
Matthew B-M: Mailfilter: Full Version


(Please note: the regexps and spamtraps shown on this version of the page are different from the ones I use for my own personal email, and I strongly recommend that you don't use the ones here.)

In order to get this to work, you will need to create the following directory and (initially empty) list files:

 $ mkdir ~/mailfilter
 $ touch ~/mailfilter/black.list
 $ touch ~/mailfilter/black.domains
 $ touch ~/mailfilter/black.servers
 $ touch ~/mailfilter/grey.servers
 $ touch ~/mailfilter/use.once

You will also need to have created the following bounce-message files:

  • ~/mailfilter/bl-bounce
    Sender already blacklisted
  • ~/mailfilter/bld-bounce
    Sender domain already blacklisted
  • ~/mailfilter/blh-bounce
    Host already blacklisted
  • ~/mailfilter/used-bounce
    Reuse of a one-use address
  • ~/mailfilter/spam-bounce
    Sender has sent to bait address and been blacklisted
  • ~/mailfilter/rbl-bounce
    Host listed on an RBL type list: you may want to include $header_X-RBL-Warning in the mail.
  • ~/mailfilter/time-bounce
    Time-limited address no longer valid
  • ~/mailfilter/score-bounce
    Message failed score checking
If you just want the mail filter in text format, you can click here.
# Exim filter

# Two unconditional pass-throughs, tested before any list lookup or scoring:
# delivery failure reports (error_message) and mail addressed to postmaster.
# "finish" ends filtering with no action taken, so the message is delivered
# normally and none of the auto-replies below is ever sent in answer to a
# delivery failure report.
# NOTE(review): both exits also skip every blacklist and the scoring, so
# anything that arrives as a delivery failure report, or is addressed to
# postmaster, is never checked by this filter.
if error_message or
	$original_local_part is postmaster
	then
	finish
endif

# Host blacklist: the connecting IP address is looked up in black.servers.
# An entry with the value "black" gets the blh-bounce text mailed back, the
# rejection is logged, and filtering stops; "seen" marks the message as
# dealt with, so it is not delivered.
# NOTE(review): the reply (with the original message attached by "return
# message") goes to $return_path, which is whatever envelope sender the
# remote side supplied. When that address is forged the reply lands on an
# uninvolved third party (backscatter); refusing the message at SMTP time,
# where the MTA configuration allows it, avoids generating a reply at all.
# NOTE(review): mode 0644 makes reject.log world-readable if this command is
# the one that creates it, and the log records who mailed which address.
if "${lookup{$sender_host_address} lsearch {$home/mailfilter/black.servers}{$value}}" is "black" then
	seen mail
		expand file $home/mailfilter/blh-bounce
		to $return_path
		return message
		subject "Returned mail: blacklisted"
	logfile $home/mailfilter/reject.log 0644
	logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: host already blacklisted"
	finish
endif

# Sender-domain blacklist: the domain part of the lower-cased envelope
# sender is looked up in black.domains. A "black" entry gets the bld-bounce
# reply, the rejection is logged, and the message is dropped.
# Every hit also moves the connecting host one step along grey -> black:
# a host with no entry in grey.servers is added there as "grey"; a host
# already listed as "grey" is added to black.servers as "black".
# NOTE(review): the domain tested here comes from the envelope sender, which
# the remote side chooses, yet the penalty is applied to the connecting
# host. The reply to $return_path has the same forged-sender (backscatter)
# exposure.
# NOTE(review): the host lists are written as "key: value" lines and read
# back with lsearch; confirm how a key that itself contains a colon (an IPv6
# $sender_host_address, for example) is handled before relying on them.
if "${lookup{${domain:${lc:$sender_address}}} lsearch {$home/mailfilter/black.domains}{$value}}" is "black" then
	seen mail expand file $home/mailfilter/bld-bounce
		to $return_path return message
		subject "Returned mail: blacklisted domain"
	logfile $home/mailfilter/reject.log 0644
	logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: already blacklisted"
	if "${lookup{$sender_host_address} lsearch {$home/mailfilter/grey.servers}{$value}}" is "grey" then
		# Already grey: record the escalation in reject.log first, then
		# switch the log target to black.servers and append the host.
		logwrite "[$tod_log] *** [$sender_host_address]: blacklisted host"
		logfile $home/mailfilter/black.servers 0644
		logwrite "$sender_host_address: black"
	elif "${lookup{$sender_host_address} lsearch {$home/mailfilter/grey.servers}{$value}}" is "" then
		# Not seen before: append the host to grey.servers.
		logfile $home/mailfilter/grey.servers 0644
		logwrite "$sender_host_address: grey"
	endif
	finish
endif

# Sender blacklist: the lower-cased envelope sender is looked up in
# black.list. A "black" entry gets the bl-bounce reply, the rejection is
# logged, and the message is dropped.
# The connecting host is then escalated: no entry in grey.servers -> add it
# as "grey"; already "grey" -> add it to black.servers as "black".
# NOTE(review): black.list is keyed on an address the remote side supplies,
# so a match says nothing about who really sent the message, and the reply
# to $return_path can reach a forged address (backscatter).
if "${lookup{${lc:$sender_address}} lsearch {$home/mailfilter/black.list}{$value}}" is "black" then
	seen mail expand file $home/mailfilter/bl-bounce
		to $return_path return message
		subject "Returned mail: blacklisted"
	logfile $home/mailfilter/reject.log 0644
	logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: already blacklisted"
	if "${lookup{$sender_host_address} lsearch {$home/mailfilter/grey.servers}{$value}}" is "grey" then
		# The escalation line goes to reject.log before the log target
		# changes to black.servers.
		logwrite "[$tod_log] *** [$sender_host_address]: blacklisted host"
		logfile $home/mailfilter/black.servers 0644
		logwrite "$sender_host_address: black"
	elif "${lookup{$sender_host_address} lsearch {$home/mailfilter/grey.servers}{$value}}" is "" then
		logfile $home/mailfilter/grey.servers 0644
		logwrite "$sender_host_address: grey"
	endif
	finish
endif

# Single-use addresses, enforcement half. The lower-cased local part is split
# into a base ($1) and an optional "-suffix"; the base is looked up in
# use.once, and an entry with the value "used" means the address has already
# received mail once. The message is then answered with used-bounce, logged,
# and dropped.
# Entries are appended to use.once by the "use-once address" rule further
# down this file, which runs only for messages that get past this check, so
# the first message to such an address is delivered and later ones bounce.
# NOTE(review): the reply goes to $return_path, which is supplied by the
# remote side; a forged sender turns this bounce into backscatter.
if ( ${lc:$original_local_part} matches "^(.*?)(-[a-z0-9-+=]*)?\\\$" )
	then
	if ("${lookup{${lc:$1}} lsearch {$home/mailfilter/use.once}{$value}}" is "used")
		then
		seen mail expand file $home/mailfilter/used-bounce
			to $return_path return message
			subject "Returned mail: address no longer valid"
		logfile $home/mailfilter/reject.log 0644
		logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: reuse of a single-use address"
		finish
	endif
endif

# Spam-bait addresses: mail to "spamdump", or to a local part matching the
# bait pattern, blacklists the envelope sender and marks the connecting
# server grey (first time) or black (already grey).
# NOTE(review): the address appended to black.list is the envelope sender,
# which the remote side chooses. A single message to a bait address is enough
# to blacklist whatever address it names, including a legitimate
# correspondent's, so black.list needs periodic review and a way to remove
# entries.
# NOTE(review): the sender address is written unquoted as the key of a
# "key: value" line that lsearch reads back; confirm how addresses containing
# characters that lsearch treats as key terminators are handled.
# NOTE(review): the spam-bounce reply goes to that same unverified address.
if ( ${lc:$original_local_part} is "spamdump" or
	${lc:$original_local_part} matches ^\\d?[a-z]{3}\\d+(-[a-z0-9+=-]*)?\$)
	then
	seen mail expand file $home/mailfilter/spam-bounce
		to $return_path return message
		subject "Returned mail: blacklisted"
	# Statement order matters from here on: each logwrite goes to whichever
	# file the most recent logfile command named.
	logfile $home/mailfilter/black.list 0644
	logwrite "${lc:$sender_address}: black"
	logfile $home/mailfilter/reject.log 0644
	logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: blacklisted"
	if("${lookup{$sender_host_address} lsearch {$home/mailfilter/grey.servers}{$value}}" is "grey")
		then
		# Host already grey: note the escalation in reject.log, then append
		# it to black.servers.
		logwrite "[$tod_log] *** [$sender_host_address]: blacklisted host"
		logfile $home/mailfilter/black.servers 0644
		logwrite "$sender_host_address: black"
	else
		# Host has no grey.servers entry yet: add it as grey.
		if("${lookup{$sender_host_address} lsearch {$home/mailfilter/grey.servers}{$value}}" is "")
		then
			logfile $home/mailfilter/grey.servers 0644
			logwrite "$sender_host_address: grey"
		endif
	endif
	finish
endif

# Open-relay (RBL) warnings: a message whose X-RBL-Warning header mentions
# mail-abuse.org is answered with rbl-bounce, logged, and dropped.
# A connecting host already listed as "grey" is promoted to black.servers;
# unlike the other rules, this one never adds a new host to grey.servers.
# NOTE(review): presumably the header is added by the receiving MTA's RBL
# check - confirm that a copy supplied by the sender cannot reach this test.
# The reply to $return_path has the usual forged-sender (backscatter)
# exposure.
if $header_X-RBL-Warning contains "mail-abuse.org" then
	seen mail expand file $home/mailfilter/rbl-bounce
		to $return_path return message
		subject "Returned mail: blacklisted"
	logfile $home/mailfilter/reject.log 0644
	# The header test above has already succeeded, so the log line is
	# written unconditionally.
	logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: on rbl (MAPS ONLY)"
	if "${lookup{$sender_host_address} lsearch {$home/mailfilter/grey.servers}{$value}}" is "grey" then
		logwrite "[$tod_log] *** [$sender_host_address]: blacklisted host"
		logfile $home/mailfilter/black.servers 0644
		logwrite "$sender_host_address: black"
	endif
	finish
endif

# Single-use addresses, recording half: a local part of the use-once shape is
# delivered as normal (no "seen", no "finish"), but its base ($1, without
# any "-suffix") is appended to use.once as "used". The lookup near the top
# of this file then bounces any later message to the same base.
# NOTE(review): the pattern starts with "^(^"; the second "^" is redundant.
# NOTE(review): mode 0644 leaves the list of consumed addresses
# world-readable if this command creates the file.
if ( ${lc:$original_local_part} matches ^(^[a-z]{2}\\d{2}[a-z]{3}\\d{2})(-[a-z0-9+=-]*)?\$)
	then
	logfile $home/mailfilter/use.once 0644
	logwrite "${lc:$1}: used"
endif

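# Time-limited addresses: the local part encodes an expiry date, and mail
# arriving after that date is bounced with time-bounce.
#
# n1/n2/n3 hold today's year/month/day, parsed from $tod_log. They stay at 0
# if the parse fails.
add 0 to n1
add 0 to n2
add 0 to n3

# The day is captured with \d+ (after 0* strips a leading zero). With a
# single \d the pattern could not match a two-digit day, so from the 10th of
# each month onward n1-n3 stayed 0 and no address was ever treated as
# expired.
if ( $tod_log matches "^(\\\\d{4})-0*(\\\\d+)-0*(\\\\d+)\\\\s" ) then
	add $1 to n1
	add $2 to n2
	add $3 to n3
endif

# Decode the expiry date from the local part: $2 + 1977 is the year (n4),
# $3 - 52 the month (n5) and $1 - 9 the day (n6).
# NOTE(review): this pattern is kept exactly as published. After string
# expansion it appears to contain "$0" references and a "$" in mid-pattern,
# and the page says its regexps differ from the ones the author really uses;
# check it against your own address scheme before relying on it.
if ( ${lc:$original_local_part} matches "^\\\\$0*(\\\\d+)\\\\$0*(\\\\d+)[a-z]0*(\\\\d+)\\\\d\\$(-[a-z0-9-+=]*)?\\\$" ) then
	add $1 to n6
	add $2 to n4
	add $3 to n5
	add 1977 to n4
	add -52 to n5
	add -9 to n6
	# Expired when today is later than the decoded date (year, then month,
	# then day), or when any decoded field is below 1, i.e. the encoded date
	# is malformed.
	# NOTE(review): this check fails open. If today's date was not parsed,
	# n1 is 0 and none of the "later than" tests can succeed, so the address
	# is accepted.
	if ( ( $n1 is above $n4 ) or
		( $n1 is $n4 and $n2 is above $n5 ) or
		( $n1 is $n4 and $n2 is $n5 and $n3 is above $n6 ) or
		( $n4 is below 1 or $n5 is below 1 or $n6 is below 1 ) )
		then
		seen mail expand file $home/mailfilter/time-bounce
			to $return_path return message
			subject "Returned mail: address no longer valid"
		logfile $home/mailfilter/reject.log 0644
		logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: address timed out (expired $n4-$n5-$n6)"
		finish
	endif
endif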


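# Scoring: each heuristic below adds points to n9, and a total of 100 or more
# gets the message rejected. These are patterns the author does not tend to
# see in legitimate mail.
#
# Rule: an HTML mailto: link whose address is neither the return path nor the
# envelope sender (+60).
# Changes from the published rule, which could not work as written:
#   - "{$lc:...}" was a malformed expansion (presumably an expansion error
#     whenever it was evaluated) and is now "${lc:...}";
#   - the closing quote is matched with the regex back-reference \1, written
#     \\\\1 inside a quoted, expanded string, instead of "\$1", which expands
#     to whatever an earlier match left in $1;
#   - each side of the "@" may now be longer than one character.
if( ${lc:$message_body} matches "a\\\\shref=(['\"])mailto:([^@]+@[^@]+?)\\\\1" and
	$2 is not ${lc:$return_path} and $2 is not ${lc:$sender_address})
	then
	add 60 to n9
endif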

# Content and header heuristics. Each rule that matches adds its points to
# n9; nothing is rejected here, the total is tested after the last rule.
# NOTE(review): several pairs of rules reach the reject threshold on their
# own (for example an HTML body, +60, from a host whose name contains "ppp",
# +50), so false positives are likely, and a rejection generates a reply to
# an unverified sender address.
# NOTE(review): $message_body presumably holds only the beginning of the
# body (Exim limits how much it exposes), so text further down a long message
# is not examined - confirm against the MTA configuration.

# HTML body.
if (${lc:$message_body} matches "<html>")
	then
	add 60 to n9
endif

# Script tag in the body.
if (${lc:$message_body} matches "<script")
	then
	add 90 to n9
endif

# "check(s) payable to ... for $<amount>".
if (${lc:$message_body} matches "checks?\\\\spayable\\\\sto.*for \\\\\\$\\\\d+")
	then
	add 90 to n9
endif

# Generic salutation; unlike the other body rules this one is tested against
# the body without lower-casing it first.
if($message_body matches "Dear Friend,")
	then
	add 80 to n9
endif

# Subject ending in four or more whitespace characters followed by a number,
# optionally in parentheses.
if(${lc:$header_subject} matches "\\\\s\\\\s\\\\s\\\\s+(\\\\(\\\\d+\\\\)|\\\\d+)\\\$")
	then
	add 40 to n9
endif

# "friend@" in To: or From:.
if(${lc:$header_to} matches "friend@" or ${lc:$header_from} matches "friend@")
	then
	add 90 to n9
endif

# To: at public.com. NOTE(review): the "." is not escaped, so it matches any
# character in that position.
if(${lc:$header_to} matches "@public.com")
	then
	add 90 to n9
endif

# Messages that protest that they are not spam or junk mail.
if(${lc:$message_body} matches "not spam" or ${lc:$message_body} matches "spam free")
	then
	add 80 to n9
endif

if(${lc:$message_body} matches "not junk mail")
	then
	add 80 to n9
endif

if(${lc:$message_body} matches "university diploma")
	then
	add 80 to n9
endif

# No domain could be extracted from the To: header.
if(${domain:${lc:$header_to}} is "")
	then
	add 30 to n9
endif

# Envelope sender at one of the listed free-mail providers with a digit in
# the local part; $1 is the local part captured by the first test.
if(${lc:$sender_address} matches "([a-z\\\\d]+)@(lycos|hotmail|aol|yahoo|msn)\\\\.co(\\\\..*|m)" and
	$1 matches \\d)
	then
	add 40 to n9
endif

# Two or more consecutive dollar signs in the subject.
if($header_subject matches \\\$\\\$+)
	then
	add 50 to n9
endif

# Sending host's name looks like a dial-up connection.
if(${lc:$sender_host_name} matches "ppp" or ${lc:$sender_host_name} matches "dial-?up")
	then
	add 50 to n9
endif

# Final verdict: a score of 100 or more (n9 above 99) gets the score-bounce
# reply, a line in reject.log, and the message is dropped. Anything scoring
# lower falls off the end of the filter and is delivered normally.
# NOTE(review): the reply goes to $return_path, which the remote side
# supplies; for the kind of mail these heuristics target that address is
# often not the real sender's, so rejections here can become backscatter.
if $n9 is above 99 then
	seen mail expand file $home/mailfilter/score-bounce
		to $return_path return message
		subject "Returned mail: failed score checking"
	logfile $home/mailfilter/reject.log 0644
	logwrite "[$tod_log] ${lc:$sender_address} [$sender_host_address] -> ${lc:$original_local_part}@${lc:$original_domain}: score failure"
	finish
endif



This page last modified on Monday, 05-Feb-2018 19:43:34 UTC
Contact <webmaster@colondot.net> for more information about this site, or <plunder@colondot.net> if you want not to be able to send any more mail to this machine.