[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Spamassassin tests help please



On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:

Do you use exim?  Some of this stuff can be done at that level.

In /etc/exim/exim.conf include something like this (may need to be
adjusted for version 3.x) :

    system_filter = /etc/exim/system.filter
    system_filter_user = nobody
    system_filter_group = nogroup

Then put the snippets below in /etc/exim/system.filter.


| I have given up on using my .forward as a spam filter because I've now
| gone up to over 40 spam pieces a day and its a pain to keep adding
| conditions on each .forward on each account.
| 
| Just to make clear, my particular desire to stop stuff from Korean and
| Taiwan is that I speak neither Korean nor Chinese.  
| 
| I wonder if anyone can help with these tests:
| 
| 1. I am on numerous Korean spam lists.  So I want to exclude all email
| with Korean charsets.  How do I set $h_Content-Type: contains
| "ks_c_5601-1987" to score 20?

# I actually have this in my filter
if
    "$h_Content-Type: $h_Subject:" contains "ks_c_5601-1987"
        or
    $h_Content-Type: contains "EUC-KR"
then

    # use 'fail' if you want to send back a bounce message
    #fail "<<incomprehensible foreign charset>>"

    # this is a black hole
    seen finish

endif


| 3. How can I blacklist specific names?  For example, esavingszone send
| me two messages every day and I want them automatically blocked.  But
| they use differing domain nemaes so I want to block
| esavingszone@foo.net. esavingszone@bar.net and every other
| esavingszone@anything.anything
 
In SA use the blacklist_from directive.  (this checks the From: header)


In exim version 4 you can include this in an acl :

  deny senders = \N^esavingszone@.*$\N

(This checks the envelope sender.)
If the envelope sender is predictable, then IMO this is the best
solution, and can be extended to look up addresses from a file.


In a system filter (exim 3 or 4) :

if
    ${local_part:$sender_address} is "esavingszone"
        or
    ${local_part:$h_From:} is "esavingszone"
then
    fail "<<$sender_address , $h_From:>> \
            You have been blocked by the administrator."
    seen finish
endif

(this checks both the envelope sender and the From: header)


| 2. I get a lot of stuff from Taiwan.  Is it poossible to simply
| blacklist all mail relayed from ISPs with .tw tld?

| 4. The ISP that uses hanmail.net and daum.net is the single worst
| offender.  Can I block all mail relayed theough these domains?

# I haven't tested this regex.  Exim uses "pcre" (perl-compatible), but
# I'm more familiar with the old-school dialect used by vim, sed and grep.
if
    "$h_Received:" matches "[a-zA-Z_]+\.tw\b"
        or
    "$h_Received:" matches "(hanmail|daum)\.net\b"
then
    seen finish
endif


As an alternative to checking Received: headers, if you receive the
spam directly you can simply reject connections at SMTP time. 
(or even firewall them)

HTH,
-D

-- 

Religion that God our Father accepts as pure and faultless is this: to
look after orphans and widows in their distress and to keep oneself from
being polluted by the world.
        James 1:27
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

Attachment: pgpS_XXywVDB1.pgp
Description: PGP signature


Reply to: