86
72
# 5 - quickview of filtering, without debug
77
#### timeme and syslog is going to be removed?
78
# Path to create mail 'var' files (for debug purpouses)
80
# Save unsure and HAM messages only. Usefull for training purpouses.
84
### On/Off parameters can be used with values: False, No, 0 or True, Yes, 1
87
# Save information about time spend in different steps while filtering
88
# Times are shown on saved .var file, or on debug log with higher verbose
93
## Keep checksum database of passed message body. Also makes crc test possible.
91
98
# If WatchMode is True, all mails are passed without modifying anything, only
92
99
# logging would take place
108
115
# bayesian Bayesian SPAM/HAM probability
109
116
# wordscan Scan message body for strings
111
defaulttests: connect, helo, accept, dyndns, block, samefromto, ipfromto, headers, dyndns, wordscan, charset, bayesian, rbl
118
defaulttests: connect, helo, accept, samefromto, crc, block, dyndns, ipfromto, headers, wordscan, charset, bayesian, rbl
114
121
### TODO: Samples how these matches
239
249
## for only first recipient.
242
254
(?#skip):(hostmaster|postmaster|webmaster|website)@hallikas.com$
243
255
(?#skip):(wlan|wlan2|secure|symbian|giveaway|notify|iphone|growl|blog)@hallikas.com$
244
256
(?#skip):(root|semi|sami|samipekka.hallikas|sami-pekka.hallikas|hilkka|jonne|jaska|mari|ville|laura|lasse)@hallikas.com$
245
257
# (?#skip):([A-Za-z]+\.[A-Za-z]+|[a-z]+)@hallikas.com$
246
258
# If sender/recipient is abuse@ flag it. (Should code have flag+accept?)
248
# (?#flag):abuse@[\w\d]\.(\w\w)(\w)?$
249
259
(?#break)@hallikas.com$
250
(.iki.fi|(email-\d\d\d|outbound\d.den|mx\d.\w\w\w).paypal.com):(payment@|paypal@email.|service@intl.)paypal.com:
251
.tfbnw.net:notification[\d\w._-]+@facebookmail.com:
252
(.iki.fi|(email-\d\d\d|outbound\d.den|mx\d.\w\w\w).paypal.com):(payment@|paypal@email.|service@intl.)paypal.com:
261
# Known services, commonly phished, should be added here. Like real address for paypal:
263
^(email|outbound|mx).+.paypal.com:(payment@|paypal@email.|service@intl.)paypal.com:
265
(smfcamppool\d\d.emailebay.com|emasmail\d.emarsys.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
253
266
mx(smf)?pool\d\d.ebay.com:(checkout|status|member|ebay|[\d\w._-]+)@.*ebay\.\w\w(\w)?:
254
(smfcamppool\d\d.emailebay.com|emasmail\d.emarsys.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
255
268
wcmx\d.valvesoftware.com:.*@valvesoftware.com:
256
(.iki.fi|itmsout.apple.com|.apple.com):([\d\w._-]+@insideapple.|do_not_reply@)apple.com:
271
(mail-out\d)?.apple.com:(repair2-feedback|do_not_reply_con_en|[A-Za-z0-9_-]+)@euro.apple.com:
272
.apple.com:([\d\w._-]+@insideapple.|do_not_reply@)apple.com:
274
(sms1-els\d\d\d-\d\d\d.mm)?.ticketmaster.com:[A-Za-z0-9_.=@+-]ticketmaster.com:
275
(sms1-els\d\d\d-\d\d\d.mm)?.ticketmaster.com:.*ticketmaster.com:
257
276
ticketmaster.com:.*ticketmaster.com:
278
(out(camp)?mail0\d\d.snc\d)?.facebook.com:(notification|update)+.*@facebookmail.com:
279
(out(camp)?mail0\d\d.snc\d)?.facebook.com:.*facebookmail.com:
280
.tfbnw.net:^(notification|update)?.*@facebookmail.com:
261
284
# This should/could be in ipfromto, but we must make as quick match as possible.
262
285
# Matches as sender AND recipient
263
firstname.(last|sure)name@|etunimi.sukunimi@
264
# Matches as recipient, note end of line mark ($).
286
(?#delete)firstname.(last|sure)name(\w)?@|etunimi.sukunimi(\w)?@
287
(?#delete)@rolex.com:
288
# SpamTrap. Matches as recipient, note end of line mark ($).
265
289
spamtrap@somewhere.net$
266
(unknown.user|another.one).*@somedomain.org$
267
(?#delete)@hallikas.com$
268
(?#delete)firstname.(last|sure)name@|etunimi.sukunimi@
269
(?#reject)roskaposti@hallikas.com$
270
(?#reject)@disabled.recipient-domain.com$
271
# Not real mail domain
274
(?#delete)@hallikas.com$
275
(?#delete)firstname.(last|sure)name@|etunimi.sukunimi@
276
(?#reject)roskaposti@hallikas.com$
290
(?#reject)roskaposti@hallikas.com$
291
# All messages to hallikas.com will be deleted! Note, there is (?#skip) rule
292
# in accept, if that rule matches, it will skip blocking. But all other
294
##### (?#delete)@hallikas.com$
280
298
(?#skip)(support|abuse|postmaster)@target.org$
281
(?#accept)(email-\d\d\d|outbound\d.den|mx\d.\w\w\w).paypal.com:(payment@|paypal@email.|service@intl.)paypal.com:
282
(?#accept)mx(smf)?pool\d\d.ebay.com:(checkout|status|member|ebay|[\d\w._-]+)@.*ebay\.\w\w(\w)?:
283
(?#accept)(smfcamppool\d\d.emailebay.com|emasmail\d.emarsys.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
284
299
(?#skip)^(smtp-gw1.crescom.fi|80.81.171.48):
285
(?#accept)(.facebook.com|.tfbnw.net):notification\[\d\w_+-]@facebookmail.com:
286
(?#accept)(wcmx\d)?.valvesoftware.com:.*@valvesoftware.com:
287
(?#accept)ticketmaster.com:.*ticketmaster.com:
288
(?#accept)(itmsout)?.apple.com:([\d\w._-]+@insideapple.|do_not_reply@)apple.com:
300
(?#flag)@(paypal.com|facebook.com|ebay.com|apple.com):
291
302
(?#skip)(utf-8|iso-8859-1|us-ascii)
292
(?#flag)windows-1250|windows-1251|windows-1252
303
(?#flag)(windows-1250|windows-1251|windows-1252)
293
304
(?#reject)(iso-2022-jp|shift_jis|big5|GB2312|koi8-r)
296
307
# Note! This is does not include headers that has duplicate keys, like Received.
309
(?#delete)(?i)From:.*(Viagra|Rolex|Pfizer)
298
310
(?#reject)\<(halen@iki.fi|samipekka.hallikas@nic.fi)\>
299
(?#delete)(?i)From:(.*?)(VIAGRA)
300
(?#delete)(Received: from google.com|\(HELO google.com\))
311
(?#flag)(Received: from google.com|\(HELO google.com\))
301
312
(?#flag)X-Spam-Flag: YES
305
316
### authmx - define mail relay hosts, that can/would accept 'dyndns'. Don't do dyndns check after match.
307
(?#authmx)(mail|smtp)(in|out)?(-gw)?(\d+)?\.
308
318
(?#authmx)^(\w)?(mail|smtp(in|out)?|out|mx|mq|secmx|post|relay|proxy|ns|gw|list|mta|pop|imap|sender|spamgw|filter|filtteri|gate|posti|(e|www)mail)(\d)?(\d)?
309
319
# Known relay domains
310
(?#authmx)\.iki\.fi|\.hotmail\.com|\.gmail\.com|\.google\.com|\.yahoo\.com|\.sth\.basefarm\.net|\.fre\.skanova\.net
311
(?#authmx)^(smtpout|smgw\d\d|memailout\d\d.|eni-mailout\d\d|fmmailgate\d\d|hnexfw\d\d|bbnrelbas\d\d)\.
320
# (?#authmx)\.iki\.fi|\.hotmail\.com|\.gmail\.com|\.google\.com|\.yahoo\.com|\.sth\.basefarm\.net|\.fre\.skanova\.net
321
# (?#authmx)^(smtpout|smgw\d\d|memailout\d\d.|eni-mailout\d\d|fmmailgate\d\d|hnexfw\d\d|bbnrelbas\d\d)\.
313
323
# You can use NAME
314
324
# client194-14-197-6.exicom.se
323
333
### skip - Do not make dyndns test for match. If recursive mode is enabled,
324
334
### skip to next received host.
326
(?#skip)(?#too many false blocking).*dnainternet.net|.*\.sta(tic)?\.(smilehouse.com|louhi.net|ac-net.se|estpak.ee)
327
(?#skip).(smilehouse.com|louhi.net|ac-net.se|estpak.ee|dnainternet.net)
328
(?#skip)(?#diamo.se)88.131.23.18|(?#dpu.se)82.182.83.75|(?#mbcint.se)82.182.83.75|(?#autoexperten.nu)213.150.159.45
329
(?#skip)(?#smilehouse.com)193.94.205.129|(?#tamroshop.fi)193.65.59.129|(?#mail.duodecim.fi)195.236.0.9
336
# (?#skip)(?#too many false blocking).*dnainternet.net|.*\.sta(tic)?\.(smilehouse.com|louhi.net|ac-net.se|estpak.ee)
337
# (?#skip).(smilehouse.com|louhi.net|ac-net.se|estpak.ee|dnainternet.net)
338
# (?#skip)(?#diamo.se)88.131.23.18|(?#dpu.se)82.182.83.75|(?#mbcint.se)82.182.83.75|(?#autoexperten.nu)213.150.159.45
339
# (?#skip)(?#smilehouse.com)193.94.205.129|(?#tamroshop.fi)193.65.59.129|(?#mail.duodecim.fi)195.236.0.9
331
341
### Regexp rules how to detect "dynamic" hostnames. If dynamic host should be
332
342
### allowed, hostname should be allowed in skip_dns (RBL section).
334
344
### TODO? Also RBL checkin' is skiped for those.
335
345
# DNS names to be blocked
336
\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]
346
(?#flag)\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]
349
(?#reject)Penetrate this site
350
(?#delete)Pharmacy(USA|Canada)|http://pharma