On Mon, Mar 18, 2002 at 10:53:46AM -0600, Dave Sherohman wrote:
>On Mon, Mar 18, 2002 at 07:55:26AM +0000, Patrick Kirk wrote:
>> It's guys like this that led me to add this to my .forward.
>
>Damn, this is a great list!  I'd started wondering about setting up a
>scorefile in .forward for exim and planned to look into it Real Soon
>Now, and then the answer just shows up here.
>

I hope this is not overkill but here's the whole .forward.  It is
derived from the filter at the URL in the intro to the scoring section -
that link is worth following if you want to do other clever things like
autorespond and so on.

Pat

# Exim filter for Patrick Kirk <[EMAIL PROTECTED]>

# Error trapping
if error_message then finish endif

#####################################################################
# John
if $h_To:,$h_Cc: contains "[EMAIL PROTECTED]"
then
  deliver john
  logfile $home/mail/.filterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} : John"
  finish
endif

#####################################################################
# My scoring system
# Email that has a score of 100 or more is treated as junk.
# Values should be ending in 0, 1, 3, 4 so if a mail has a score of
# 144 you can see it was caught by 6n + 41 + 41
# Idea came from http://colondot.net/mbm/mailfilter.shtml#score

#####################################################################
# Step 1
# Things that are definitely spam
if ${lc:$h_Received:} contains "esavingszone.com"
or ${lc:$h_From:} contains "informit.com"
or ${lc:$h_Received:} contains "pkgames"          # Leaks from online games
or ${lc:$h_Received:} contains "pknews"           # Leaks from usenet
or $h_Received: contains "[EMAIL PROTECTED]"      # Old ehr inbox after 4 years
or $h_From: contains "Excite Canada"              # Why do they mail me?
then add 1000 to n1
endif

# If it's not intended for me at all, then I shouldn't receive it...
#if h_Received: does not contain "[EMAIL PROTECTED]"
#and h_Received: does not contain "[EMAIL PROTECTED]"
#then add 100 to n1 endif

if ${lc:$h_To:} contains "friend"                 # Not your friend
or ${lc:$h_From:} contains "friend"               # Not my friend
or $message_body contains "Dear Friend,"          # Sickening
or $h_From: contains "wotch.com"                  # Just won't go away
or $h_From: contains "[EMAIL PROTECTED]"          # Just won't go away [EMAIL PROTECTED]
or $h_subject: contains "ADV "                    # Wonder what ADV means anyway?
or $h_subject: contains "[ADV]"
or $h_subject: contains "ADV:"
or "$h_subject: $message_body:" matches "bulk .*hosting"
then add 100 to n1
endif

# Can the credit card spammers be caught here?
if $message_body: contains "credit card"
then add 100 to n1
endif

# NUISANCE POSTS TO DEBIAN USER
if ${lc:$h_to:} matches "debian-user"
and $h_subject contains "subscribe"
then add 100 to n1
endif

#####################################################################
# Step 2
# Things that are usually spam.
# Score is 6n so easier to track why individual mails fail
# (regular expressions need "matches"; "contains" is a plain substring test)
if $h_subject: contains "Viagra"                  # Dear Lord, 3 kids is enough!
or ($h_Subject: matches \\\$\\\$+)                # No dollars for me
or $h_subject: contains "Card"                    # Credit card scams
or $h_subject: contains "Weight loss Offer"       # Fat is a sign of maturity
or $h_subject: contains "Lowest Mortgage Rates"   # Got my mortgage
or $h_subject: contains "Free Pics"               # Avoid RSI today
# Score the mail
then add 60 to n1
endif

if (${lc:$message_body} contains "<script")       # javascript mail
then add 60 to n1
endif

if ${lc:$message_body_end} matches "to be removed" # amazing this works
then add 61 to n1
endif

if ${lc:$message_body} matches "not junk mail"    # Trust me
then add 62 to n1
endif

if ${lc:$message_body} matches "spam free"        # Nothing is free
then add 62 to n1
endif

# If the To: box is empty, that's suspicious
if (${domain:${lc:$h_To:}} is "")
then add 63 to n1
endif

#####################################################################
# Step 3
# There are a lot of legitimate users of hotmail and
# of html mail. There are other indications that hint
# at spam but that are not conclusive.
if (${lc:$sender_address} matches "([a-z\\\\d]+)@(lycos|hotmail|aol|yahoo|msn)\\\\.co(\\\\..*|m)"
    and $1 matches \\d)
then add 41 to n1
endif

if (${lc:$message_body} matches "<html>")         # html mail
then add 41 to n1
endif

# If we find a "mailto:" link for which the address is not
# the same as the sender address or return path.
if (${lc:$message_body} matches "a\\\\shref=(['\"])mailto:([EMAIL PROTECTED]@[EMAIL PROTECTED])\$1"
    and $2 is not ${lc:$return_path}
    and $2 is not ${lc:$sender_address})
then add 41 to n1
endif

# A lot of spams seem to have a subject which has a number
# (possibly in brackets) at the right-hand side, this is
# designed to catch this
if (${lc:$h_Subject:} matches "\\\\s\\\\s\\\\s\\\\s+(\\\\(\\\\d+\\\\)|\\\\d+)\\\$")
then add 41 to n1
endif

#####################################################################
# Sort the mail by recipe and by score:

# ALLOW POSTMASTER ACCESS
if $h_To:,$h_Cc:,$h_From: contains postmaster
then
  save $home/mail/kirks.net
  logfile $home/mail/.filterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: POSTMASTER"
  finish
endif

# ALL THAT PESTY USEFUL INFO FROM ROOT AND CRON...
if $h_From: contains "[EMAIL PROTECTED]"
or $h_From: contains "Mailer-Daemon"
then
  save $home/mail/rootmail
  logfile $home/mail/.filterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:}: ROOT MESSAGE"
  finish
endif

# BETTER SEE HOW TO USE EXIM
if $h_Sender: contains "[EMAIL PROTECTED]"
and ($n1 is below 100)
then
  save $home/mail/files/lists
  logfile $home/mail/.listfilterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: EXIM"
  finish
endif

# GETTING THE SPEEDTOUCH MODEM WORKING UNDER LINUX
if $h_To:,$h_Cc:,$h_From: contains "speedtouch"
then
  save $home/mail/files/lists
  logfile $home/mail/.listfilterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: SPEEDTOUCH"
  finish
endif

# GENTOO
if $h_Reply-To: contains "gentoo-user@gentoo.org"
and ($n1 is below 100)
then
  save $home/mail/files/gentoo
  logfile $home/mail/.listfilterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: GENTOO"
  finish
endif

# DEBIAN - OF COURSE
if $h_X-Mailing-List: matches "debian-user@lists.debian.org"
and ($n1 is below 100)
then
  save $home/mail/files/debian
  logfile $home/mail/.listfilterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: DEBIAN"
  finish
endif

# KIRKS.NET
if $h_Received: contains "[EMAIL PROTECTED]"
and ($n1 is below 100)
then
  save $home/mail/kirks.net
  logfile $home/mail/.filterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: KIRKS.NET"
  finish
endif

# BTINTERNET
if $h_Received: contains "[EMAIL PROTECTED]"
and ($n1 is below 100)
then
  save $home/mail/kirks.net
  logfile $home/mail/.filterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: BTINTERNET"
  finish
endif

# DEFINITE SPAM
if ($n1 is above 99)
then
  save $home/mail/junkmail
  # bouncing to bad addresses causes frozen mail queues
  # seen mail to $return_path from [EMAIL PROTECTED] return message subject "This mail is looks like SPAM. If so, after reviewing the log file, you are blacklisted"
  logfile $home/mail/.filterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: DEFINITE_JUNK"
endif

# ALL THE REST
if not delivered
then
  save $home/mail/kirks.net
  logfile $home/mail/.filterlog 0644
  logwrite "[$tod_log] ${lc:$h_From:} ${lc:$h_Subject:} $n1: DUBIOUS"
endif

#####################################################################
# EOF - patrick's .forward
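
Added example, not part of Patrick's post: a small Python helper for reviewing the filter's log, which works out which rule weights can add up to a logged $n1 score (the "144 = 6n + 41 + 41" idea from the comments). The weights and rule counts are read off the filter above; the function names and the sample log lines are constructed for this example.

```python
import re
from itertools import combinations

# Weight -> number of active rules in the filter that add that weight to $n1.
# The commented-out "not intended for me" rule is not counted.
RULE_COUNTS = {1000: 1, 100: 3, 60: 2, 61: 1, 62: 2, 63: 1, 41: 4}
JUNK_THRESHOLD = 100  # the filter saves to junkmail when $n1 is above 99

# Scored log lines look like: "[$tod_log] from subject $n1: LABEL"
LOG_LINE = re.compile(
    r"^\[(?P<when>[^\]]+)\] (?P<rest>.*) (?P<score>\d+): (?P<label>[A-Z_.]+)$"
)


def decompose(score):
    """Return every multiset of rule weights that sums to score, sorted."""
    pool = [w for w, n in RULE_COUNTS.items() for _ in range(n)]
    found = set()
    for size in range(1, len(pool) + 1):
        for combo in combinations(pool, size):
            if sum(combo) == score:
                found.add(tuple(sorted(combo)))
    return sorted(found)


def audit(line):
    """Parse one log line; return (label, score, is_junk, decompositions)."""
    m = LOG_LINE.match(line)
    if m is None:
        return None  # the John and ROOT MESSAGE entries carry no score
    score = int(m.group("score"))
    return m.group("label"), score, score >= JUNK_THRESHOLD, decompose(score)


# Constructed sample log lines (not taken from a real .filterlog).
SAMPLE_LOG = [
    "[2002-03-18 10:53:46] offers@example.com lowest rates 2002 144: DEFINITE_JUNK",
    "[2002-03-18 11:02:10] promo@example.net hello 123: DEFINITE_JUNK",
    "[2002-03-18 11:05:31] alice@example.org lunch? 41: DUBIOUS",
    "[2002-03-18 11:07:00] root@example.org: ROOT MESSAGE",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(audit(entry))
```

A score of 144 has one explanation (62 + 41 + 41), but 123 has three (41 + 41 + 41, 60 + 63, 61 + 62), so some logged totals do not identify the rules that fired.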