Add a Global mail Filter for WHM and accounts

VirtuaLira

Well-Known Member
Feb 1, 2004
148
0
166
Chile
Hi all,

I seeking for a global filter for add in the mail server or spamassassin, to filter emails of the server (including all accounts). How can I do this?

Its better to do this in Exim config? or with Spamassassin?

Thanks
 

VirtuaLira

Well-Known Member
Feb 1, 2004
148
0
166
Chile
OK,

I found this config, I will post here for someone with the same problem or issue.

Based on the original:

Code:
### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett [email protected]
######################################################
# START
# Filters all incoming an outgoing mail
logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
	$header_subject: contains "Pharmaceutical" or
	$header_subject: contains "Viagra" or
	$header_subject: contains "Cialis" or
	$header_subject: is "The Ultimate Online Pharmaceutical" or
	$header_subject: contains "***SPAM***" or
	$header_subject: contains "[SPAM]" or
	$header_subject: contains "{Definitely Spam?}" or
# Body Spam
	$message_body: contains "Cialis" or
	$message_body: contains "Viagra" or
	$message_body: contains "Leavitra" or
	$message_body: contains "St0ck" or
	$message_body: contains "Viaagrra" or
	$message_body: contains "Cia1iis" or
	$message_body: contains "URGENT BUSINESS PROPOSAL" or
	$message_body matches "angka[^s]+[net|com|org|biz|info|us|name]+?" or
	$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
	$message_body: contains "URGENT BUSINESS PROPOSAL" or
	$message_body: contains "click here if you"
then
# Log Message - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
# fail text "Message has been rejected because it hasn
#           triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
seen finish
endif
# END
# Filters all incoming an outgoing mail
# START
# All outgoing mail on the server only - what is sent out
#Check forwarders so it doesn't get blocked
#Forwarders still work =)
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local" or
         $received_protocol is "esmtpa"        
	) and (
         $header_from contains "@citibank.com" or
         $header_from contains "@bankofamerica.com" or
         $header_from contains "@wamu.com" or
         $header_from contains "@ebay.com" or
         $header_from contains "@chase.com" or
         $header_from contains "@paypal.com" or
         $header_from contains "@wellsfargo.com" or
         $header_from contains "@bankunited.com" or
         $header_from contains "@bankerstrust.com" or
         $header_from contains "@bankfirst.com" or
         $header_from contains "@capitalone.com" or 
         $header_from contains "@citizensbank.com" or
         $header_from contains "@jpmorgan.com" or
         $header_from contains "@wachovia.com" or
         $header_from contains "@bankone.com" or
         $header_from contains "@suntrust.com" or
         $header_from contains "@amazon.com" or
         $header_from contains "@banksecurity.com" or
         $header_from contains "@visa.com" or
         $header_from contains "@mastercard.com" or
         $header_from contains "@mbna.com"
)  then
     logwrite "$tod_log $message_id from $sender_address is fraud"
     seen finish
  endif
## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local" or
         $received_protocol is "esmtpa"
        ) and (
         $header_from contains "@hotmail.com" or
         $header_from contains "@yahoo.com" or
         $header_from contains "@aol.com"
)  then
     logwrite "$tod_log $message_id from $sender_address is forged fake"
     seen finish
  endif
## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local" or
         $received_protocol is "esmtpa"
        ) and (
#Paypal
        $message_body: contains "Dear valued PayPal member" or
        $message_body: contains "Dear valued PayPal customer" or
        $message_body: contains "Dear Paypal" or
        $message_body: contains "The PayPal Team" or
        $message_body: contains "Dear Paypal Customer" or
        $message_body: contains "Paypal Account Review Department" or
#Ebay
        $message_body: contains "Dear eBay member" or
        $message_body: contains "Dear eBay User" or
        $message_body: contains "The eBay team" or
        $message_body: contains "Dear eBay Community Member" or
#Banks
        $message_body: contains "Dear Charter One Customer" or
        $message_body: contains "Dear wamu.com customer" or
        $message_body: contains "Dear valued Citizens Bank member" or
        $message_body: contains "Dear Visa" or
        $message_body: contains "Dear Citibank" or
        $message_body: contains "Citibank Email" or
        $message_body: contains "Dear customer of Chase Bank" or
        $message_body: contains "Dear Bank of America customer" or
#ISPs
        $message_body: contains "Dear AOL Member" or
        $message_body: contains "Dear AOL Customer"
)  then
	logwrite "$tod_log $message_id from $sender_address is phishing"
     	seen finish
  endif
# END
# All outgoing mail on the server only - what is sent out
credits to:
CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett [email protected]
 
Last edited:

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
can this be just re-placed

hi,
do you mean that anybody can save this as "antivirus.exim" and use it directly ??


see ya,
mohit
 

VirtuaLira

Well-Known Member
Feb 1, 2004
148
0
166
Chile
Where goes the rejected emails?
Its posible to check the emails processed by the filters?

Some important emails are rejected by spam words...

Thanks
 

ramprage

Well-Known Member
Jul 21, 2002
655
0
166
Canada
They get deleted immediately and are not stored. /dev/nulled

You can, of course, log the entire message as well:

EG:

if (
filter
)
then
logwrite "$tod_log $message_id from $sender_address is malicious"
logwrite "$header_subject with $message_body"
seen finish
endif


>> logwrite "$header_subject with $message_body" this part logs the message subject and body of message to your logfile.
 

ramprage

Well-Known Member
Jul 21, 2002
655
0
166
Canada
disabling global filter for certain domains

You can probably disable global filtering for certain domains : eg whitelist them from antivirus.exim by doing the following

Note: This is just after some quick research but hasn't been tried.

Try a nested if/else within the filters.

# Exim filter
if

$message_headers: contains "@userdomain1.com" or
$message_headers: contains "@userdomain2.com" or
$message_headers: contains "@userdomain3.com"
then

# Ignore filters do nothing


else


logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
$header_subject: contains "Pharmaceutical" or
$header_subject: contains "Viagra" or
$header_subject: contains "Cialis" or
$header_subject: is "The Ultimate Online Pharmaceutical" or
$header_subject: contains "***SPAM***" or
$header_subject: contains "[SPAM]" or
$header_subject: contains "{Definitely Spam?}" or
# Body Spam
$message_body: contains "Cialis" or
$message_body: contains "Viagra" or
$message_body: contains "Leavitra" or
$message_body: contains "St0ck" or
$message_body: contains "Viaagrra" or
$message_body: contains "Cia1iis" or
$message_body: contains "URGENT BUSINESS PROPOSAL" or
$message_body matches "angka[^s]+[net|com|org|biz|info|us|name]+?" or
$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen( |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
$message_body: contains "URGENT BUSINESS PROPOSAL" or
$message_body: contains "click here if you"
then
# Log Message - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
# fail text "Message has been rejected because it hasn
# triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
seen finish
endif



endif
 

MPCN_Russ1

Member
Jun 26, 2003
19
0
151
Hey all,

Anyone know how to show the ip address of the sending party, rather then posting the full header. Logging anything like the body will kinda bog down your machine. But this will prevent any filtered email from being unviewable. One problem I encounter is the email addresses I'm filtering are abuse addresses for example, and we can't exactely misplace an email.

I'm thinking of writing up an app in php to pipe the filtered mail into, but I'm not sure if that is really necessary. The whole point of filtering in the first place is so you DON'T have to view or handle the SPAM. But in my case, it's just to keep it from our ticket system so we can better assist the legitimate complaints.

Thanks,
Russ
 

VirtuaLira

Well-Known Member
Feb 1, 2004
148
0
166
Chile
How can I by pass the comon SPAM section for the local domains??, exist a form to read the localdomains file and check all the domains in the bypass part?

I dont know if the filters or spam words are ok, always is the same thing, some emails without that "words" are detected as spam.

If anyone knows please, help.

Thanks
 

MPCN_Russ1

Member
Jun 26, 2003
19
0
151
Hello,

One thing I noticed on one of our machines is, some emails that are blocked out arn't necessarily blocked by this filtering mod. They were blocked by other applications such as spamassassin. One example was a few mailing lists for which had sent a weekly notice and got tossed in to the spam log file. I'm just filtering out about 12 email addresses now rather then every address at 2 of our domains. I'm actually having quite a good success with it. Only 1 false positive when I blocked "software" and that was because of a mailing list. The other emails that were blocked had nothing to do with my filters.

As for automatically bypassing localdomains, Not too sure how to get that done. Perhaps parse the file from a script on cron to update the antivirus.exim file occasionally? Anyone else have a bit more knowledge for a better idea? I just started with this filtering myself... So hopefully, someone else has more experience with it.

Hope this might help.

Thanks,
Russ

PS :: I thought I'de include my current filter set for you all :) Have fun with it... But please make a note, this filter set is based on spam WE received and don't want to view.
PHP:
---
### Check message sender
  $header_from: contains ".ne.jp"
  or $header_from: contains "@0451.com"
  or $header_from: contains "@0733.com"
  or $header_from: contains "@pistonheads.biz"
  or $header_from: contains "@esp2office.biz"
  or $header_from: contains "@pellicano.biz"
  or $header_from: contains "@perlite.biz"
  or $header_from: contains "@pradella.biz"
  or $header_from: contains "@j-j.jp"
  or $header_from: contains "@mymadonna.jp"
  or $header_from: contains "@quasarman.biz"
  or $header_from: contains "@prostateforum.biz"
  or $header_from: contains "@0-0.com"
  or $header_from: contains "@garageservice.biz"
  or $header_from: contains "@garageservices.biz"
  or $header_from: contains "@53.com"
  or $header_from: contains "@scandinavian-seed.biz"
  or $header_from: contains "@paramed.biz"
  or $header_from: contains "[email protected]"
  or $header_from: contains "@scandinavianseed.biz"
  or $header_from: contains "@first2office.biz"
  or $header_from: contains "@hehe.com"
  or $header_from: contains "@yahoo.co.jp"
  or $header_from: contains "@yahoo.co.kr"
  or $header_from: contains "@yahoo.it"
  or $header_from: contains "@yahoo.ca"
  or $header_from: contains "@yahoo.fr"
  or $header_from: contains "@yahoo.es"
  or $header_from: contains "@citiz.net"
  or $header_from: contains "@tpnet.pl"

  ### Check message subject
  or $header_subject: contains "ephedra"
  or $header_subject: contains "microcap"
  or $header_subject: contains "slimmer"
  or $header_subject: contains "swiss"
  or $header_subject: contains "promotion"
  or $header_subject: contains "degree"
  or $header_subject: contains "diploma"
  or $header_subject: contains "mortgage"
  or $header_subject: contains "t-shirts"
  or $header_subject: contains "refinance"
  or $header_subject: contains "watches"
  or $header_subject: contains "medicine"
  or $header_subject: contains "0em"
  or $header_subject: contains "oem"
  or $header_subject: contains "herb"
  or $header_subject: contains "4ve"
  or $header_subject: contains "s0ftw4re"
  or $header_subject: contains "0ff"
  or $header_subject: contains "darling"
  or $header_subject: contains "overdose"
  or $header_subject: contains "girl"
  or $header_subject: contains "soft"
  or $header_subject: contains "%o!<"
  or $header_subject: matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i|1)(l|-l|1)(l|-l|1)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)d|r(e|ej|je)plica|cr(e|je|ej)dit"
  or $header_subject: is "Our store is your cureall!"
  or $header_subject: is "urgent asisstance"
  or $header_subject: is "Wall Street News"
  or $header_subject: is "We cure any desease!"
  or $header_subject: is "Full of health? Then don't click!"
  or $header_subject: is "All products for your health!"

  ### Check message body
  or $message_body: contains "girl"
  or $message_body: matches "v(i|1|jl|lji| i|iaj|ij|ji|jj|ii)ag(r| r)a|amb(i|1|jl|lji|iaj|ij|ji|jj|ii)en|val(i|1|jl|lji|iaj|ij|ji|jj|ii)um|cia(l | ul)(i|1|jl|lji|iaj|ij|ji|jj|ii)s|d(r| r)(u|@|u )g|s(e|3)xy|p(i|-i)(l|-l)(l|-l)|e(r| r)(e| e)(c| c)(t| t)(i| i)(o| o)(n| n)|st(o|0)ck|r(o|jo|oj)lex|ph(a|@)rm|disc(o|8o)unt|m(e|je|ej)ds|r(e|ej|je)plica|cr(e|je|ej)dit"
  or $message_body: contains "This Is Going To Explode"
---
 

VirtuaLira

Well-Known Member
Feb 1, 2004
148
0
166
Chile
Good Work Russ, but is very restrictive :P

you must remember some words with the filter contains can deleted some solicited email like the problem with "cialist", this filter delete the headers with "specialist" or "especialista" (spanish), and a lot of other combinations.

and yes, exist a form to read the file of the localdomains, but I dont a master on the bin coding, in some sections I see some people can read files and take data from a line with a command, I hope some one can help on this.

for the filters and other programs filtering, my answer is no, the antivirus.exim is filtering some emails and I can't get the word or phrase filtered, I add the:

Code:
logwrite "$header_subject with $message_body"
and in the logfile says spamword filter, and the subject & content of the email, but I don't know for what word or thing this messages are filtered.

:(
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
why this filter occurs twice ?

Hi,
i may be wrong but i want to know why is this filter used twice.

Code:
	[COLOR="Red"]$message_body: contains "URGENT BUSINESS PROPOSAL" or[/COLOR]
	$message_body matches "angka[^s]+[net|com|org|biz|info|us|name]+?" or
	$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or
[COLOR="Red"]	$message_body: contains "URGENT BUSINESS PROPOSAL" or[/COLOR]
	$message_body: contains "click here if you"

I added most common spam keywords and phrases in my filter but bit worried if its having some adverse issue but didn't had complains from hosted users yet, some happy with new filters.

thanks to "ramprage" for his expert comments. :cool:

thanx,
mohit
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
another line has problems

hi,

Code:
[COLOR="Red"]$message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(  |1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok" or[/COLOR]
also filters some of mails which has nothing to do with spam, some of them were for full backup completed notifications.

I tried the above code and mails were filtered and i reviewed every line and then removing this one did saved my imp. mails from getting discarded.

see ya,
mohit
 

djblamire

Well-Known Member
May 3, 2003
255
1
168
Is it possible to get the 'antivirus.exim' file working when Mailscanner is installed ??

I already had some rules in the file when using Spam Assassin, but since moving to Mailscanner, the rules seem to be ignored....

Any ideas ??

Thanks in advance,
Daniel