contains "Dear Paypal Customer" or
            $message_body contains "Paypal Account Review Department" or
    #Ebay
            $message_body contains "Dear eBay member" or
            $message_body contains "Dear eBay User" or
            $message_body contains "The eBay team" or
            $message_body contains "Dear eBay Community Member" or
    #Banks
            $message_body contains "Dear Charter One Customer" or
            $message_body contains "Dear wamu.com customer" or
            $message_body contains "Dear valued Citizens Bank member" or
            $message_body contains "Dear Visa" or
            $message_body contains "Dear Citibank" or
            $message_body contains "Citibank Email" or
            $message_body contains "Dear customer of Chase Bank" or
            $message_body contains "Dear Bank of America customer" or
    #ISPs
            $message_body contains "Dear AOL Member" or
            $message_body contains "Dear AOL Customer"
    )  then
    	logwrite "$tod_log $message_id from $sender_address is phishing"
         	seen finish
      endif
    # END
    # All outgoing mail on the server only - what is sent out
    
    
    credits to:
    CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com
     
    #5 VirtuaLira, Jul 24, 2006
    Last edited: Jul 24, 2006
  6. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Nice!

    Thanks Steve !
     
  7. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    Can this just be replaced?

    Hi,
    Do you mean that anybody can save this as "antivirus.exim" and use it directly?


    see ya,
    mohit
     
  8. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    Yup.

    And now, does anyone know how to exempt certain domains from the antivirus.exim file?
     
  9. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    Where do the rejected emails go?
    Is it possible to check the emails processed by the filters?

    Some important emails are being rejected by the spam words...

    Thanks
     
  10. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    They get deleted immediately and are not stored. /dev/nulled

    You can, of course, log the entire message as well:

    EG:

    Code:
    if (
    # your condition(s) go here, for example:
        $header_subject: contains "Viagra"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is malicious"
    logwrite "$header_subject with $message_body"
    seen finish
    endif


    >> logwrite "$header_subject with $message_body" this part logs the message subject and body of the message to your logfile.
     
  11. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Disabling the global filter for certain domains

    You can probably disable global filtering for certain domains, e.g. whitelist them from antivirus.exim, by doing the following.

    Note: This is just after some quick research and hasn't been tried.

    Try a nested if/else within the filters.

    # Exim filter
    # Outer test: if one of the whitelisted domains appears anywhere in the
    # headers, do nothing; otherwise run the keyword rules.
    if
    $message_headers contains "@userdomain1.com" or
    $message_headers contains "@userdomain2.com" or
    $message_headers contains "@userdomain3.com"
    then
    # Ignore filters, do nothing
    else
    logfile /var/log/filter.log 0644
    ## Common Spam
    if
    # Header Spam
    $header_subject: contains "Pharmaceutical" or
    $header_subject: contains "Viagra" or
    $header_subject: contains "Cialis" or
    $header_subject: is "The Ultimate Online Pharmaceutical" or
    $header_subject: contains "***SPAM***" or
    $header_subject: contains "[SPAM]" or
    $header_subject: contains "{Definitely Spam?}" or
    # Body Spam
    $message_body contains "Cialis" or
    $message_body contains "Viagra" or
    $message_body contains "Leavitra" or
    $message_body contains "St0ck" or
    $message_body contains "Viaagrra" or
    $message_body contains "Cia1iis" or
    $message_body contains "URGENT BUSINESS PROPOSAL" or
    $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)" or
    $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen( |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
    $message_body contains "URGENT BUSINESS PROPOSAL" or
    $message_body contains "click here if you"
    then
    # Log Message - SENDS RESPONSE BACK TO SENDER
    # SUGGESTED TO LEAVE OFF to prevent fail loops
    # and more work for the mail system
    # fail text "Message has been rejected because it has
    # triggered our central filter."
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"
    seen finish
    endif
    endif
     
  12. MPCN_Russ1

    MPCN_Russ1 Member

    Joined:
    Jun 26, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Hey all,

    Anyone know how to show the IP address of the sending party, rather than posting the full header? Logging anything like the body will kind of bog down your machine. But this will prevent any filtered email from being unviewable. One problem I encounter is that the email addresses I'm filtering are abuse addresses, for example, and we can't exactly misplace an email.

    I'm thinking of writing up an app in PHP to pipe the filtered mail into, but I'm not sure if that is really necessary. The whole point of filtering in the first place is so you DON'T have to view or handle the SPAM. But in my case, it's just to keep it from our ticket system so we can better assist the legitimate complaints.

    Thanks,
    Russ
     
  13. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    How can I bypass the common SPAM section for the local domains? Is there a way to read the localdomains file and check all the domains in the bypass part?

    I don't know if the filters or spam words are OK; it's always the same thing, some emails without those "words" are detected as spam.

    If anyone knows please, help.

    Thanks
     
  14. MPCN_Russ1

    MPCN_Russ1 Member

    Joined:
    Jun 26, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    One thing I noticed on one of our machines is that some emails that are blocked aren't necessarily blocked by this filtering mod. They were blocked by other applications such as SpamAssassin. One example was a few mailing lists which had sent a weekly notice and got tossed into the spam log file. I'm just filtering out about 12 email addresses now rather than every address at 2 of our domains. I'm actually having quite good success with it. Only 1 false positive when I blocked "software", and that was because of a mailing list. The other emails that were blocked had nothing to do with my filters.

    As for automatically bypassing localdomains, I'm not too sure how to get that done. Perhaps parse the file from a script on cron to update the antivirus.exim file occasionally? Anyone else have a bit more knowledge for a better idea? I just started with this filtering myself... So hopefully someone else has more experience with it.

    Hope this might help.

    Thanks,
    Russ

    PS :: I thought I'd include my current filter set for you all :) Have fun with it... But please note, this filter set is based on spam WE received and don't want to view.
    Code:
    if
    ### Check message sender
        $header_from: contains ".ne.jp" or
        $header_from: contains "@0451.com" or
        $header_from: contains "@0733.com" or
        $header_from: contains "@pistonheads.biz" or
        $header_from: contains "@esp2office.biz" or
        $header_from: contains "@pellicano.biz" or
        $header_from: contains "@perlite.biz" or
        $header_from: contains "@pradella.biz" or
        $header_from: contains "@j-j.jp" or
        $header_from: contains "@mymadonna.jp" or
        $header_from: contains "@quasarman.biz" or
        $header_from: contains "@prostateforum.biz" or
        $header_from: contains "@0-0.com" or
        $header_from: contains "@garageservice.biz" or
        $header_from: contains "@garageservices.biz" or
        $header_from: contains "@53.com" or
        $header_from: contains "@scandinavian-seed.biz" or
        $header_from: contains "@paramed.biz" or
        $header_from: contains "tknowles@" or
        $header_from: contains "@scandinavianseed.biz" or
        $header_from: contains "@first2office.biz" or
        $header_from: contains "@hehe.com" or
        $header_from: contains "@yahoo.co.jp" or
        $header_from: contains "@yahoo.co.kr" or
        $header_from: contains "@yahoo.it" or
        $header_from: contains "@yahoo.ca" or
        $header_from: contains "@yahoo.fr" or
        $header_from: contains "@yahoo.es" or
        $header_from: contains "@citiz.net" or
        $header_from: contains "@tpnet.pl" or
    ### Check message subject
        $header_subject: contains "ephedra" or
        $header_subject: contains "microcap" or
        $header_subject: contains "slimmer" or
        $header_subject: contains "swiss" or
        $header_subject: contains "promotion" or
        $header_subject: contains "degree" or
        $header_subject: contains "diploma" or
        $header_subject: contains "mortgage" or
        $header_subject: contains "t-shirts" or
        $header_subject: contains "refinance" or
        $header_subject: contains "watches" or
        $header_subject: contains "medicine" or
        $header_subject: contains "0em" or
        $header_subject: contains "oem" or
        $header_subject: contains "herb" or
        $header_subject: contains "4ve" or
        $header_subject: contains "s0ftw4re" or
        $header_subject: contains "0ff" or
        $header_subject: contains "darling" or
        $header_subject: contains "overdose" or
        $header_subject: contains "girl" or
        $header_subject: contains "soft" or
        $header_subject: contains "%o!<" or
        $header_subject: matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i|1)(l|-l|1)(l|-l|1)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)d|r(e|ej|je)plica|cr(e|je|ej)dit" or
        $header_subject: is "Our store is your cureall!" or
        $header_subject: is "urgent asisstance" or
        $header_subject: is "Wall Street News" or
        $header_subject: is "We cure any desease!" or
        $header_subject: is "Full of health? Then don't click!" or
        $header_subject: is "All products for your health!" or
    ### Check message body
        $message_body contains "girl" or
        $message_body matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i)(l|-l)(l|-l)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)ds|r(e|ej|je)plica|cr(e|je|ej)dit" or
        $message_body contains "This Is Going To Explode"
    then
        logwrite "$tod_log $message_id from $sender_address matched the custom block list"
        seen finish
    endif
     
  15. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    Good work Russ, but it is very restrictive :P

    You must remember that some words with the "contains" filter can delete solicited email, like the problem with "Cialis": this filter deletes headers with "specialist" or "especialista" (Spanish), and a lot of other combinations.

    And yes, there is a way to read the localdomains file, but I'm not a master of scripting; in some sections I see people reading files and taking data from a line with a command. I hope someone can help with this.

    For the filters and other programs filtering, my answer is no: antivirus.exim is filtering some emails and I can't get the word or phrase that was filtered. I added:

    Code:
    logwrite "$header_subject with $message_body"
    and the logfile says spam-word filter, and the subject & content of the email, but I don't know which word or thing these messages are filtered for.

    :(
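    A worked version of the open points in this thread (the local-domain bypass from posts #8 and #13, where discarded mail goes from posts #9 and #10, the sender IP from post #12, and "Cialis" matching "specialist" from post #15), added here as an example. It is not from any post above or from the webhostgear.com file. It assumes cPanel's /etc/localdomains layout (one domain per line) and uses quarantine@example.com as a stand-in for a mailbox you control on this server; rename that before use.

```exim
# Exim filter
# Added example for this thread; not from the original posts or from the
# webhostgear.com file. Assumes cPanel's /etc/localdomains (one domain per
# line) and a mailbox quarantine@example.com that you control (rename it).

logfile /var/log/filter.log 0644

# 1. Local-domain bypass.
#    Look the envelope sender's domain up in /etc/localdomains. lsearch is an
#    exact key match at the start of a line, the same way cPanel's exim.conf
#    reads that file. Testing $message_headers instead would let anyone who
#    mentions one of your domains in any header skip the filter.
if "${lookup{$sender_address_domain}lsearch{/etc/localdomains}{yes}{no}}" is "yes"
then
    logwrite "$tod_log $message_id from $sender_address: local sender, keyword rules skipped"
    finish
endif

# 2. Keyword rule with word boundaries.
#    \N...\N keeps string expansion from eating the backslashes. With \b on
#    both sides, "cialis" no longer fires on "specialist" or "especialista".
#    Caveat: $message_body is only the first message_body_visible bytes
#    (500 by default) with newlines turned into spaces, and it is not MIME
#    decoded, so a base64 or quoted-printable body sails past this test.
if $header_subject: matches \N\b(cialis|viagra|levitra)\b\N or
   $message_body matches \N\b(cialis|viagra|levitra)\b\N or
   $message_body contains "URGENT BUSINESS PROPOSAL"
then
    # 3. Record who handed us the message: the connecting IP (empty for
    #    local submission), the protocol, and the SMTP AUTH user if any. A
    #    compromised script or account shows up here without logging bodies.
    logwrite "$tod_log $message_id from $sender_address host=[$sender_host_address] proto=$received_protocol auth=$authenticated_id: spam keyword"
    # 4. Quarantine instead of /dev/null. "seen" drops the original
    #    recipients; "deliver" adds the quarantine mailbox, so a false
    #    positive can be reviewed and forwarded by hand instead of vanishing.
    seen deliver quarantine@example.com
    finish
endif

# 5. Outgoing gate. "esmtpa" is SMTP with AUTH; a client that also used TLS
#    shows up as "esmtpsa", which the original rules do not match. "local" is
#    mail injected on the box itself (scripts, cron).
if (
     $received_protocol is "local" or
     $received_protocol is "esmtpa" or
     $received_protocol is "esmtpsa"
   ) and (
     $header_from: contains "@paypal.com" or
     $header_from: contains "@ebay.com"
   )
then
    logwrite "$tod_log $message_id from $sender_address host=[$sender_host_address] auth=$authenticated_id: forged financial From"
    seen deliver quarantine@example.com
    finish
endif
```

    Test it against a saved message before installing it: exim -bF /path/to/test.exim -f spammer@example.net < sample.eml runs the file as a system filter and prints what it would do (log lines, the deliver, or nothing) without touching real mail. Repeat with -f set to one of your own domains to confirm the bypass fires, and with a message whose subject contains "specialist" to confirm the word-boundary rule stays quiet.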
     
  16. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    Why does this filter occur twice?

    Hi,
    I may be wrong, but I want to know why this filter is used twice.

    Code:
    	$message_body: contains "URGENT BUSINESS PROPOSAL" or
    	$message_body matches "angka[^s]+[net|com|org|biz|info|us|name]+?" or
    	$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
    	$message_body: contains "URGENT BUSINESS PROPOSAL" or
    	$message_body: contains "click here if you"

    I added the most common spam keywords and phrases to my filter but am a bit worried it may have some adverse effect; I haven't had complaints from hosted users yet, and some are happy with the new filters.

    thanks to "ramprage" for his expert comments. :cool:

    thanx,
    mohit
     
  17. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    It's a copy-paste error.

    sorry :P
     
  18. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    Another line has problems

    Hi,

    Code:
    $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
    also filters some mails which have nothing to do with spam; some of them were "full backup completed" notifications.

    I tried the above code and mails were filtered; I reviewed every line, and removing this one saved my important mails from getting discarded.

    see ya,
    mohit
     
  19. djblamire

    djblamire Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    250
    Likes Received:
    0
    Trophy Points:
    16
    Is it possible to get the 'antivirus.exim' file working when MailScanner is installed?

    I already had some rules in the file when using SpamAssassin, but since moving to MailScanner, the rules seem to be ignored....

    Any ideas?

    Thanks in advance,
    Daniel
     
  20. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    That's strange; maybe there's a broken line without an "or" or something...
     