Re: [Exim] Exim Spam Filter Example

Author: P Kirk
Date:
To: Marc Perkel
CC: exim-users
Subject: Re: [Exim] Exim Spam Filter Example
Here's mine based on a very clever scoring system by MBM.

It has two weaknesses:

1. Chinese spam always gets through and I seem to be on a Taiwan-based
spam list. I need to find a way to block "charset=BIG5".

2. Sometimes stuff gets through because it is delivered but has nothing
that gets caught by the filter. I would love to find a way to say at
the end of .forward, "anything not processed so far must be spam".
Procmail does this with the DEFAULT=~/dir setting in .procmailrc.

The good thing is the scoring system allows you to filter out html spam
from yahoo accounts while receiving mail from clients who use yahoo
web-mail.

Patrick


# Exim filter
# Error trapping
if error_message then finish endif



# Scoring spam filters
# Each test adds to the numeric variable n9; the total decides at the end.
# Backslashes: a double-quoted string is de-quoted and then expanded, so a
# regex backslash is written \\\\ inside quotes and \\ outside them.

# Note - this is based on http

# Step 1
# Things that are definitely spam because it's either
# a spam trap mailbox or because they keep sending me unwanted mail.

if ${lc:$h_To:} matches "pkirk"
or ${lc:$h_To:} matches "pkgames"
or $h_To: matches "inbox@???"
or ${lc:$h_To:} matches "friend"    # Not your friend
or ${lc:$h_From:} matches "friend"    # Not my friend
or $message_body matches "Dear Friend," # Sickening
or $h_From: contains "wotch.com"    # Just won't go away
or $h_subject: contains "ADV "
or $h_subject: contains "[ADV]"
or $h_subject: contains "ADV:"
then
    add 1100 to n9
endif



# Step 2
# Things that are often spam. It's 2 strikes and you're out
# on this list

if $h_subject: contains "Viagra"    # Real men don't need it
or ($h_Subject: matches \\\$\\\$+)    # No dollars for me (unquoted: expands to regex \$\$+)
or $h_subject: contains "Card"    # Credit card scams
or $h_subject: contains "Weight loss Offer" # Fat is a sign of maturity
or $h_subject: contains "Lowest Mortgage Rates"    # Got my mortgage
or $h_subject: contains "Free Pics"        # Avoid RSI today
# Score the mail
then
    add 62 to n9    # 62 might be too high?
endif




if (${lc:$message_body} matches "<script")    # javascript mail
then add 62 to n9 endif


if ${lc:$message_body_end} matches "to be removed"    # amazing this works
then add 62 to n9 endif

if ${lc:$message_body} matches "not junk mail"    # Trust me
then add 62 to n9 endif


if ${lc:$message_body} matches "spam free" # Nothing is free
then add 62 to n9 endif

# If we find a "mailto:" link for which the address is not
# the same as the sender address or return path.
# $1 is the quote character, $2 the address. The back-reference to the
# quote must reach the regex as \1, so it is written \\\\1 in quotes
# (the old \$1 expanded to an Exim variable, not a back-reference).
if (${lc:$message_body} matches "a\\\\shref=(['\"])mailto:([^@]+@[^@]+)\\\\1"
and $2 is not ${lc:$return_path}
and $2 is not ${lc:$sender_address})
# Score the mail
then
    add 62 to n9
endif



# Step 3
# There are a lot of legitimate users of hotmail and
# of html mail. There are other indications that hint
# at spam but are not conclusive.
# So it's now 3 strikes and you're out

# Free-mail sender whose local part ($1) contains a digit
if (${lc:$sender_address} matches
    "([a-z\\\\d]+)@(lycos|hotmail|aol|yahoo|msn)\\\\.co(\\\\..*|m)"
    and $1 matches \\d)
then
    add 41 to n9
endif


if (${lc:$message_body} matches "<html>")        # html mail
then
    add 41 to n9
endif


# If the To: box is empty, that's suspicious
if (${domain:${lc:$h_To:}} is "")
then
    add 41 to n9
endif


# A lot of spams seem to have a subject which has a number
# (possibly in brackets) at the right-hand side; this is
# designed to catch this. (The empty To: case is already scored above.)
if (${lc:$h_Subject:} matches "\\\\s\\\\s\\\\s\\\\s+(\\\\(\\\\d+\\\\)|\\\\d+)\\\$")
then
    add 41 to n9
endif

# Now neatly put all the spam in its own special
# mailbox and log what's happened

if ($n9 is above 99)
then
    save $home/mail/junkmail
    logfile $home/mail/.spam 0644
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: Filtered spam"
    finish
endif


# Set up logging for non-spam emails

logfile $home/mail/.mail 0644 # ... so i can still "mailstat ~/mail/.mail"

# Allow postmaster access
if $original_local_part is postmaster
    then save $home/mail/enterprise-hr.com
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: Postmaster"
endif



# All that pesty useful info from root and cron...
if $h_From: contains "root"
    then save $home/mail/rootmail
    logwrite "[$tod_log] $n9: Root message"
endif


if $h_Sender: contains "exim-users-admin@???"
    then save $home/mail/lists
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: Exim User"

# Getting the speedtouch modem working under Linux
elif $h_To:,$h_Cc:,$h_From: contains "speedtouch"
    then save $home/mail/enterprise-hr.com
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:}: Speedtouch"

# Linux from Scratch
elif $h_Reply-To: contains "lfs-"
    then save $home/mail/lfs
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:}: LFS"

# Debian - of course
elif $h_To:,$h_Cc:,$h_From: contains "debian-user"
    then save $home/mail/lists
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: Debian User"

# Deliveries to my enterprise-hr.com domain
elif $h_To:,$h_Cc: contains "patrick@???"
    then save $home/mail/enterprise-hr.com
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: enterprise-hr.com"
endif

# Deliveries to my kirks.net domain
if $h_To:,$h_Cc: contains "patrick@???"
    then save $home/mail/kirks.net
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: kirks.net"
endif
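Both gaps Patrick lists have direct answers in the Exim filter language. The fragment below is an added example, not part of the original post: it folds a Big5 charset test into the same n9 score and adds a Procmail-style DEFAULT using Exim's delivered condition, which is true once a save, deliver or pipe command earlier in the filter has set up a delivery. The junkmail path, the .spam/.mail log files and the 99 threshold are taken from Patrick's filter; the mailbox name "unmatched" and the placement of his remaining rules at the placeholder comments are assumptions.

```exim
# Exim filter
# Added example, not Patrick's code: the two gaps from his message, using the
# same n9 score, the same mailbox paths and the same 99 threshold.

if error_message then finish endif

# Gap 1: mail declaring a Big5 charset. A single-part message carries the
# charset in Content-Type:; in multipart mail it sits on the inner part
# headers, which are part of $message_body. Scored like a spam-trap hit.
if ${lc:$h_content-type:} contains "charset=big5"
or ${lc:$h_content-type:} contains "charset=\"big5\""
or ${lc:$message_body} contains "charset=big5"
or ${lc:$message_body} contains "charset=\"big5\""
then
    add 1100 to n9
endif

# ... the rest of the scoring rules go here, unchanged ...

if $n9 is above 99 then
    save $home/mail/junkmail
    logfile $home/mail/.spam 0644
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: Filtered spam"
    finish
endif

logfile $home/mail/.mail 0644

# ... the per-list and per-domain "save" commands go here, unchanged ...

# Gap 2: Procmail's DEFAULT. "delivered" is true once a save, deliver or pipe
# command earlier in this filter has set up a delivery, so anything that
# reached this point without matching a mailbox rule is filed in a separate
# box ("unmatched" is an assumed name) instead of landing in the inbox.
# This must stay the last command, after every save above it.
if not delivered then
    save $home/mail/unmatched
    logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n9: Unmatched, defaulted"
endif
```

Genuine mail from a new correspondent also matches no rule, so a reviewed "unmatched" box is safer than saving straight to junkmail; the n9 value in the log line shows how close each defaulted message came to the threshold.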