Re: [exim] nice news

Top Page
Delete this message
Reply to this message
Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] nice news
For this type spam (works not always, but better than nothing):

acl_check_mime:
  deny    condition = ${if eq{$mime_content_type}{text/plain}}
    !hosts = +whitelisted_hosts
    !sender_domains = returns.groups.yahoo.com : groups.io
    !authenticated = *
    condition = ${if !def:header_List-ID:}
    set acl_m_fakedom = ${if match{$message_headers_raw}{\N\nReceived: \
                    .*?(?:\n\s.*?)*?\
      (?:helo=|HELO |EHLO |from )([a-z]{4,6}\.(?:com|net|org))\
                    .*?(?:\n\s.*?)*?\
      (?i)(?:smtpsa|bizsmtp)\
                    .*?(?:\n\s.*?)*?\
      \n[^R\s]\N}{$1}}
    condition = ${if def:acl_m_fakedom}
    mime_regex = https?.//
    !mime_regex = (?s)https?.//.+https?.//
    condition = ${if eq{}{${lookup dnsdb{defer_never,a=$acl_m_fakedom}}}}
    condition = ${if eq{}{${lookup dnsdb{defer_never,mxh=$acl_m_fakedom}}}}
    message = trojan link suspected: \
      ${if match{$message_body}{\N(https?://[^>\s]+)\N}{$1}} \
      rcpthelo=$acl_m_fakedom recipients=$recipients