~semi-hallikas/sspamm/3.0-devel


Viewing changes to sspamm.conf

  • Committer: Sami-Pekka Hallikas
  • Date: 2010-11-24 10:21:50 UTC
  • Revision ID: semi@hallikas.com-20101124102150-ey73bv22ypi3wb47
Again, lots of bug hunting and fixing.

Added 'big' features are:
 - RRD
   Keeps RRD database of messages, used to generate graphics
 - CRC
   Blocking by message body SHA1 checksum. Saves the SHA1 of every message body.
   Entries expire from the database once last seen more than 12h ago (configurable).
   Keeps the checksums in a file, so the database survives a restart.
   If a message is blocked or flagged 1 to 5 times within 'crc hours', flag it.
   If a message is blocked or flagged more than 5 times within 'crc hours', do 'crc action'.

12
12
# time. Negative effect with threads is that you can't use signals and not
13
13
# even CTRL-C to quit. Even then, you SHOULD use childs.
14
14
childs:         True
15
 
#childs:                False
16
15
#
17
16
# In /etc/mail/sendmail.mc you should define same port, here is also
18
17
# information about flags used in 'INPUT_MAIL_FILTER' macro:
64
63
# original name. This allows logrotate.
65
64
logfile:        sspamm.log
66
65
 
67
 
###
68
 
### On/Off parameters can be used with values: False, No, 0 or True, Yes, 1
69
 
###
70
 
 
71
 
#### timeme and syslog is going to be removed?
72
 
# Path to create mail 'var' files (for debug purpouses)
73
 
savedir:        saved
74
 
 
75
 
# Save information about time spend in different steps while filtering
76
 
# Times are shown on saved .var file, or on debug log with higher verbose
77
 
# level.
78
 
timeme:         Yes
79
 
 
80
66
# Verbose is numerical value. Verbose levels are:
81
67
#       0 - No output at all
82
68
#       1 - warning conditions, error, critical
86
72
#       5 - quickview of filtering, without debug
87
73
#       6 - log output
88
74
#
89
 
verbose:        2
 
75
verbose:        1
 
76
 
 
77
#### timeme and syslog is going to be removed?
 
78
# Path to create mail 'var' files (for debug purpouses)
 
79
savedir:        saved
 
80
# Save unsure and HAM messages only. Usefull for training purpouses.
 
81
nonspamonly:    True
 
82
 
 
83
###
 
84
### On/Off parameters can be used with values: False, No, 0 or True, Yes, 1
 
85
###
 
86
 
 
87
# Save information about time spend in different steps while filtering
 
88
# Times are shown on saved .var file, or on debug log with higher verbose
 
89
# level.
 
90
timeme:         Yes
 
91
 
 
92
##
 
93
## Keep checksum database of passed message body. Also makes crc test possible.
 
94
##
 
95
crcsave:        True
 
96
crchours:       12
90
97
 
91
98
# If WatchMode is True, all mails are passed without modifying anything, only
92
99
# logging would take place
108
115
# bayesian      Bayesian SPAM/HAM probability
109
116
# wordscan      Scan message body for strings
110
117
#
111
 
defaulttests: connect, helo, accept, dyndns, block, samefromto, ipfromto, headers, dyndns, wordscan, charset, bayesian, rbl
 
118
defaulttests: connect, helo, accept, samefromto, crc, block, dyndns, ipfromto, headers, wordscan, charset, bayesian, rbl
112
119
 
113
120
domains:
114
121
### TODO: Samples how these matches
142
149
#               sample2.org: all,+charset
143
150
#
144
151
# Note: .* below matches ALL ADDRESS
145
 
                hallikas.com
146
152
                .*
147
153
 
148
154
rules:
165
171
dyndns:         Flag
166
172
rbl:            Delete
167
173
charset:        Flag
168
 
headers:        Delete
169
 
wordscan:       Delete
 
174
headers:        Flag
 
175
wordscan:       Flag
170
176
bayesian:       Flag
 
177
crc:            Delete
171
178
 
172
179
[settings]
173
180
maxbodysize:    1024
174
181
ipservers:
 
182
# Level 3, ISP Block
 
183
                dnsbl-3.uceprotect.net
 
184
# Level 2, Network Block
 
185
                dnsbl-2.uceprotect.net
 
186
# Level 1, Host block
175
187
                dnsbl-1.uceprotect.net
176
 
                dnsbl-2.uceprotect.net
177
 
                dnsbl-3.uceprotect.net
178
 
                bl.spamcop.net
179
 
                b.barracudacentral.org
180
 
                xbl.spamhaus.org
181
 
                zen.spamhaus.org
182
 
                cbl.abuseat.org
183
 
                psbl.surriel.com
184
 
                sbl.spamhaus.org
 
188
#               bl.spamcop.net
 
189
#               b.barracudacentral.org
 
190
#               xbl.spamhaus.org
 
191
#               zen.spamhaus.org
 
192
#               cbl.abuseat.org
 
193
#               psbl.surriel.com
 
194
#               sbl.spamhaus.org
185
195
 
186
196
 
187
197
### NOTE! comments in rules!
239
249
## for only first recipient.
240
250
##
241
251
accept:
 
252
                (?#flag):abuse@
 
253
#
242
254
                (?#skip):(hostmaster|postmaster|webmaster|website)@hallikas.com$
243
255
                (?#skip):(wlan|wlan2|secure|symbian|giveaway|notify|iphone|growl|blog)@hallikas.com$
244
256
                (?#skip):(root|semi|sami|samipekka.hallikas|sami-pekka.hallikas|hilkka|jonne|jaska|mari|ville|laura|lasse)@hallikas.com$
245
257
#               (?#skip):([A-Za-z]+\.[A-Za-z]+|[a-z]+)@hallikas.com$
246
258
# If sender/recipient is abuse@ flag it. (Should code have flag+accept?)
247
 
                (?#flag):abuse@
248
 
#               (?#flag):abuse@[\w\d]\.(\w\w)(\w)?$
249
259
                (?#break)@hallikas.com$
250
 
                (.iki.fi|(email-\d\d\d|outbound\d.den|mx\d.\w\w\w).paypal.com):(payment@|paypal@email.|service@intl.)paypal.com:
251
 
                .tfbnw.net:notification[\d\w._-]+@facebookmail.com:
252
 
                (.iki.fi|(email-\d\d\d|outbound\d.den|mx\d.\w\w\w).paypal.com):(payment@|paypal@email.|service@intl.)paypal.com:
 
260
#
 
261
# Known services, commonly phished, should be added here. Like real address for paypal:
 
262
# PAYPAL
 
263
                ^(email|outbound|mx).+.paypal.com:(payment@|paypal@email.|service@intl.)paypal.com:
 
264
# EBAY
 
265
                (smfcamppool\d\d.emailebay.com|emasmail\d.emarsys.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
253
266
                mx(smf)?pool\d\d.ebay.com:(checkout|status|member|ebay|[\d\w._-]+)@.*ebay\.\w\w(\w)?:
254
 
                (smfcamppool\d\d.emailebay.com|emasmail\d.emarsys.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
 
267
# VALVE/Steam
255
268
                wcmx\d.valvesoftware.com:.*@valvesoftware.com:
256
 
                (.iki.fi|itmsout.apple.com|.apple.com):([\d\w._-]+@insideapple.|do_not_reply@)apple.com:
 
269
#
 
270
# Apple
 
271
                (mail-out\d)?.apple.com:(repair2-feedback|do_not_reply_con_en|[A-Za-z0-9_-]+)@euro.apple.com:
 
272
                .apple.com:([\d\w._-]+@insideapple.|do_not_reply@)apple.com:
 
273
# Ticketmaster
 
274
                (sms1-els\d\d\d-\d\d\d.mm)?.ticketmaster.com:[A-Za-z0-9_.=@+-]ticketmaster.com:
 
275
                (sms1-els\d\d\d-\d\d\d.mm)?.ticketmaster.com:.*ticketmaster.com:
257
276
                ticketmaster.com:.*ticketmaster.com:
 
277
# Facebook
 
278
                (out(camp)?mail0\d\d.snc\d)?.facebook.com:(notification|update)+.*@facebookmail.com:
 
279
                (out(camp)?mail0\d\d.snc\d)?.facebook.com:.*facebookmail.com:
 
280
                .tfbnw.net:^(notification|update)?.*@facebookmail.com:
258
281
 
259
282
##
260
283
block:
261
284
# This should/could be in ipfromto, but we must make as quick match as possible.
262
285
# Matches as sender AND recipient
263
 
                firstname.(last|sure)name@|etunimi.sukunimi@
264
 
# Matches as recipient, note end of line mark ($).
 
286
                (?#delete)firstname.(last|sure)name(\w)?@|etunimi.sukunimi(\w)?@
 
287
                (?#delete)@rolex.com:
 
288
# SpamTrap. Matches as recipient, note end of line mark ($).
265
289
                spamtrap@somewhere.net$
266
 
                (unknown.user|another.one).*@somedomain.org$
267
 
                (?#delete)@hallikas.com$
268
 
                (?#delete)firstname.(last|sure)name@|etunimi.sukunimi@
269
 
                (?#reject)roskaposti@hallikas.com$
270
 
                (?#reject)@disabled.recipient-domain.com$
271
 
# Not real mail domain
272
 
                @mail-disabled.com$
273
 
# OK #
274
 
                (?#delete)@hallikas.com$
275
 
                (?#delete)firstname.(last|sure)name@|etunimi.sukunimi@
276
 
                (?#reject)roskaposti@hallikas.com$
 
290
                (?#reject)roskaposti@hallikas.com$
 
291
# All messages to hallikas.com will be deleted! Note, there is (?#skip) rule
 
292
# in accept, if that rule matches, it will skip blocking. But all other
 
293
# tests are done.
 
294
#####           (?#delete)@hallikas.com$
277
295
 
278
296
##
279
297
ipfromto:
280
298
                (?#skip)(support|abuse|postmaster)@target.org$
281
 
                (?#accept)(email-\d\d\d|outbound\d.den|mx\d.\w\w\w).paypal.com:(payment@|paypal@email.|service@intl.)paypal.com:
282
 
                (?#accept)mx(smf)?pool\d\d.ebay.com:(checkout|status|member|ebay|[\d\w._-]+)@.*ebay\.\w\w(\w)?:
283
 
                (?#accept)(smfcamppool\d\d.emailebay.com|emasmail\d.emarsys.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
284
299
                (?#skip)^(smtp-gw1.crescom.fi|80.81.171.48):
285
 
                (?#accept)(.facebook.com|.tfbnw.net):notification\[\d\w_+-]@facebookmail.com:
286
 
                (?#accept)(wcmx\d)?.valvesoftware.com:.*@valvesoftware.com:
287
 
                (?#accept)ticketmaster.com:.*ticketmaster.com:
288
 
                (?#accept)(itmsout)?.apple.com:([\d\w._-]+@insideapple.|do_not_reply@)apple.com:
289
 
 
 
300
                (?#flag)@(paypal.com|facebook.com|ebay.com|apple.com):
290
301
charset:
291
302
                (?#skip)(utf-8|iso-8859-1|us-ascii)
292
 
                (?#flag)windows-1250|windows-1251|windows-1252
 
303
                (?#flag)(windows-1250|windows-1251|windows-1252)
293
304
                (?#reject)(iso-2022-jp|shift_jis|big5|GB2312|koi8-r)
294
305
 
295
306
#
296
307
# Note! This is does not include headers that has duplicate keys, like Received.
297
308
headers:
 
309
                (?#delete)(?i)From:.*(Viagra|Rolex|Pfizer)
298
310
                (?#reject)\<(halen@iki.fi|samipekka.hallikas@nic.fi)\>
299
 
                (?#delete)(?i)From:(.*?)(VIAGRA)
300
 
                (?#delete)(Received: from google.com|\(HELO google.com\))
 
311
                (?#flag)(Received: from google.com|\(HELO google.com\))
301
312
                (?#flag)X-Spam-Flag: YES
302
313
 
303
314
dyndns:
304
315
###
305
316
### authmx - define mail relay hosts, that can/would accept 'dyndns'. Don't do dyndns check after match.
306
317
###
307
 
                (?#authmx)(mail|smtp)(in|out)?(-gw)?(\d+)?\.
308
318
                (?#authmx)^(\w)?(mail|smtp(in|out)?|out|mx|mq|secmx|post|relay|proxy|ns|gw|list|mta|pop|imap|sender|spamgw|filter|filtteri|gate|posti|(e|www)mail)(\d)?(\d)?
309
319
# Known relay domains
310
 
                (?#authmx)\.iki\.fi|\.hotmail\.com|\.gmail\.com|\.google\.com|\.yahoo\.com|\.sth\.basefarm\.net|\.fre\.skanova\.net
311
 
                (?#authmx)^(smtpout|smgw\d\d|memailout\d\d.|eni-mailout\d\d|fmmailgate\d\d|hnexfw\d\d|bbnrelbas\d\d)\.
 
320
#               (?#authmx)\.iki\.fi|\.hotmail\.com|\.gmail\.com|\.google\.com|\.yahoo\.com|\.sth\.basefarm\.net|\.fre\.skanova\.net
 
321
#               (?#authmx)^(smtpout|smgw\d\d|memailout\d\d.|eni-mailout\d\d|fmmailgate\d\d|hnexfw\d\d|bbnrelbas\d\d)\.
312
322
 
313
323
# You can use NAME
314
324
#       client194-14-197-6.exicom.se
323
333
### skip - Do not make dyndns test for match. If recursive mode is enabled,
324
334
###        skip to next received host.
325
335
###
326
 
                (?#skip)(?#too many false blocking).*dnainternet.net|.*\.sta(tic)?\.(smilehouse.com|louhi.net|ac-net.se|estpak.ee)
327
 
                (?#skip).(smilehouse.com|louhi.net|ac-net.se|estpak.ee|dnainternet.net)
328
 
                (?#skip)(?#diamo.se)88.131.23.18|(?#dpu.se)82.182.83.75|(?#mbcint.se)82.182.83.75|(?#autoexperten.nu)213.150.159.45
329
 
                (?#skip)(?#smilehouse.com)193.94.205.129|(?#tamroshop.fi)193.65.59.129|(?#mail.duodecim.fi)195.236.0.9
 
336
#               (?#skip)(?#too many false blocking).*dnainternet.net|.*\.sta(tic)?\.(smilehouse.com|louhi.net|ac-net.se|estpak.ee)
 
337
#               (?#skip).(smilehouse.com|louhi.net|ac-net.se|estpak.ee|dnainternet.net)
 
338
#               (?#skip)(?#diamo.se)88.131.23.18|(?#dpu.se)82.182.83.75|(?#mbcint.se)82.182.83.75|(?#autoexperten.nu)213.150.159.45
 
339
#               (?#skip)(?#smilehouse.com)193.94.205.129|(?#tamroshop.fi)193.65.59.129|(?#mail.duodecim.fi)195.236.0.9
330
340
 
331
341
### Regexp rules how to detect "dynamic" hostnames. If dynamic host should be
332
342
### allowed, hostname should be allowed in skip_dns (RBL section).
333
343
 
334
344
### TODO? Also RBL checkin' is skiped for those.
335
345
# DNS names to be blocked
336
 
                \d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]
 
346
                (?#flag)\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]
 
347
 
 
348
blockwords:
 
349
                (?#reject)Penetrate this site
 
350
                (?#delete)Pharmacy(USA|Canada)|http://pharma
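Review bot: The new accept rules for phish-prone brands (new lines 261–280) use unescaped dots and unanchored domains, so the host part of `^(email|outbound|mx).+.paypal.com:` also matches a host such as `mx.evilpaypal.com`, and `ticketmaster.com:.*ticketmaster.com:` matches `ticketmaster.com.example.net`; because these rules exist to let mail from those brands through, a loose match widens the whitelist rather than the block list. If the host field is taken from the connecting client's HELO or PTR name rather than from something the filter verifies, that looseness is reachable by a sender who controls their own DNS — worth confirming against the matcher. Tighten them to `^(email|outbound|mx)[\w.-]*\.paypal\.com:` and `(^|\.)ticketmaster\.com:.*@([\w-]+\.)*ticketmaster\.com:` and escape the dots in the other brand lines the same way, including the ipfromto line `(?#flag)@(paypal.com|facebook.com|ebay.com|apple.com):`. New line 280, `.tfbnw.net:^(notification|update)?.*@facebookmail.com:`, has a `^` after the first field; in a single-string regex that anchor can only match at position 0, so the rule is dead unless the matcher evaluates each colon-separated field separately — drop the `^` or confirm the field-wise matching. The blockwords section at the end may continue past the visible diff.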