# These are snippets of my Exim configuration (variant with ${run ).
# http://wiki.exim.org/DbLessGreyListingRun
# Lena(at)lena.kiev.ua May 17, 2012
#
# Overview (from the rules below): greylisting without a database. For each
# (sender host address minus its last dotted component, envelope sender,
# recipient) an empty file is created under /var/spool/exim/greylist/ with
# ${run{/usr/bin/touch ...}}; a retry is accepted once that file is older
# than 180 seconds. The same snippets also block relay/authenticated users
# that hit too many invalid recipients and hosts that brute-force AUTH, by
# appending to files in $spool_directory through ${run{SHELL -c ...}}.

# Macros. LIM invalid recipients within PERIOD trigger a block; the notice is
# piped to "EXIMBINARY WARNTO". SHELL is the interpreter used by ${run}.
LIM = 100
PERIOD = 1h
WARNTO = abuse@example.com
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh

daemon_smtp_ports = 25 : 587
accept_8bitmime = true
# NOTE(review): the next two settings let any local user choose the envelope
# sender and turn off the local From:/Sender: check - appropriate only when
# every local account is trusted.
untrusted_set_sender = *
local_from_check = false
# Syntactically invalid HELO/EHLO names are accepted from every host; the
# HELO-based rules in acl_check_rcpt then decide what to do with them.
helo_accept_junk_hosts = *
message_body_newlines = true
headers_charset = KOI8-R
smtp_return_error_details = true
bounce_return_size_limit = 7K
delay_warning = 4h:99d
message_id_header_domain = lena.kiev
# nonexistent domain in order to avoid spam to Message-IDs
# STARTTLS is advertised to all hosts.
tls_advertise_hosts = *
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 2s
log_selector = +smtp_confirmation +queue_time -retry_defer \
    +smtp_incomplete_transaction +smtp_no_mail +deliver_time

# Hosts that bypass the local blacklists, DNS blacklists and greylisting
# ("accept hosts = +whitelisted_hosts" in acl_check_rcpt and acl_check_data).
# NOTE(review): the ranges carry dates from 2008 on this page; an address
# range that has since changed hands would inherit the bypass, so re-check
# them against the providers' currently published ranges before reuse.
hostlist whitelisted_hosts = \
# yahooGroups:
    98.136.218.0/23 : \
    98.139.44.0/24 : \
    98.138.214.0/23 : \
    98.139.164.0/23 : \
    66.163.168.0/23 : \
    67.195.134.0/23 : \
    69.147.64.0/23 : \
    69.147.102.0/23 : \
    74.6.140.0/24 : \
    98.136.44.0/23 : \
    202.86.5.0/24 : \
    203.188.202.0/24 : \
    217.146.182.0/23 : \
    209.131.38.0/24 : \
    209.191.87.0/24 : \
    209.191.125.0/24 : \
    68.142.206.0/23 : \
    68.142.236.0/23 : \
# rambler.ru:
    81.19.92.32/28 : \
    81.19.66.0/23 : \
    81.19.88.0/24 : \
# mail.ru:
    194.67.23.0/24 : \
    194.67.57.0/24 : \
    94.100.179.0/24 : \
    194.67.45.0/24 : \
    195.239.211.0/24 : \
    194.186.55.0/24 : \
    195.239.174.0/24 : \
    94.100.176.0/20 : \
    217.69.128.0/23 : \
# yandex.ru:
    95.108.253.0/24 : \
    77.88.32.0/24 : \
    87.250.248.0/24 : \
    213.180.200.0/24 : \
    213.180.223.0/24 : \
    77.88.46.0/23 : \
    77.88.60.0/23 : \
    95.108.130.0/23 : \
# pochta.ru:
    81.211.64.0/24 : \
    82.204.219.0/24 : \
# aha.ru/go.ru:
#   195.2.83.0/24 : \
# beelinegprs:
    217.118.66.233 : \
# ngs.ru:
    81.176.214.0/24 : \
    195.93.186.0/24 : \
    212.164.71.0/24 : \
# tut.by:
    195.137.160.39 : \
    195.137.160.40 : \
    195.137.160.44/31 : \
# kyivstar.net:
    193.41.60.22 : \
# ntvplus.ru:
    217.106.225.56 : \
# subscribe.ru:
    81.222.217.0/24 : \
    81.222.129.0/24 : \
    81.9.34.128/25 : \
# spamgourmet.com:
    216.75.35.164 : \
# shootthebreeze.net:
    74.220.195.67 : \
# nym.alias.net:
    18.26.0.252 : \
# satline.net:
    212.72.193.50 : \
# allegro.pl:
    91.194.188.90 : 91.207.14.90 : \
# slando.ru :
    83.231.211.64/28 : 83.231.236.0/24 : \
# ntvplus.ru:
    217.106.225.56 : \
# mailing lists @ opennet.ru (open source software):
    217.195.210.187 : \
# spam-l.com:
    204.238.179.8 : 204.238.179.3 : 204.238.179.19 : \
# spammers.dontlike.us:
    69.61.79.98/31 : \
# mon.itor.us:
    208.76.247.123 : \
# mon.itor.us / monitis.com
    208.76.245.178 : \
# pharmacy lekafarm.com.ua:
    193.193.194.47 : \
# mailfilter-out-01.viettel.com.vn:
    203.113.131.24 : \
# paypal:
    206.165.243.109 : 206.165.243.110/31 : 206.165.243.112/28 : \
    206.165.243.128/29 : 206.165.243.136/30 : 206.165.243.140/31 : \
# gmail (from spf 13Nov2008):
    216.239.32.0/19 : 64.233.160.0/19 : 66.249.80.0/20 : \
    72.14.192.0/18 : 209.85.128.0/17 : 66.102.0.0/20 : \
    74.125.0.0/16 : 64.18.0.0/20 : 207.126.144.0/20 : \
# from exim-users May 8, 2008:
# Blueyonder:
    195.188.213.0/29 : 195.188.213.8/31 : \
# Freeserve:
#   193.252.22.156/30 : 193.252.22.128/32 : \
# Tucows:
    64.97.168.37/32 : 64.97.136.128/26 : \
# Hotmail:
    65.54.246.0/24 : \
# Google:
    209.85.132.130/32 : 209.85.132.184/29 : 209.85.132.241/32 : \
    209.85.132.244/32 : 209.85.132.250/32 : 212.159.30.228/32 : \
    64.233.162.176/28 : 64.233.162.224/27 : 64.233.182.167/32 : \
    64.233.184.130/32 : 64.233.184.224/27 : 66.249.82.224/28 : \
    66.249.92.171/32 : 66.249.93.114/32 : 66.249.93.27/32 : \
# Messagelabs:
#   134.159.150.64/26 : 193.109.254.0/23 : 194.106.220.0/23 : \
#   195.245.230.0/23 : 203.129.72.208/28 : 203.129.72.240/28 : \
#   203.129.74.224/27 : 203.166.119.128/26 : 212.125.75.0/27 : \
#   216.82.240.0/20 : 62.173.108.16/28 : 62.173.108.208/28 : \
#   62.231.131.0/24 : 64.124.170.128/28 : 85.158.136.0/21 : \
# manchester.worldispnetwork.com (with qmail):
    216.218.232.61 : \
# from http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?view=markup ,
# but 195.238.2.0/15->195.238.2.0/23:
    12.5.136.141 : 12.5.136.142/31 : 12.5.136.144 : 12.107.209.244 : \
    63.82.37.110 : 63.169.44.143 : 63.169.44.144 : 64.7.153.18 : \
    64.12.137.0/24 : 64.12.138.0/24 : \
    64.124.204.39 : 64.125.132.254 : 66.100.210.82 : 66.135.209.0/24 : \
    66.135.197.0/24 : 66.162.216.166 : 66.206.22.82/31 : 66.206.22.84/31 : \
    66.27.51.218 : 152.163.225.0/24 : 194.245.101.88 : 195.235.39.19 : \
    195.238.2.0/23 : 204.107.120.10 : 205.188.139.136/31 : 205.188.139.137 : \
    205.188.144.207 : 205.188.144.208 : 205.188.156.66 : 205.188.157.0/24 : \
    205.188.159.7 : 205.206.231.0/24 : 205.211.164.50 : 207.115.63.0/24 : \
    207.171.168.0/24 : 207.171.180.0/24 : 207.171.187.0/24 : 207.171.188.0/24 : \
    207.171.190.0/24 : 209.132.176.174 : 211.29.132.0/24 : 213.136.52.31 : \
    217.158.50.178

# PIPELINING is advertised to every host only when the reverse-DNS name
# equals the HELO name; otherwise only to the whitelisted hosts.
pipelining_advertise_hosts = ${if eq{$sender_host_name}{$sender_helo_name}\
    {*}{+whitelisted_hosts}}

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_predata = acl_check_predata
acl_smtp_mime = acl_check_mime
acl_smtp_auth = acl_check_auth
acl_smtp_mail = acl_check_mail
acl_smtp_connect = acl_check_connect
acl_smtp_quit = acl_check_quit
acl_smtp_notquit = acl_check_notquit

# The two lines below separate snippets on the source page; they are not
# Exim directives.
===============
===============

begin acl

# RCPT-time policy: address syntax, postmaster/abuse separation, submission
# from relay hosts and authenticated users (with automatic blocking), HELO and
# blacklist checks, whitelists, then the greylisting rules.
acl_check_rcpt:

  # Empty host list: the message did not arrive from a remote host.
  accept hosts = :

  deny message = Restricted characters in address
       domains = +local_domains
       local_parts = ^[.] : ^.*[@%!/|]

  deny message = Restricted characters in address
       domains = !+local_domains
       local_parts = ^[./|] : ^.*[@] : ^.*/\\.\\./
       # was ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  # acl_m_pmfirst records whether the first local recipient of this message
  # was postmaster/abuse (1) or some other local address (0); the two defers
  # below refuse to mix the two kinds in one message.
  warn condition = ${if !def:acl_m_pmfirst}
       local_parts = postmaster : abuse
       domains = +local_domains
       set acl_m_pmfirst = 1

  warn condition = ${if !def:acl_m_pmfirst}
       !local_parts = postmaster : abuse
       domains = +local_domains
       set acl_m_pmfirst = 0

  defer message = letters to postmaster and abuse are accepted separately \
                  from letters to other addresses
        local_parts = postmaster : abuse
        domains = +local_domains
        !condition = $acl_m_pmfirst

  defer message = letters to postmaster and abuse are accepted separately \
                  from letters to other addresses
        !local_parts = postmaster : abuse
        domains = +local_domains
        condition = $acl_m_pmfirst

  # Greylist key file. The sender and recipient are chosen by the client, so
  # everything except word characters and . , = @ - is stripped from them (no
  # "/" or whitespace survives) and the name is cut to 255 characters before
  # it is used as a path and as an argument to touch.
  warn set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
           ${sg{$sender_host_address}{\N\.\d+$\N}{}},\
           ${sg{$sender_address,$local_part@$domain}{\N[^\w.,=@-]\N}{}}}

  # Mail to postmaster/abuse is accepted here and greylisted later, in
  # acl_check_predata (which tests acl_m_postmaster).
  accept local_parts = postmaster : abuse
         domains = +local_domains
         set acl_m_postmaster = $sender_address,$local_part@$domain

  require verify = sender

  # Relay client already listed in blocked_relay_users: the message is
  # accepted but frozen in the queue (no_tell: no freeze notice is sent).
  accept hosts = !@[] : +relay_from_hosts
         set acl_m_user = $sender_host_address
         # or an userid from RADIUS
         condition = ${if exists{$spool_directory/blocked_relay_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_relay_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  # Relay client that reached LIM invalid recipients within PERIOD: append it
  # to blocked_relay_users and mail a notice to WARNTO.
  # NOTE(review): $acl_m_user is substituted into the command text given to
  # SHELL -c. It is an IP address as configured here; if it is ever set from a
  # RADIUS userid, restrict it to an allow-list of characters where it is set.
  accept hosts = !@[] : +relay_from_hosts
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
            >>$spool_directory/blocked_relay_users; \
            \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
            because has sent mail to LIM invalid recipients during PERIOD.; \
            \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  accept hosts = +relay_from_hosts
         control = submission/domain=

  # Same scheme for authenticated users, keyed on $authenticated_id.
  accept authenticated = *
         set acl_m_user = $authenticated_id
         # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
         condition = ${if exists{$spool_directory/blocked_authenticated_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_authenticated_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  # NOTE(review): here $acl_m_user is $authenticated_id and is substituted
  # unquoted into the SHELL -c command text and into the lsearch file. Whether
  # it can contain shell metacharacters, spaces or colons depends on the
  # authenticators, which this page does not show; filtering it to an
  # allow-list when it is set (as the ${sg} variant above does) removes that
  # dependency.
  accept authenticated = *
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
            >>$spool_directory/blocked_authenticated_users; \
            \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
            has sent mail to LIM invalid recipients during PERIOD.; \
            \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         condition = ${if !={$received_port}{25}}
         control = submission/domain=

  # From here on: unauthenticated mail from hosts outside relay_from_hosts.
  deny message = rejected because `HELO $sender_helo_name` means \
                 impersonation/forgery of one of my domains by a spammer
       condition = ${if match_domain{$sender_helo_name}{+local_domains}}
       !hosts = @[]

  deny message = rejected because HELO is my (recipient server) IP-address \
                 as some spammers lie instead of sender hostname
       condition = ${if match{$sender_helo_name}\
                   {\N^\[?\N$interface_address\N\]?$\N}}
       !hosts = @[]

  deny message = `HELO $sender_helo_name` locally blacklisted
       condition = ${lookup{$sender_helo_name}nwildlsearch\
                   {/usr/local/etc/exim/blacklist_re_helo}{1}{0}}

  deny message = sender address domain $sender_address_domain locally \
                 blacklisted
       condition = ${lookup{$sender_address_domain}nwildlsearch\
                   {/usr/local/etc/exim/blacklist_sender_domain}{1}{0}}

  deny message = google photos abused by spammers
       sender_domains = photos-server.bounces.google.com

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  # Whitelisted hosts skip every check below.
  accept hosts = +whitelisted_hosts
         logwrite = $sender_host_address locally whitelisted

  deny message = sender hostname $sender_host_name locally blacklisted \
                 because of too much spam from it
       log_message = sender hostname locally blacklisted
       condition = ${lookup{$sender_host_name}nwildlsearch\
                   {/usr/local/etc/exim/blacklist_re_hostname}{1}{0}}

  deny message = sender IP-address $sender_host_address locally \
                 blacklisted because of too much spam from it
       log_message = sender IP locally blacklisted
       condition = ${lookup{$sender_host_address}iplsearch\
                   {/usr/local/etc/exim/blacklist_hostaddress}{1}{0}}

  accept dnslists = list.dnswl.org : \
                    swl.spamhaus.org : \
                    hostkarma.junkemailfilter.com=127.0.0.1
         logwrite = $sender_host_address whitelisted in \
                    $dnslist_domain=$dnslist_value
         # http://www.dnswl.org/ , http://spamhauswhitelist.com ,
         # http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists

  deny message = rejected because $sender_host_address is in a black list \
                 at $dnslist_domain. $dnslist_text
       dnslists = dul.ru : \
       # dynamic ranges submitted by ISPs themselves
       #          orvedb.aupads.org : \
       # open relays http://www.aupads.org/ordb.html
                  smtp.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.5 : \
       # open relays only
                  dnsbl.njabl.org=127.0.0.2
       # open relays
       #          list.dsbl.org RIP :-(

  deny message = I don`t accept mail from China,HongKong,Taiwan, Korea, \
                 Vietnam because too many admins there do not care \
                 about outgoing spam. Your \
                 IP-address seems to belong to: $dnslist_text.
       dnslists = zz.countries.nerd.dk=127.0.0.156,127.0.1.88,127.0.0.158,\
                  127.0.1.154,127.0.2.192
#
# uncomment if you need mail from China:
#      message = rejected because $sender_host_address is in a black list \
#                at $dnslist_domain. $dnslist_text
#      dnslists = zen.spamhaus.org : bl.spamcop.net : dnsbl.sorbs.net : \
#                 dnsbl.njabl.org : hostkarma.junkemailfilter.com=127.0.0.2,127.0.0.4
#

  # Sessions that used STARTTLS with a cipher whose name contains neither
  # "128" nor "168" are accepted without greylisting.
  accept condition = ${if def:tls_cipher}
         condition = ${if !match{$tls_cipher}{128|168}}
         condition = ${if eq{$received_protocol}{esmtps}}
         # not smtps

  accept condition = ${lookup{$sender_host_name}nwildlsearch\
                     {/usr/local/etc/exim/whitelist_re_hostname}{1}{0}}
         logwrite = sender hostname $sender_host_name locally whitelisted

  # Greylisting. acl_c_grey_checked / acl_c_grey_result are per-connection,
  # so the decision made for the first recipient is reused for later ones.
  defer condition = ${if def:acl_c_grey_checked}
        message = $acl_c_grey_checked
        condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}

  # Each greylisting trigger below evaluates the same expression: if the key
  # file exists and its mtime is more than 180 s old the result is 0 (allow),
  # otherwise 1 (defer); if it does not exist it is created with touch (run
  # directly, no shell) and the result is 1.
  defer log_message = greylisted because of HELO $sender_helo_name
        condition = ${if or{\
            {!match{$sender_helo_name}{\\.}}\
            {match{$sender_helo_name}\
             {\N^(\[?(\d{1,3}\.){3}\d{1,3}\]?|\.*[-0-_]+\.*)$\N}}\
          }}
        set acl_c_grey_checked = deferred/greylisted because \
            HELO `$sender_helo_name` is not a domain name
        message = $acl_c_grey_checked
        set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
            {${if >{${eval:$tod_epoch-\
            ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
            {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
        # 1 - defer, 0 - allow
        condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}
         logwrite = passed greylisting helo \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo

  defer log_message = greylisted because of protocol smtp
        condition = ${if eq{$received_protocol}{smtp}}
        # smtp (HELO), not esmtp (EHLO)
        condition = ${if def:sender_address}
        # not a verify/callout from another Exim
        condition = ${if !match{$sender_address}{verif|callout|postmaster}}
        set acl_c_grey_checked = deferred/greylisted. protocol SMTP
        message = $acl_c_grey_checked
        set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
            {${if >{${eval:$tod_epoch-\
            ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
            {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
        condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting smtp
         logwrite = passed greylisting smtp \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  defer log_message = greylisted because $sender_host_name looks dynamic
        condition = ${if match{$sender_host_name}\
                    {\N(\d{1,3}[-.]){3}\d\N}}
        condition = ${if !match{$sender_host_name}{sta}}
        set acl_c_grey_checked = deferred/greylisted because sender hostname \
            $sender_host_name looks like dynamic
        message = $acl_c_grey_checked
        set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
            {${if >{${eval:$tod_epoch-\
            ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
            {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
        condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting dyn
         logwrite = passed greylisting dyn \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  defer log_message = greylisted because `HELO $sender_helo_name` looks \
                      dynamic
        condition = ${if match{$sender_helo_name}\
                    {\N(\d{1,3}[-.]){3}\d\N}}
        condition = ${if !match{$sender_helo_name}{sta}}
        set acl_c_grey_checked = deferred/greylisted because \
            `HELO $sender_helo_name` looks like dynamic
        message = $acl_c_grey_checked
        set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
            {${if >{${eval:$tod_epoch-\
            ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
            {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
        condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo dyn
         logwrite = passed greylisting helo dyn \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  defer log_message = greylisted because no hostname
        condition = ${if eq{$sender_host_name}{}}
        set acl_c_grey_checked = deferred/greylisted because \
            $sender_host_address doesn't resolve to hostname or the \
            hostname doesn't resolve back to $sender_host_address
        message = $acl_c_grey_checked
        set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
            {${if >{${eval:$tod_epoch-\
            ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
            {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
        condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                      no hostname
         logwrite = passed greylisting no hostname \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  # Two SPF heuristics on the raw TXT record; this is not full SPF evaluation.
  deny set acl_m_spf = ${lookup dnsdb{defer_never,txt=$sender_address_domain}}
       message = SPF record for $sender_address_domain explicitly states \
                 that this domain should never send mail
       condition = ${if eq{$acl_m_spf}{v=spf1 -all}}

  deny message = SPF record for $sender_address_domain lists too many \
                 IP-addresses, perhaps the whole world - that`s cheating
       condition = ${if match{$acl_m_spf}{\N(?m)^v=spf(.+?/\d\s){2}\N}}

  # Hosts on none of these DNS blacklists are accepted; listed hosts fall
  # through to the greylisting defer below.
  accept !dnslists = hostkarma.junkemailfilter.com=127.0.0.2 : \
                     http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
                     socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
         # open HTTP,SOCKS proxies
                     dnsbl.njabl.org=127.0.0.9 : \
         # open proxies
                     cbl.abuseat.org
         # uncomment next line and comment out the cbl line if you need mail from China:
         #           zen.spamhaus.org=127.0.0.2

  defer log_message = greylisted because in $dnslist_domain: $dnslist_text
        set acl_c_grey_checked = deferred/greylisted because \
            $sender_host_address is in a black list at \
            $dnslist_domain. $dnslist_text
        message = $acl_c_grey_checked
        set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
            {${if >{${eval:$tod_epoch-\
            ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
            {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
        condition = $acl_c_grey_result

  accept logwrite = passed greylisting $dnslist_domain \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                      $dnslist_domain

# Before DATA: reject after more than 2 failed recipients, then greylist
# unauthenticated mail addressed to postmaster/abuse.
acl_check_predata:

#(Exim4.71+)  require control = dkim_disable_verify

  deny message = too many invalid recipients
       condition = ${if >{$rcpt_fail_count}{2}}

  accept hosts = +relay_from_hosts

  accept authenticated = *

  accept condition = ${if !def:acl_m_postmaster}

  defer condition = ${if def:acl_c_grey_checked}
        message = $acl_c_grey_checked
        condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}

  defer log_message = postmaster greylisted
        set acl_c_grey_checked = All mail to postmaster is \
            deferred/greylisted here for 3 min because \
            of too much spam and no other checks.
        message = $acl_c_grey_checked
        set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
            {${if >{${eval:$tod_epoch-\
            ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
            {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
        condition = $acl_c_grey_result

  accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                      postmaster
         logwrite = passed greylisting postmaster \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

# Per-MIME-part checks: executable attachments and content-based spam rules.
acl_check_mime:

  # Applies to unauthenticated mail from remote hosts; matches on the declared
  # content type or the file name extension only, not on file contents.
  deny message = Windows-executable attachments forbidden. Use zip.
       condition = ${if !eqi{$recipients}{lena()lena.kiev.ua}}
       # really @ (the page obfuscates the address; restore @ before use)
       condition = ${if def:sender_host_address}
       condition = ${if !def:sender_host_authenticated}
       log_message = forbidden attachment: filename=$mime_filename, \
                     content-type=$mime_content_type, recipients=$recipients
       condition = ${if or{\
           {match{$mime_content_type}{(?i)executable}}\
           {match{$mime_filename}{\N(?i)\.(exe|com|vbs|bat|pif|scr|hta|js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys)$\N}}\
         }}

  deny message = Blocked as Vietnamese spam from gmail
       condition = ${if match{$sender_host_name}\
                   {\N^mail-[\w-]+\.google\.com$\N}}
       condition = ${if eq{$mime_content_type}{text/plain}}
       condition = ${if eqi{$mime_charset}{UTF-8}}
       mime_regex = \N([\x01-\x7f](\xe1(\xba[\xa1-\xa3\xa5\xa6\xa8\xab\xad\xb6\xbe\xbf]|\xbb[\x81\x82\x85-\x87\x89-\x92\x97\x99-\x9c\xaa\xab\xad\xb0\xb1])|\xc3[\xaa\xa2\xb4]\xcc[\x81\x83\x89])[\x01-\x7f].*?){3}

  deny message = Blocked as Chinese spam (type 1)
       condition = ${if match{$rheader_Subject:}{\N=\?utf-8\?B\?\N}}
       condition = ${if match{$bheader_X-mailer:}{\NFoxmail [\d, ]+ \[cn\]\N}}
       condition = ${if or{\
           {eq{$mime_content_type}{application/vnd.ms-excel}}\
           {match{$mime_filename}{\N(?i)\.xls$\N}}\
         }}

  deny message = Blocked as Chinese spam (type 2)
       condition = ${if eq{$mime_content_type}{text/plain}}
       condition = ${if eqi{$mime_charset}{UTF-8}}
       mime_regex = \N\
           ([\x01-\x7f](\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9]).+?){3}

  deny message = Blocked as Korean spam (type 2)
       condition = ${if eq{$mime_content_type}{text/html}}
       mime_regex = \N\A\
           m='%3Cmeta%20http-equiv%3D%22refresh%22

  deny message = rejected because recognized as Ukrainian spam (type 2)
       condition = ${if eq{$mime_content_type}{text/html}}
       mime_regex = href="?http.//mailplus.kiev.ua/ : \
                    src="?http.//element-architecture.com/ : \
                    href="?http.//(www.)?radiationsafe.com/

  accept condition = ${if !match{$recipients}{\N(?i)mail2ftp[^,]*@tg.org.ua\N}}
  # it's my robot which replies to emailed commands

  deny message = You must set up your mail client to send plain text, \
                 no HTML, no attachments
       condition = ${if match{$mime_content_type}{(?i)html|multipart}}

  require message = Command in the first line of letter body \
                    not recognized - send HELP
          mime_regex = \N(?i)\Amail2ftp(verbose)?\s :\
                       (?i)\Ahttp(post|get)[swtn]?\s :\
                       (?i)\Alogin\s :\
                       (?i)\A\"?help[\"\s\n]

  accept

# Runs on every AUTH command; slows down and then blocks password guessing.
acl_check_auth:

  # acl_m_auth counts AUTH commands; the drop (after a 22 s delay) fires once
  # the count exceeds 2.
  # NOTE(review): the message says "only once", the condition allows two
  # attempts - confirm which is intended.
  drop message = authentication is allowed only once per message in order \
                 to slow down bruteforce cracking
       set acl_m_auth = ${eval10:0$acl_m_auth+1}
       condition = ${if >{$acl_m_auth}{2}}
       delay = 22s

  # acl_c_authnomail counts AUTH commands on this connection and is reset to 0
  # in acl_check_mail. Above 4 the client address is appended to blocked_IPs
  # (checked in acl_check_connect) and a notice is mailed to WARNTO. Only
  # $sender_host_address, the connection's address and not client-supplied
  # text, is substituted into the SHELL -c command here.
  # NOTE(review): every trigger appends another line and this page shows no
  # expiry of blocked_IPs entries. lsearch keys end at a colon, so unquoted
  # IPv6 addresses written this way probably never match - confirm if IPv6 is
  # in use.
  drop message = blacklisted for bruteforce cracking attempt
       set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
       condition = ${if >{$acl_c_authnomail}{4}}
       continue = ${run{SHELL -c "echo $sender_host_address \
          >>$spool_directory/blocked_IPs; \
          \N{\N echo Subject: $sender_host_address blocked; echo; echo \
          for bruteforce auth cracking attempt.; \
          \N}\N | EXIMBINARY WARNTO"}}

  accept

# QUIT after a failed authentication: logged, and when the 7 / 5m per_conn
# rate limit is exceeded the host is appended to blocked_IPs.
acl_check_quit:

  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       logwrite = :reject: quit after authentication failed: \
                  ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
       ratelimit = 7 / 5m / strict / per_conn
       continue = ${run{SHELL -c "echo $sender_host_address \
          >>$spool_directory/blocked_IPs; \
          \N{\N echo Subject: $sender_host_address blocked; echo; echo \
          for bruteforce auth cracking attempt.; \
          \N}\N | EXIMBINARY WARNTO"}}

# Same as acl_check_quit for sessions that end without QUIT; only
# "connection-lost" endings count towards the rate limit.
acl_check_notquit:

  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                  ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
       condition = ${if eq{$smtp_notquit_reason}{connection-lost}}
       ratelimit = 7 / 5m / strict / per_conn
       continue = ${run{SHELL -c "echo $sender_host_address \
          >>$spool_directory/blocked_IPs; \
          \N{\N echo Subject: $sender_host_address blocked; echo; echo \
          for bruteforce auth cracking attempt.; \
          \N}\N | EXIMBINARY WARNTO"}}

# A MAIL command resets the "AUTH without mail" counter.
acl_check_mail:

  accept set acl_c_authnomail = 0

# At connect time: static local blacklist, then the blocked_IPs file that the
# AUTH/QUIT rules append to.
acl_check_connect:

  drop message = suspicious client on $sender_host_name \
                 [$sender_host_address] locally blacklisted
       condition = ${if or{\
           {match_ip{$sender_host_address}{84.246.224.0/21:202.91.182.94:\
              66.46.176.241:61.146.233.114:66.197.220.252:211.35.163.211:\
              77.245.72.32:77.245.72.33:69.73.148.36:203.156.213.70:\
              83.70.129.73:95.226.163.141:69.69.168.196:189.109.6.132:\
              111.164.160.85:113.244.192.180:213.166.137.49:\
              113.65.140.54:180.120.238.48:217.7.232.64:173.0.50.7:\
              205.234.222.29:82.165.45.163:113.111.194.39:113.65.163.75:\
              195.88.208.0/23:98.141.206.122:121.145.96.64/26}}\
           {match{$sender_host_name}\
            {\N^(mailserver\.liceocampoverde\.com|\
              68-115-208-106\.static\.spbg\.sc\.charter\.com|\
              ppp-\d+-\d+-\d+-\d+\.revip2\.asianet\.co\.th|\
              ec2-\d+-\d+-\d+-\d+.[\w-]+.compute\.amazonaws\.com)$\N}}\
         }}

  drop message = $sender_host_address locally blacklisted for a bruteforce \
                 auth (login+password) cracking attempt
       condition = ${if exists{$spool_directory/blocked_IPs}}
       condition = ${lookup{$sender_host_address}lsearch\
                   {$spool_directory/blocked_IPs}{1}{0}}

  accept

# After DATA: content-based spam rules on headers and body.
acl_check_data:

  deny message = rejected because recognized as spam to postmaster
       condition = ${if !def:sender_address}
       condition = ${if def:acl_m_postmaster}
       condition = ${if match{$message_body}\
                   {\N^[^\r\n]{1,80}(\r?\n\r?)?http://[^\r\n]+[\r\n]*\Z\N}}

  deny message = rejected because recognized as a Windows bot spam
       condition = ${if match{$received_protocol}{^smtp}}
       condition = ${if match{$message_headers_raw}\
           {\N\AReceived:(?:.+\n\t)+.+\n\
           (?:X-AntiVirus:.+\n)?\
           Received: from unknown \(HELO (\w+)\) \(\[[\d.]+\]\)\n\
           \tby \S+ with ESMTP;.+\n\
           Message-ID: <.+@\w+\1>\n\
           From: "\w+ \w+" <.+\n\
           To: <[^>\n]+>\n\
           Subject: .+\n\
           Date: .+\n\
           MIME-Version: 1.0\n\
           Content-Type: text/plain;\n\
           \tformat=flowed;\n\
           \tcharset="KOI8-R";\n\
           \treply-type=original\n\
           Content-Transfer-Encoding: 8bit\n\
           X-Priority: 3\n\
           X-MSMail-Priority: Normal\n\
           X-Mailer: Microsoft Outlook Express \N}}
       # the second Received is fake.
# acl_check_data, continued. Mail whose first local recipient was
# postmaster/abuse (acl_m_pmfirst = 1) is accepted here and skips the
# content rules that follow.
  accept condition = $acl_m_pmfirst

  deny message = Send empty letter without Subject \
                 (Otprav`te pustoe pis`mo bez temy).
       condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
       # really @ (the page obfuscates the address; restore @ before use)
       # my autoresponder which replies only to empty letters
       condition = ${if def:header_subject:}
       condition = ${if !match{$header_subject:}{\N(?i)[Бб]ез темы|no subject|[Пп]усто|empty|^\[\?\? Probable Spam\]$|^([\[\(\*\+]*(probabl[ey] |posibl[ey] |suspected )?spam[\]\)\*\+:\s]*)?(help|.{0,3})$\N}}

  deny message = You must set up your mail client to send plain text, \
                 no HTML, no attachments
       condition = ${if match{$recipients}\
                   {\N(?i)(mail2ftp[^,]*|tgrus-archive(-backup)?|koi)@tg.org.ua\N}}
       # my various autoresponders which parse message body
       condition = ${if match{$rheader_Content-Type:}{(?i)html|multipart}}

  # Keeps the autoresponders from answering lists, bounces and other
  # automatic mail (mail-loop prevention).
  deny message = Only private letters to an autoresponder are accepted.
       condition = ${if match{$recipients}\
                   {\N(?i)(accmailfaqrus|tgrus-archive-list)@tg.org.ua\N}}
       condition = ${if or{\
           {!={$recipients_count}{1}}\
           {!eqi{$recipients}{${addresses:$bheader_to:}}}\
           {match{$rheader_precedence:}{bulk|list|junk}}\
           {!def:sender_address}\
           {match{$sender_address_local_part}\
              {(?i)mailer-daemon|-outgoing|-relay|listserv|-request}}\
           {def:header_auto-submitted:}\
           {def:header_list-unsubscribe:}\
           {eqi{$sender_address}{$recipients}}\
           {def:header_Autorespond:}\
           {def:header_X-Autoresponse:}\
           {def:header_X-Autoreply-From:}\
           {def:header_X-eBay-MailTracker:}\
           {def:header_X-MaxCode-Template:}\
           {def:header_X-FC-MachineGenerated:}\
           {def:header_X-Auto-Response-Suppress:}\
           {match{$header_X-OS:}{HP Onboard Administrator}}\
           {eq{$header_X-MimeOLE:}{Produced By phpBB2}}\
           {match{$h_From:}{\\(via the vacation program\\)}}\
           {match{$h_Subject:}{\N^Yahoo! Auto Response$|\
              ^ezmlm warning$|^Out of Office|^Autoresponse:|\
              ^Auto-Reply:|\(Auto Reply\)$|\(Out of Office\)$|\
              is out of the office\.$\N}}\
         }}

  # The warn statements below try to recover the address of the webmail user
  # behind a provider's relay and store it in acl_m_web. The value comes from
  # message headers, i.e. from text the sending side controls; every pattern
  # captures only a dotted-decimal address, and in this snippet acl_m_web is
  # used solely for the blacklist_webmail lookup further down, so a forged
  # header can affect that one deny and nothing else.
  warn condition = ${if match{$sender_host_name}\
                   {\N\.(blu|col|bay|snt)\d+\.hotmail\.com$\N}}
       set acl_m_web = ${if match{$rheader_Received:}{\Nfrom [^\(]+\
           \(\[(\d+\.\d+\.\d+\.\d+)\]\) by \
           [^\w-]+\.((blu|col|bay|snt)\d+\.hotmail\.com|phx\.gbl) \
           (over TLS secured channel )?with Microsoft SMTPSVC\N}{$1}}

  warn condition = ${if match{$sender_host_name}\
                   {\N\.mail\....?\.yahoo\.com$\N}}
       condition = ${if or{\
           {match{$rheader_X-Yahoo-Newman-Property:}{ymail}}\
           {def:header_X-RocketYMMF:}\
           {match{$bheader_X-Mailer:}{^YahooMail}}\
         }}
       set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
           \[(\d+\.\d+\.\d+\.\d+)\] by \
           web\d+(\.biz)?\.mail\....?\.yahoo\.com via HTTP; \N}{$1}}
       condition = ${if !def:acl_m_web}
       set acl_m_web = ${if match{$bheader_Received:}{\Nfrom [^(\n]+ \
           \([^)\n]+@(\d+\.\d+\.\d+\.\d+) with login\)[\r\n]+\s+by \
           smtp\d+(\.plus|\.sbc)?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}}

  warn condition = ${if match{$sender_host_name}\
                   {\N^[oi]mr-\w+\.mx\.aol\.com$\N}}
       set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
           (\d+\.\d+\.\d+\.\d+) by webmail-\w+\.sysops\.aol\.com \
           \(\d+\.\d+\.\d+\.\d+\) with HTTP \(WebMailUI\); \N}{$1}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \S+ \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by \
           mtaout-\w+\.\w+\.mx\.aol\.com \(MUA/Third Party Client \
           Interface\) with ESMTPA id \w+;\N}{$1}{$acl_m_web}}

  warn condition = ${if match{$sender_host_name}\
                   {\N^outbound\d+\.messaging\.lotuslive\.com$\N}}
       set acl_m_web = ${if match{$rheader_Received:}\
           {\N^@[\w.-]+@(\d+\.\d+\.\d+\.\d+)\)\N}{$1}}

  # Generic webmail packages, tried for any sending host. Each "set" keeps the
  # previous value of acl_m_web when its pattern does not match.
  warn set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           [\d.]+ (?:\(\[[\d.]+\]\) )?\(proxying[\s\n]+for[\s\n]+\
           (\d+\.\d+\.\d+\.\d+)(, [\w.-]+)?\)\n\
           \s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
           \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           (?:\S+ \(\[)?(\d+\.\d+\.\d+\.\d+)(?:\]\))?\n?\
           \s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
           \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           (\d+\.\d+\.\d+\.\d+)(?: \(proxying for [^)]+\))?[\n\s]+\
           \(RisuMail authenticated user \N}{$1}{$acl_m_web}}
       # NOTE(review): "\(\]" in the next pattern looks like a typo for "\(\["
       # - as written it requires "(]" before the address; confirm.
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \S+ \(\](\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+[\s\n]+\
           with[\s\n]+HTTP(?s).+\nUser-Agent: Roundcube Webmail\N}\
           {$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \S+[\n\s]+\((?:\S+[\n\s]+)?\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by\
           [\n\s]+\S+[\n\s]+\(Horde[\n\s]+(Framework|MIME[\n\s]+library)\)\
           [\n\s]+with[\n\s]+HTTP\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \S+\s+\((?:\S+\s+)?\[(\d+\.\d+\.\d+\.\d+)\]\)\s+by\s+\S+\s+\(Horde\s+\
           (Framework|MIME\s+library)\)\s+with\s+HTTP;\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \[(\d+\.\d+\.\d+\.\d+)\] by \S+[\s\n\r]+ \(mshttpd\);\N}\
           {$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           client (\d+\.\d+\.\d+\.\d+) for UebiMiau\d+\.\d+ \(webmail \
           client\);\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s+]by \S+ \
           with HTTP \(UebiMiau\);\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \[(\d+\.\d+\.\d+\.\d+)\] \(account \S+\)[\s\n\r]+by[\s\n\r]+\
           \S+[\s\n\r]+\(CommuniGate Pro WEBUSER \S+\)[\s\n\r]+\
           with[\s\n\r]+HTTP\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\
           (?:\S+[\s\n]+)?\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\
           [\s\n]+with[\s\n]+http[\s\n]\N}{$1}{$acl_m_web}}
       set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
           \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\r]+\s+\
           by mx.google.com with ESMTPS id \N}{$1}{$acl_m_web}}
       condition = ${if match{$bheader_X-Mailer:}{^OpenWebMail }}
       set acl_m_web = ${if match{$bheader_X-OriginatingIP:}\
           {\N^\[?(\d+\.\d+\.\d+\.\d+)\]?( |$)\N}{$1}}

  # Fallbacks, used only while acl_m_web is still unset: single-purpose
  # "originating address" headers.
  warn condition = ${if !def:acl_m_web}
       set acl_m_web = ${if match{$bheader_X-Originating-IP:}\
           {\N^\[?(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]?$\N}{$1}}

  warn condition = ${if !def:acl_m_web}
       set acl_m_web = ${if match{$bheader_X-Client-IP:}\
           {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}

  warn condition = ${if !def:acl_m_web}
       set acl_m_web = ${if match{$bheader_X-Origin:}\
           {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}

  warn condition = ${if !def:acl_m_web}
       set acl_m_web = ${if match{$bheader_X-Originator:}\
           {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}

  warn condition = ${if !def:acl_m_web}
       set acl_m_web = ${if match{$bheader_X-SenderIP:}\
           {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}

  warn condition = ${if !def:acl_m_web}
       set acl_m_web = ${if match{$bheader_X-PHP-Script:}\
           {\N^\S+ for (\d+\.\d+\.\d+\.\d+)$\N}{$1}}

  deny message = webmail from $acl_m_web locally blacklisted
       condition = ${if def:acl_m_web}
       condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
       condition = ${lookup{$acl_m_web}iplsearch\
                   {/usr/local/etc/exim/blacklist_webmail}{1}{0}}

  deny message = Google+ is evil spammer
       condition = ${if match{$sender_host_name}\
                   {\N^mail-[\w-]+\.google\.com$\N}}
       condition = ${if eq{$bheader_X-Notification-Type:}{STREAM_POST_SHARED}}

  deny message = "mail to friend" on news.yahoo.com abused by spammers
       condition = ${if match{$sender_host_name}\
                   {\N\.bullet\.(mail\.)?...?\.yahoo\.com$\N}}
       condition = ${if eq{$bheader_X-Yahoo-Newman-Property:}{mail-to-friend}}

  discard message = discarded because recognized as Russian spam via a relay \
                    authenticated with a stolen password (type 6)
          condition = ${if match{$rheader_Received:}\
                      {\N\Wngs\.ru\W.*\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d)\.|\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d)\..*\Wngs\.ru\W\N}}
          # discarded because $sender_address eq $recipients,
          # therefore a "deny" would generate a bounce from the relay again to me.

  # Local submissions and whitelisted hosts skip the remaining content rules.
  accept hosts = : +whitelisted_hosts

  deny message = rejected because recognized as sent by spammers` mailer
       condition = ${if match{$rheader_Received:}\
                   {((?i)helo(?-i)|from)[ =]QRJATYDI}}

  deny condition = ${if !match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
       # really @ (the page obfuscates the address; restore @ before use)
       !senders = MAILER-DAEMON@spamgourmet.com : \N^\w+@slando\.\N
       !verify = header_sender

  deny message = rejected because recognized as spam sent by a \
                 virus/trojan/zombie/bot
       condition = ${if def:acl_c_grey_checked}
       condition = ${if eq{$received_protocol}{smtp}}
       condition = ${if match{$rheader_Content-Transfer-Encoding:}{7bit}}
       condition = ${if match{$message_body}\
                   {\Nhttp://[a-z]+\.com\n\n[A-Z][a-z]+ [A-Z][a-z]+\n\n\Z\N}}
       condition = ${if !match{$message_body}{http://.+http://}}

  deny message = rejected because recognized as Russian spam
       condition = ${if match{$recipients}{^postmaster@[^@]+\$}}
       condition = ${if match{$rheader_From:}\
                   {\N^(\t| )(=\?koi8-r\?B\?I|\")\N}}
       condition = ${if match{$message_body}\
                   {\N([Ю-Ъ\d]{5} {5,9}\S[^\n\r]+[\n\r]+){2}\N}}

  # NOTE(review): $sender_address_domain and $sender_host_name are expanded
  # into the first pattern below without regex quoting, so the dots in them
  # match any character and any other metacharacter in those values would be
  # read as pattern syntax.
  deny message = rejected because recognized as sent by Russian spambot via \
                 a relay authenticated with a stolen password (type 1)
       condition = ${if or{\
           {match{$rheader_received:}{(?s);.+\
              (helo=|HELO |EHLO |from )(User|(Thunder)?server|SERVER|tserver1|\
              Server1|yandex\\.ru|otissys1|PADILLA|TTSRV\\d+|srv2003|\
              Server-Terminal|source|serveur2|cmgserver|\
              ${if def:sender_address_domain{$sender_address_domain}{User}}|\
              ${if def:sender_host_name{$sender_host_name}{User}})\
              [\\) \\r\\n]}}\
           {and{\
              {match{$rheader_Content-Type:}{(?si)text.+windows-1251}}\
              {match{$message_body$message_body_end}{\N[\xC1-\xFE]\N}}\
           }}\
         }}
       condition = ${if match{$rheader_X-MimeOLE:}\
                   {Produced By Microsoft MimeOLE }}
       condition = ${if or{\
           {and{\
              {match{$bheader_Content-Type:}{\N^text/(plain|html);([\r\n]*\t| )(charset="?([Ww]indows-125[10]|koi8-u|[\w-]+\$ESC)"?|format=flowed;[\r\n]+\tcharset="(koi8-r|windows-1251)";[\r\n]+\treply-type=original)$\N}}\
              {eqi{$bheader_Content-Transfer-Encoding:}{7bit}}\
           }}\
           {match{$message_headers_raw}{\N\nContent-transfer-encoding: 8BIT\nContent-type: text/plain; charset=Windows-1251\n\N}}\
           {and{\
              {match{$bheader_Content-Type:}\
                 {\N^multipart/(mixed|related|alternative);[\r\n]+\t\N}}\
              {match{$message_body}\
                 {\N[\r\n](Content-Type: text/(plain|html);( |[\r\n]+\t)\
                 charset="(Windows-1251|[\w-]+\$ESC)"[\r\n]+\
                 (Content-Transfer-Encoding: 7bit|\
                 Content-transfer-encoding: 8BIT)|\
                 Content-type: text/plain; charset=Windows-1251[\r\n]+\
                 Content-transfer-encoding: 7BIT)[\r\n]\N}}\
           }}\
         }}

  deny message = rejected because recognized as sent by Russian spambot via \
                 a relay authenticated with a stolen password (type 2)
       condition = ${if match{$message_body}\
           {\NContent-Type: text/plain;[\r\n]+\
           [ \t]+charset="windows-1251"[\r\n]+\
           Content-Transfer-Encoding: quoted-printable[\r\n]+\
           =C7=E4=F0=E0=E2=F1=F2=E2=F3=E9=F2=E5, =CF=EE=EB=F3=F7=E0=F2=E5=EB=FC\.[\r\n]+\
           =DD=F2=EE =D2=E5=EA=F1=F2=EE=E2=E0=FF =F7=E0=F1=F2=FC =EF=E8=F1=FC=EC=E0=\
           [\r\n]+\
           \.[\r\n]+\
           =D1 =F3=E2=E0=E6=E5=ED=E8=E5=EC, =D1=F3=EF=E5=F0 =D4=E8=F0=EC=E0\.\N}}
       # The quoted-printable text above, translated from Russian:
       # Hello, Recipient.
       # This is the Text part of the letter.
       # Regards, Super Firm.
# ---------------------------------------------------------------------------
# Overview of the ACL stanzas from here to the end of the ACL, in file order.
# The ACL's name and start are not part of this excerpt; the stanzas read
# $message_body and header variables, so this is presumably the DATA ACL --
# confirm against the full configuration. Nearly every test below matches
# sender-supplied header or body text, so these are spam heuristics and not
# evidence of who really sent a message.
#
# deny (type 3): X-Mailer contains "mPOP Web-Mail " but no Received: line
#   contains " with HTTP;".
# deny (type 4): X-MimeOLE contains "Produced By Microsoft MimeOLE " and either
#   Message-ID contains "@cmgserver>" or Received: contains the literal text
#   "[77.110.55.86]" (quoted with \Q...\E).
# deny (type 5): a raw "Received: from" line names one of a fixed list of hosts
#   and addresses. NOTE(review): only "(www\.)" and "caspel\.com" escape the
#   dot; in the other alternatives "." matches any character, so the pattern
#   is looser than the literal names and addresses.
# deny (Ukrainian spam): $received_count is 1, protocol esmtp, X-Priority is
#   "3 (Normal)", Message-ID / In-Reply-To / References have a fixed shape, and
#   the id taken from In-Reply-To differs from both ids in References.
# deny (km.ru): host name e-post<digits>.km.ru and a Received: header that has,
#   after at least one folded line, a line starting
#   "from <envelope sender domain> ". The sender domain is interpolated into
#   the regex between \Q and \E.
# deny (fake subscribe.ru): envelope sender news<digits>@subscribe.ru, From:
#   equal to "Subscribe.ru" <sender>, and no List-Unsubscribe: header.
#   $sender_address is interpolated into the regex unquoted; the "senders"
#   test listed before it has already restricted its form.
# deny (CJK): a Chinese/Korean/Japanese charset label in the raw headers, in an
#   encoded-word, or in a body Content-Type / HTML meta tag, unless a recipient
#   matches (accmailfaqrus|mail2ftp)@tg.org.ua.
# deny (Korean type 1): Received: contains "[210.183.153.NN]" (two digits).
# deny (Reply-To): the Reply-To domain is yahoo.cn, yahoo.com.cn, yahoo.com.hk
#   or w.cn.
# warn: builds $acl_m_d, a "::"-separated list of the reverse-DNS host name,
#   the envelope sender domain, the From: and Reply-To: domains, and the
#   Message-ID domain and HELO name when these look like a host name. Entries
#   livejournal.com and qip.ru are removed, then repeated and leading/trailing
#   "::" are squeezed out.
# deny: an entry of $acl_m_d is listed in dbl.spamhaus.org.
# warn: the same lookup against multi.surbl.org, which only adds a header and
#   writes a line to the main and reject logs.
# deny: for recipient accmailfaqrus..., when verification of the header sender
#   (with a 10 s callout, defer_ok) fails. The author wrote "()" in place of
#   "@" in both addresses (see "# really @"); in the recipient pattern "()" is
#   an empty regex group, so "@" has to be restored before this is used.
# accept: unless the raw headers contain, directly after the first (folded)
#   header, a line "Received: from [<connecting IP>] by". NOTE(review):
#   $sender_host_address is interpolated with its dots unescaped.
# accept: if $acl_c_grey_checked is already set.
# defer (greylisting): sets $acl_c_grey_checked before its condition is
#   evaluated. The marker file is /var/spool/exim/greylist/ followed by at most
#   255 characters of "<sender IP without its last .N>,<sender>,<recipients>",
#   with every character outside [\w.,=@-] deleted from the sender/recipient
#   part. That filter removes "/" and whitespace, which keeps the
#   remote-supplied text inside a single file name under the greylist
#   directory and inside a single argument of /usr/bin/touch -- keep that
#   property if the character class is ever edited.
#   A marker file no older than 180 s -> defer; an older one -> this stanza
#   does not apply and the final accept runs. A missing file is created with
#   touch and the message is deferred whether or not touch succeeded (both
#   branches yield 1).
#   NOTE(review): nothing in this excerpt deletes old marker files, and Exim
#   4.94 and later track tainted (remote-supplied) data and may refuse file
#   names built from it -- verify both against the installation.
# accept: adds a header and logs that the message passed this greylisting.
#
# The text after the "===" rule at the very end is the author's closing note,
# not configuration. The list URLs in it are plain http, so anything fetched
# from them should be reviewed before it is installed.
# ---------------------------------------------------------------------------
deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 3) condition = ${if match{$rheader_X-Mailer:}{mPOP Web-Mail }} condition = ${if !match{$rheader_Received:}{ with HTTP;}} deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 4) condition = ${if match{$rheader_X-MimeOLE:}\ {Produced By Microsoft MimeOLE }} condition = ${if or{\ {match{$rheader_Message-ID:}{@cmgserver>}}\ {match{$rheader_Received:}{\\Q[77.110.55.86]\\E}}\ }} deny message = rejected because recognized as sent by Russian spambot via \ a relay authenticated with a stolen password (type 5) condition = ${if match{$message_headers_raw}\ {\N\nReceived: from ((www\.)?caspel\.com|\[?(85.132.32.44|94.30.234.213|212.0.116.118|86.125.36.12|212.181.110.115|195.149.220.131)\]?|(62-101-94-46|83-103-51-58).ip.fastwebnet.it|62.82.74.234.static.user.ono.com|89-96-100-146.ip11.fastwebnet.it|94.244.190.227.nash.net.ua|reverse.completel.net \((reverse.completel.net|unknown) \[92.103.65.138\]\)?|\[?92.103.65.138\]?|correo.peyber.es|212-181-110-115.customer.telia.com|86-125-36-12.static.rdsor.ro|84.120.163.53.dyn.user.ono.com)[ \n]\N}} deny message = rejected because recognized as Ukrainian spam condition = ${if ={$received_count}{1}} condition = ${if eq{$received_protocol}{esmtp}} condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}} condition = ${if match{$bheader_Message-ID:}\ {\N^<\d{10}\.\d{14}@\N}} condition = ${if match{$bheader_In-Reply-To:}\ {\N^<[A-F\d]{44}@[^>]+>?$\N}} condition = ${if match{$bheader_References:}\ {\N^<[A-F\d]{44}@[^>]+>? 
<[A-F\d]{30,44}@[^>]+>>?$\N}} condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\ {${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}} condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\ {${if match{$bheader_References:}{\N@.+ <(\w+)@\N}{$1}}}} deny message = rejected as spam abusing km.ru condition = ${if match{$sender_host_name}{\N^e-post\d+\.km\.ru$\N}} condition = ${if match{$header_Received:}\ {\N\A(.+\n\s)+.+\nfrom \Q\N$sender_address_domain\\E }} deny message = rejected as spam (fake subscribe.ru) senders = \N^news\d+@subscribe\.ru$\N condition = ${if match{$bheader_From:}\ {^"Subscribe.ru" <$sender_address>\$}} condition = ${if !def:header_List-Unsubscribe:} deny message = I understand neither Chinese nor Korean nor Japanese condition = ${if !match{$recipients}\ {(?i)(accmailfaqrus|mail2ftp)@tg.org.ua}} condition = ${if or{\ {match{$message_headers_raw}{\N(?i)charset="?(gb2312|big5|gbk|ks_c_|euc[_-]kr|iso-2022-jp|shift_jis)\N}}\ {match{$message_headers_raw}{\N(?i)=\?(gb2312|big5|gbk|ks_c_\w*|euc[_-]kr|iso-2022-jp|shift_jis)\?[BbQq]\?\N}}\ {match{$message_body}{\N(?i)(content-type:\s*text\/(plain|html);\s*charset=\s*"?|content=(3D)?["']text\/html;\s*charset=(3D)?)(gb2312|big5|gbk|ks_c_|euc[_-]kr|iso-2022-jp|shift_jis)\N}}\ }} deny message = Blocked as Korean spam (type 1) condition = ${if match{$rheader_Received:}\ {\N\[210\.183\.153\.\d\d\]\N}} deny message = I consider a Chinese mailbox in Reply-To as a sign of spam. 
condition = ${if match_domain{${domain:$header_reply-to:}}\ {yahoo.cn:yahoo.com.cn:yahoo.com.hk:w.cn}} warn set acl_m_d = ${sg{\ ${sg{\ ${sg{\ $sender_host_name::$sender_address_domain::\ ${domain:$header_from:}::\ ${domain:$header_reply-to:}::\ ${if match{${domain:$header_message-id:}}\ {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\ {${domain:$header_message-id:}}{}}::\ ${if match{$sender_helo_name}\ {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\ {$sender_helo_name}{}}\ }{(^|::)(?i)(?:livejournal.com|qip.ru)(::|\$)}{\$1\$2}}\ }{(::)+}{::}}\ }{^::|::\$}{}} deny message = rejected as spam because domain $dnslist_matched is \ in $dnslist_domain=$dnslist_value $dnslist_text condition = ${if def:acl_m_d} dnslists = dbl.spamhaus.org/$acl_m_d # usage limits: http://www.spamhaus.org/organization/dnsblusage.html warn condition = ${if def:acl_m_d} dnslists = multi.surbl.org/$acl_m_d # http://www.surbl.org/guidelines warns against rejecting in such way. # Evaluate for few months before adding multi.surbl.org to the "deny" above. # I don't recommend these two lists because of false positives: # multi.uribl.com/$acl_m_d : \ # uribl.swinog.ch/$acl_m_d add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: domain $dnslist_matched \ in $dnslist_domain=$dnslist_value $dnslist_text logwrite = :main,reject: ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} : \ domain $dnslist_matched in \ $dnslist_domain=$dnslist_value $dnslist_text deny condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}} # really @ !verify = header_sender/callout=10s,defer_ok,no_cache,\ mailfrom=devnull()tg.org.ua # really @ accept condition = ${if !match{$message_headers_raw}\ {\N\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?\N$sender_host_address\\]? 
by }} accept condition = ${if def:acl_c_grey_checked} defer set acl_c_grey_checked = deferred/greylisted because of \ fake Received line in the header message = $acl_c_grey_checked set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\ ${sg{$sender_host_address}{\N\.\d+$\N}{}},\ ${sg{$sender_address,$recipients}{\N[^\w.,=@-]\N}{}}} condition = ${if exists{$acl_m_greyfile}\ {${if >{${eval:$tod_epoch-\ ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\ {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}} accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \ fake Received logwrite = passed greylisting fake Received \ ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} =============== =============== You can download my lists from: http://lena.kiev.ua/blacklist_hostaddress.txt http://lena.kiev.ua/blacklist_re_helo.txt http://lena.kiev.ua/blacklist_re_hostname.txt http://lena.kiev.ua/blacklist_webmail.txt http://lena.kiev.ua/blacklist_sender_domain.txt http://lena.kiev.ua/whitelist_re_hostname.txt I use neither server-side virus-filter nor SpamAssassin nor other heavy content-filters. I wrote the above with the main goal to minimize false positives and secondary goals to minimize delays and memory consumption. However the above proved to be quite effective fending spam and viruses. Lena