Re: [EXIM] filter questions

Author: F. Jacot Guillarmod
Date:  
To: exim-users
Subject: Re: [EXIM] filter questions
Having received lots of helpful replies from this list in the past, it's my turn
to contribute something. My interest in filtering to control spam is fairly
recent. I've been relying on reject lists of one sort or another, but they're a
never-ending battle to keep up to date, and you always seem to be one step
behind. With content filters, one can be pro-active.

>QUESTION 1:


>I am getting some spam where the "from" and "to" are identical, as in the
>following:


>From:        ney47@??? (Stickems)
>To:          ney47@???
>Subject:     GET 3 BILL CLINTON BUMPER STICKERS FOR ONLY $5.00
>Date:        Fri, 3 Apr 1998 08:48:12 -0800


>I want to create a filter that kills these spams, by tracking whether the
>"from" is included in the "to" or vice versa. I'm getting more and more of
>these in.


I've found filtering on this criterion alone problematic, because a surprising
number of local users forward or resend to themselves from different accounts
or using POP. Either that, or I'm misunderstanding what the structure
of a locally resent or forwarded message looks like.

>The relevant full header in my /var/spool/mail/jmshack file is:


>>From ney47@??? Fri Apr 03 11:28:16 1998
>Return-path: <ney47@???>
>Envelope-to: jmshack@???
>Delivery-date: Fri, 3 Apr 1998 11:28:16 -0600
>Received: from ...
>Date: Fri, 3 Apr 1998 08:48:12 -0800
>To: ney47@???
>From: ney47@??? (Stickems)
>Comments: Authenticated sender is <ney47@???>
>Subject: GET 3 BILL CLINTON BUMPER STICKERS FOR ONLY $5.00
>Message-Id: <199804032128YAA13937@???>
>Status: RO
>X-Status:
>X-UID: 614


There's a "better" way to kill this particular example - the
"Authenticated sender" is a dead giveaway of spam. If you exclude
stuff sent by Pegasus, apparently nothing else "legitimate" inserts this
type of information into the headers of a message. Similarly with an
"X-UIDL" header...

Here are four checks installed in our system-wide filter that knock out
a lot of otherwise hard-to-detect rubbish - and would handle the above
example. The most interesting one is the hotmail.com "validity check".

# ===========================================================================
# authenticated sender, but not from pegasus
#-------------------------------------------
elif "$h_comments" contains "authenticated sender" and
     "$h_x-mailer" does not contain "pegasus" then


    log "$tod_log $message_id SPAMAUTHS: sender=$sender_address \
     subject=$header_subject: recipients_count=$recipients_count \
     recipients=$recipients"
    save /usr/local/lib/mail/spam


# claims to be from hotmail.com
#------------------------------
elif "$h_from" contains "hotmail.com" and
     "${if !def:header_x-originating-ip {nospam}}" is nospam then


    log "$tod_log $message_id SPAMHOTMAIL: sender=$sender_address \
     subject=$header_subject: recipients_count=$recipients_count \
     recipients=$recipients"
    save /usr/local/lib/mail/spam


# claims to be from juno.com
#------------------------------
elif "$h_from" contains "juno.com" and
     "${if def:header_x-mailer {juno} {spam}}" is spam then


    log "$tod_log $message_id SPAMJUNO: sender=$sender_address \
     subject=$header_subject: recipients_count=$recipients_count \
     recipients=$recipients"
    save /usr/local/lib/mail/spam


# spam X-UIDL header found
# ------------------------
elif "${if def:header_x-uidl {spam}}" is spam then

    log "$tod_log $message_id SPAM-X-UIDL: sender=$sender_address \
     subject=$header_subject: recipients_count=$recipients_count \
     recipients=$recipients"
    save /usr/local/lib/mail/spam
# ===========================================================================


>I've written this filter command:


>if $sender_address_local_part contains $local_part or $local_part
>contains $sender_address_local_part
>then
> seen finish
>endif


>Is this close? If not, could someone please let me know which variables to use
>to accomplish this? Thanks


The following rule seems to work (but I don't use it, for reasons detailed above):

# either To: is contained in From: or there is no To: line
# --------------------------------------------------------
elif $h_from contains $h_to then

     log "$tod_log $message_id SPAM-TOEQFRM: sender=$sender_address \
      subject=$header_subject: recipients_count=$recipients_count \
      recipients=$recipients"
     save /usr/local/lib/mail/spam
# --------------------------------------------------------


>QUESTION 3:


>Is there any place where I could get "sample" .forward filters? I have read
>the filter documentation, and while there are some good examples in there, I
>would appreciate being able to see more extensive examples of what can be done
>with a .forward filter. I'm new to this, so it's not intuitive. If there is a
>place to go, I'd like to know about it. If not, if anyone wishes to "forward
>their .forward" file to me (barring any security concerns, of course), I'd
>appreciate seeing what others have done, ESPECIALLY in the domain of spam
>control, which is why I'm running exim.


Here are parts of my personal .forward file - I'm relying on the system-wide exim
configs to zap spam, and only do the old-fashioned stuff to whatever gets
through:

#==========================================================================
# Exim filter            <<== do not edit or remove this line


if error_message then finish endif

logfile $home/eximfilter.log

# Mail from support system
if $header_subject contains "[Help #"
then
  save $home/Mail/in.support

# Mail from squid mailing list to local newsgroup
elif $header_subject contains "squid-users-digest"
then
  deliver "<ru-list-squid@???>"

# Mail from exim-users mailing list to local newsgroup
elif $return_path contains "exim-users-request"
then
  deliver "<ru-list-exim-users@???>"
# the if/elif chain above needs its own endif before the next if,
# otherwise exim reports a missing endif when it parses the filter
endif

# Stuff to be thrown away
if $header_subject contains "Warning From uucp"
then
  seen finish
endif

#==========================================================================

Hope these help? I'm sure there are more cunning uses of filters, and I look
forward to seeing some!

The basics of our system-wide filter are adapted from the information posted to
this list a while back by Ephraim Silverberg, and combined with a list of non-
exim filtering criteria that I picked up from a URL that escapes me for the
moment... but could be tracked down when I'm at work, if anyone is interested.

========================================================
>From ru.list.exim-users Sun Mar 22 13:24:24 1998

Path: quagga.ru.ac.za!exim.org!exim-users-request!already-seen-ignore
Date: Tue, 17 Feb 1998 12:55:55 +0200 (IST)
From: ephraim@??? (Ephraim Silverberg)
Message-ID: <Pine.SGI.3.91-heb-2.05.980217110725.9270A-100000@???>
Subject: [EXIM] example spam-catching system message filter
Newsgroups: ru.list.exim-users
Approved: usenet@???
Organization: Rhodes University mail -> news gateway
Lines: 53

We're using Exim 1.82 and have written a message filter to intercept spam
messages that RBL doesn't catch. Since we have met with reasonable success
since installing (and refining) the filter -- 566 genuine spam messages
intercepted during a time period where there were 67 RBL rejections -- I
thought that the rest of the list may be interested in reviewing our filter
as a starting point for their own system message filter.

[...]


The sample filter package is at ftp://ftp.cs.huji.ac.il/pub/exim/spam_filter/

Comments and suggestions are welcome.

N.B. When testing with 'exim -bf' you will get

    Filter error: [...] : unknown variable: recipients


     every time something is flagged as suspected spam
     so one can just ignore the error message.
___________________________________________________________________________
Ephraim Silverberg, CS System Group,          Phone number:   972-2-6585521
Hebrew University, Jerusalem, Israel.         Fax number:     972-2-6585439
WWW: http://www.cs.huji.ac.il/~ephraim        E-mail: ephraim@???


--
*** Exim information can be found at http://www.exim.org/ ***
========================================================

Regards,
--
F.F. Jacot Guillarmod - Information Technology - Rhodes University - Grahamstown
    Internet: Jacot@???  Phone: +27 46 303 8284  Fax: +27 46 622 7764
   The views expressed above are not necessarily those of Rhodes University
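The header checks from the message above (the four system-wide rules and the To:-contained-in-From: rule), re-implemented as an added Python example that is not part of the original post and is not Exim filter code. It uses the standard `email` module, evaluates every rule rather than stopping at the first match as the `elif` chain does, and includes a self-forwarded message to show the false positive the poster warns about for the To:/From: rule. All addresses, header values and sample messages are constructed for this example; the rule tags are the ones the Exim filter writes to its log.

```python
"""Header-based spam heuristics from the Exim filter, re-implemented in Python.

Added example, not Exim code and not from the original post.  Every sample
message below is constructed for this example.
"""
from email import message_from_string
from typing import List


def classify(raw_message: str) -> List[str]:
    """Return the tag of every rule that fires for a raw RFC 822 message.

    The Exim filter is an elif chain, so only its first matching rule acts;
    here every rule is evaluated so overlaps are visible.  Lower-case
    ``contains`` in an Exim filter is case-independent, which .lower() mirrors.
    """
    msg = message_from_string(raw_message)

    def header(name: str) -> str:
        value = msg.get(name)
        return "" if value is None else str(value)

    tags: List[str] = []
    from_hdr = header("From").lower()
    to_hdr = header("To").lower()

    # "Authenticated sender is ..." in Comments:, unless Pegasus Mail put it there.
    if ("authenticated sender" in header("Comments").lower()
            and "pegasus" not in header("X-Mailer").lower()):
        tags.append("SPAMAUTHS")

    # Claims hotmail.com origin but lacks the X-Originating-IP: header Hotmail adds.
    if "hotmail.com" in from_hdr and msg.get("X-Originating-IP") is None:
        tags.append("SPAMHOTMAIL")

    # Claims juno.com origin but lacks the X-Mailer: header Juno's client adds.
    if "juno.com" in from_hdr and msg.get("X-Mailer") is None:
        tags.append("SPAMJUNO")

    # X-UIDL: is POP mailbox bookkeeping; it has no business on mail in transit.
    if msg.get("X-UIDL") is not None:
        tags.append("SPAM-X-UIDL")

    # "$h_from contains $h_to": also true when To: is absent, because the empty
    # string is contained in any string (same as the Exim test).
    if to_hdr.strip() in from_hdr:
        tags.append("SPAM-TOEQFRM")

    return tags


# Constructed samples (headers only matter; bodies are filler).
SPAM_STICKERS = """\
From: ney47@example.com (Stickems)
To: ney47@example.com
Comments: Authenticated sender is <ney47@example.com>
Subject: GET 3 BILL CLINTON BUMPER STICKERS FOR ONLY $5.00

Send $5 to ...
"""

PEGASUS_USER = """\
From: alice@example.org
To: bob@example.org
X-Mailer: Pegasus Mail for Win32
Comments: Authenticated sender is <alice@example.org>
Subject: minutes

Attached.
"""

HOTMAIL_OK = """\
From: carol@hotmail.com
To: bob@example.org
X-Originating-IP: [203.0.113.5]
Subject: hello

Hi.
"""

HOTMAIL_FORGED = """\
From: deals@hotmail.com
To: bob@example.org
Subject: make money fast

Click here.
"""

SELF_FORWARD = """\
From: alice@example.org
To: alice@example.org
Subject: Fwd: minutes (resent to myself from my POP account)

Attached.
"""

UIDL_SPAM = """\
From: promo@example.net
To: bob@example.org
X-UIDL: 614
Subject: special offer

Buy now.
"""

NO_TO_HEADER = """\
From: promo@example.net
Subject: special offer

Buy now.
"""

if __name__ == "__main__":
    samples = [("stickers", SPAM_STICKERS), ("pegasus", PEGASUS_USER),
               ("hotmail ok", HOTMAIL_OK), ("hotmail forged", HOTMAIL_FORGED),
               ("self-forward", SELF_FORWARD), ("x-uidl", UIDL_SPAM),
               ("no To:", NO_TO_HEADER)]
    for name, raw in samples:
        print(f"{name:15} -> {classify(raw) or ['clean']}")
```

Run stand-alone it prints which tags each constructed message triggers; the self-forward and the missing-To: cases both light up SPAM-TOEQFRM, which is exactly why that rule is risky as a sole criterion.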

