###
### Configuration file for Semi's Spam Milter
###
### When the filter starts, the configuration file (sspamm.conf) is searched
### for in these paths, in this order: the current directory, /etc/sspamm and
### /etc. Because the current directory wins, start the daemon from a
### directory that only root (or the sspamm user) can write to; otherwise a
### local user can plant an sspamm.conf that overrides the one in /etc.
###
[main]
# Name of our filter, must be the same as defined in sendmail (note the
# sample INPUT_MAIL_FILTER line below uses 'sspamm', not 'sspamm3' --
# adjust one or the other)
name:		sspamm3

# If child threads are used, the configuration is checked and reloaded in
# real time. The drawback of threads is that signals cannot be used, not even
# CTRL-C to quit (remove the pid file instead, see below). Even so, you
# SHOULD use childs.
childs:		True
#
# In /etc/mail/sendmail.mc you should define same port, here is also
# information about flags used in 'INPUT_MAIL_FILTER' macro:
#
# /********************* This stuff goes to sendmail.mc ********************
#
#dnl # F=
#dnl # (If a filter is unavailable or unresponsive and no 'F'lags have been
#dnl #  specified, the MTA will continue normal handling of the current
#dnl #  connection, i.e. mail is delivered UNFILTERED while the filter is
#dnl #  down -- the default is fail-open. The MTA will try to contact the
#dnl #  filter again on each new connection. The sample below uses F=T, so
#dnl #  sendmail temp-fails instead and the sender queues the mail until
#dnl #  sspamm is back.)
#dnl # T - TempFail
#dnl # R - Reject
#dnl # T=
#dnl # C - Connection
#dnl # S - Sending Data
#dnl # R - Reading Data
#dnl # E - Overall timeout between sending end-of-message to filter and waiting for the final acknowledgment.
#
#define(`MILTER', 1)
#define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
#define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
#define(`confMILTER_MACROS_ENVFROM',`i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
#define(`confMILTER_MACROS_ENVRCPT',`{rcpt_mailer}, {rcpt_host}, {rcpt_addr}')dnl
#
#INPUT_MAIL_FILTER(`sspamm', `S=inet:7999@localhost, F=T, T=C:10m;E:10m;R:10m;S:5m')dnl
#
# ********************* This stuff goes to sendmail.mc ********************/
#
# Define port/socket that filter would listen.
# NOTE(review): the milter protocol carries no authentication; anything that
# can reach this socket sees every message and decides its fate. Bind to the
# loopback address, e.g. 'inet:8003@localhost' like the sendmail sample above
# (an inet socket given without '@host' is, in libmilter, bound on all
# interfaces -- confirm for your build). A local socket is safer still, but
# put it in a directory only sspamm and sendmail can use, not in /tmp, where
# any local user could pre-create or replace the path. The port here must
# match the S= value in INPUT_MAIL_FILTER (the sample above uses 7999, this
# uses 8003).
port:		inet:8003
#port:		local:/tmp/sspamm.sock

###
### Files and Paths
###
#
# If sspammdir is not defined, files are used/saved/created in the same
# directory that the configuration file is in.
sspammdir:	.
# Scratch space for temporary files. /dev/shm is a shared, world-writable
# tmpfs: anything placed there is readable by other local users unless sspamm
# creates it with a private mode (0600) or under a subdirectory owned by the
# sspamm user -- confirm how the temporary files are created before keeping
# message data here.
tmpdir:		/dev/shm
#
# If the pid file is removed while sspamm is running in daemon mode (as it
# should be), sspamm quits cleanly. This is the CORRECT way to quit sspamm;
# milters do not like signals. It also means anyone who can delete this file
# can stop the filter, so keep its directory writable only by the sspamm user.
pid:		sspamm.pid
#
# Note! If the logfile is renamed, sspamm closes it and opens a new logfile
# with the original name. This allows logrotate.
logfile:	sspamm.log

# Verbose is numerical value. Verbose levels are:
#	0 - No output at all
#	1 - warning conditions, error, critical
#	2 - Informational (for quick debug) or normal but significant condition
#	3 - debug-level messages
#	4 - full debug with is_listed tests
#	5 - quickview of filtering, without debug
#	6 - log output
#
verbose:	1

#### timeme and syslog is going to be removed?
# Path where mail 'var' files are created (for debug purposes). These are
# copies of messages, i.e. users' mail on disk: restrict the directory to the
# sspamm user and prune it regularly -- no retention limit is configured here.
savedir:	saved
# Save unsure and HAM messages only. Useful for training purposes, but bear in
# mind that this keeps legitimate (non-spam) mail on disk.
nonspamonly:	True

###
### On/Off parameters can be used with values: False, No, 0 or True, Yes, 1
###

# Save information about time spend in different steps while filtering
# Times are shown on saved .var file, or on debug log with higher verbose
# level.
timeme:		Yes

##
## Keep a checksum database of passed message bodies. Also makes the crc test
## possible. [actions] sets crc to Delete, which presumably discards a message
## whose body checksum is already in the database -- confirm in the sspamm
## source, since identical bodies also occur legitimately (list mail, resent
## messages).
##
crcsave:	True
## How long a checksum is kept, in hours (assumed from the key name).
crchours:	12

# If watchmode is True, all mail is passed without modification; only logging
# takes place. Exception: a domain given the '!watch' rule in [filter] rules
# below is filtered even in watch mode.
#
#
# ***** NOTICE, YOU SHOULD DISABLE THIS AFTER YOU HAVE CONFIGURED FILTER *****
#
watchmode:	Yes

##############################################################################
[filter]
#
# We define the default tests here. Possible values include:
# connect	Our white-/blacklisting of the connecting host
# helo		Connecting host claims (in HELO) to be us
# ipfromto	Sender/Recipient matching
# rbl		DNS blacklisting (zones listed under [settings] ipservers)
# dyndns	Dynamic DNS-name
# bayesian	Bayesian SPAM/HAM probability
# wordscan	Scan message body for strings
# The defaulttests line also names accept, block, samefromto, crc, headers and
# charset; their verdicts are set in [actions] and their patterns in [rules].
#
defaulttests: connect, helo, accept, samefromto, crc, block, dyndns, ipfromto, headers, wordscan, charset, bayesian, rbl

domains:
### TODO: Samples how these matches
#
# We only filter for these domains. It is possible to define different rules per domain.
# You can define the scans to use for a domain match (below, only those two tests are done):
# 	foobar.com, ourdomain.org:	connect, helo
# ... append 'non default' test for domain:
#	tests: connect, helo, ipfromto
#	domains:
#		ourdomain.org:	+rbl
#		.*
# Or opt-out scans from default tests:
#	other.com:			!bayesian
#
# Domains can be defined here in (real) regexp. Note, first match breaks.
#		somedomain1.(net|fi|se|as|ch|be|gr): ipfromto
#		test.com
#		(guest1|guest2|guest3).com
#		(fi.|se.)?(customer|alias).com: !charset
#		foobar.net|foo.net|foo.com|thisisfoo.org
#		domain2.(com|net|fi|se|dk): accept, samefromto, connect, helo, block, ipfromto, dyndns, headers, wordscan, bayesian, rbl, charset
#		ourdomain.org, someother.net, anyone.com
#		blocked.com: block
# All these three are same:
#		sample1.org: all,-helo
#		sample1.net: -helo
#		sample1.com: !helo
# Also these two:
#		sample2.org: +charset
#		sample2.org: all,+charset
#
# Note: '.*' below matches ALL ADDRESSES, i.e. mail for every domain is filtered.
		.*

rules:
### TODO: Samples how these matches
#
# It is possible to define few special things on domains. These are made in
# filter/rules section. Rules section does not affect what domains are
# filtered.
		(sspamm|spam)(-)?(filter)?.(com|net): flagall
### ALWAYS filter this domain, even in watch mode!
		hallikas.com: !watch

[actions]
# Verdict used when a test matches, unless the rule line carries its own
# (?#action) comment. From the rule comments in this file: Accept passes the
# mail, Delete discards it, Reject refuses it, and Flag (presumably) marks it
# for the recipient. Assumed (confirm in the sspamm source): Reject answers at
# SMTP time so the sender gets a bounce, whereas Delete accepts the message
# and then drops it, so nobody is told. Prefer Reject or Flag over Delete for
# tests that can hit legitimate mail.
accept:		Accept
block:		Delete
connect:	Delete
helo:		Delete
samefromto:	Reject
ipfromto:	Flag
dyndns:		Flag
# rbl with Delete silently loses mail from every host listed in the DNSBLs
# under [settings]; the uceprotect level-2/level-3 zones there list whole
# networks and ISPs, so false positives are expected. Consider Flag or Reject.
rbl:		Delete
charset:	Flag
headers:	Flag
wordscan:	Flag
bayesian:	Flag
crc:		Delete

[settings]
# Presumably the largest message body the content tests look at. The unit is
# not stated in this file (bytes? KiB?) -- confirm in the sspamm source. A
# bound here also limits how much work one large message can make the filter do.
maxbodysize:	1024
# DNSBL zones queried by the rbl test. Note the order and scope: the
# uceprotect level-3 (ISP) and level-2 (network) zones list whole address
# ranges rather than individual spamming hosts, so a hit there says little
# about the connecting host. With 'rbl: Delete' in [actions] a hit discards
# the mail without any bounce; consider setting rbl to Flag, or listing only
# dnsbl-1.
ipservers:
# Level 3, ISP Block
		dnsbl-3.uceprotect.net
# Level 2, Network Block
		dnsbl-2.uceprotect.net
# Level 1, Host block
		dnsbl-1.uceprotect.net
#		bl.spamcop.net
#		b.barracudacentral.org
#		xbl.spamhaus.org
#		zen.spamhaus.org
#		cbl.abuseat.org
#		psbl.surriel.com
#		sbl.spamhaus.org


### NOTE! comments in rules!
### You can use multiple comments on one line, but if a regexp line STARTS with a comment,
### that comment is used as the 'action' for the whole LINE (not for a single alternative)!
### So look carefully at the next examples:
#
# If the first alternative does not match but the second does, the mail WOULD STILL BE
# REJECTED (the line's action is its first comment, 'reject'):
#		(?#reject)smtp-gw\d.sspamm.com|(?#accept)^smtp
# This is correct way to write above
#		(?#reject)smtp-gw\d.sspamm.com
#		(?#accept)^smtp
# 
# This is valid line. All matches on this line, is detected as authmx host.
#		(?#authmx)(?#smilehouse.com)193.94.205.129|(?#datacapture.co.uk)adsl-217.146.111.67.merula.net|(?#mail.nordvalls.se)85.30.130.17
#
# This is a bit dangerous, because the system parses the first comment as the action
# (here 'smilehouse.com', which is not an action at all):
#		(?#smilehouse.com)193.94.205.129|(?#datacapture.co.uk)adsl-217.146.111.67.merula.net|(?#mail.nordvalls.se)85.30.130.17
# If a line must start with a comment but carry no action, this is the better way to write it:
#		(?#)(?#smilehouse.com)193.94.205.129|(?#datacapture.co.uk)adsl-217.146.111.67.merula.net|(?#mail.nordvalls.se)85.30.130.17


[rules]
## Hide rules make it possible to hide hosts from the received/ipfromto tests.
## Add hosts here that relay email to your system often; gmail and iki.fi for
## example. Technical detail: received lines are processed recursively, and
## lines matched by hide rules are ignored when the received table is built,
## so those lines are not matched against any rules!
## Caveat: every Received: header below the one your own MTA adds is text
## supplied by the sender and can be forged, so a broad hide pattern (like the
## private-address one below) can be satisfied by a crafted header and shift
## which hop the later tests examine. Keep hide rules to relays you trust.
hide:
		^(192\.168\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3})
		(silppuri|jatkuu|taas|leimasin).iki.fi

### Connect - Personal 'firewall'
## Matches are tested against the connecting IP and its DNS name. (Not
## recursive. Should it be?) The DNS name is the reverse (PTR) record, which
## is controlled by whoever owns the address range, so name-based accept
## rules are only as trustworthy as that owner; IP-based rules are safer.
connect:
# ignore = accept without logging. "Outgoing"
# 127.0.0.1 test is also hardcoded, here is sample how to do it:
		(?#ignore)^127\.0\.0\.1$
# If reverse DNS returns localhost, delete message. PTR should NEVER point
# to localhost. (except on 127. block)
		(?#delete)^localhost$
# Local, internal, network are accepted
		(?#accept)^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$
		(?#accept)^193\.93\.133\.\d{1,3}
# Our IP/DNS Blacklist. The dots here are unescaped, so each '.' also matches
# any other character; harmless in a blacklist, but escape them (\.) in any
# accept rule.
		(?#delete)^(41.178.206.33|59.97.228.77|62.33.151.228|93.46.245.100|94.178.74.109|95.56.110.10|95.79.45.230|111.65.136.240|114.34.95.232|117.207.84.67|119.42.126.187|124.107.86.195|188.93.135.34|190.178.93.116|201.254.80.39|201.34.214.16)$

### accept/block/ipfromto - test [ip/dns]:[from]:[to] combinations for match.
##
## Accept and Block are tested with all [ip/dns]:[from]:[to] combinations,
## These two MUST be kept as light as possible. Mostly these are used for quick
## blocking of recipients. Note these usually should have a recipient to match.
##
## Most rules (sender based) should be in ipfromto because that is tested
## for only the first recipient.
##
## Caveat for the brand rules below: [from] is the sender address, which any
## sender can forge, and [ip/dns] is the connecting host's DNS name (reverse
## DNS, chosen by the address owner). An accept rule keyed on those alone can
## be satisfied by a phisher who picks a fitting hostname and From address;
## no test in this file checks SPF or DKIM. The patterns also use unescaped
## '.' and are not anchored on the left: '.apple.com:' matches
## 'notapple.com:' and '^(email|outbound|mx).+.paypal.com:' matches
## 'email-evilpaypal.com:'. Escape dots (\.) and anchor on a label boundary,
## e.g. '(^|\.)apple\.com:', before relying on these.
##
accept:
		(?#flag):abuse@
#
		(?#skip):(hostmaster|postmaster|webmaster|website)@hallikas.com$
		(?#skip):(wlan|wlan2|secure|symbian|giveaway|notify|iphone|growl|blog)@hallikas.com$
		(?#skip):(root|semi|sami|samipekka.hallikas|sami-pekka.hallikas|hilkka|jonne|jaska|mari|ville|laura|lasse)@hallikas.com$
#		(?#skip):([A-Za-z]+\.[A-Za-z]+|[a-z]+)@hallikas.com$
# Catch-all for the domain. 'break' presumably stops evaluating further
# accept rules -- confirm in the sspamm source. (About the abuse@ flag rule
# at the top: should the code have a combined flag+accept action?)
		(?#break)@hallikas.com$
#
# Known services, commonly phished, should be added here. Like real address for paypal:
# PAYPAL
		^(email|outbound|mx).+.paypal.com:(payment@|paypal@email.|service@intl.)paypal.com:
# EBAY
		(smfcamppool\d\d.emailebay.com|emasmail\d.emarsys.net):ebay.*(@reply\d\.ebay\.com|@ebay\.emarsys\.net):
		mx(smf)?pool\d\d.ebay.com:(checkout|status|member|ebay|[\d\w._-]+)@.*ebay\.\w\w(\w)?:
# VALVE/Steam
		wcmx\d.valvesoftware.com:.*@valvesoftware.com:
#
# Apple
		(mail-out\d)?.apple.com:(repair2-feedback|do_not_reply_con_en|[A-Za-z0-9_-]+)@euro.apple.com:
		.apple.com:([\d\w._-]+@insideapple.|do_not_reply@)apple.com:
# Ticketmaster
# The first rule's character class has no quantifier, so it matches exactly
# one character before 'ticketmaster.com' (e.g. '@ticketmaster.com'); the
# broader second rule covers the rest.
		(sms1-els\d\d\d-\d\d\d.mm)?.ticketmaster.com:[A-Za-z0-9_.=@+-]ticketmaster.com:
		(sms1-els\d\d\d-\d\d\d.mm)?.ticketmaster.com:.*ticketmaster.com:
		ticketmaster.com:.*ticketmaster.com:
# Facebook
		(out(camp)?mail0\d\d.snc\d)?.facebook.com:(notification|update)+.*@facebookmail.com:
		(out(camp)?mail0\d\d.snc\d)?.facebook.com:.*facebookmail.com:
# The '^' after 'tfbnw.net:' sits in the middle of the pattern and can only
# match at the start of the string (or of a line, with MULTILINE), so this
# rule likely never fires as written; drop the '^' if it is meant to match.
		.tfbnw.net:^(notification|update)?.*@facebookmail.com:

##
block:
# This should/could be in ipfromto, but we must make as quick a match as possible.
# Matches as sender AND recipient
		(?#delete)firstname.(last|sure)name(\w)?@|etunimi.sukunimi(\w)?@
		(?#delete)@rolex.com:
# SpamTrap. Matches as recipient, note the end-of-line mark ($). No action
# comment, so presumably the [actions] entry for block (Delete) applies.
		spamtrap@somewhere.net$
		(?#reject)roskaposti@hallikas.com$
# All messages to hallikas.com will be deleted! Note, there is a (?#skip) rule
# in accept; if that rule matches, it will skip blocking. But all other
# tests are done.
#####		(?#delete)@hallikas.com$

##
ipfromto:
# Keep support/abuse/postmaster deliverable (RFC 5321 requires postmaster to
# exist); these addresses skip this test.
		(?#skip)(support|abuse|postmaster)@target.org$
# Trusted relay, matched on the connecting host's DNS name or IP. The name is
# reverse DNS (owner-controlled), so the IP alternative is the dependable one.
		(?#skip)^(smtp-gw1.crescom.fi|80.81.171.48):
# Mail whose sender claims one of these brands is flagged; the genuine senders
# are matched by the accept rules above. Dots are unescaped here too.
		(?#flag)@(paypal.com|facebook.com|ebay.com|apple.com):
charset:
		(?#skip)(utf-8|iso-8859-1|us-ascii)
		(?#flag)(windows-1250|windows-1251|windows-1252)
# Rejecting these charsets refuses all mail in common Japanese, Chinese and
# Russian encodings, not only spam; make sure that is the intended policy.
		(?#reject)(iso-2022-jp|shift_jis|big5|GB2312|koi8-r)

#
# Note! This does not include headers that have duplicate keys, like Received.
headers:
		(?#delete)(?i)From:.*(Viagra|Rolex|Pfizer)
# '\<' and '\>' are literal angle brackets in Python regexps (not word
# boundaries), so this only matches the bracketed form '<halen@iki.fi>'.
		(?#reject)\<(halen@iki.fi|samipekka.hallikas@nic.fi)\>
# Received: lines are sender-supplied text and can be forged, so Flag is the
# right action. (Per the note above, duplicate-key headers such as Received
# are not included in this test, so the first alternative may never match --
# confirm.)
		(?#flag)(Received: from google.com|\(HELO google.com\))
# Trusts an upstream scanner's verdict. Any sender can add this header, so
# keep it at Flag; never Delete or Reject on it.
		(?#flag)X-Spam-Flag: YES

dyndns:
###
### authmx - define mail relay hosts that can/would accept 'dyndns'. No dyndns
### check is done after a match.
### Caveat: the rule below whitelists by the first label of the connecting
### host's DNS name (mail, smtp, mx, relay, ...). That name is the reverse DNS
### entry, chosen by whoever controls the address block, so a host named e.g.
### 'mail1.<some dynamic pool>' skips the dynamic-host test. Prefer listing
### specific relays by IP (as the examples further down do) over a name prefix.
###
		(?#authmx)^(\w)?(mail|smtp(in|out)?|out|mx|mq|secmx|post|relay|proxy|ns|gw|list|mta|pop|imap|sender|spamgw|filter|filtteri|gate|posti|(e|www)mail)(\d)?(\d)?
# Known relay domains
#		(?#authmx)\.iki\.fi|\.hotmail\.com|\.gmail\.com|\.google\.com|\.yahoo\.com|\.sth\.basefarm\.net|\.fre\.skanova\.net
#		(?#authmx)^(smtpout|smgw\d\d|memailout\d\d.|eni-mailout\d\d|fmmailgate\d\d|hnexfw\d\d|bbnrelbas\d\d)\.

# You can use NAME
#	client194-14-197-6.exicom.se
#	(?#authmx)ded-rb.dedicated.tdcsong.se.222.42.195.in-addr.arpa
# IP
#	213.150.148.53
#	217.212.20.191|213.50.2.(2|109)
# Or even regexps with comments.
#	(?#authmx)(?#hemtex.se)83.241.254.6[67]

###
### skip - Do not make the dyndns test for a match. If recursive mode is
###        enabled, skip to the next received host.
###
#		(?#skip)(?#too many false blocking).*dnainternet.net|.*\.sta(tic)?\.(smilehouse.com|louhi.net|ac-net.se|estpak.ee)
#		(?#skip).(smilehouse.com|louhi.net|ac-net.se|estpak.ee|dnainternet.net)
#		(?#skip)(?#diamo.se)88.131.23.18|(?#dpu.se)82.182.83.75|(?#mbcint.se)82.182.83.75|(?#autoexperten.nu)213.150.159.45
#		(?#skip)(?#smilehouse.com)193.94.205.129|(?#tamroshop.fi)193.65.59.129|(?#mail.duodecim.fi)195.236.0.9

### Regexp rules for detecting "dynamic" hostnames. If a dynamic host should
### be allowed, use a skip rule above (there is no 'skip_dns' key or RBL
### section in this file).

### TODO? Also RBL checking is skipped for those.
# DNS names to be flagged: four numbers separated by dots or dashes, the
# typical shape of ISP-generated names for dynamic addresses.
		(?#flag)\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]

# Body patterns, presumably for the wordscan test (the rules key is
# 'blockwords' while the test/action is named 'wordscan' -- confirm). The
# patterns are unanchored and match anywhere in the body, so keep them
# specific: 'http://pharma' also hits legitimate pharmacy domains, and this
# line deletes on match.
blockwords:
		(?#reject)Penetrate this site
		(?#delete)Pharmacy(USA|Canada)|http://pharma