[exim] New Successful Spam Filter Rule

Startseite
Nachricht löschen
Nachricht beantworten
Autor: curtis
Datum:  
To: exim-users
Betreff: [exim] New Successful Spam Filter Rule
Howdy!

I am fairly new to EXIM rule syntax and still have a lot to learn.

Lately I have noticed a new rash of spams getting through spamassassin so I
have been adding rules to my "cpanel_exim_system_filter_custom" file and it
has grown quite large. I know I am fighting a losing battle mostly but I did
add some rules lately that have caught more spam than all the others
combined and I would like to share them.

I call them "newfangled" domains because they include domains like .space,
.link , .work, .click, .rocks and .science so I have been experimenting
with regex expressions to try to catch them with the least false positives
and after several tries here is the best so far:
============================
# Block Newfangled Domains
if first_delivery
and (
("$h_from:" matches " .+@.+\.space[^a-zA-Z0-9_]")
or ("$h_from:" matches " .+@.+\.work[^a-zA-Z0-9_]")
or ("$h_from:" matches " .+@.+\.click[^a-zA-Z0-9_]")
or ("$h_from:" matches " .+@.+\.link[^a-zA-Z0-9_]")
or ("$h_from:" matches " .+@.+\.rocks[^a-zA-Z0-9_]")
or ("$h_from:" matches " .+@.+\.science[^a-zA-Z0-9_]")
)
then
headers add "SpamRule: EXIM FILTER Block Newfangled Domains (was:
$h_subject:)"
deliver "Blacklisted Domains <blacklisteddomains@???>"
seen finish
endif

==============================
After the "then" I add a new header with the rule name, copy the old subject
to the new subject so I can see what it was and send them to an email
address on my server so I can check them for false positives. Then the "seen
finish" stops the rules from running and the "endif" completes this set of
rules.

In 2 days with thousands of re-directed caught spam I have not seen 1 false
positive... Yet :)

NOTE! These rules can cause false positives and the results should be
examined carefully.

To set up the "cpanel_exim_system_filter_custom" file first you must have
administrator privileges and be able to get to the root directory. Most
shared hosting plans do not let you do this. I FTP'd into my "root/etc"
directory and copied and renamed the "cpanel_exim_system_filter" to
"cpanel_exim_system_filter_custom". Make sure you have an original copy in
case things go very bad. If they do all your email can/will stop being
transported.

Then login to WHM as root:
Go to:
Main >> Service Configuration >> Exim Configuration Editor >> Basic Editor

Check the name & location of "System Filter File" under "Filters", mine is
at /etc/cpanel_exim_system_filter.
Change it to /etc/cpanel_exim_system_filter_custom
Don't forget to restart Exim. It should restart when you click "Save" at
the bottom of the page.

I edit the /etc/cpanel_exim_system_filter_custom file using my ftp program's
text editor and added my new rules after the final line in the original
file.

To verify I have not made a syntax error and stopped all mail delivery I
constantly have a browser window open to my WHM at: Home » Email » Mail
Queue Manager and run a report every time I save the ...custom file. Make
sure the start and end date and time are valid and if anything is stuck, (or
hundreds of them), try to deliver one of them. If there is an error in your
syntax it will tell you the approximate line and sometimes what the error
is. When you get it fixed and one email is delivered, then click "Deliver
All".

There are probably better ways to edit it, but it works for me.

CurtisW