Add a Global mail Filter for WHM and accounts

VirtuaLira (Well-Known Member, Feb 1, 2004, Chile)
Hi all,

I am looking for a global filter to add to the mail server or SpamAssassin, to filter the server's email (including all accounts). How can I do this?

Is it better to do this in the Exim config, or with SpamAssassin?

Thanks
 

VirtuaLira (Well-Known Member, Feb 1, 2004, Chile)
OK,

I found this config; I will post it here for anyone with the same problem or issue.

Based on the original:

Code:
### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett [email protected]
######################################################
# This is an Exim *system* filter (cPanel loads it from /etc/antivirus.exim),
# so it runs once per message before any delivery. "seen finish" ends the
# filter and discards the message: nothing is bounced and nothing is stored.
# Lower-case is/contains/matches compare case-insensitively, so "Cialis"
# also matches "specialist". $message_body only holds the first
# message_body_visible bytes of the body (500 by default). The trailing
# colon belongs to header variables only ($header_subject:), not to
# $message_body.
# START
# Filters all incoming and outgoing mail
logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
    $header_subject: contains "Pharmaceutical" or
    $header_subject: contains "Viagra" or
    $header_subject: contains "Cialis" or
    $header_subject: is "The Ultimate Online Pharmaceutical" or
    $header_subject: contains "***SPAM***" or
    $header_subject: contains "[SPAM]" or
    $header_subject: contains "{Definitely Spam?}" or
# Body Spam
    $message_body contains "Cialis" or
    $message_body contains "Viagra" or
    $message_body contains "Leavitra" or
    $message_body contains "St0ck" or
    $message_body contains "Viaagrra" or
    $message_body contains "Cia1iis" or
    $message_body contains "URGENT BUSINESS PROPOSAL" or
# Alternation needs (...); the original [net|com|...] was a character class
    $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)" or
# Very broad: "asu" also matches inside words such as "casual" or "measure"
    $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
# Duplicate of the URGENT BUSINESS PROPOSAL line above; harmless but redundant
    $message_body contains "URGENT BUSINESS PROPOSAL" or
    $message_body contains "click here if you"
then
# fail - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
# fail text "Message has been rejected because it has
#           triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
seen finish
endif
# END
# Filters all incoming and outgoing mail
# START
# All outgoing mail on the server only - what is sent out
# Checks $received_protocol so forwarders are not blocked: "local" is mail
# submitted on the box (sendmail/PHP), "esmtpa" is authenticated SMTP and
# "esmtpsa" is authenticated SMTP over TLS (missing from the original list).
# Forwarders still work =)
# The logfile set above stays in force for the rest of the filter.
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
if      (
         $received_protocol is "local" or
         $received_protocol is "esmtpa" or
         $received_protocol is "esmtpsa"
        ) and (
         $header_from: contains "@citibank.com" or
         $header_from: contains "@bankofamerica.com" or
         $header_from: contains "@wamu.com" or
         $header_from: contains "@ebay.com" or
         $header_from: contains "@chase.com" or
         $header_from: contains "@paypal.com" or
         $header_from: contains "@wellsfargo.com" or
         $header_from: contains "@bankunited.com" or
         $header_from: contains "@bankerstrust.com" or
         $header_from: contains "@bankfirst.com" or
         $header_from: contains "@capitalone.com" or
         $header_from: contains "@citizensbank.com" or
         $header_from: contains "@jpmorgan.com" or
         $header_from: contains "@wachovia.com" or
         $header_from: contains "@bankone.com" or
         $header_from: contains "@suntrust.com" or
         $header_from: contains "@amazon.com" or
         $header_from: contains "@banksecurity.com" or
         $header_from: contains "@visa.com" or
         $header_from: contains "@mastercard.com" or
         $header_from: contains "@mbna.com"
)  then
     logwrite "$tod_log $message_id from $sender_address is fraud"
     seen finish
  endif
## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## (the block is active as posted; comment it out to keep it disabled)
## Log all outgoing mail from server that matches rules
if      (
         $received_protocol is "local" or
         $received_protocol is "esmtpa" or
         $received_protocol is "esmtpsa"
        ) and (
         $header_from: contains "@hotmail.com" or
         $header_from: contains "@yahoo.com" or
         $header_from: contains "@aol.com"
)  then
     logwrite "$tod_log $message_id from $sender_address is forged fake"
     seen finish
  endif
## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
if      (
         $received_protocol is "local" or
         $received_protocol is "esmtpa" or
         $received_protocol is "esmtpsa"
        ) and (
#Paypal
        $message_body contains "Dear valued PayPal member" or
        $message_body contains "Dear valued PayPal customer" or
        $message_body contains "Dear Paypal" or
        $message_body contains "The PayPal Team" or
        $message_body contains "Dear Paypal Customer" or
        $message_body contains "Paypal Account Review Department" or
#Ebay
        $message_body contains "Dear eBay member" or
        $message_body contains "Dear eBay User" or
        $message_body contains "The eBay team" or
        $message_body contains "Dear eBay Community Member" or
#Banks
        $message_body contains "Dear Charter One Customer" or
        $message_body contains "Dear wamu.com customer" or
        $message_body contains "Dear valued Citizens Bank member" or
        $message_body contains "Dear Visa" or
        $message_body contains "Dear Citibank" or
        $message_body contains "Citibank Email" or
        $message_body contains "Dear customer of Chase Bank" or
        $message_body contains "Dear Bank of America customer" or
#ISPs
        $message_body contains "Dear AOL Member" or
        $message_body contains "Dear AOL Customer"
)  then
     logwrite "$tod_log $message_id from $sender_address is phishing"
     seen finish
  endif
# END
# All outgoing mail on the server only - what is sent out

credits to:
CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett [email protected]
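The filter's logwrite line only records "contained spam keywords", so it never tells you which word a discarded message tripped. The script below is an added example, not code from the original post or from the webhostgear filter: it re-implements the "Common Spam" conditions with the Exim filter semantics that matter here (lower-case is/contains/matches compare case-insensitively; $message_body is only the first message_body_visible bytes of the body, 500 by default, with newlines turned into spaces) and reports every rule that fires. The "angka" pattern is written with (...) alternation, which is what the square-bracket version in the filter was meant to do. The sample messages are constructed for the example.

```python
"""Dry-run the "Common Spam" rules of antivirus.exim and report WHICH rule fired.

Added example; the sample messages below are constructed, not real mail.
"""
import re
from email import message_from_string

MESSAGE_BODY_VISIBLE = 500  # Exim main-config default for message_body_visible

LEET_RE = r"v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
ANGKA_RE = r"angka[^s]+(net|com|org|biz|info|us|name)"

# (field, operator, pattern) in the order the filter tests them
COMMON_SPAM_RULES = [
    ("subject", "contains", "Pharmaceutical"),
    ("subject", "contains", "Viagra"),
    ("subject", "contains", "Cialis"),
    ("subject", "is", "The Ultimate Online Pharmaceutical"),
    ("subject", "contains", "***SPAM***"),
    ("subject", "contains", "[SPAM]"),
    ("subject", "contains", "{Definitely Spam?}"),
    ("body", "contains", "Cialis"),
    ("body", "contains", "Viagra"),
    ("body", "contains", "Leavitra"),
    ("body", "contains", "St0ck"),
    ("body", "contains", "Viaagrra"),
    ("body", "contains", "Cia1iis"),
    ("body", "contains", "URGENT BUSINESS PROPOSAL"),
    ("body", "matches", ANGKA_RE),
    ("body", "matches", LEET_RE),
    ("body", "contains", "click here if you"),
]


def exim_fields(raw_message):
    """Return what the filter sees as $header_subject: and $message_body."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()  # single-part text only
    visible = body[:MESSAGE_BODY_VISIBLE].replace("\n", " ")  # Exim truncates and flattens
    return {"subject": msg.get("Subject", ""), "body": visible}


def condition_holds(op, value, pattern):
    """Lower-case Exim filter operators compare case-insensitively."""
    if op == "is":
        return value.casefold() == pattern.casefold()
    if op == "contains":
        return pattern.casefold() in value.casefold()
    if op == "matches":
        return re.search(pattern, value, re.IGNORECASE) is not None
    raise ValueError(f"unknown operator {op!r}")


def fired_rules(raw_message):
    """All Common Spam rules that are true for the message; empty list means delivered."""
    fields = exim_fields(raw_message)
    return [r for r in COMMON_SPAM_RULES if condition_holds(r[1], fields[r[0]], r[2])]


def explain(name, raw_message):
    """Human-readable verdict naming each rule that fired."""
    hits = fired_rules(raw_message)
    lines = [f"{name}: {'DISCARDED (seen finish)' if hits else 'delivered'}"]
    lines += [f"    ${field} {op} {pattern!r}" for field, op, pattern in hits]
    return "\n".join(lines)


# Constructed sample messages (not real mail).
SPECIALIST = "Subject: Re: your specialist appointment\n\nPlease confirm Monday's appointment.\n"
BACKUP = "Subject: Full backup completed for server1\n\nBackup finished. Please measure disk usage before the next run.\n"
SPAM = "Subject: Special offer\n\nCheap V1agra online, click here if you want more.\n"
LATE_KEYWORD = "Subject: Newsletter\n\n" + "lorem " * 100 + "Viagra\n"  # keyword past byte 500

if __name__ == "__main__":
    import sys
    samples = [("specialist", SPECIALIST), ("backup", BACKUP), ("spam", SPAM), ("late_keyword", LATE_KEYWORD)]
    if len(sys.argv) > 1:  # pass saved .eml files to check real discarded mail
        samples = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, raw in samples:
        print(explain(name, raw))
```

Run it with no arguments to see the four samples: the appointment mail is discarded by the subject rule for "Cialis" (inside "specialist"), the backup notice by the "asu" alternative of the body regex (inside "measure"), the real spam by two body rules, and the newsletter is delivered because its keyword sits beyond the 500 visible bytes. Pass saved .eml files to check real mail. This only tells you the rule; to test the actual filter file on a message before installing it, Exim's own `exim -bF /etc/antivirus.exim < message.eml` runs the system filter in test mode.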
 

mohit (Well-Known Member, Jul 12, 2005, Sticky On Internet)
Can this just be replaced?

Hi,
do you mean that anybody can save this as "antivirus.exim" and use it directly?


See ya,
mohit
 

VirtuaLira (Well-Known Member, Feb 1, 2004, Chile)
Where do the rejected emails go?
Is it possible to check the emails processed by the filters?

Some important emails are being rejected because of spam words...

Thanks
 

ramprage (Well-Known Member, Jul 21, 2002, Canada)
They get deleted immediately and are not stored. /dev/nulled

You can, of course, log the entire message as well:

EG:

Code:
# Exim filter
logfile /var/log/filter.log 0644
if
# ... your conditions here ...
then
logwrite "$tod_log $message_id from $sender_address is malicious"
# The next line copies the subject and the visible body into the log.
# The log is created 0644, so every local user can read the discarded
# mail; keep this for debugging only and remove it afterwards.
logwrite "$header_subject: with $message_body"
seen finish
endif


>> logwrite "$header_subject: with $message_body": this part logs the subject and body of the message to your logfile.
 

ramprage (Well-Known Member, Jul 21, 2002, Canada)
Disabling the global filter for certain domains

You can probably disable global filtering for certain domains, e.g. whitelist them from antivirus.exim, by doing the following.

Note: This is just after some quick research but hasn't been tried.

Try a nested if/else within the filters.

Code:
# Exim filter
# $message_headers is the whole header block, so this branch is taken for
# any message that mentions one of the domains in ANY header (From:, To:,
# Cc:, Received: ...): inbound mail to the domain skips the checks, and so
# does spam that merely forges a From: address at it.
if
$message_headers contains "@userdomain1.com" or
$message_headers contains "@userdomain2.com" or
$message_headers contains "@userdomain3.com"
then
# Whitelisted: stop filtering. Without "seen" the message is delivered
# normally (same effect as an empty branch).
finish
else
logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
$header_subject: contains "Pharmaceutical" or
$header_subject: contains "Viagra" or
$header_subject: contains "Cialis" or
$header_subject: is "The Ultimate Online Pharmaceutical" or
$header_subject: contains "***SPAM***" or
$header_subject: contains "[SPAM]" or
$header_subject: contains "{Definitely Spam?}" or
# Body Spam ($message_body takes no colon; only header variables do)
$message_body contains "Cialis" or
$message_body contains "Viagra" or
$message_body contains "Leavitra" or
$message_body contains "St0ck" or
$message_body contains "Viaagrra" or
$message_body contains "Cia1iis" or
$message_body contains "URGENT BUSINESS PROPOSAL" or
# (...) is alternation; the original [...] was a character class
$message_body matches "angka[^s]+(net|com|org|biz|info|us|name)" or
$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen( |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
# duplicate of the URGENT BUSINESS PROPOSAL line above; harmless
$message_body contains "URGENT BUSINESS PROPOSAL" or
$message_body contains "click here if you"
then
# fail - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
# fail text "Message has been rejected because it has
# triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
seen finish
endif

endif
 

MPCN_Russ1 (Member, Jun 26, 2003)
Hey all,

Anyone know how to show the IP address of the sending party, rather than posting the full header? Logging anything like the body will kind of bog down your machine. But this will keep any filtered email from being unviewable. One problem I encounter is that the email addresses I'm filtering are abuse addresses, for example, and we can't exactly misplace an email.

I'm thinking of writing an app in PHP to pipe the filtered mail into, but I'm not sure if that is really necessary. The whole point of filtering in the first place is so you DON'T have to view or handle the SPAM. But in my case, it's just to keep it out of our ticket system so we can better assist with the legitimate complaints.

Thanks,
Russ
 

VirtuaLira (Well-Known Member, Feb 1, 2004, Chile)
How can I bypass the common SPAM section for the local domains? Is there a way to read the localdomains file and check all the domains in the bypass part?

I don't know if the filters or spam words are OK; it's always the same thing, some emails without those "words" are detected as spam.

If anyone knows, please help.

Thanks
 

MPCN_Russ1 (Member, Jun 26, 2003)
Hello,

One thing I noticed on one of our machines is that some emails that are blocked aren't necessarily blocked by this filtering mod. They were blocked by other applications such as SpamAssassin. One example was a few mailing lists which had sent a weekly notice and got tossed into the spam log file. I'm just filtering out about 12 email addresses now rather than every address at 2 of our domains. I'm actually having quite good success with it. Only 1 false positive, when I blocked "software", and that was because of a mailing list. The other emails that were blocked had nothing to do with my filters.

As for automatically bypassing localdomains, not too sure how to get that done. Perhaps parse the file from a script on cron to update the antivirus.exim file occasionally? Anyone else have a bit more knowledge for a better idea? I just started with this filtering myself... so hopefully someone else has more experience with it.

Hope this might help.

Thanks,
Russ

PS :: I thought I'd include my current filter set for you all :) Have fun with it... but please note, this filter set is based on spam WE received and don't want to view.
Code:
# Exim filter
logfile /var/log/filter.log 0644
if
  ### Check message sender
  $header_from: contains ".ne.jp"
  or $header_from: contains "@0451.com"
  or $header_from: contains "@0733.com"
  or $header_from: contains "@pistonheads.biz"
  or $header_from: contains "@esp2office.biz"
  or $header_from: contains "@pellicano.biz"
  or $header_from: contains "@perlite.biz"
  or $header_from: contains "@pradella.biz"
  or $header_from: contains "@j-j.jp"
  or $header_from: contains "@mymadonna.jp"
  or $header_from: contains "@quasarman.biz"
  or $header_from: contains "@prostateforum.biz"
  or $header_from: contains "@0-0.com"
  or $header_from: contains "@garageservice.biz"
  or $header_from: contains "@garageservices.biz"
  or $header_from: contains "@53.com"
  or $header_from: contains "@scandinavian-seed.biz"
  or $header_from: contains "@paramed.biz"
  or $header_from: contains "tknowles@"
  or $header_from: contains "@scandinavianseed.biz"
  or $header_from: contains "@first2office.biz"
  or $header_from: contains "@hehe.com"
  or $header_from: contains "@yahoo.co.jp"
  or $header_from: contains "@yahoo.co.kr"
  or $header_from: contains "@yahoo.it"
  or $header_from: contains "@yahoo.ca"
  or $header_from: contains "@yahoo.fr"
  or $header_from: contains "@yahoo.es"
  or $header_from: contains "@citiz.net"
  or $header_from: contains "@tpnet.pl"

  ### Check message subject
  ### These are case-insensitive substring tests: "soft" also hits
  ### "software" and "Microsoft", "girl" hits "girlfriend", "herb" hits
  ### "Herbert", "oem" hits "poem", and "degree"/"promotion"/"watches"
  ### appear in ordinary mail.
  or $header_subject: contains "ephedra"
  or $header_subject: contains "microcap"
  or $header_subject: contains "slimmer"
  or $header_subject: contains "swiss"
  or $header_subject: contains "promotion"
  or $header_subject: contains "degree"
  or $header_subject: contains "diploma"
  or $header_subject: contains "mortgage"
  or $header_subject: contains "t-shirts"
  or $header_subject: contains "refinance"
  or $header_subject: contains "watches"
  or $header_subject: contains "medicine"
  or $header_subject: contains "0em"
  or $header_subject: contains "oem"
  or $header_subject: contains "herb"
  or $header_subject: contains "4ve"
  or $header_subject: contains "s0ftw4re"
  or $header_subject: contains "0ff"
  or $header_subject: contains "darling"
  or $header_subject: contains "overdose"
  or $header_subject: contains "girl"
  or $header_subject: contains "soft"
  or $header_subject: contains "%o!<"
  ### The regex also hits "ambient" (amb..en), "pillow" (pill),
  ### "immediately" (med), "Stockholm" (stock) and "credits" (credit).
  or $header_subject: matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i|1)(l|-l|1)(l|-l|1)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)d|r(e|ej|je)plica|cr(e|je|ej)dit"
  or $header_subject: is "Our store is your cureall!"
  or $header_subject: is "urgent asisstance"
  or $header_subject: is "Wall Street News"
  or $header_subject: is "We cure any desease!"
  or $header_subject: is "Full of health? Then don't click!"
  or $header_subject: is "All products for your health!"

  ### Check message body (only the first message_body_visible bytes,
  ### 500 by default, are tested; $message_body takes no colon)
  or $message_body contains "girl"
  or $message_body matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i)(l|-l)(l|-l)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)ds|r(e|ej|je)plica|cr(e|je|ej)dit"
  or $message_body contains "This Is Going To Explode"
then
  logwrite "$tod_log $message_id from $sender_address matched local spam list"
  seen finish
endif
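VirtuaLira asked above how to skip the common-spam section for the domains hosted on the server, Russ suggested a cron job that rebuilds antivirus.exim from /etc/localdomains, and Russ also asked how to log the sender's IP. The generator below is an added example, not code from the thread or from cPanel. Two choices are deliberate. The bypass keys on local or authenticated submission ($received_protocol) together with $sender_address_domain, not on $message_headers, so a spammer who merely forges a From: at one of your domains gets no pass. And every domain read from the file is validated before it is quoted into the filter, because a stray quote or newline in that file would otherwise break out of the string and change the filter's logic. The logwrite line adds $sender_host_address, which is the Exim variable for the sending IP (empty for locally submitted mail). The rule list, the generated comments, the output path and the sample /etc/localdomains content are assumptions for the example.

```python
"""Regenerate the local-domain bypass block of antivirus.exim from /etc/localdomains.

Added example. SAMPLE_LOCALDOMAINS is constructed; SPAM_RULES is a subset of the
thread's rules, written in the form the generated filter needs.
"""
import re
import sys
from pathlib import Path

# Only these characters may reach the filter file; anything else is refused.
DOMAIN_RE = re.compile(r"[a-z0-9.-]+")

SPAM_RULES = '''\
    $header_subject: contains "***SPAM***" or
    $header_subject: contains "[SPAM]" or
    $header_subject: contains "{Definitely Spam?}" or
    $message_body contains "URGENT BUSINESS PROPOSAL" or
    $message_body contains "click here if you"'''


def is_valid_domain(name):
    """True only for a plain lower-case hostname that is safe to quote into the filter."""
    return DOMAIN_RE.fullmatch(name) is not None and ".." not in name


def read_localdomains(text):
    """Parse /etc/localdomains-style text: one domain per line, blanks and # comments ignored."""
    domains = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if not is_valid_domain(line):
            raise ValueError(f"refusing to put {line!r} into the filter file")
        if line not in domains:  # keep first occurrence, drop duplicates
            domains.append(line)
    return domains


def bypass_block(domains):
    """Exim filter block that ends filtering (normal delivery) for our own users' submissions."""
    if not domains:
        return ""
    senders = " or\n".join(f'        $sender_address_domain is "{d}"' for d in domains)
    return f"""\
## Local domains: skip the keyword checks for mail our own users submit
## (local or authenticated, and the envelope sender is one of our domains).
## "finish" without "seen" ends the filter and lets delivery proceed.
if (
        $received_protocol is "local" or
        $received_protocol is "esmtpa" or
        $received_protocol is "esmtpsa"
    ) and (
{senders}
    )
then
    finish
endif
"""


def render_filter(domains, rules=SPAM_RULES):
    """Complete system filter: optional bypass block, then the keyword rules."""
    return f"""\
# Exim filter
# Generated from /etc/localdomains; change the generator, not this file.
logfile /var/log/filter.log 0644
{bypass_block(domains)}## Common Spam
if
{rules}
then
    logwrite "$tod_log $message_id from $sender_address [$sender_host_address] contained spam keywords"
    seen finish
endif
"""


# Constructed sample of /etc/localdomains (not from a real server).
SAMPLE_LOCALDOMAINS = """\
# hosted domains
example.com
Mail.Example.net
example.com

shop.example.org
"""

if __name__ == "__main__":
    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOCALDOMAINS
    sys.stdout.write(render_filter(read_localdomains(source)))
```

From cron, write the output to a temporary file, check it with `exim -bF /path/to/new.filter < some-message.eml`, and only then move it over /etc/antivirus.exim; because a cPanel user can add domains to /etc/localdomains, the validation step is what keeps that file from becoming a way to rewrite the system filter.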
 

VirtuaLira (Well-Known Member, Feb 1, 2004, Chile)
Good work Russ, but it is very restrictive :P

You must remember that some words with the "contains" filter can delete solicited email, like the problem with "cialis": this filter deletes headers with "specialist" or "especialista" (Spanish), and a lot of other combinations.

And yes, there is a way to read the localdomains file, but I'm not a master of scripting; in some sections I have seen people who can read files and take data from a line with a command. I hope someone can help with this.

As for the filters and other programs filtering, my answer is no: antivirus.exim is filtering some emails and I can't get the word or phrase that was filtered. I added:

Code:
logwrite "$header_subject: with $message_body"
and in the logfile it says "spamword filter" plus the subject and content of the email, but I don't know for which word or thing these messages are filtered.

:(
 

mohit (Well-Known Member, Jul 12, 2005, Sticky On Internet)
Why does this filter occur twice?

Hi,
I may be wrong, but I want to know why this filter is used twice.

Code:
	$message_body: contains "URGENT BUSINESS PROPOSAL" or
	$message_body matches "angka[^s]+[net|com|org|biz|info|us|name]+?" or
	$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
	$message_body: contains "URGENT BUSINESS PROPOSAL" or
	$message_body: contains "click here if you"

I added the most common spam keywords and phrases to my filter but am a bit worried it might have some adverse effect; I haven't had complaints from hosted users yet, and some are happy with the new filters.

Thanks to "ramprage" for his expert comments. :cool:

Thanks,
mohit
 

mohit (Well-Known Member, Jul 12, 2005, Sticky On Internet)
Another line has problems

Hi,

Code:
$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
also filters some mails which have nothing to do with spam; some of them were notifications that a full backup had completed.

I tried the above code and mails were filtered; I reviewed every line, and removing this one saved my important mails from being discarded.

See ya,
mohit
 

HappymanUK (Well-Known Member, May 3, 2003)
Is it possible to get the 'antivirus.exim' file working when MailScanner is installed?

I already had some rules in the file when using SpamAssassin, but since moving to MailScanner, the rules seem to be ignored....

Any ideas?

Thanks in advance,
Daniel