
###
### Configuration file for Semi's Spam Milter
###
### When the filter starts, the configuration file (sspamm.conf) is searched
### for in this order: the current directory, /etc/sspamm and /etc
###
[main]
# Name of our filter; must be the same as defined in sendmail (the first
# argument of the INPUT_MAIL_FILTER line below).
name:		sspamm
#
# In /etc/mail/sendmail.mc you should define the same port. Here is also
# information about the flags used in the 'INPUT_MAIL_FILTER' macro:
#
# /********************* This stuff goes to sendmail.mc ********************
#
#dnl # F=
#dnl # (If a filter is unavailable or unresponsive and no 'F'lags have been
#dnl #  specified, the MTA will continue normal handling of the current
#dnl #  connection. The MTA will try to contact the filter again on each
#dnl #  new connection.)
#dnl # T - TempFail
#dnl # R - Reject
#dnl # T=
#dnl # C - Connection
#dnl # S - Sending Data
#dnl # R - Reading Data
#dnl # E - Overall timeout between sending end-of-message to filter and waiting for the final acknowledgment.
#
#define(`MILTER', 1)
#define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
#define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
#define(`confMILTER_MACROS_ENVFROM',`i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
#define(`confMILTER_MACROS_ENVRCPT',`{rcpt_mailer}, {rcpt_host}, {rcpt_addr}')dnl
#
#INPUT_MAIL_FILTER(`sspamm', `S=inet:7999@localhost, F=T, T=C:10m;E:10m;R:10m;S:5m')dnl
#
# ********************* This stuff goes to sendmail.mc ********************/
#
# F=T in the line above makes sendmail tempfail mail while the filter is
# unavailable (fail closed); with no F= flag mail would be passed through
# unfiltered, see the dnl notes above.
#
# Define the port/socket the filter listens on; it must match S= in the
# INPUT_MAIL_FILTER line above (inet:7999@localhost).
# NOTE(review): no host is given here while sendmail.mc connects to
# localhost - confirm the filter binds only to the loopback interface; the
# milter socket should not be reachable from other hosts.
port:		inet:7999
# Alternative: a unix socket. /tmp is a world-writable directory; a dedicated
# run directory is preferable if you switch to local:.
#port:		local:/tmp/sspamm.sock

###
### Files and Paths
###
#
# If sspammdir is not defined, files are used/saved/created in the same
# directory the configuration file is in (see the search order at the top).
sspammdir:	.
tmpdir:		/dev/shm
#pid:		sspamm.pid
logfile:	sspamm.log

##
## On/Off parameters can be used with values: False, No, 0 or True, Yes, 1
##

#### timeme and syslog are going to be removed?
#
# Define debugfile if you want debug logging into a file
debugfile:	debug.log

# Path to create mail 'var' files in (for debug purposes).
# NOTE(review): the .var files are produced from filtered mail (see timeme
# below), so they may contain message data - keep this directory readable
# by the filter user only and consider disabling it once debugging is done.
savedir:	saved

# Save information about the time spent in the different steps while
# filtering. Times are shown in the saved .var file, or in the debug log at
# a higher verbose level.
timeme:		Yes

# Verbose is a numerical value. Verbose levels are:
#	0 - No debug logging at all
#	1 - warning conditions, error, critical
#	2 - Informational or normal but significant condition
#	3 - debug-level messages
verbose:	3

# If watchmode is True, all mails are passed without modifying anything;
# only logging takes place.
#
#
# ***** NOTICE, YOU SHOULD DISABLE THIS AFTER YOU HAVE CONFIGURED FILTER *****
#
watchmode:	Yes

##############################################################################
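[filter]
#
# We define the default tests here. Possible values are:
# connect	Our white-/blacklisting
# helo		Imitates to be us
# ipfromto	Sender/Recipient matching
# rbl		Blacklisting
# dyndns	Dynamic DNS-name
# bayesian	Bayesian SPAM/HAM probability
# wordscan	Scan message body for strings
# accept/block	Quick [ip/dns]:[from]:[to] allow/deny lists (see [rules])
# samefromto, headers and charset also appear in this file but are not
# described here.
#
# The list is comma separated (as in the domain samples below). NOTE: the
# comma between samefromto and ipfromto was missing, so the two names could
# have been read as one unknown test and both tests silently dropped.
defaulttests:		connect, helo, accept, block, samefromto, ipfromto
#, headers, dyndns, rbl, wordscan, bayesian, charset
#
# Note! If bayesian is before RBL/DynDNS, mail with the 'HAM' class is passed
# as 'UNSURE' if RBL/DynDNS matches... If bayesian is after them, the test
# rules are used.


domains:
### TODO: Samples of how these match
#
# We only filter for these domains. It is possible to define different rules
# per domain. You can define the scans to use with a domain match (below,
# only the listed tests are done):
# 	foobar.com, ourdomain.org:	connect, helo
# ... append a 'non default' test for a domain:
#	tests: connect, helo, ipfromto
#	domains:
#		ourdomain.org:	+rbl
#		.*
# Or opt-out scans from the default tests:
#	other.com:			!bayesian
#
# Domains are defined here as (real) regexps. Note: the first match wins, so
# put specific domains before a catch-all like .*
#		somedomain1.(net|fi|se|as|ch|be|gr): ipfromto
#		test.com
#		(guest1|guest2|guest3).com
#		(fi.|se.)?(customer|alias).com: !charset
#		foobar.net|foo.net|foo.com|thisisfoo.org
#		domain2.(com|net|fi|se|dk): accept, samefromto, connect, helo, block, ipfromto, dyndns, headers, wordscan, bayesian, rbl, charset
#		ourdomain.org, someother.net, anyone.com
#		blocked.com: block
# All these three are the same:
#		sample1.org: all,-helo
#		sample1.net: -helo
#		sample1.com: !helo
# Also these two:
#		sample2.org: +charset
#		sample2.org: all,+charset
#
# Note: .* below matches ALL ADDRESSES
		.*

rules:
### TODO: Samples of how these match
#
# It is possible to define a few special things for domains. These are made
# in the filter/rules section. It is possible to group multiple domains under
# a single name, so there are not multiple 'domaindb' files for the same
# (real) domain with multiple domain names. The rules section does not affect
# which domains are filtered.
# NOTE(review): the next line is indented with one tab while the other rule
# lines use two; confirm the parser treats both as continuation lines.
	sspamm.*|sspamm(-)?filter.*: name=sspamm
#
# Other rules available:
#	(!)watch	You can (un)set 'debugmode' for an individual domain
#	flagall		Flag EVERY action, all mails are passed but flagged.
#
# Test based parameters that can be used here:
#	Bayesian:	ratio=[value], msgsneeded=[value], (!)usedomaindb, (!)dbtrain, (!)savembox
#
		testdomain.org: flagall
## ALWAYS filter this domain, even in watch mode!
		^somedomain1.: name=somedomain1, !watch
		^(guest1|guest2).: name=guest, msgsneeded=4000, ratio=500:500
		(domain2|another).com: msgsneeded=100
		(.)?foobar.: name=foobar
		^ourdomain.*: name=our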

[actions]
# Action taken when the named test matches. Values used here: Flag, Accept,
# Discard. NOTE(review): while watchmode is Yes in [main], all mails are
# passed and only logged, so none of these actions take effect - disable
# watchmode before relying on Discard for block.
samefromto:	Flag
connect:	Flag
helo:		Flag
accept:		Accept
block:		Discard
ipfromto:	Flag

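[connect]
# Connections matching ignore_ip are treated as outgoing mail and ACCEPTED
# without logging, so this regexp must match only hosts you trust. Literal
# dots are escaped and the pattern is anchored at the start (same convention
# as the `^10\.|^192\.168\.` hide rule in [rules]): an unescaped, unanchored
# `10.` would also match e.g. 210.x.x.x or 105.x.x.x and let those hosts
# bypass filtering silently. Note! If mail goes thru an smtp-gateway which
# has a private IP towards us, remove it from the list, or all mail from it
# would be accepted silently.
ignore_ip:	^(127\.0\.0\.1|192\.168\.|10\.|42\.42\.4[1-2]\.)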

[rules]
##
## NOTE!
## You can use multiple comments on one line, but if you START a regexp line with a comment,
## it is used as 'action' what LINE (not single rule) should do!
## So look carefully on next examples:
#
# If the first alternative does not match but the second does, the mail WOULD STILL BE REJECTED!
#		(?#reject)smtp-gw\d.crescom.fi|(?#accept)^smtp
# This is the correct way to write the above:
#		(?#reject)smtp-gw\d.crescom.fi
#		(?#accept)^smtp
# 
# This is a valid line. Every match on this line is detected as an authmx host.
#		(?#authmx)(?#smilehouse.com)193.94.205.129|(?#datacapture.co.uk)adsl-217.146.111.67.merula.net|(?#mail.nordvalls.se)85.30.130.17
#
# This is a bit dangerous, because the system parses the first comment as the action:
#		(?#smilehouse.com)193.94.205.129|(?#datacapture.co.uk)adsl-217.146.111.67.merula.net|(?#mail.nordvalls.se)85.30.130.17
# If a line must start with a comment but without an action, this is the better way to write it:
#		(?#)(?#smilehouse.com)193.94.205.129|(?#datacapture.co.uk)adsl-217.146.111.67.merula.net|(?#mail.nordvalls.se)85.30.130.17

# Hide rules make it possible to hide hosts from the received/ipfromto tests.
# Add hosts here that often relay email to your system, gmail and iki.fi for
# example.
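hide:
# Literal dots in the host names are escaped so that e.g. `crescom.fi` does
# not also hide a host spelled crescomXfi; the IP prefixes were already
# written that way.
		^10\.|^192\.168\.
		crescom\.fi
		jatkuu\.iki\.fi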

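connect:
# ignore = accept without logging. "Outgoing"
#		(?#ignore)(127\.0\.0\.1|192\.168\.|10\.|42\.42\.4[1-2]\.)
# skip/pass/relay = skip this test without resolution, continue with next test.
# Literal dots are escaped so the relay entry does not also skip the test
# for look-alike hosts such as 180.81.171.48 or jatkuuXikiXfi. The pattern
# is still unanchored; if the matched subject is the bare IP/host name,
# `^...$` anchors would be tighter - confirm before adding them.
		(?#relay)(80\.81\.171\.48|jatkuu\.iki\.fi)
#		(?#block)5.4.3.2
#		(?#ignore)127.0.0.1|our.client.org
# Our IP/DNS Blacklist
#		(?#block)5.4.3.2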

##
## accept/block/ipfromto - test [ip/dns]:[from]:[to] combinations for match.
##
## Accept and Block are tested with all [ip/dns]:[from]:[to] combinations,
## These two MUST be kept as light as possible. Mostly these are used for a quick
## block of recipients. Note: these usually should have a recipient to match.
##
## Most rules should be in ipfromto because that is tested only for the
## first recipient.
##

##
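accept:
# Accept is tested against all [ip/dns]:[from]:[to] combinations (see above),
# so keep it short and specific. The dot is escaped so only the literal
# address matches, not e.g. somewhereXnet. There is no `$`, so the address
# is matched in the sender as well as the recipient field; add `$` if only
# the recipient should be accepted.
		do_not_block_me@somewhere\.net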

##
block:
# Block is tested against all [ip/dns]:[from]:[to] combinations, so it must
# stay short. This should/could be in ipfromto, but we must make as quick a
# match as possible.
# Matches as sender AND recipient (no `$`). The dots are unescaped, so these
# also match e.g. firstnameXlastname@ - over-matching only widens a block
# rule, but escape them (`\.`) if you need an exact match.
		firstname.(last|sure)name@|etunimi.sukunimi@
# Matches as recipient only, note the end of line mark ($).
		spamtrap@somewhere.net$
		(unknown.user|another.one).*@somedomain.org$
# The first comment on the line sets the action for the whole line (see the
# NOTE at the top of [rules]); presumably this overrides the Discard action
# set for block in [actions] - confirm.
		(?#reject)@disabled.recipient-domain.com$
# Not a real mail domain
		@mail-disabled.com$

##
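ipfromto:
# Rules are tested against [ip/dns]:[from]:[to] for the first recipient only
# (see above); the first (?#...) comment on a line is its action. Literal
# dots in host and domain names are escaped (\.) so that look-alike names
# (e.g. a host ending in Xpaypal.com instead of .paypal.com) do not satisfy
# the accept rules; `.*` wildcards are left as written. Host patterns are
# not anchored with `^` except on the crescom.fi skip line - confirm that
# the matched string always begins with the host field before tightening.
		(?#skip)(support|abuse|postmaster)@target\.org$
		(?#accept)(email-\d\d\d|outbound\d\.den|mx\d\.\w\w\w)\.paypal\.com:(payment@|paypal@email\.|service@intl\.)paypal\.com:
		(?#accept)mx(smf)?pool\d\d\.ebay\.com:(checkout|status|member|ebay|[\d\w._-]+)@.*ebay\.\w\w(\w)?:
		(?#accept)(smfcamppool\d\d\.emailebay\.com|emasmail\d\.emarsys\.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
		(?#skip)^(smtp-gw1\.crescom\.fi|80\.81\.171\.48):
# NOTE(review): `notification\[` below is a literal '[' rather than a
# character class, so this line is unlikely to match a real notification
# address; it probably was meant as notification[\d\w_+-]+@. Left unchanged
# here because fixing it would enable an accept rule that currently never
# matches - the owner should decide.
		(?#accept)(\.facebook\.com|\.tfbnw\.net):notification\[\d\w_+-]@facebookmail\.com:
		(?#accept)(wcmx\d)?\.valvesoftware\.com:.*@valvesoftware\.com:
		(?#accept)ticketmaster\.com:.*ticketmaster\.com:
		(?#accept)(itmsout)?\.apple\.com:([\d\w._-]+@insideapple\.|do_not_reply@)apple\.com: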

#
# Note! This does not include headers that have duplicate keys, like Received.
headers:
# The first (?#...) comment on each line is the action for the whole line
# (see the NOTE at the top of [rules]); actions used here are reject and
# delete. (?i) makes the rest of a pattern case-insensitive.
# NOTE(review): on the 'Trial Sample' line (?i) appears in the middle of the
# pattern; Python 3.11+ re rejects global flags that are not at the start of
# the expression - move it to the front (as on the two (?i)From: lines
# below) if the filter runs on a current Python.
		(?#reject)\<(halen@iki.fi|samipekka.hallikas@nic.fi)\>
		(?#delete)From:(.*?)(<|\.)(happened|72hours|upto72hours|sex(machine|life)|causinganerection|enjoyablesex|sperm(volume)?|sexual|erection|erectile|rock-solid|penis|seductive|prolonged|viagpure|movingsex)(\.|@)(.*?)$
		(?#delete)From:(.*?)<((doctor|penis|seductive|keep|sperm|sex(ual)?|prolonged|viagpure|movingsex|72hours|sex(machine|life)|causinganerection|happened)\.(doctor|keep|penis|seductive|sperm|sex(ual)?|prolonged|viagpure|movingsex|72hours|sex(machine|life)|causinganerection|happened))@(.*?)
		(?#delete)From:(.*?)(?i)(((Get( a)? )?free|Trial) Sample|(free )?trial pills|Penis Growth)
		(?#delete)From: VISA <.*\.com>
		(?#delete)From:(.*?)(Ca(s|z)ino|Ro(y|u|i)ale|Jackpot|Ruby)(.)?(Euro|Club)|(Euro|Club)(.)?(Ca(s|z)ino|Royale|Jackpot|Ruby)
		(?#reject)From:(.*?)(?<!@grand)Casino
		(?#reject)From:(.*?)lotto (<)?
		(?#delete)(?i)From:(.*?)(VIAGRA|Acai.Berry|Free.Trial)
		(?#delete)(?i)(Free Viagra|Viagra Free)
		(?#delete)(Received: from google.com|\(HELO google.com\))
		(?#delete)X-Spam-Flag: YES
		(?#delete)X-Spam-Status:Yes, score=[2-9][0-9][0-9]?

dyndns:
##
## authmx - define host that can relay mail from hosts with dyndns.
##
		(?#authmx)(mail|smtp)(in|out)?(-gw)?(\d+)?\.
		(?#authmx)^(\w)?(mail|smtp(in|out)?|out|mx|mq|secmx|post|relay|proxy|ns|gw|list|mta|pop|imap|sender|spamgw|filter|filtteri|gate|posti|(e|www)mail)(\d)?(\d)?
# Known relay domains
		(?#authmx)\.iki\.fi|\.hotmail\.com|\.gmail\.com|\.google\.com|\.yahoo\.com|\.sth\.basefarm\.net|\.fre\.skanova\.net
#
		(?#authmx)^(smtpout|smgw\d\d|memailout\d\d.|eni-mailout\d\d|fmmailgate\d\d|hnexfw\d\d|bbnrelbas\d\d)\.
		(?#authmx)\.hotmail\.com$|\.gmail\.com$|nf-out-\d\d\d\d\.google\.com$|\.yahoo\.com$

# You can use NAME
#	client194-14-197-6.exicom.se
#	(?#authmx)ded-rb.dedicated.tdcsong.se.222.42.195.in-addr.arpa
# IP
#	213.150.148.53
#	217.212.20.191|213.50.2.(2|109)
# Or even regexps with comments.
#	(?#authmx)(?#hemtex.se)83.241.254.6[67]

##
## skip - Do not make dyndns test for match. If recursive mode is enabled,
##        skip to next received host.
##
		(?#skip)(?#too many false blocking).*dnainternet.net|.*\.sta(tic)?\.(smilehouse.com|louhi.net|ac-net.se|estpak.ee)
		(?#skip).(smilehouse.com|louhi.net|ac-net.se|estpak.ee|dnainternet.net)
		(?#skip)(?#diamo.se)88.131.23.18|(?#dpu.se)82.182.83.75|(?#mbcint.se)82.182.83.75|(?#autoexperten.nu)213.150.159.45
		(?#skip)(?#smilehouse.com)193.94.205.129|(?#tamroshop.fi)193.65.59.129|(?#mail.duodecim.fi)195.236.0.9

## Regexp rules how to detect "dynamic" hostnames. If dynamic host should be
## allowed, hostname should be allowed in skip_dns (RBL section).

## TODO? Also RBL checkin' is skiped for those.
# DNS names to be blocked
		\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]
#		^(ip|ppp|ppoe|adsl|dsl|cable|host|pool)?(-)?\d+[-.]\d+[-.]\d+[-.].*.(ar|br|cn|cl|ru|hr|gr|co|tr|jp|pl|hr|il|in|it|rs|hu|vn|rs|es)
#		^(\d+[-.])?\d+[-.]\d+[-.]\d+[-.]((dynamic|dyn)[-.])?(user.ono.com|caiway.nl)
#		\d+.(pool|user).(einsundeins.de|veloxzone.com.br)
#		adsl-dynamic-pool-xxx.hcm.fpt.vn