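# These are snippets of my Exim configuration (variant with ${run ).
# http://wiki.exim.org/DbLessGreyListingRun
# Lena(at)lena.kiev.ua June 23, 2023

# Threshold and time window for blocking a relay or authenticated user who
# keeps sending to invalid recipients (used by the ratelimit conditions).
WRONG_RCPT_LIMIT = 100
PERIOD = 1h
# Recipient of the notification mails generated by the ACLs.
WARNTO = abuse@example.com
# Shell handed to ${run} for the command lines assembled in the ACLs.
SHELL = /bin/sh
P7ZIP = /usr/local/bin/7zz
# port archivers/7-zip in case of FreeBSD

BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: ace|apk|bat|btm|cgi|chm|cmd|com|cpl|dat|dll|exe|flv|hta|jar|js|jse|jsp|lnk|msi|msu|mst|ocx|pif|prf|ps1|reg|scr|sys|vb|vba|vbe|vbs|wsf|cab|7za|lah|lzo|lzx|arj|bin|msi|cbr|deb|rpm|gzip|jar|pak|pkg|tar-gz|xar|zipx|wim|tb2|paq|iso|jar|lzh|lzma|pak|pk3|pk4|smzip|u3p|xpi|zipx|cpio|xar|lz|rk|zoo|img|ha|z|uu
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z|tar|tgz|iso|img|r\d+

# Subject line and body of the "IP blocked" notification.  The ACLs paste this
# text into a command line that is interpreted by the shell, so every value
# that originates from DNS is reduced to a harmless character set first: the
# PTR name keeps only [\w.,-], and the country code (captured from a DNSBL TXT
# record with \S+, i.e. any non-blank byte) keeps only word characters.
IPNOTIF = echo Subject: blocked $sender_host_address ${sg{$acl_c_country}{\N\W\N}{}} \
        ${sg{${lookup dnsdb{>, defer_never,ptr=$sender_host_address}}}{\N[^\w.,-]\N}{}}; \
        echo; echo for bruteforce auth cracking attempt.;

# Where this build knows the option, advertise CHUNKING to no host.
.ifdef _OPT_MAIN_CHUNKING_ADVERTISE_HOSTS
chunking_advertise_hosts =
.endif

daemon_smtp_ports = 25 : 587
accept_8bitmime = true
# NOTE(review): these two settings let every local user pick an arbitrary
# envelope sender and stop Exim from adding a Sender: header when From: does
# not match the submitting user - appropriate only if all local accounts are
# trusted.
untrusted_set_sender = *
local_from_check = false
# Syntactically invalid HELO/EHLO arguments are accepted from every host; the
# ACLs in this file judge $sender_helo_name themselves.
helo_accept_junk_hosts = *
message_body_newlines = true
check_rfc2047_length = false
headers_charset = KOI8-R
smtp_return_error_details = true
bounce_return_size_limit = 7K
delay_warning = 4h:99d
message_id_header_domain = lena.kiev
# nonexistent domain in order to avoid spam to Message-IDs

# STARTTLS is offered to every client.
# NOTE(review): keep the private key file readable by the Exim user only.
tls_advertise_hosts = *
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem

# Reverse DNS is done for every client (the ACLs test $sender_host_name), and
# an ident query with a 2 s timeout is sent to every client.
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 2s
log_selector = +smtp_confirmation +queue_time -retry_defer \
               +smtp_incomplete_transaction +smtp_no_mail +deliver_time

# Hosts in this list skip the local blacklists and are accepted before the
# DNSBL and greylisting checks (see the ACL conditions on +whitelisted_hosts).
# NOTE(review): some entries are dated 2008 in the comments further down the
# list; a stale range exempts whoever holds it today, so review periodically.
hostlist whitelisted_hosts = \
# yahooGroups:
        66.163.168.0/23 : \
        66.196.80.0/23 : \
        67.195.87.0/24 : \
        98.136.45.0/24 : \
        98.136.218.0/23 : \
        98.137.34.0/24 : \
        98.138.120.0/23 : \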
98.138.214.0/23 : \ 98.139.164.0/23 : \ 98.139.237.0/24 : \ # yahooGroups old: 98.136.218.0/23 : \ 98.139.44.0/24 : \ 98.138.214.0/23 : \ 98.139.164.0/23 : \ 66.163.168.0/23 : \ 67.195.134.0/23 : \ 69.147.64.0/23 : \ 69.147.102.0/23 : \ 74.6.140.0/24 : \ 98.136.44.0/23 : \ 202.86.5.0/24 : \ 203.188.202.0/24 : \ 217.146.182.0/23 : \ 209.131.38.0/24 : \ 209.191.87.0/24 : \ 209.191.125.0/24 : \ 68.142.206.0/23 : \ 68.142.236.0/23 : \ # groups.io: 66.175.222.12 : \ 66.175.222.108 : \ # rambler.ru: 81.19.78.103/28 : \ 81.19.92.32/28 : \ 81.19.66.0/23 : \ 81.19.88.0/24 : \ # mail.ru: 194.67.23.0/24 : \ 194.67.57.0/24 : \ 94.100.179.0/24 : \ 194.67.45.0/24 : \ 195.239.211.0/24 : \ 194.186.55.0/24 : \ 195.239.174.0/24 : \ 94.100.176.0/20 : \ 217.69.128.0/20 : \ # yandex.ru: 87.250.230.0/24 : \ 5.255.227.0/24 : \ 95.108.253.0/24 : \ 77.88.32.0/24 : \ 87.250.248.0/24 : \ 213.180.200.0/24 : \ 213.180.223.0/24 : \ 77.88.46.0/23 : \ 77.88.60.0/23 : \ 95.108.130.0/23 : \ 84.201.186.0/23 : \ # pochta.ru: 81.211.64.0/24 : \ 82.204.219.0/24 : \ # aha.ru/go.ru: # 195.2.83.0/24 : \ # beelinegprs: 217.118.66.233 : \ # ngs.ru: 81.176.214.0/24 : \ 195.93.186.0/24 : \ 212.164.71.0/24 : \ 195.19.71.0/27 : \ # tut.by: 195.137.160.39 : \ 195.137.160.40 : \ 195.137.160.44/31 : \ # kyivstar.net: 193.41.60.22 : \ # ntvplus.ru: 217.106.225.56 : \ # subscribe.ru: 81.222.217.0/24 : \ 81.222.129.0/24 : \ 81.9.34.128/25 : \ 81.9.46.0/24 : \ 185.76.232.0/22 : \ 185.138.180.0/22 : \ # livejournal.com: 81.19.74.146/24 : \ # spamgourmet.com: 216.75.35.164 : \ # shootthebreeze.net: 74.220.195.67 : \ # nym.alias.net: 18.26.0.252 : \ # WatchThatPage.com: 178.79.142.95 : \ # satline.net: 212.72.193.50 : \ # allegro.pl: 91.194.188.90 : 91.207.14.90 : 91.207.14.247 : 91.207.14.248 : \ 91.194.189.11 : 91.194.189.12 : 178.21.155.24 : 178.21.155.25 : \ 91.194.188.241 : 91.207.14.113 : 194.0.251.100/31 : \ # slando.ru : 83.231.211.64/28 : 83.231.236.0/24 : \ # skylots.org: 91.234.33.227 : \ # ntvplus.ru: 
217.106.225.56 : \ # mailing lists @ opennet.ru (open source software): 217.195.210.187 : \ # spam-l.com: 204.238.179.8 : 204.238.179.3 : 204.238.179.19 : \ # spammers.dontlike.us: 192.249.57.241 : \ # mon.itor.us: 208.76.247.123 : \ # mon.itor.us / monitis.com 208.76.245.178 : \ # ÁÐÔÅËÁ lekafarm.com.ua: 193.193.194.47 : \ # mailfilter-out-01.viettel.com.vn: 203.113.131.24 : \ # paypal: 206.165.243.109 : 206.165.243.110/31 : 206.165.243.112/28 : \ 206.165.243.128/29 : 206.165.243.136/30 : 206.165.243.140/31 : \ # gmail (from spf 13Nov2008): 216.239.32.0/19 : 64.233.160.0/19 : 66.249.80.0/20 : \ 72.14.192.0/18 : 209.85.128.0/17 : 66.102.0.0/20 : \ 74.125.0.0/16 : 64.18.0.0/20 : 207.126.144.0/20 : \ # from exim-users May 8, 2008: # Blueyonder: 195.188.213.0/29 : 195.188.213.8/31 : \ # Freeserve: # 193.252.22.156/30 : 193.252.22.128/32 : \ # Tucows: 64.97.168.37/32 : 64.97.136.128/26 : \ # Hotmail: 65.54.246.0/24 : \ # Google: 209.85.132.130/32 : 209.85.132.184/29 : 209.85.132.241/32 : \ 209.85.132.244/32 : 209.85.132.250/32 : 212.159.30.228/32 : \ 64.233.162.176/28 : 64.233.162.224/27 : 64.233.182.167/32 : \ 64.233.184.130/32 : 64.233.184.224/27 : 66.249.82.224/28 : \ 66.249.92.171/32 : 66.249.93.114/32 : 66.249.93.27/32 : \ # Messagelabs: # 134.159.150.64/26 : 193.109.254.0/23 : 194.106.220.0/23 : \ # 195.245.230.0/23 : 203.129.72.208/28 : 203.129.72.240/28 : \ # 203.129.74.224/27 : 203.166.119.128/26 : 212.125.75.0/27 : \ # 216.82.240.0/20 : 62.173.108.16/28 : 62.173.108.208/28 : \ # 62.231.131.0/24 : 64.124.170.128/28 : 85.158.136.0/21 : \ # manchester.worldispnetwork.com (with qmail): 216.218.232.61 : \ # from http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?view=markup , # but 195.238.2.0/15->195.238.2.0/23: 12.5.136.141 : 12.5.136.142/31 : 12.5.136.144 : 12.107.209.244 : \ 63.82.37.110 : 63.169.44.143 : 63.169.44.144 : 64.7.153.18 : \ 64.12.137.0/24 : 64.12.138.0/24 : \ 64.124.204.39 : 64.125.132.254 : 66.100.210.82 : 66.135.209.0/24 : \ 
66.135.197.0/24 : 66.162.216.166 : 66.206.22.82/31 : 66.206.22.84/31 : \ 66.27.51.218 : 152.163.225.0/24 : 194.245.101.88 : 195.235.39.19 : \ 195.238.2.0/23 : 204.107.120.10 : 205.188.139.136/31 : 205.188.139.137 : \ 205.188.144.207 : 205.188.144.208 : 205.188.156.66 : 205.188.157.0/24 : \ 205.188.159.7 : 205.206.231.0/24 : 205.211.164.50 : 207.115.63.0/24 : \ 207.171.168.0/24 : 207.171.180.0/24 : 207.171.187.0/24 : 207.171.188.0/24 : \ 207.171.190.0/24 : 209.132.176.174 : 211.29.132.0/24 : 213.136.52.31 : \ 217.158.50.178 pipelining_advertise_hosts = ${if eq{$sender_host_name}{$sender_helo_name}\ {*}{+whitelisted_hosts}} acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data acl_smtp_predata = acl_check_predata acl_smtp_mime = acl_check_mime acl_smtp_helo = acl_check_helo acl_smtp_auth = acl_check_auth acl_smtp_mail = acl_check_mail acl_smtp_connect = acl_check_connect acl_smtp_quit = acl_check_quit acl_smtp_notquit = acl_check_notquit acl_not_smtp = acl_check_notsmtp acl_not_smtp_mime = acl_check_notsmtpmime =============== =============== begin acl acl_check_rcpt: accept hosts = : deny message = Restricted characters in address domains = +local_domains local_parts = ^[.] : ^.*[@%!/|] deny message = Restricted characters in address domains = !+local_domains local_parts = ^[./|] : ^.*[@] : ^.*/\\.\\./ # was ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ warn condition = ${if !def:acl_m_pmfirst} local_parts = postmaster : abuse domains = +local_domains set acl_m_pmfirst = 1 warn condition = ${if !def:acl_m_pmfirst} !local_parts = postmaster : abuse domains = +local_domains set acl_m_pmfirst = 0 defer message = letters to postmaster and abuse are accepted separately \ from letters to other addresses local_parts = postmaster : abuse domains = +local_domains !condition = $acl_m_pmfirst defer message = letters to postmaster and abuse are accepted separately \ from letters to other addresses !local_parts = postmaster : abuse domains = +local_domains condition = $acl_m_pmfirst warn set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\ ${sg{$sender_host_address}{\N\.\d+$\N}{}},\ ${sg{$sender_address,$local_part@$domain}{\N[^\w.,=@-]\N}{}}} accept local_parts = postmaster : abuse domains = +local_domains set acl_m_postmaster = $sender_address,$local_part@$domain require verify = sender drop hosts = !@[] : +relay_from_hosts set acl_m_user = $sender_host_address # or username from RADIUS condition = ${if exists{$spool_directory/blocked_relay_users}} set acl_m_wasfree = ${if def:acl_c_blocked{$acl_c_spoolfree}\ {${lookup{$acl_m_user}lsearch\ {$spool_directory/blocked_relay_users}}}} condition = ${if match{$acl_m_wasfree}{\N^\d+$\N}} condition = ${if match{$spool_space}{\N^\d+$\N}} condition = ${if <={$spool_space}{${eval:$acl_m_wasfree/2}}} log_message = free space on spool disk $spool_space KB - less than \ half than it was when the user $acl_m_user was blocked message = spool disk too full accept hosts = !@[] : +relay_from_hosts condition = ${if exists{$spool_directory/blocked_relay_users}} condition = ${lookup{$acl_m_user}lsearch\ {$spool_directory/blocked_relay_users}\ {1}{$acl_c_blocked}} control = freeze/no_tell control = submission/domain= add_header = X-Relayed-From: $acl_m_user accept hosts = !@[] : +relay_from_hosts !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender ratelimit = 
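WRONG_RCPT_LIMIT / PERIOD / per_rcpt / relayuser-$acl_m_user
# Reached only when the preceding conditions held, i.e. recipient verification
# failed and the rate limit was exceeded: remember the block for this
# connection, append "<user>:<free spool KB>" to blocked_relay_users and mail a
# notice.  The text in acl_m_shargs is interpreted by a shell, so it may only
# contain values with a known character set; for relay hosts acl_m_user is the
# client IP address.
         set acl_c_blocked = 1
         set acl_c_spoolfree = $spool_space
         set acl_m_shargs = echo $acl_m_user:$acl_c_spoolfree \
                     >>$spool_directory/blocked_relay_users; \
                     { echo Subject: relay user $acl_m_user blocked; echo; echo \
                     because has sent mail to WRONG_RCPT_LIMIT invalid recipients \
                     during PERIOD.; } | $exim_path -f root WARNTO
# The closing quote and braces belong at the end of the run item, exactly as
# in the authenticated-user variant of this statement further down.
         continue = ${run{SHELL -c "$acl_m_shargs"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

# Relay hosts that are neither blocked nor over the limit.
  accept hosts = +relay_from_hosts
         control = submission/domain=

# Authenticated senders.  The login name is reduced to [\w.=@-] before it is
# used as lookup key, ratelimit key, header value and part of a shell command
# line in the statements that follow.
# Drop when the user is already blocked and the free spool space has fallen to
# half (or less) of what it was when the block was recorded.
  drop   authenticated = *
         set acl_m_user = ${sg{$authenticated_id}{\N[^\w.=@-]\N}{}}
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
         condition = ${if exists{$spool_directory/blocked_authenticated_users}}
         set acl_m_wasfree = ${if def:acl_c_blocked{$acl_c_spoolfree}\
                       {${lookup{$acl_m_user}lsearch\
                       {$spool_directory/blocked_authenticated_users}}}}
         condition = ${if match{$acl_m_wasfree}{\N^\d+$\N}}
         condition = ${if match{$spool_space}{\N^\d+$\N}}
         condition = ${if <={$spool_space}{${eval:$acl_m_wasfree/2}}}
         log_message = free space on spool disk $spool_space KB - less than \
                       half than it was when the user $acl_m_user was blocked
         message = spool disk too full

# Already blocked user (listed in the file, or blocked earlier on this
# connection): the controls that follow this condition freeze the message.
  accept authenticated = *
         condition = ${if exists{$spool_directory/blocked_authenticated_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                       {$spool_directory/blocked_authenticated_users}\
                       {1}{$acl_c_blocked}}
# The variable acl_c_blocked is used because lookup can be cached.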
control = freeze/no_tell control = submission/domain= add_header = X-Authenticated-As: $acl_m_user accept authenticated = * !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender ratelimit = WRONG_RCPT_LIMIT / PERIOD / per_rcpt / user-$acl_m_user set acl_c_blocked = 1 set acl_c_spoolfree = $spool_space set acl_m_shargs = echo $acl_m_user:$acl_c_spoolfree \ >>$spool_directory/blocked_authenticated_users; \ { echo Subject: user $acl_m_user blocked; echo; echo because \ has sent mail to WRONG_RCPT_LIMIT invalid recipients during \ PERIOD.; } | $exim_path -f root WARNTO continue = ${run{SHELL -c "$acl_m_shargs"}} control = freeze/no_tell control = submission/domain= add_header = X-Authenticated-As: $acl_m_user accept authenticated = * condition = ${if !={$received_port}{25}} control = submission/domain= deny message = rejected because `HELO $sender_helo_name` means \ impersonation/forgery of one of my domains by a spammer condition = ${if match_domain{$sender_helo_name}{+local_domains}} !hosts = @[] deny message = rejected because HELO is my (recipient server) IP-address \ as some spammers lie instead of sender hostname condition = ${if match{$sender_helo_name}\ {\N^\[?\N$interface_address\N\]?$\N}} !hosts = @[] deny message = `HELO $sender_helo_name` locally blacklisted condition = ${lookup{$sender_helo_name}nwildlsearch\ {/usr/local/etc/exim/blacklist_re_helo}{1}{0}} !hosts = +whitelisted_hosts deny message = sender address domain $sender_address_domain locally \ blacklisted condition = ${lookup{$sender_address_domain}nwildlsearch\ {/usr/local/etc/exim/blacklist_sender_domain}{1}{0}} !hosts = +whitelisted_hosts deny message = sender hostname $sender_host_name locally blacklisted \ because of too much spam from it log_message = sender hostname locally blacklisted condition = ${lookup{$sender_host_name}nwildlsearch\ {/usr/local/etc/exim/blacklist_re_hostname}{1}{0}} !hosts = +whitelisted_hosts deny message = sender IP-address $sender_host_address locally \ 
blacklisted because of too much spam from it log_message = sender IP locally blacklisted condition = ${lookup{$sender_host_address}iplsearch\ {/usr/local/etc/exim/blacklist_hostaddress}{1}{0}} !hosts = +whitelisted_hosts deny message = google photos abused by spammers sender_domains = photos-server.bounces.google.com require message = relay not permitted domains = +local_domains : +relay_to_domains require verify = recipient accept hosts = +whitelisted_hosts logwrite = $sender_host_address locally whitelisted deny message = rejected because recognized as Russian spam (type 2) condition = ${if eq{${lookup dnsdb\ {defer_never,a=$sender_address_domain}}}\ {195.191.40.160}} accept dnslists = list.dnswl.org!=127.0.0.255 : \ swl.spamhaus.org : \ hostkarma.junkemailfilter.com=127.0.0.1 logwrite = $sender_host_address whitelisted in \ $dnslist_domain=$dnslist_value # http://www.dnswl.org/ , http://spamhauswhitelist.com , # http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists deny message = rejected because $sender_host_address is in a black list \ at $dnslist_domain. $dnslist_text dnslists = smtp.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.5 # : orvedb.aupads.org # open relays http://www.aupads.org/ordb.html # dnsbl.njabl.org=127.0.0.2 # open relays RIP :-( # list.dsbl.org, dul.ru RIP :-( deny message = I don`t accept mail from China,HongKong,Taiwan, Korea, \ Vietnam because too many admins there do not care \ about outgoing spam. Your \ IP-address seems to belong to: $acl_c_country. 
dnslists = all.ascc.dnsbl.bit.nl=127.0.0.39,127.0.0.73,127.0.0.156,\ 127.0.0.93,127.0.0.165 # https://noc.bit.nl/dnsbl/ , https://noc.bit.nl/dnsbl/ascc/ # I found country codes in all.ascc.dnsbl.bit.nl using # ftp://ftp.apnic.net/pub/stats/apnic/delegated-apnic-extended-latest # linked from https://metacpan.org/pod/IP::Country::DB_File::Builder # 3 AD 4 AE 5 AG 6 AL 7 AM 9 AO 11 AR 12 AS 13 AT 14 AU 15 AW # 16 AZ 17 BA 18 BB 19 BD 20 BE 21 BF 22 BG 23 BH 24 BJ 25 BM 26 BN 27 BO 28 BR # 29 BS 30 BT 31 BW 32 BY 33 BZ 34 CA 35 CH 36 CK 37 CL 38 CM 39 CN 40 CO 41 CR # 42 CU 43 CY 44 CZ 45 DE 46 DK 47 DM 48 DO 49 DZ 50 EC 51 EE 52 EG 53 ES 54 ET # 56 FI 57 FJ 58 FM 59 FO 60 FR 61 GA 62 GD 63 GE 64 GH 65 GI 66 GL 67 GM 68 GP # 69 GR 70 GT 71 GU 72 GY 73 HK 74 HN 75 HR 76 HT 77 HU 78 ID 79 IE 80 IL 81 IN # 82 IO 83 IR 84 IS 85 IT 86 JM 87 JO 88 JP 89 KE 90 KG 91 KH 92 KN 93 KR 94 KW # 95 KY 96 KZ 97 LA 98 LB 99 LI 100 LK 101 LS 102 LT 103 LU 104 LV 105 LY # 106 MA 107 MD 108 MK 109 ML 110 MM 111 MN 112 MO 113 MP 114 MT 115 MU 116 MV # 117 MX 118 MY 119 NA 120 NC 121 NG 122 NI 123 NL 124 NO 125 NP 126 NU 127 NZ # 128 PA 129 PE 130 PF 131 PG 132 PK 133 PL 134 PR 135 PS 136 PT 138 PW 139 PY # 140 RO 141 RU 142 SA 143 SD 144 SE 145 SG 146 SI 147 SK 148 SM 149 SV 150 SZ # 151 TC 152 TH 153 TM 154 TR 155 TT 156 TW 157 TZ 158 UA 160 US 161 UY 162 UZ # 163 VE 165 VN 166 VU 167 WS 168 YE 169 ZA 170 ZM 171 ZW 173 BQ 174 CI 175 CW # 176 DJ 177 GB 178 JE 179 ME 180 MW 181 NR 182 OM 183 PH 184 QA 185 RS 186 SX # 188 UG 189 GG 190 SR 191 TD 192 SO 193 GF 194 NF 196 AX 197 TO 198 KP 199 SB # 200 MC 201 TJ 202 TL 203 TN 204 MH 206 SC 207 GN 208 KM 209 RE 210 GQ 211 AF # 212 BI 213 CD 214 CG 215 IM 216 IQ 217 LR 218 MF 219 MG 220 MR 221 MZ 222 NE # 223 PM 224 RW 225 SL 226 SS 227 SY 228 TG 229 VC 230 VG 231 WF 232 VA 233 CF # 234 SN 235 YT 236 ST 237 GW set acl_c_country = ${if match{$dnslist_text}{ CC=(\\S+) }{$1}} # # uncomment if you need mail from China: # message = rejected because 
$sender_host_address is in a black list \ # at $dnslist_domain. $dnslist_text # dnslists = zen.spamhaus.org : bl.spamcop.net : dnsbl.sorbs.net : \ # hostkarma.junkemailfilter.com=127.0.0.2,127.0.0.4 # deny message = Blocked as Peruvian spam condition = ${if eq{$sender_address_local_part}{no-responder}} set acl_m_partip = ${if match{$sender_host_address}\ {\N^(?:\d+\.){2}([\d.]+)$\N}{$1}} condition = ${if eq{$sender_host_name}\ {a$acl_m_partip.$sender_address_domain}} deny message = rejected because recognized as Russian spam (type 5) condition = ${if match{$message_headers_raw}\ {\N\nContent-Type: multipart/alternative;\n\t\ boundary=(.+\n)+\ Content-Type: multipart/alternative;\Z\N}} # accept condition = ${if def:tls_cipher} # condition = ${if !match{$tls_cipher}{128|168}} # condition = ${if eq{$received_protocol}{esmtps}} # # not smtps accept condition = ${lookup{$sender_host_name}nwildlsearch\ {/usr/local/etc/exim/whitelist_re_hostname}{1}{0}} logwrite = sender hostname $sender_host_name locally whitelisted defer condition = ${if def:acl_c_grey_checked} message = $acl_c_grey_checked condition = $acl_c_grey_result accept condition = ${if def:acl_c_grey_checked} defer log_message = greylisted because of HELO $sender_helo_name condition = ${if or{\ {!match{$sender_helo_name}{\\.}}\ {match{$sender_helo_name}\ {\N^(\[?(\d{1,3}\.){3}\d{1,3}\]?|\.*[-0-_]+\.*)$\N}}\ }} set acl_c_grey_checked = deferred/greylisted because \ HELO `$sender_helo_name` is not a domain name message = $acl_c_grey_checked set acl_c_grey_result = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} # 1 - defer, 0 - allow condition = $acl_c_grey_result accept condition = ${if def:acl_c_grey_checked} logwrite = passed greylisting helo \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo defer log_message = greylisted 
because of protocol smtp condition = ${if eq{$received_protocol}{smtp}} # smtp (HELO), not esmtp (EHLO) condition = ${if def:sender_address} # not a verify/callout from another Exim condition = ${if !match{$sender_address}{verif|callout|postmaster}} set acl_c_grey_checked = deferred/greylisted. protocol SMTP message = $acl_c_grey_checked set acl_c_grey_result = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} condition = $acl_c_grey_result accept condition = ${if def:acl_c_grey_checked} add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting smtp logwrite = passed greylisting smtp \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} defer log_message = greylisted because $sender_host_name looks dynamic condition = ${if match{$sender_host_name}\ {\N(\d{1,3}[-.]){3}\d\N}} condition = ${if !match{$sender_host_name}{sta}} set acl_c_grey_checked = deferred/greylisted because sender hostname \ $sender_host_name looks like dynamic message = $acl_c_grey_checked set acl_c_grey_result = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} condition = $acl_c_grey_result accept condition = ${if def:acl_c_grey_checked} add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting dyn logwrite = passed greylisting dyn \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} defer log_message = greylisted because `HELO $sender_helo_name` looks \ dynamic condition = ${if match{$sender_helo_name}\ {\N(\d{1,3}[-.]){3}\d\N}} condition = ${if !match{$sender_helo_name}{sta}} set acl_c_grey_checked = deferred/greylisted because \ `HELO $sender_helo_name` looks like dynamic message = $acl_c_grey_checked set acl_c_grey_result = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if 
eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} condition = $acl_c_grey_result accept condition = ${if def:acl_c_grey_checked} add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo dyn logwrite = passed greylisting helo dyn \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} defer log_message = greylisted because no hostname condition = ${if eq{$sender_host_name}{}} set acl_c_grey_checked = deferred/greylisted because \ $sender_host_address doesn't resolve to hostname or the \ hostname doesn't resolve back to $sender_host_address message = $acl_c_grey_checked set acl_c_grey_result = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} condition = $acl_c_grey_result accept condition = ${if def:acl_c_grey_checked} add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \ no hostname logwrite = passed greylisting no hostname \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} deny set acl_m_spf = ${lookup dnsdb{defer_never,txt=$sender_address_domain}} message = SPF record for $sender_address_domain explicitly states \ that this domain should never send mail condition = ${if eq{$acl_m_spf}{v=spf1 -all}} deny message = SPF record for $sender_address_domain lists too many \ IP-addresses, perhaps the whole world - that`s cheating condition = ${if match{$acl_m_spf}\ {\N(?m)^v=spf((.+?/\d\s){2}|.+/[1-6]\s)\N}} accept !dnslists = hostkarma.junkemailfilter.com=127.0.0.2 : \ http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \ socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \ # open HTTP,SOCKS proxies # dnsbl.njabl.org=127.0.0.9 # open proxies RIP cbl.abuseat.org # uncomment next line and comment out the cbl line if you need mail from China: # zen.spamhaus.org=127.0.0.2 defer log_message = greylisted because in $dnslist_domain: $dnslist_text set acl_c_grey_checked = deferred/greylisted because \ $sender_host_address is in a black list at \ 
$dnslist_domain. $dnslist_text message = $acl_c_grey_checked set acl_c_grey_result = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} condition = $acl_c_grey_result accept logwrite = passed greylisting $dnslist_domain \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \ $dnslist_domain acl_check_predata: #(Exim4.71+) require control = dkim_disable_verify deny message = too many invalid recipients condition = ${if >{$rcpt_fail_count}{2}} accept hosts = +relay_from_hosts accept authenticated = * accept condition = ${if !def:acl_m_postmaster} defer condition = ${if def:acl_c_grey_checked} message = $acl_c_grey_checked condition = $acl_c_grey_result accept condition = ${if def:acl_c_grey_checked} defer log_message = postmaster greylisted set acl_c_grey_checked = All mail to postmaster is \ deferred/greylisted here for 3 min because \ of too much spam and no other checks. 
message = $acl_c_grey_checked set acl_c_grey_result = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} condition = $acl_c_grey_result accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \ postmaster logwrite = passed greylisting postmaster \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} acl_check_mime: accept condition = ${if def:header_List-ID:} accept condition = ${lookup{$sender_address_domain}nwildlsearch\ {/usr/local/etc/exim/mailing_list_domains}{1}{0}} deny condition = ${if eq{$mime_content_type}{text/plain}} !hosts = +whitelisted_hosts !sender_domains = returns.groups.yahoo.com : groups.io !authenticated = * condition = ${if !def:header_List-ID:} set acl_m_fakedom = ${if match{$message_headers_raw}{\N\nReceived: \ .*?(?:\n\s.*?)*?\ (?:helo=|HELO |EHLO |from )([a-z]{4,6}\.(?:com|net|org))\ .*?(?:\n\s.*?)*?\ (?i)(?:smtpsa|bizsmtp|ASMTP \(SSL)\ .*?(?:\n\s.*?)*?\ \n[^R\s]\N}{$1}} condition = ${if def:acl_m_fakedom} mime_regex = https?.// !mime_regex = (?s)https?.//.+https?.// condition = ${if eq{}{${lookup dnsdb{defer_never,a=$acl_m_fakedom}}}} condition = ${if eq{}{${lookup dnsdb{defer_never,mxh=$acl_m_fakedom}}}} message = trojan link suspected: \ ${if match{$message_body}{\N(https?://[^>\s]+)\N}{$1}} \ rcpthelo=$acl_m_fakedom recipients=$recipients deny message = rejected because recognized as spam via a relay \ authenticated with a stolen password condition = ${if eq{$mime_content_type}{text/plain}} condition = ${if !def:header_List-ID:} condition = ${lookup{$sender_address_domain}nwildlsearch\ {/usr/local/etc/exim/mailing_list_domains}{0}{1}} !mime_regex = (?s)https?.//.+https?.// mime_regex = \Nhttp.//([^/]+)(/[^>\s]+) condition = ${if or{\ {>{${listcount:${addresses:$rheader_To:}}}{1}}\ {match{$regex2}{\N(^/|\?)[a-fA-F\d]{4}$\N}}\ }} # $regex requires Exim 4.87+ condition = ${lookup 
dnsdb{defer_never,a=$regex1}{1}{0}}
# NOTE(review): the next item makes the mail server itself open a TCP
# connection to port 80 of $regex1 and send a HEAD request for $regex2.  Both
# values are captured from the message body by the mime_regex above, i.e. they
# are chosen by the sender, and the only precondition visible here is that the
# name has an A record - which may point at a loopback or internal address.
# Consider refusing such targets, or running this probe from a host that has
# no access to internal services.
         set acl_m_red = ${if match{${readsocket{inet:$regex1:80}\
                  {HEAD $regex2 HTTP/1.0\r\nHost: $regex1\r\n\r\n}\
                  {4s}{%~}{socket failure}}}\
# Exim 4.90+: {4s:shutdown=no}
                  {\N(?i)\AHTTP/... 3.+%~Location: (?:https?://)?(.*?)\s*%~\N}{$1}}
# acl_m_red now holds the redirect target from a 3xx answer (empty otherwise).
# The probe is logged before the final condition decides, so it is recorded
# whether or not the message ends up rejected; the logged target is text
# supplied by the remote server.
         logwrite = :reject: $regex1$regex2 redirect to $acl_m_red
         set acl_m_domred = ${sg{$acl_m_red}{/.*}{}}
# Reject when the server redirects to the same 4-hex-digit path, or when the
# redirect target's host is listed in the local redirect_domains file.
         condition = ${if or{\
                     {and{\
                        {eq{$acl_m_red}{$regex2}}\
                        {match{$regex2}{\N(^/|\?)[a-fA-F\d]{4}$\N}}\
                     }}\
                     {bool{${lookup{$acl_m_domred}nwildlsearch\
                        {/usr/local/etc/exim/redirect_domains}{1}{0}}}}\
                  }}

# Second hop: host and path are now taken from the Location header returned by
# the first server, so the caveat above applies equally - the target of this
# connection is chosen by a remote party.
  deny   message = rejected because recognized as spam via a relay \
                   authenticated with a stolen password
         condition = ${if def:acl_m_domred}
         condition = ${if >{${listcount:${addresses:$rheader_To:}}}{1}}
         set acl_m_uri = ${sg{$acl_m_red}{^[^/]+/?}{/}}
         condition = ${lookup dnsdb{defer_never,a=$acl_m_domred}{1}{0}}
         set acl_m_red = ${if match{${readsocket{inet:$acl_m_domred:80}\
                  {HEAD $acl_m_uri HTTP/1.0\r\nHost: $acl_m_domred\r\n\r\n}\
                  {4s}{%~}{socket failure}}}\
# Exim 4.90+: {4s:shutdown=no}
                  {\N\AHTTP/... 
3.+%~Location: https?://(.*?)\s*%~\N}{$1}} logwrite = :reject: $acl_m_domred$acl_m_uri second redirect to $acl_m_red set acl_m_domred = ${sg{$acl_m_red}{/.*}{}} condition = ${lookup{$acl_m_domred}nwildlsearch\ {/usr/local/etc/exim/redirect_domains}{1}{0}} deny message = BINFORBIDDEN log_message = forbidden attachment: filename=$mime_filename, \ content-type=$mime_content_type, recipients=$recipients condition = ${if or{\ {match{$mime_content_type}\ {(?i)executable|application/x-ace-compressed}}\ {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\ }} deny message = Compressed BINFORBIDDEN condition = ${if or{\ {match{$mime_content_type}{(?i)application/\ (octet-stream|x(-zip)?-compressed|zip)}}\ {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\ }} condition = ${if <{$message_size}{1500K}} decode = default log_message = forbidden binary in attachment: filename=$mime_filename, \ recipients=$recipients condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\ {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}} deny message = Blocked as Vietnamese spam from gmail condition = ${if match{$sender_host_name}\ {\N^mail-[\w-]+\.google\.com$\N}} condition = ${if match{$mime_content_type}{text/(plain|html)}} condition = ${if eqi{$mime_charset}{UTF-8}} mime_regex = \N([\x01-\x7f](\xe1(\xba[\xa1-\xa3\xa5\xa6\xa8\xab\xad\xb6\xbe\xbf]|\xbb[\x81\x82\x85-\x87\x89-\x92\x97\x99-\x9c\xaa\xab\xad\xb0\xb1])|\xc3[\xaa\xa2\xb4]\xcc[\x81\x83\x89])[\x01-\x7f].*?){3} deny message = Blocked as Chinese spam (type 1) condition = ${if match{$rheader_Subject:}{\N=\?utf-8\?B\?\N}} condition = ${if match{$bheader_X-mailer:}{\NFoxmail [\d, ]+ \[cn\]\N}} condition = ${if or{\ {eq{$mime_content_type}{application/vnd.ms-excel}}\ {match{$mime_filename}{\N(?i)\.xls$\N}}\ }} deny message = Blocked as Chinese spam (type 2) condition = ${if eq{$mime_content_type}{text/plain}} condition = ${if eqi{$mime_charset}{UTF-8}} mime_regex = \N\ ([\x01-\x7f](\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9]).+?){3} deny 
message = Blocked as Chinese spam (type 4) !authenticated = * condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}} condition = ${if eq{$mime_content_type}{text/html}} condition = ${if eqi{$mime_charset}{utf-8}} mime_regex = ]+_GB2312> deny message = Blocked as Korean spam (type 2) condition = ${if eq{$mime_content_type}{text/html}} mime_regex = \N\A\ m='%3Cmeta%20http-equiv%3D%22refresh%22 warn condition = ${if eq{$mime_content_type}{text/plain}} set acl_m_plain = 1 mime_regex = https?.//yadi.sk/ set acl_m_yadisk = 1 warn condition = ${if eq{$mime_content_type}{message/rfc822}} set acl_m_plain = 0 deny message = rejected because recognized as Russian spam via a relay \ authenticated with a stolen password (type 11) !authenticated = * condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}} condition = ${if eq{$mime_content_type}{text/html}} condition = $acl_m_plain !condition = $acl_m_yadisk mime_regex = href="?https?.//yadi.sk/ deny message = rejected because recognized as Ukrainian spam (type 2) condition = ${if eq{$mime_content_type}{text/html}} condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}} mime_regex = \Nhref="?http.//(mailplus\d*.kiev|(marmaer|stopm).com).ua/ :\ smartresponder.ru/ : \ src="?http.//element-architecture.com/ : \ href="?http.//(www.)?radiationsafe.com/ : \ href="?http.//(usndr.com|rumailer.ru|sn.am)/ : \ href="http.//[^/\s]*&#\d+; : \ href="http.//(\w+\.)?salesdoubler.com.ua/ : \ href="http.//(mailtrackers.(ru|com.ua)|track.sysuyva.com)/ : \ (src|href)="http[^"]+/amsweb.php\? 
: \ href="?https?.//yadi.sk/i/(.)(.)(.)(.)[^>]+>https?.//yadi.sk/i/[^\1][^\2][^\3][^\4] : \ href="http.//(\w+\.)?(salesdoubler.com.ua|(poshtar|ua24|tmm).bz.ua|(opt-in-mailer|drtracing|sendlx|getintoinbox|emlportal).com|(fastemailsender|emailunion).net|(mail-run|gakedki|adwad|skypromotion).ru|infobiz.in.ua|goldservicebiz.pp.ua)/ discard message = discarded because recognized as Ukrainian spam (type 3) condition = ${if eq{$sender_address_domain}{returns.groups.yahoo.com}} condition = ${if eqi{$recipients}{lena@lena.kiev.ua}} condition = ${if eq{$mime_content_type}{text/html}} mime_regex = \Nhref="http.//(\w+\.)?emailunion.net/ deny message = User unknown !authenticated = * condition = ${if eq{$mime_content_type}{text/plain}} condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}} mime_regex = Âàñ èíòåðåñóþò áàçû äàííûõ ïîòåíöèàëüíûõ êëèåíòîâ # ÷ÁÓ ÉÎÔÅÒÅÓÕÀÔ ÂÁÚÙ ÄÁÎÎÙÈ ÐÏÔÅÎÃÉÁÌØÎÙÈ ËÌÉÅÎÔÏ× require acl = mimeea accept condition = ${if !match{$recipients}{\N(?i)mail2ftp[^,]*@tg.org.ua\N}} # it's my robot which replies to emailed commands deny message = You must set up your mail client to send plain text, \ no HTML, no attachments condition = ${if match{$mime_content_type}{(?i)html|multipart}} require message = Command in the first line of letter body \ not recognized - send HELP mime_regex = \N(?i)\Amail2ftp(verbose)?\s :\ (?i)\Ahttp(post|get)[swtn]?\s :\ (?i)\Alogin\s :\ (?i)\A\"?help[\"\s\n] accept acl_check_helo: drop message = Cutwail/PushDo bot blacklisted condition = ${if eq{$sender_helo_name}{ylmf-pc}} acl = setdnslisttext set acl_m_shargs = echo $sender_host_address \ >>$spool_directory/blocked_IPs; \ { IPNOTIF } | $exim_path -f root WARNTO continue = ${run{SHELL -c '$acl_m_shargs'}} # if this bot is dropped at helo, it repeats multiple times, # but if dropped at connect, it tries only twice accept acl_check_auth: drop message = authentication is allowed only once per message in order \ to slow down bruteforce cracking set acl_m_auth = 
${eval10:0$acl_m_auth+1}
        # The expression above finishes the "set acl_m_auth =" that bumps a
        # per-message counter each time this ACL runs. From the third run on,
        # the client is stalled for 22 seconds and the connection is dropped.
        condition = ${if >{$acl_m_auth}{2}}
        delay = 22s

  # Count runs of this ACL on the connection (acl_check_mail resets the
  # counter to 0). On the fifth run, if the address is not yet listed in
  # blocked_IPs, append it to that file and mail a notification.
  drop  message = blacklisted for bruteforce cracking attempt
        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
        condition = ${if >{$acl_c_authnomail}{4}}
        # Yields 1 when blocked_IPs is missing or does not list this address,
        # 0 when the address is already listed.
        condition = ${if exists{$spool_directory/blocked_IPs}\
                      {${lookup{$sender_host_address}iplsearch\
                      {$spool_directory/blocked_IPs}{0}{1}}}\
                      {1}}
        # Fills acl_c_country, which the IPNOTIF macro puts in the mail subject.
        acl = setdnslisttext
        # SHELL, IPNOTIF and WARNTO are macros defined at the top of the file.
        # NOTE(review): the whole string is parsed by the shell, so every value
        # expanded into it must be limited to a safe character set where it is
        # captured. IPNOTIF does this for the PTR name; confirm the same holds
        # for acl_c_country, which comes from DNS list TXT data.
        set acl_m_shargs = echo $sender_host_address \
                           >>$spool_directory/blocked_IPs; \
                           { IPNOTIF } | $exim_path -f root WARNTO
        continue = ${run{SHELL -c "$acl_m_shargs"}}

  # Same threshold without the "not yet listed" test: an address that is
  # already in blocked_IPs is dropped here without a second notification.
  drop  message = blacklisted for bruteforce cracking attempt
        condition = ${if >{$acl_c_authnomail}{4}}

  # When AUTH PLAIN or AUTH LOGIN carries an initial response, keep a numeric
  # hash (0-999) of it in acl_c_authhash; the response itself is not stored.
  accept set acl_c_authhash = ${if match{$smtp_command_argument}\
                    {\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}

acl_check_quit:
  # After a failed authentication with a recorded hash, measure how often this
  # address failed with the same hash during the last 5 minutes. The limit of
  # 0 is presumably there only to obtain $sender_rate on every call; its
  # integer part is kept in acl_c_hashrate.
  warn  condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 0 / 5m / strict / $sender_host_address-$acl_c_authhash
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  # Log every QUIT that follows a failed authentication. The address is added
  # to blocked_IPs when there is no hash or the same hash was not repeated
  # (rate below 2), more than 7 such connections were seen in 5 minutes, and
  # the address is not listed yet.
  # NOTE(review): the hash-rate test looks intended to spare a client that
  # keeps retrying one wrong password - confirm.
  warn  condition = $authentication_failed
        logwrite = :reject: quit after authentication failed: \
                   ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        condition = ${if or{\
                      {!def:acl_c_authhash}\
                      {<{$acl_c_hashrate}{2}}\
                    }}
        ratelimit = 7 / 5m / strict / per_conn
        condition = ${if exists{$spool_directory/blocked_IPs}\
                      {${lookup{$sender_host_address}iplsearch\
                      {$spool_directory/blocked_IPs}{0}{1}}}\
                      {1}}
        acl = setdnslisttext
        # Same shell pipeline as in acl_check_auth; the same caution about
        # values expanded into the string applies.
        set acl_m_shargs = echo $sender_host_address \
                           >>$spool_directory/blocked_IPs; \
                           { IPNOTIF } | $exim_path -f root WARNTO
        continue = ${run{SHELL -c "$acl_m_shargs"}}

acl_check_notquit:
  # Counterpart of acl_check_quit for connections that end without QUIT,
  # using a 2-hour window instead of 5 minutes.
  warn  condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 0 / 2h / strict / $sender_host_address-$acl_c_authhash
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  # Log the reason the session ended; the test on $smtp_notquit_reason
  # continues on the next line.
  warn  condition = $authentication_failed
        logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                   ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        condition = ${if match{$smtp_notquit_reason}\
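{^(connection-lost|synchronization-error)}}
        # The line above closes the $smtp_notquit_reason test opened on the
        # previous line: only lost connections and synchronization errors count.
        # The address is added to blocked_IPs when there is no credentials hash
        # or the same hash was not repeated (rate below 2), more than 7 such
        # connections were seen in 2 hours, and the address is not listed yet.
        condition = ${if or{\
                      {!def:acl_c_authhash}\
                      {<{$acl_c_hashrate}{2}}\
                    }}
        ratelimit = 7 / 2h / strict / per_conn
        condition = ${if exists{$spool_directory/blocked_IPs}\
                      {${lookup{$sender_host_address}iplsearch\
                      {$spool_directory/blocked_IPs}{0}{1}}}\
                      {1}}
        acl = setdnslisttext
        # SHELL, IPNOTIF and WARNTO are macros defined at the top of the file.
        # The string is parsed by the shell, so every value expanded into it
        # has to be restricted to a safe character set where it is captured.
        set acl_m_shargs = echo $sender_host_address \
                           >>$spool_directory/blocked_IPs; \
                           { IPNOTIF } | $exim_path -f root WARNTO
        continue = ${run{SHELL -c "$acl_m_shargs"}}

setdnslisttext:
  # Helper ACL, always accepts. When the address is found in the DNS list, the
  # "CC=" field of the returned TXT record is stored in acl_c_country.
  # The value is remote data that IPNOTIF later expands into a string run with
  # "SHELL -c", so everything except ASCII letters and digits is removed here.
  # A well-formed country code passes through unchanged.
  accept dnslists = all.ascc.dnsbl.bit.nl
         set acl_c_country = ${if match{$dnslist_text}{ CC=(\\S+) }\
                               {${sg{$1}{[^A-Za-z0-9]}{}}}}
  accept

acl_check_mail:
  # Restart the per-connection counter that acl_check_auth increments.
  accept set acl_c_authnomail = 0

acl_check_connect:
  # Static local blacklist: drop connections from the listed addresses and
  # networks, or from hosts whose reverse-resolved name matches the pattern.
  drop  message = suspicious client on $sender_host_name \
                  [$sender_host_address] locally blacklisted
        condition = ${if or{\
          {match_ip{$sender_host_address}{84.246.224.0/21:202.91.182.94:\
            66.46.176.241:61.146.233.114:66.197.220.252:211.35.163.211:\
            77.245.72.32:77.245.72.33:69.73.148.36:203.156.213.70:\
            83.70.129.73:95.226.163.141:69.69.168.196:189.109.6.132:\
            111.164.160.85:113.244.192.180:213.166.137.49:\
            113.65.140.54:180.120.238.48:217.7.232.64:173.0.50.7:\
            205.234.222.29:82.165.45.163:113.111.194.39:113.65.163.75:\
            195.88.208.0/23:98.141.206.122:121.145.96.64/26}}\
          {match{$sender_host_name}\
            {\N^(mailserver\.liceocampoverde\.com|\
            68-115-208-106\.static\.spbg\.sc\.charter\.com|\
            ppp-\d+-\d+-\d+-\d+\.revip2\.asianet\.co\.th|\
            ec2-\d+-\d+-\d+-\d+.[\w-]+.compute\.amazonaws\.com)$\N}}\
        }}

  # Dynamic blacklist: drop addresses that the AUTH, QUIT and NOTQUIT ACLs
  # appended to blocked_IPs.
  drop  message = $sender_host_address locally blacklisted for a bruteforce \
                  auth (username+password) cracking attempt
        condition = ${if exists{$spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}iplsearch\
                      {/var/..$spool_directory/blocked_IPs}{1}{0}}
  # The file is reached through a different path here than in the other ACLs
  # in order to circumvent lookup caching.
  # NOTE(review): "/var/..$spool_directory" names the same file only while
  # /var is an ordinary directory directly under / - confirm on the target host.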
accept

hash:
  # Helper ACL: store a numeric hash (0-999) of its first argument in
  # acl_c_authhash, the variable the QUIT and NOTQUIT ACLs use as a rate key.
  accept set acl_c_authhash = ${nhash_1000:$acl_arg1}

acl_check_data:
  # Reject SwiftMailer-generated mail when the sender domain has an A record
  # and its web server answers "GET /" with a 403, a redirect to /customer/,
  # or a 200 "Coming Soon" page. Line ends in the reply are replaced by "%~"
  # before matching; a connection failure yields "socket failure", which does
  # not match.
  # NOTE(review): the readsocket target is the envelope sender domain, so the
  # remote sender chooses which host this server connects to on port 80, and
  # each check can hold the SMTP session for up to 4 seconds. Consider
  # skipping domains that resolve to loopback, private or link-local
  # addresses, and rate-limiting this statement.
  deny  message = SwiftMailer, no website
        condition = ${if match{$message_headers_raw}\
                      {\N\nX-\w+-Mailer: SwiftMailer -\N}}
        condition = ${lookup dnsdb{defer_never,a=$sender_address_domain}{1}{0}}
        condition = ${if match{${readsocket{inet:$sender_address_domain:80}\
                {GET / HTTP/1.0\r\nHost: $sender_address_domain\r\n\r\n}\
                {4s}{%~}{socket failure}}}\
                # Exim 4.90+: {4s:shutdown=no}
                {\\AHTTP/... (403|3.+%~Location: http://$sender_address_domain/customer/(index.php/)?\\s*%~|200.+Coming Soon)}}

  # Silently drop bounces (empty envelope sender) received over plain SMTP
  # whose From: local part does not contain "daemon" and whose header block
  # has the exact layout below: a Received line claiming
  # "unknown (HELO localhost)" with user@domain@IP, the same IP in an optional
  # X-Originating-IP, and the same user@domain in From:.
  discard message = discarded because recognized as Ukrainian spam (type 2)
        senders = :
        condition = ${if eq{$received_protocol}{smtp}}
        condition = ${if !match{${local_part:$header_From:}}{(?i)daemon}}
        condition = ${if match{$message_headers_raw}\
          {\N\AReceived:(?:.+\n\t)+.+\n\
          Received: from unknown \(HELO localhost\) \
          \(([a-z\d._-]+@[a-z\d.-]+)@([\d.]+)\)\n\
          \tby \S+ with ESMTPA;.+\n\
          (X-Originating-IP: \2\n)?\
          From: \1\n\
          To: \S+\n\
          Subject: \N}}
                # The second Received is fake.

  # Drop mail whose Reply-To address starts with "prodawez" when the envelope
  # sender equals the recipient list.
  discard message = Russian spam discarded
        condition = ${if match{${address:$rheader_Reply-To:}}{^prodawez}}
        condition = ${if eqi{$sender_address}{$recipients}}

  # Bounces to postmaster (acl_m_postmaster is set elsewhere) whose body is at
  # most one short line followed by a single http:// URL.
  deny  message = rejected because recognized as spam to postmaster
        condition = ${if !def:sender_address}
        condition = ${if def:acl_m_postmaster}
        condition = ${if match{$message_body}\
                      {\N^[^\r\n]{1,80}(\r?\n\r?)?http://[^\r\n]+[\r\n]*\Z\N}}

  # Header-layout fingerprint of one bot family: a second Received line from
  # "unknown (HELO <name>)" whose <name> reappears at the end of the
  # Message-ID. The regular expression continues on the following lines.
  deny  message = rejected because recognized as a Windows bot spam
        condition = ${if match{$received_protocol}{^smtp}}
        condition = ${if match{$message_headers_raw}\
          {\N\AReceived:(?:.+\n\t)+.+\n\
          (?:X-AntiVirus:.+\n)?\
          Received: from unknown \(HELO (\w+)\) \(\[[\d.]+\]\)\n\
          \tby \S+ with ESMTP;.+\n\
          Message-ID: <.+@\w+\1>\n\
          From: "?\w+ \w+"? 
<.+\n\ To: \S+\n\ Subject: .*\n\ Date: .+\n\ MIME-Version: 1.0\n\ Content-Type: text/plain;\n\ \tformat=flowed;\n\ \tcharset="(KOI8-R|windows-1250|iso-8859-[12])";\n\ \treply-type=original\n\ Content-Transfer-Encoding: [78]bit\n\ X-Priority: 3\n\ X-MSMail-Priority: Normal\n\ X-Mailer: Microsoft Outlook Express \N}} # the second Received is fake. accept condition = $acl_m_pmfirst deny message = Send empty letter without Subject \ (Otprav`te pustoe pis`mo bez temy). condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}} # really @ # my autoresponder which replies only to empty letters condition = ${if def:header_subject:} condition = ${if !match{$header_subject:}{\N(?i)[âÂ]ÅÚ ÔÅÍÙ|no subject|[ðÐ]ÕÓÔÏ|empty|^\[\?\? Probable Spam\]$|^([\[\(\*\+]*(probabl[ey] |posibl[ey] |suspected )?spam[\]\)\*\+:\s]*)?(help|.{0,3})$\N}} deny message = You must set up your mail client to send plain text, \ no HTML, no attachments condition = ${if match{$recipients}\ {\N(?i)(mail2ftp[^,]*|tgrus-archive(-backup)?|koi)@tg.org.ua\N}} # my various autoresponders which parse message body condition = ${if match{$rheader_Content-Type:}{(?i)html|multipart}} deny message = Only private letters to an autoresponder are accepted. 
condition = ${if match{$recipients}\ {\N(?i)(accmailfaqrus|tgrus-archive-list)@tg.org.ua\N}} condition = ${if or{\ {!={$recipients_count}{1}}\ {!eqi{$recipients}{${addresses:$rheader_to:}}}\ {match{$rheader_precedence:}{bulk|list|junk}}\ {!def:sender_address}\ {match{$sender_address_local_part}\ {(?i)mailer-daemon|-outgoing|-relay|listserv|-request}}\ {def:header_auto-submitted:}\ {def:header_list-unsubscribe:}\ {eqi{$sender_address}{$recipients}}\ {def:header_Autorespond:}\ {def:header_X-Autoresponse:}\ {def:header_X-Autoreply-From:}\ {def:header_X-eBay-MailTracker:}\ {def:header_X-MaxCode-Template:}\ {def:header_X-FC-MachineGenerated:}\ {def:header_X-Auto-Response-Suppress:}\ {match{$header_X-OS:}{HP Onboard Administrator}}\ {eq{$header_X-MimeOLE:}{Produced By phpBB2}}\ {match{$h_From:}{\\(via the vacation program\\)}}\ {match{$h_Subject:}{\N^Yahoo! Auto Response$|\ ^ezmlm warning$|^Out of Office|^Autoresponse:|\ ^Auto-Reply:|\(Auto Reply\)$|\(Out of Office\)$|\ is out of the office\.$\N}}\ }} warn condition = ${if match{$sender_host_name}\ {\N\.(blu|col|bay|snt)\d+\.hotmail\.com$\N}} set acl_m_web = ${if match{$rheader_Received:}{\Nfrom [^\(]+\ \(\[(\d+\.\d+\.\d+\.\d+)\]\) by \ [^\w-]+\.((blu|col|bay|snt)\d+\.hotmail\.com|phx\.gbl) \ (over TLS secured channel )?with Microsoft SMTPSVC\N}{$1}} warn condition = ${if match{$sender_host_name}\ {\N\.mail\....?\.yahoo\.co(m|\.jp)$\N}} condition = ${if or{\ {match{$rheader_X-Yahoo-Newman-Property:}{ymail}}\ {def:header_X-RocketYMMF:}\ {match{$bheader_X-Mailer:}{^YahooMail}}\ }} set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \ \[(\d+\.\d+\.\d+\.\d+)\] by \ web\d+(\.biz)?\.mail\....?\.yahoo\.co(m|\.jp) via HTTP; \N}{$1}} condition = ${if !def:acl_m_web} set acl_m_web = ${if match{$bheader_Received:}{\Nfrom \ [^(\n]+ \([^)\n]+@(\d+\.\d+\.\d+\.\d+) \ with (login|plain)?( \[\d.]+\])?\)\n\s+by \ smtp\d+(\.(plus|sbc|biz))?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}} condition = ${if !def:acl_m_web} set acl_m_web = ${if 
match{$bheader_X-Rocket-Received:}{\Nfrom \ [^(\n]+ \([^)\n]+@(\d+\.\d+\.\d+\.\d+) \ with (login|plain)?( \[\d.]+\])?\)\n\s+by \ smtp\d+(\.(plus|sbc|biz))?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}} warn condition = ${if match{$sender_host_name}\ {\N\.mx\.aol\.com$\N}} set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \ (\d+\.\d+\.\d+\.\d+) by webmail-\w+\.sysops\.aol\.com \ \(\d+\.\d+\.\d+\.\d+\) with HTTP \(WebMailUI\); \N}{$1}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ \S+ \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\)\ (?:\s+\(using \S+ with cipher \S+ \(\d+/\d+ bits\)\))?\ (?:\s+\(No client certificate requested\))?\ \s+by mtaout-[\w.]+\.mx\.aol\.com \(MUA/Third Party Client \ Interface\) with ESMTPS?A id \N}{$1}{$acl_m_web}} warn condition = ${if match{$sender_host_name}\ {\N^outbound\d+\.messaging\.lotuslive\.com$\N}} set acl_m_web = ${if match{$rheader_Received:}\ {\N^@[\w.-]+@(\d+\.\d+\.\d+\.\d+)\)\N}{$1}} warn set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ [\d.]+ (?:\(\[[\d.]+\]\) )?\(proxying[\s\n]+for[\s\n]+\ (\d+\.\d+\.\d+\.\d+)(, [\w.-]+)?\)\n\ \s+\(SquirrelMail authenticated user[\s\n]+[^)\n\r]+\)\n\ \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ (?:\S+ \(\[)?(\d+\.\d+\.\d+\.\d+)(?:\]\))?\ (?: \(proxying for unknown\))?\n?\ \s+\(SquirrelMail authenticated user[\s\n]+[^)\n\r]+\)\n\ \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ (\d+\.\d+\.\d+\.\d+)(?: \(proxying for [^)]+\))?[\n\s]+\ \(RisuMail authenticated user \N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ \S+ \(\](\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+[\s\n]+\ with[\s\n]+HTTP(?s).+\nUser-Agent: Roundcube Webmail\N}\ {$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ \S+[\n\s]+\((?:\S+[\n\s]+)?\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by\ 
[\n\s]+\S+[\n\s]+\(Horde([\n\s]+(Framework|MIME[\n\s]+library))?\)\ [\n\s]+with[\n\s]+HTTP\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ \[(\d+\.\d+\.\d+\.\d+)\] by \S+[\s\n\r]+ \(mshttpd\);\N}\ {$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ client (\d+\.\d+\.\d+\.\d+) for UebiMiau\d+\.\d+ \(webmail \ client\);\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s+]by \S+ \ with HTTP \(UebiMiau\);\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ \[(\d+\.\d+\.\d+\.\d+)\] \(account \S+\)[\s\n\r]+by[\s\n\r]+\ \S+[\s\n\r]+\(CommuniGate Pro WEBUSER \S+\)[\s\n\r]+\ with[\s\n\r]+HTTP\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\ \S+[\s\n]+\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\ [\s\n]+\(IMP\)[\s\n]+with[\s\n]+HTTP[\s\n]\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\ (?:\S+[\s\n]+)?\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\ [\s\n]+with[\s\n]+http[\s\n]\N}{$1}{$acl_m_web}} set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \ \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\r]+\s+\ by mx.google.com with ESMTPS id \N}{$1}{$acl_m_web}} condition = ${if match{$bheader_X-Mailer:}{^OpenWebMail }} set acl_m_web = ${if match{$bheader_X-OriginatingIP:}\ {\N^\[?(\d+\.\d+\.\d+\.\d+)\]?( |$)\N}{$1}} warn condition = ${if !def:acl_m_web} set acl_m_web = ${if match{$bheader_X-Originating-IP:}\ {\N^\[?(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]?$\N}{$1}} warn condition = ${if !def:acl_m_web} set acl_m_web = ${if match{$bheader_X-Client-IP:}\ {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}} warn condition = ${if !def:acl_m_web} set acl_m_web = ${if match{$bheader_X-Origin:}\ {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}} warn condition = ${if !def:acl_m_web} set acl_m_web = ${if match{$bheader_X-Originator:}\ 
{\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}} warn condition = ${if !def:acl_m_web} set acl_m_web = ${if match{$bheader_X-SenderIP:}\ {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}} warn condition = ${if !def:acl_m_web} set acl_m_web = ${if match{$bheader_X-PHP-Script:}\ {\N^\S+ for (\d+\.\d+\.\d+\.\d+)$\N}{$1}} deny message = webmail from $acl_m_web locally blacklisted condition = ${if def:acl_m_web} condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}} condition = ${lookup{$acl_m_web}iplsearch\ {/usr/local/etc/exim/blacklist_webmail}{1}{0}} deny message = Google+ is evil spammer condition = ${if match{$sender_host_name}\ {\N^mail-[\w-]+\.google\.com$\N}} condition = ${if eq{$bheader_X-Notification-Type:}{STREAM_POST_SHARED}} deny message = calendar.yahoo.com, refertofriend(unp) and \ "mail to friend" on news.yahoo.com abused by spammers condition = ${if match{$sender_host_name}\ {\N\.bullet\.(mail\.)?...?\.yahoo\.com$\N}} condition = ${if match{$bheader_X-Yahoo-Newman-Property:}\ {\N^(mail-to-friend|calendar-invite|unp)$\N}} discard message = discarded because recognized as Russian spam via a relay \ authenticated with a stolen password (type 6) condition = ${if eqi{$sender_address}{$recipients}} condition = ${if match{$rheader_Received:}\ {\N\Wngs\.ru\W.*\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d|192\.9\.\d+|188\.162\.([12]?\d|3[01])|178\.137\.1[2-9])\.|\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d|192\.9\.\d+|188\.162\.([12]?\d|3[01])|178\.137\.1[2-9])\..*\Wngs\.ru\W\N}} # discarded because $sender_address eq $recipients, # therefore a "deny" would generate a bounce from the relay again to me. 
deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 7) condition = ${if ={$received_count}{2}} condition = ${if match{$rheader_Message-ID:}\ {\N<[\dA-F]{32}@[a-z]{4,7}>\N}} condition = ${if match{$message_headers_raw}\ {Received: from [Uu]nknown }} condition = ${if def:header_To:} condition = ${if !def:header_Cc:} condition = ${if !def:header_In-Reply-To:} condition = ${if !def:header_Importance:} condition = ${if !def:header_X-Mailing-List:} condition = ${if !def:header_List-Unsubscribe:} condition = ${if !def:header_Sender:} condition = ${if !def:header_X-Sender:} condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}} condition = ${if !match{${addresses:>, $rheader_To:}}{,}} # single address in To condition = ${if !forany{<, $recipients}\ {eqi{$item}{${address:$rheader_To:}}}} condition = ${if match{$rheader_X-Mailer:}\ {Microsoft (Outlook Express|Windows( Live)? Mail)}} condition = ${if match{$rheader_Subject:}{\N=\?windows-1251\?B\?\N}} condition = ${if match{$rheader_date:}{\N \+0[56]00\N}} deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 8) condition = ${if ={$received_count}{2}} set acl_m_bot8 = ${if match{$header_Received:}\ {\N\A(?:.+\n\s)+.+\nfrom (\S+) \N}{$1}} condition = ${lookup{$acl_m_bot8}nwildlsearch\ {/usr/local/etc/exim/blacklist_injector}{1}{0}} deny message = spam in Hebrew condition = ${if match{$bheader_List-Unsubscribe:}\ {http://emails-direct.com/}} accept condition = ${if def:header_List-ID:} accept condition = ${lookup{$sender_address_domain}nwildlsearch\ {/usr/local/etc/exim/mailing_list_domains}{1}{0}} deny message = Microsoft thinks it is spam: SFV:SPM in \ X-Forefront-Antispam-Report condition = ${if match{$rheader_X-Forefront-Antispam-Report:}\ {;SFV:SPM;}} require acl = rt accept hosts = : +whitelisted_hosts deny message = rejected as spam from Emotet botnet set 
acl_m_singledomain = ${domain:$recipients} condition = ${if def:acl_m_singledomain} condition = ${if match{$header_Message-ID:}\ {\N^<\d{1,20}\.[\dA-F]{16}@(?i)\N$acl_m_singledomain>\$}} deny message = rejected as spam from a \ web-hosting account created for spamming only condition = ${if match{$sender_address}\ {\N\\Q${local_part:$header_From:}-${sg{$recipients}{@}{=}}\\E@\N}} condition = ${if match{$sender_host_name}\ {^[a-z]+\.$sender_address_domain\$}} condition = ${if ={$received_count}{2}} condition = ${if match{$header_Received:}\ {\N\A(.+\n\s)+.+\nby \N$sender_host_name id }} condition = ${if eq{$sender_address_domain}{${domain:$header_From:}}} condition = ${if eq{$recipients}{$header_To:}} condition = ${if eq{$header_Content-Type:}{text/plain;}} condition = ${if !def:header_Content_Transfer_Encoding:} condition = ${if eq{$sender_host_name}{${domain:$header_Message-ID:}}} condition = ${if match{$message_body}\ {http://$sender_address_domain/\N\w.+\n(\.\n){4,}.+: http://\N$sender_address_domain/\\w}} deny message = rejected because recognized as sent by spammers` mailer condition = ${if match{$rheader_Received:}\ {((?i)helo(?-i)|from)[ =]QRJATYDI}} deny condition = ${if !match{$recipients}{(?i)accmailfaqrus()tg.org.ua}} # really @ !senders = MAILER-DAEMON@spamgourmet.com : \N^\w+@slando\.\N !authenticated = * !verify = header_sender deny message = rejected because recognized as Russian spam (type 1) condition = ${if match{$recipients}{^postmaster@[^@]+\$}} condition = ${if match{$rheader_From:}\ {\N^(\t| )(=\?koi8-r\?B\?I|\")\N}} condition = ${if match{$message_body}\ {\N([à-ÿ\d]{5} {5,9}\S[^\n\r]+[\n\r]+){2}\N}} discard message = discarded because recognized as Russian spam (type 3) condition = ${if match{$header_Subject:}\ {\N (ICQ:? ?6288862|\+79133913837) \N}} condition = ${if eqi{$sender_address}{$recipients}} deny message = rejected because recognized as Russian spam (type 3) condition = ${if match{$header_Subject:}{ ICQ:? 
?6288862 }} deny message = rejected because recognized as Russian spam (type 4) condition = ${if match{$header_List-Unsubscribe:}{http://mainler.ru/}} deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 1) condition = ${if or{\ {match{$rheader_received:}{(?s);.+\ (helo=|HELO |EHLO |from )(User|(Thunder)?server|SERVER|tserver1|\ Server1|yandex\\.ru|otissys1|PADILLA|TTSRV\\d+|srv2003|\ Server-Terminal|source|serveur2|cmgserver|UnknownHost|\ ${if def:sender_address_domain{$sender_address_domain}{User}}|\ ${if def:sender_host_name{$sender_host_name}{User}})\ [\\) \\r\\n]}}\ {and{\ {match{$rheader_Content-Type:}{(?si)text.+windows-1251}}\ {match{$message_body$message_body_end}{\N[\xC1-\xFE]\N}}\ }}\ }} condition = ${if match{$rheader_X-MimeOLE:}\ {Produced By Microsoft MimeOLE }} condition = ${if or{\ {and{\ {match{$bheader_Content-Type:}{\N^text/(plain|html);([\r\n]*\t| )(charset="?([Ww]indows-125[10]|koi8-u|[\w_-]+\$ESC)"?|format=flowed;[\r\n]+\tcharset="(koi8-r|windows-1251)";[\r\n]+\treply-type=original)$\N}}\ {eqi{$bheader_Content-Transfer-Encoding:}{7bit}}\ }}\ {match{$message_headers_raw}{\N\nContent-transfer-encoding: 8BIT\nContent-type: text/plain; charset=Windows-1251\n\N}}\ {and{\ {match{$bheader_Content-Type:}\ {\N^multipart/(mixed|related|alternative);[\r\n]+\t\N}}\ {match{$message_body}\ {\N[\r\n](Content-Type: text/(plain|html);( |[\r\n]+\t)\ charset="(Windows-1251|[\w_-]+\$ESC)"[\r\n]+\ (Content-Transfer-Encoding: 7bit|\ Content-transfer-encoding: 8BIT)|\ Content-type: text/plain; charset=Windows-1251[\r\n]+\ Content-transfer-encoding: 7BIT)[\r\n]\N}}\ }}\ }} deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 2) condition = ${if match{$message_body}\ {\NContent-Type: text/plain;[\r\n]+\ [ \t]+charset="windows-1251"[\r\n]+\ Content-Transfer-Encoding: quoted-printable[\r\n]+\ 
=C7=E4=F0=E0=E2=F1=F2=E2=F3=E9=F2=E5, =CF=EE=EB=F3=F7=E0=F2=E5=EB=FC\.[\r\n]+\ =DD=F2=EE =D2=E5=EA=F1=F2=EE=E2=E0=FF =F7=E0=F1=F2=FC =EF=E8=F1=FC=EC=E0=\ [\r\n]+\ \.[\r\n]+\ =D1 =F3=E2=E0=E6=E5=ED=E8=E5=EC, =D1=F3=EF=E5=F0 =D4=E8=F0=EC=E0\.\N}} # úÄÒÁ×ÓÔ×ÕÊÔÅ, ðÏÌÕÞÁÔÅÌØ. # üÔÏ ôÅËÓÔÏ×ÁÑ ÞÁÓÔØ ÐÉÓØÍÁ. # ó Õ×ÁÖÅÎÉÅÍ, óÕÐÅÒ æÉÒÍÁ. deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 3) condition = ${if match{$rheader_X-Mailer:}{mPOP Web-Mail }} condition = ${if !match{$rheader_Received:}{ with HTTP;}} deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 4) condition = ${if match{$rheader_X-MimeOLE:}\ {Produced By Microsoft MimeOLE }} condition = ${if or{\ {match{$rheader_Message-ID:}{@cmgserver>}}\ {match{$rheader_Received:}{\\Q[77.110.55.86]\\E}}\ }} deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 5) condition = ${if match{$message_headers_raw}\ {\N\nReceived: from ((www\.)?caspel\.com|\[?(74.10.145.5[56]|79.172.192.188|217.153.227.194|95.211.160.137|207.99.107.164|194.152.235.4|62.101.95.45|93.63.224.135|188.230.127.16|69.183.32.232|89.96.100.146|109.166.1[23]\d\.\d+|89.96.63.62|95.76.161.199|195.82.150.22|212.36.95.121|85.132.32.44|94.30.234.213|212.0.116.118|86.125.36.12|212.181.110.115|195.149.220.131|195.189.46.3|193.205.162.98|77.72.193.206|193.205.184.124|89.25.105.101)\]?|(62-101-94-46|83-103-51-58|193.205.162.98).ip.fastwebnet.it|62.82.74.234.static.user.ono.com|89-96-100-146.ip11.fastwebnet.it|93-63-224-132.ip29.fastwebnet.it|94.244.190.227.nash.net.ua|reverse.completel.net \((reverse.completel.net|unknown) \[92.103.65.138\]\)?|\[?92.103.65.138\]?|correo.peyber.es|212-181-110-115.customer.telia.com|86-125-36-12.static.rdsor.ro|84.120.163.53.dyn.user.ono.com|host217-34-238-217.in-addr.btopenworld.com|ppp03-std.net.lg.ua|unknown \(HELO 
193.205.162.98\)|host7-8-static.238-77-b.business.telecomitalia.it|host-212-36-95-121.solointernet.com|2-229-114-95.ip196.fastwebnet.it|relay.rrc.com.ua|(?i)27.Red-2-139-255.staticIP.rima-tde.net|89-96-63-62.ip11.fastwebnet.it|75-151-69-41-littlerock.hfc.comcastbusiness.net|vds125.xserver.ua|11942.user.farlep.net|69-183-32-232.saisystems.com|dafi-16.vl.net.ua|93-63-224-135.ip29.fastwebnet.it|server88-208-229-7.live-servers.net|pool-91-218-19-45.optima-east.net|81.184.3.111.static.user.ono.com)[ \n]\N}} deny message = rejected because recognized as Ukrainian spam condition = ${if ={$received_count}{1}} condition = ${if eq{$received_protocol}{esmtp}} condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}} condition = ${if match{$bheader_Message-ID:}\ {\N^<\d{10}\.\d{14}@\N}} condition = ${if match{$bheader_In-Reply-To:}\ {\N^<[A-F\d]{44}@[^>]+>?$\N}} condition = ${if match{$bheader_References:}\ {\N^<[A-F\d]{44}@[^>]+>? <[A-F\d]{30,44}@[^>]+>>?$\N}} condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\ {${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}} condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\ {${if match{$bheader_References:}{\N@.+ <(\w+)@\N}{$1}}}} deny message = rejected as spam abusing km.ru condition = ${if match{$sender_host_name}{\N^e-post\d+\.km\.ru$\N}} condition = ${if match{$header_Received:}\ {\N\A(.+\n\s)+.+\nfrom \Q\N$sender_address_domain\\E }} deny message = rejected as spam (fake subscribe.ru) senders = \N^news\d+@subscribe\.ru$\N condition = ${if match{$bheader_From:}\ {^"Subscribe.ru" <$sender_address>\$}} condition = ${if !def:header_List-Unsubscribe:} deny message = I understand neither Chinese nor Korean nor Japanese condition = ${if !match{$recipients}\ {(?i)(accmailfaqrus|mail2ftp)@tg.org.ua}} condition = ${if or{\ {match{$message_headers_raw}{\N(?i)charset="?(gb2312|big5|gbk|ks_c_|euc[_-]kr|shift_jis)\N}}\ 
{match{$message_headers_raw}{\N(?i)=\?(gb2312|big5|gbk|ks_c_\w*|euc[_-]kr|shift_jis)\?[BbQq]\?\N}}\ {match{$message_body}{\N(?i)(content-type:\s*text\/(plain|html);\s*charset=\s*"?|content=(3D)?["']text\/html;\s*charset=(3D)?)(gb2312|big5|gbk|ks_c_|euc[_-]kr|shift_jis)\N}}\ }} deny message = Blocked as Korean spam (type 1) condition = ${if match{$rheader_Received:}\ {\N\[210\.183\.153\.\d\d\]\N}} deny message = Blocked as Chinese spam (type 3) condition = ${if match{$rheader_Subject:}{\N^ =\?utf-8\?\N}} condition = ${if match{$bheader_Subject:}\ {\N^(\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9])\N}} deny message = I consider a Chinese mailbox in Reply-To as a sign of spam. condition = ${if match_domain{${domain:$header_reply-to:}}\ {yahoo.cn:yahoo.com.cn:yahoo.com.hk:w.cn}} warn set acl_m_d = ${sg{\ ${sg{\ ${sg{\ ${if match{$sender_host_name}\ {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\ {$sender_host_name}}::\ $sender_address_domain::\ ${domain:$header_from:}::\ ${domain:$header_reply-to:}::\ ${if match{${domain:$header_message-id:}}\ {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\ {${domain:$header_message-id:}}}::\ ${if match{$sender_helo_name}\ {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\ {$sender_helo_name}}\ }{(^|:)(?i)(?:(?:[^:]+\.)?(?:livejournal.com|qip.ru|pochta.ru|land.ru|front.ru|nm.ru|kinozal.tv|sovam.net.ua|forum.firstvds.ru|firstvds.ru|smtp-pulse.com))(:|\$)}{\$1\$2}}\ }{(::)+}{::}}\ }{^::|::\$}{}} deny message = rejected as spam because domain $dnslist_matched is \ in $dnslist_domain=$dnslist_value $dnslist_text condition = ${if def:acl_m_d} condition = ${if !def:header_List-ID:} condition = ${lookup{$sender_address_domain}nwildlsearch\ {/usr/local/etc/exim/mailing_list_domains}{0}{1}} dnslists = dbl.spamhaus.org=127.0.1.2,127.0.1.4,127.0.1.5/$acl_m_d # usage limits: http://www.spamhaus.org/organization/dnsblusage.html warn condition = ${if def:acl_m_d} dnslists = multi.surbl.org/$acl_m_d # http://www.surbl.org/guidelines warns against rejecting in such way. 
# Evaluate for a few months before adding multi.surbl.org to the "deny" above.
# I don't recommend these two lists because of false positives:
#        multi.uribl.com/$acl_m_d : \
#        uribl.swinog.ch/$acl_m_d
        # Still inside the statement that queries multi.surbl.org: a listed
        # domain is recorded in an added header and in the main and reject logs.
        add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: domain $dnslist_matched \
                     in $dnslist_domain=$dnslist_value $dnslist_text
        logwrite = :main,reject: ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} : \
                   domain $dnslist_matched in \
                   $dnslist_domain=$dnslist_value $dnslist_text

  # Mail to the autoresponder must have a header sender that passes a 10-second
  # callout; a callout that cannot complete is tolerated (defer_ok).
  # The author's "really @" notes mark where "()" stands for "@" in this
  # published copy.
  deny  condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
                                                        # really @
        !verify = header_sender/callout=10s,defer_ok,no_cache,\
                  mailfrom=devnull()tg.org.ua
                                # really @

  # Accept unless the header block contains a second Received line that claims
  # "from <address of the connecting host> by", which is treated below as a
  # forged Received line.
  accept condition = ${if !match{$message_headers_raw}\
          {\N\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?\N$sender_host_address\\]? by }}

  # This connection has already been through the greylisting check below.
  accept condition = ${if def:acl_c_grey_checked}

  # File-based greylisting, no database. The marker file is named after the
  # client address with its last dotted number removed, the envelope sender
  # and the recipients, cut to 255 characters.
  # The second substitution removes every character outside [\w.,=@-], so the
  # remote-supplied part of the name cannot contain "/" or whitespace. That
  # filter is what keeps the name inside the greylist directory and keeps it
  # a single argument of touch; the first field is the client address as
  # reported by Exim. Keep the filter if this statement is edited.
  # Outcome: marker older than 180 seconds - not deferred; marker younger -
  # deferred; no marker - it is created with touch and the message is deferred
  # whatever touch returns (both branches yield 1).
  defer set acl_c_grey_checked = deferred/greylisted because of \
                                 fake Received line in the header
        message = $acl_c_grey_checked
        set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
                             ${sg{$sender_host_address}{\N\.\d+$\N}{}},\
                             ${sg{$sender_address,$recipients}{\N[^\w.,=@-]\N}{}}}
        condition = ${if exists{$acl_m_greyfile}\
                    {${if >{${eval:$tod_epoch-\
                      ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
                    {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}

  # The retry arrived after the greylisting delay: tag the message and log it.
  accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                      fake Received
         logwrite = passed greylisting fake Received \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

rt:
  # Run the "ea" ACL on every address found in Reply-To: and reject when any
  # of them returns "caught". The log line names the list and the address;
  # the SMTP response deliberately does not.
  deny  condition = ${if forany{${addresses:$rheader_Reply-To:}}\
                      {eq{${acl{ea}{$item}}}{caught}}}
        log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \
                      From: $header_From:, envelope-from $sender_address, \
                      recipients=$recipients, Subject: $header_Subject:
        message = spam detected
        # 419 (Nigerian) scams are often sent by humans, do not tell them
        # that the spam was detected with EBL http://msbl.org
  accept

mimeea:
  # Applies to text MIME parts; the mime_regex pattern follows on the next
  # lines.
  deny  condition = ${if match{$mime_content_type}{text}}
        mime_regex = 
\N(?s)([\w.+=-]+@\w[\w-]*\.[\w.-]+\w)\ (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\ (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\ (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\ (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))? condition = ${if forany{$regex1 :$regex3 :$regex5 :$regex7 :$regex9}\ {eq{${acl{ea}{$item}}}{caught}}} # $regex requires Exim version 4.87 or higher log_message = email address in body $acl_m_ea in EBL: $dnslist_text \ From: $header_From:, envelope-from $sender_address, \ recipients=$recipients, Subject: $header_Subject: message = spam detected accept ea: accept condition = ${if eqi{$acl_arg1}{$sender_address}} accept condition = ${lookup{$sender_address_domain}nwildlsearch\ {/usr/local/etc/exim/mailing_list_domains}{0}{1}} accept condition = ${if eq{}\ {${lookup dnsdb{defer_never,mxh=${domain:$acl_arg1}}}}} condition = ${if eq{}\ {${lookup dnsdb{defer_never,a=${domain:$acl_arg1}}}}} warn set acl_m_ea = ${sg{${lc:$acl_arg1}}{\\+.*@}{@}} condition = ${if match{$acl_m_ea}{@g(oogle)?mail.com}} set acl_m_ea = ${sg{${local_part:$acl_m_ea}}{\\.}{}}@${domain:$acl_m_ea} accept condition = ${lookup{${domain:$acl_m_ea}}nwildlsearch\ {/usr/local/etc/exim/mailing_list_domains}{0}{1}} dnslists = ebl.msbl.org/${sha1:$acl_m_ea} message = caught accept acl_check_notsmtp: require acl = rt accept acl_check_notsmtpmime: require acl = mimeea accept =============== =============== You can download my lists from: http://lena.kiev.ua/blacklist_hostaddress.txt http://lena.kiev.ua/blacklist_re_helo.txt http://lena.kiev.ua/blacklist_re_hostname.txt http://lena.kiev.ua/blacklist_webmail.txt http://lena.kiev.ua/blacklist_sender_domain.txt http://lena.kiev.ua/blacklist_injector.txt http://lena.kiev.ua/whitelist_re_hostname.txt http://lena.kiev.ua/mailing_list_domains.txt http://lena.kiev.ua/redirect_domains.txt I use neither server-side virus-filter nor SpamAssassin nor other heavy content-filters. 
I wrote the above with the main goal of minimizing false positives and the secondary goals of minimizing delays and memory consumption. Nevertheless, the above has proved to be quite effective at fending off spam and viruses. Lena