The Community Forums

Interact with an entire community of cPanel & WHM users!

Stock Spam Filtering With Antivirus.exim

Discussion in 'General Discussion' started by Un Area, Feb 23, 2007.

  1. Un Area

    Un Area Well-Known Member

    Joined:
    Nov 16, 2006
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    I want to share with you this simple rule that allows you to get rid of stock spam messages (text mode).

    1 - Go to the /var/log folder
    2 - Create a file by running: touch blfilter.log
    3 - Open /etc/antivirus.exim
    4 - Insert the following rule into your antivirus.exim file (it already contains some frequently used stock spam words)

    # Log file for matches: the file created in step 2, opened with mode 0644.
    logfile /var/log/blfilter.log 0644
    # $message_body holds only the first message_body_visible bytes of the raw
    # (undecoded) body, 500 by default, so a token that appears later in a long
    # message is not seen. "contains" is a plain substring test and, like the
    # other lower-case filter tests, compares case-independently.
    if (
    $message_body contains "PHYA" or
    $message_body contains "GTEM" or
    $message_body contains "Cialis" or
    $message_body contains "UTVG" or
    $message_body contains "RRLB" or
    $message_body contains "VTSS" or
    $message_body contains "LYJN" or
    $message_body contains "EPRT" or
    $message_body contains "SFWJ" or
    $message_body contains "FCCN" or
    $message_body contains "HWYI" or
    $message_body contains "probityvc" or
    $message_body contains "HXPN" or
    $message_body contains "WHKA.PK" or
    $message_body contains "VMSI" or
    $message_body contains "HER-2" or
    $message_body contains "BLNM" or
    $message_body contains "VIxAGxRA" or
    $message_body contains "CIxALxIS" or
    $message_body contains "VAxLIxUM" or
    $message_body contains "AMxBIxEN" or
    $message_body contains "SOxMA" or
    $message_body contains "PCAI.PK" or
    $message_body contains "AUNI-OTC-BB" or
    $message_body contains "V1AG_GRA" or
    $message_body contains "Vi_aagra" or
    $message_body contains "AUNI" or
    $message_body contains "Via_zgra" or
    $message_body contains "Viazzgra" or
    $message_body contains "NMXC" or
    $message_body contains "WEXE" or
    $message_body contains "LOMJ" or
    $message_body contains "Good day," or
    $message_body contains "MHII" or
    $message_body contains "UTEV" or
    $message_body contains "ledrx" or
    $message_body contains "Victory Energy Corp." or
    $message_body contains "GDKI" or
    $message_body contains "CBRJ"
    ) then
    # Write one log line: timestamp, From: header and Subject: header.
    logwrite "$tod_log $header_from $header_subject is using a blacklisted word"
    # In a system filter, "seen finish" ends filtering and discards the message.
    seen finish
    endif


    5 - Check your /var/log/blfilter.log file to see the results.

    Tip: the last blacklisted word, in this case $message_body contains "CBRJ", must not have "or" at the end. Always keep the last one without "or".

    Thanks!
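    The body check that the rule above performs, emulated in Python so it can be run against sample messages offline; this is an added example, not code from the thread, and it also returns the token that matched, which later posts in the thread ask about. It assumes Exim's defaults: $message_body holds only the first message_body_visible bytes (500) of the raw body with newlines turned into spaces, and the filter's lower-case `contains` test is case-independent.

```python
"""Emulation of the substring check in the posted antivirus.exim rule."""
from typing import Optional

# Exim default for message_body_visible; assumption that it is not overridden.
MESSAGE_BODY_VISIBLE = 500

# The first few tokens of the posted blacklist, in rule order; extend as needed.
BLACKLIST = ["PHYA", "GTEM", "Cialis", "GDKI", "CBRJ", "Good day,"]


def exim_message_body(raw_message: str) -> str:
    """Return what Exim would expose as $message_body for a raw message."""
    # The body starts after the first blank line; headers are never scanned.
    _headers, _sep, body = raw_message.partition("\n\n")
    body = body[:MESSAGE_BODY_VISIBLE]  # only the visible prefix is checked
    return body.replace("\n", " ")      # Exim turns newlines into spaces


def matched_token(raw_message: str) -> Optional[str]:
    """Return the first blacklisted token found, or None (like `contains`)."""
    body = exim_message_body(raw_message).lower()
    for token in BLACKLIST:
        if token.lower() in body:  # case-independent substring test
            return token
    return None


# Constructed sample messages (not real mail).
PUMP_AND_DUMP = (
    "From: promo@example.invalid\nSubject: Hot pick\n\n"
    "Watch GDKI explode this week! Buy now before the news hits.\n"
)
# Same pitch, but the ticker sits beyond the 500-byte window Exim looks at.
LATE_TICKER = (
    "From: promo@example.invalid\nSubject: Hot pick\n\n"
    + "x " * 300 + "Watch GDKI explode this week!\n"
)
# A legitimate message that opens with one of the listed phrases.
LEGIT_GREETING = (
    "From: customer@example.invalid\nSubject: Invoice question\n\n"
    "Good day, could you resend last month's invoice? Thanks.\n"
)

if __name__ == "__main__":
    for name, raw in (("spam", PUMP_AND_DUMP), ("late ticker", LATE_TICKER),
                      ("legit", LEGIT_GREETING)):
        print(f"{name}: matched {matched_token(raw)!r}")
```

    The second and third samples show the two limits worth knowing before relying on the rule: a token past the visible window is never seen, and a generic phrase such as "Good day," fires on ordinary mail.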
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    These are great entries and will definitely help. In addition, your SpamAssassin and supporting applications, including Pyzor, Razor, DCC, the SA conf file and rules, should be configured and activated to get even better results.
     
  3. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    logwrite "$tod_log $header_from $header_subject is using a blacklisted word"

    Is there a way to print in the log file the word that was filtered?

    Thanks
     
  4. brendanrtg

    brendanrtg Well-Known Member

    Joined:
    Oct 4, 2006
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    What about those with graphical attachments?
     
  5. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    Those are hard to fight, because they insert a GIF file and below it some news text, so the antispam software can't delete it.
    Until a good and stable OCR antispam patch is added to SpamAssassin or other antispam software, there is a crude way to stop them: blocking .gif attachments on the server.
    You can refuse them with a message telling the sender that GIF attachments are not allowed on this server and that they have to send them zipped or rared.
    Of course, let your customers know before you get lots of complaints.

    Thanks.
     
  6. kemis

    kemis Well-Known Member

    Joined:
    Feb 17, 2005
    Messages:
    104
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Georgetown, TX
    I'm loving this idea. Up until now, I just had my own custom SA rule that weeded out the latest stock symbols.

    Two things, though:

    1) I had hoped that this antivirus filter would happen *before* SpamAssassin had a chance to review it. If it worked that way, server load would theoretically decrease since the message wouldn't have to be processed by SpamAssassin. I just implemented this, though, & checked with a simple message containing "GDKI" & noted that the log file showed the subject of my message to already contain the SA "spam" tag, indicating that SA processed it before the antivirus filter did. Any way to get antivirus filter to check & discard *before* SA has to process it?

    2) I found an awesome site today that details ALL the stock symbols targeted by spam & tracks their prevalence: http://www.qwoter.com/spam.php What we need is a script that can capture the symbols from Qwoter's excellent database & auto-add them to a custom antivirus.exim filter! Is this a new idea, or has someone already done something similar?

    THANKS!!!
    Matt
     
  7. bornonline

    bornonline Well-Known Member

    Joined:
    Nov 19, 2004
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    I manage several Ironmail servers and we have had some success filtering stock image spam with this header analysis rule.

    Substring Header Scan for
    6c822ecf

    I have blocked 10637 stock spam emails in the last few days with that.

     
  8. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    How did you set up this type of substring in your filter file?

    Mickalo
     
  9. brendanrtg

    brendanrtg Well-Known Member

    Joined:
    Oct 4, 2006
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    This is probably old news to many users here but we have been googling for solutions to disable attachments completely or to a select mime type but to no avail.

    Care to shed some light, please?
     
  10. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    Question:

    In the rule posted at the top, do you know which is the variable that prints the contained blacklisted word in the log file?

    I tried $message_body but it prints the message source at the log and I only want to print the word that was detected.

    Thanks again
     