The Community Forums


always have virus email in mail queue

Discussion in 'E-mail Discussions' started by promak, Jul 4, 2006.

  1. promak

    promak Well-Known Member

    Joined:
    Oct 6, 2001
    Messages:
    248
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    Any idea how to make Exim check for a non-valid domain or email address, so it auto-deletes the message instead of holding it in the mail queue?

    I found many virus emails sent to server domain users at invalid email addresses, and many return messages held there due to a non-valid domain or a non-existent email address.

    I have the following in antivirus.exim.

    ++++++++++++++++++
    if not first_delivery
    then
    finish
    endif

    if ${length_80:$header_date:} is not $header_date:
    then
    fail text "This message has been rejected because it has\n\
    an overlength date field which can be used\n\
    to subvert Microsoft mail programs\n\
    The following URL has further information\n\
    http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
    seen finish
    endif

    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
    fail text "This message has been rejected because it has\n\
    potentially executable content $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
    then
    fail text "This message has been rejected because it has\n\
    potentially executable content $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif


    ## -----------------------------------------------------------------------
    # Attempt to catch embedded VBS attachments
    # in emails. These were used as the basis for
    # the ILOVEYOU virus and its variants - many, many variants
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    then
    fail text "This message has been rejected because it has\n\
    a potentially executable attachment $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif
    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
    then
    fail text "This message has been rejected because it has\n\
    a potentially executable attachment $1\n\
    This form of attachment has been used by\n\
    recent viruses or other malware.\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."
    seen finish
    endif
    ## -----------------------------------------------------------------------


    ### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com
    ######################################################
    # START
    # Filters all incoming and outgoing mail

    logfile /var/log/filter.log 0644
    ## Common Spam
    if

    # Header Spam
    $header_subject: contains "Viagra"
    or $header_subject: contains "Cialis"
    or $header_subject: is "The Ultimate Online Pharmaceutical"
    #or $header_subject: contains "***SPAM***"
    #or $header_subject: contains "[SPAM]"

    # Body Spam
    or $message_body: contains "Cialis"
    or $message_body: contains "Viagra"
    or $message_body: contains "Leavitra"
    or $message_body: contains "St0ck"
    or $message_body: contains "Viaagrra"
    or $message_body: contains "Cia1iis"
    or $message_body: contains ".pif"
    or $message_body: contains "your_letter.pif"
    or $message_body: contains ".scr"
    or $message_body: contains "message.scr"
    or $message_body: contains "qualified personnel to staff"

    then
    # Log Message - SENDS RESPONSE BACK TO SENDER
    # SUGGESTED TO LEAVE OFF to prevent fail loops
    # and more work for the mail system
    #fail text "Message has been rejected because it has\n\
    # triggered our central filter."
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"

    seen finish

    endif

    # END
    # Filters all incoming and outgoing mail

    # START
    # All outgoing mail on the server only - what is sent out
    #Check forwarders so it doesn't get blocked
    #Forwarders still work =)

    ## FINANCIAL FAKE SENDERS
    ## Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    $header_from contains "@citibank.com" or
    $header_from contains "@bankofamerica.com" or
    $header_from contains "@wamu.com" or
    $header_from contains "@ebay.com" or
    $header_from contains "@chase.com" or
    $header_from contains "@paypal.com" or
    $header_from contains "@wellsfargo.com" or
    $header_from contains "@bankunited.com" or
    $header_from contains "@bankerstrust.com" or
    $header_from contains "@bankfirst.com" or
    $header_from contains "@capitalone.com" or
    $header_from contains "@citizensbank.com" or
    $header_from contains "@jpmorgan.com" or
    $header_from contains "@wachovia.com" or
    $header_from contains "@bankone.com" or
    $header_from contains "@suntrust.com" or
    $header_from contains "@amazon.com" or
    $header_from contains "@banksecurity.com" or
    $header_from contains "@visa.com" or
    $header_from contains "@mastercard.com" or
    $header_from contains "@mbna.com"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is fraud"
    seen finish
    endif
    ## OTHER FAKE SENDERS SPAM
    ## Enable this to prevent users using @domain from addresses
    ## Not recommended since users do use from addresses not on the server
    ## Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    $header_from contains "@hotmail.com" or
    $header_from contains "@yahoo.com" or
    $header_from contains "@aol.com"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is forged fake"
    seen finish
    endif

    ## KNOWN FAKE PHISHING
    ### Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    #Paypal
    $message_body: contains "Dear valued PayPal member" or
    $message_body: contains "Dear valued PayPal customer" or
    $message_body: contains "Dear Paypal" or
    $message_body: contains "The PayPal Team" or
    $message_body: contains "Dear Paypal Customer" or
    $message_body: contains "Paypal Account Review Department" or

    #Ebay
    $message_body: contains "Dear eBay member" or
    $message_body: contains "Dear eBay User" or
    $message_body: contains "The eBay team" or
    $message_body: contains "Dear eBay Community Member" or

    #Banks
    $message_body: contains "Dear Charter One Customer" or
    $message_body: contains "Dear wamu.com customer" or
    $message_body: contains "Dear valued Citizens Bank member" or
    $message_body: contains "Dear Visa" or
    $message_body: contains "Dear Citibank" or
    $message_body: contains "Citibank Email" or
    $message_body: contains "Dear customer of Chase Bank" or
    $message_body: contains "Dear Bank of America customer" or

    #ISPs
    $message_body: contains "Dear AOL Member" or
    $message_body: contains "Dear AOL Customer"

    )
    then
    logwrite "$tod_log $message_id from $sender_address is phishing"
    seen finish
    endif

    # END
    # All outgoing mail on the server only - what is sent out
    ++++++++++++++++++++++++++++++++++++++++++++++
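As an added illustration, not part of promak's post or of the filter it quotes, the two Content-Type rules above rewritten as Python regexes so you can see exactly which header values they reject. Exim's lowercase `matches` is case-insensitive, hence `re.IGNORECASE`; the sample header values are constructed.

```python
import re

# Extension alternation copied verbatim from the Exim rules above.
EXEC_EXT = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk"
            r"|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# Rule 1: quoted filename  -> name="anything.ext"  ($1 is the quoted name)
QUOTED = re.compile(r'(?:file)?name=("[^"]+\.(?:%s)")' % EXEC_EXT, re.IGNORECASE)
# Rule 2: unquoted filename -> name=token.ext      ($1 is the bare token)
UNQUOTED = re.compile(r'(?:file)?name=(\S+\.(?:%s))' % EXEC_EXT, re.IGNORECASE)

def executable_attachment(content_type):
    """Return what the filter would expose as $1, or None if the header passes.

    Exim's lowercase 'matches' ignores case, so re.IGNORECASE mirrors it:
    'setup.SCR' is caught exactly like 'setup.scr'.
    """
    for rule in (QUOTED, UNQUOTED):          # same order as the filter file
        m = rule.search(content_type)
        if m:
            return m.group(1)
    return None

# Constructed Content-Type values, not taken from real messages.
SAMPLES = [
    'application/octet-stream; name="invoice.pdf.exe"',  # rule 1, rejected
    'application/octet-stream; name=setup.SCR',          # rule 2, rejected
    'application/zip; name="archive.zip"',               # allowed
    'image/jpeg; name="photo.exe.jpg"',  # rule 2 fires on '"photo.exe': \S+ is unanchored
]

if __name__ == "__main__":
    for ct in SAMPLES:
        hit = executable_attachment(ct)
        print(f"{'REJECT' if hit else 'pass  '}  {ct}  ->  {hit}")
```

The body rules further down see only `$message_body`, which Exim fills with the first `message_body_visible` bytes of the body (500 by default), so an attachment declared later in a large message is not examined by them.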
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Just make sure you're not using :blackhole: anywhere and switch them to :fail:
     
  3. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    Also, if you are using one of the standard installations for clam, it is set up to check for all those attachments and filenames. No need to check for them twice.

    I also have this in mine:

    Code:
    # Email filter to block messages with "re [##]" subject
    
    if
    $header_subject: matches "\\N^((?i)re)(\\s|)+\\[([0-9])+\\](:|)\$\\N"
    then
    seen finish
    endif
     
    #3 lloyd_tennison, Jul 5, 2006
    Last edited: Jul 5, 2006
  4. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    Could the whole section on
    Code:
    if ( $received_protocol is "local" or
    $received_protocol is "esmtpa"
    be changed to only allow domains in localdomains? Is that valid in a filter? If so, I think that would prevent having to keep adding to the filter of "bad" domains.
     
    #4 lloyd_tennison, Jul 5, 2006
    Last edited: Jul 5, 2006
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    That antivirus.exim looks familiar ;)

    The filter above checks to make sure the user is authenticated. Why do you want to check localdomains?
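The outgoing rules in the first post only write a log line. As an added example that is not from the thread, here is a small Python triage over the exact `logwrite` format those rules produce, separating the authenticated-sender verdicts ramprage refers to from the inbound keyword hits so a misused local account stands out. The log lines are constructed.

```python
import re
from collections import Counter

# Constructed /var/log/filter.log sample in the exact shape the logwrite lines
# above produce: "$tod_log $message_id from $sender_address <verdict>".
# Line 4 models a bounce, where $sender_address expands to nothing.
SAMPLE_LOG = """\
2006-07-05 09:12:33 1FyA0X-0003Qz-7C from bob@example.com contained spam keywords
2006-07-05 09:14:02 1FyA2A-0003R4-Ie from user17@example.net is fraud
2006-07-05 09:14:05 1FyA2D-0003R9-0b from user17@example.net is phishing
2006-07-05 09:20:41 1FyA8f-0003Sa-Lm from  contained spam keywords
2006-07-05 09:31:10 1FyAIw-0003Tp-4x from user17@example.net is forged fake
garbage line that must be counted as unparsed, not silently dropped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"from (?P<sender>\S*) "
    r"(?P<verdict>contained spam keywords|is fraud|is forged fake|is phishing)$")

# Only the outgoing rules write these, and they fire solely for local or
# authenticated (esmtpa) submissions, so a hit points at a local account.
OUTGOING_VERDICTS = {"is fraud", "is forged fake", "is phishing"}

def parse_filter_log(text):
    """Return (parsed records, count of lines the regex did not recognise)."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["sender"] = rec["sender"] or "<> (bounce)"
        records.append(rec)
    return records, unparsed

def summarize(text):
    """Hits per verdict, plus hits per local sender that tripped an outgoing rule."""
    records, unparsed = parse_filter_log(text)
    by_verdict = Counter(r["verdict"] for r in records)
    local_senders = Counter(r["sender"] for r in records
                            if r["verdict"] in OUTGOING_VERDICTS)
    return by_verdict, local_senders, unparsed

if __name__ == "__main__":
    verdicts, senders, bad = summarize(SAMPLE_LOG)
    print(dict(verdicts), dict(senders), f"{bad} unparsed")
```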
     