1# These are snippets of my Exim configuration (variant with ${dlfunc ).
2# http://wiki.exim.org/DbLessGreyListingC
3# Lena(at)lena.kiev.ua December 1, 2017
4
5WRONG_RCPT_LIMIT = 100
6PERIOD = 1h
# WRONG_RCPT_LIMIT / PERIOD feed the `ratelimit` statements in acl_check_rcpt:
# a relay host or authenticated user that addresses more than this many
# unverifiable recipients within PERIOD gets its mail frozen and is recorded
# in blocked_relay_users / blocked_authenticated_users under $spool_directory.
7WARNTO = abuse@example.com
# Mailbox that receives the block notifications the ACLs pipe into
# `$exim_path -f root`; example.com is a placeholder value.
8SHELL = /bin/sh
9P7ZIP = /usr/local/bin/7z
# Both paths are interpolated into ${run{...}} expansions below, so they are
# kept absolute.
10# port archivers/p7zip in case of FreeBSD
11BINFORBIDDEN = Windows-executable attachments forbidden
12WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
13# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
14# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
15COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
# WINBIN and COMPREXT are regex alternations spliced into the $mime_filename
# checks of acl_check_mime (matched case-insensitively there).
16IPNOTIF = echo Subject: blocked $sender_host_address $dnslist_text \
17 ${sg{${lookup dnsdb{>, defer_never,ptr=$sender_host_address}}}{\N[^\w.,-]\N}{}}; \
18 echo; echo for bruteforce auth cracking attempt.;
# Shell fragment used inside `SHELL -c` by acl_check_helo, acl_check_auth and
# acl_check_quit.  The PTR result (DNS data outside this server's control) is
# reduced to [\w.,-] by the ${sg} before the shell sees it; $dnslist_text is
# not filtered here, so it relies on the setdnslisttext sub-ACL (not in this
# snippet) producing shell-safe text - presumably a fixed DNSBL string; confirm.
19.ifdef _OPT_MAIN_CHUNKING_ADVERTISE_HOSTS
20chunking_advertise_hosts =
21.endif
# Empty list: the CHUNKING (BDAT) extension is advertised to nobody.  The
# .ifdef keeps an Exim build without this option from rejecting the file.
22daemon_smtp_ports = 25 : 587
23accept_8bitmime = true
24untrusted_set_sender = *
25local_from_check = false
# Any local, untrusted caller may set an arbitrary envelope sender and no
# Sender: header is added to compensate.  Deliberate relaxation for local
# submission; sender policy for SMTP clients is enforced in acl_check_rcpt.
26helo_accept_junk_hosts = *
# Syntactically invalid HELO/EHLO is tolerated at the protocol level for all
# clients; HELO content is policed by the deny/defer rules in acl_check_rcpt.
27message_body_newlines = true
28check_rfc2047_length = false
29headers_charset = KOI8-R
30smtp_return_error_details = true
# Remote clients receive more detailed reasons for verification failures
# (see `require verify = sender` / `require verify = recipient` in acl_check_rcpt).
31bounce_return_size_limit = 7K
32delay_warning = 4h:99d
33message_id_header_domain = lena.kiev
34 # nonexistent domain in order to avoid spam to Message-IDs
35tls_advertise_hosts = *
36tls_certificate = /etc/ssl/exim.crt
37tls_privatekey = /etc/ssl/exim.pem
# STARTTLS is offered to every client.  The key file should be readable by
# the Exim user only.
38host_lookup = *
# Reverse DNS for every client; $sender_host_name is what the hostname
# blacklist, whitelist and "looks dynamic" / "no hostname" greylisting rules
# in acl_check_rcpt operate on.
39rfc1413_hosts = *
40rfc1413_query_timeout = 2s
# ident is queried for every client; an unanswered query adds up to 2s to the
# connection setup.
41log_selector = +smtp_confirmation +queue_time -retry_defer \
42 +smtp_incomplete_transaction +smtp_no_mail +deliver_time
# +smtp_no_mail logs connections that never issue MAIL, which is the pattern
# the AUTH-probe handling in acl_check_quit / acl_check_notquit deals with.
# Hosts exempt from the local blacklists, HELO checks, DNSBLs, SPF and
# greylisting in acl_check_rcpt (`!hosts = +whitelisted_hosts` on the deny
# statements and the `accept hosts = +whitelisted_hosts` statement), and from
# the "trojan link" rule in acl_check_mime.  The ranges were collected from
# SPF records and mailing-list posts of various dates (several notes below say
# 2008); a stale entry silently extends the bypass to whoever holds that
# address space today, so the list deserves periodic review.  Some entries
# appear twice (98.136.218.0/23, 98.138.214.0/23, 98.139.164.0/23,
# 66.163.168.0/23, 217.106.225.56) - harmless, but worth pruning.
# 81.19.74.146/24 carries host bits; Exim applies the mask, so it presumably
# matches all of 81.19.74.0/24 - confirm that is intended.
43hostlist whitelisted_hosts = \
44 # yahooGroups:
4566.163.168.0/23 : \
4666.196.80.0/23 : \
4767.195.87.0/24 : \
4898.136.45.0/24 : \
4998.136.218.0/23 : \
5098.137.34.0/24 : \
5198.138.120.0/23 : \
5298.138.214.0/23 : \
5398.139.164.0/23 : \
5498.139.237.0/24 : \
55 # yahooGroups old:
5698.136.218.0/23 : \
5798.139.44.0/24 : \
5898.138.214.0/23 : \
5998.139.164.0/23 : \
6066.163.168.0/23 : \
6167.195.134.0/23 : \
6269.147.64.0/23 : \
6369.147.102.0/23 : \
6474.6.140.0/24 : \
6598.136.44.0/23 : \
66202.86.5.0/24 : \
67203.188.202.0/24 : \
68217.146.182.0/23 : \
69209.131.38.0/24 : \
70209.191.87.0/24 : \
71209.191.125.0/24 : \
7268.142.206.0/23 : \
7368.142.236.0/23 : \
74 # rambler.ru:
7581.19.78.103/28 : \
7681.19.92.32/28 : \
7781.19.66.0/23 : \
7881.19.88.0/24 : \
79 # mail.ru:
80194.67.23.0/24 : \
81194.67.57.0/24 : \
8294.100.179.0/24 : \
83194.67.45.0/24 : \
84195.239.211.0/24 : \
85194.186.55.0/24 : \
86195.239.174.0/24 : \
8794.100.176.0/20 : \
88217.69.128.0/20 : \
89 # yandex.ru:
9087.250.230.0/24 : \
915.255.227.0/24 : \
9295.108.253.0/24 : \
9377.88.32.0/24 : \
9487.250.248.0/24 : \
95213.180.200.0/24 : \
96213.180.223.0/24 : \
9777.88.46.0/23 : \
9877.88.60.0/23 : \
9995.108.130.0/23 : \
10084.201.186.0/23 : \
101 # pochta.ru:
10281.211.64.0/24 : \
10382.204.219.0/24 : \
104 # aha.ru/go.ru:
105# 195.2.83.0/24 : \
106 # beelinegprs:
107217.118.66.233 : \
108 # ngs.ru:
10981.176.214.0/24 : \
110195.93.186.0/24 : \
111212.164.71.0/24 : \
112195.19.71.0/27 : \
113 # tut.by:
114195.137.160.39 : \
115195.137.160.40 : \
116195.137.160.44/31 : \
117 # kyivstar.net:
118193.41.60.22 : \
119 # ntvplus.ru:
120217.106.225.56 : \
121 # subscribe.ru:
12281.222.217.0/24 : \
12381.222.129.0/24 : \
12481.9.34.128/25 : \
12581.9.46.0/24 : \
126185.76.232.0/22 : \
127185.138.180.0/22 : \
128 # livejournal.com:
12981.19.74.146/24 : \
130 # spamgourmet.com:
131216.75.35.164 : \
132 # shootthebreeze.net:
13374.220.195.67 : \
134 # nym.alias.net:
13518.26.0.252 : \
136 # WatchThatPage.com:
137178.79.142.95 : \
138 # satline.net:
139212.72.193.50 : \
140 # allegro.pl:
14191.194.188.90 : 91.207.14.90 : 91.207.14.247 : 91.207.14.248 : \
14291.194.189.11 : 91.194.189.12 : 178.21.155.24 : 178.21.155.25 : \
14391.194.188.241 : 91.207.14.113 : 194.0.251.100/31 : \
144 # slando.ru :
14583.231.211.64/28 : 83.231.236.0/24 : \
146 # ntvplus.ru:
147217.106.225.56 : \
148 # mailing lists @ opennet.ru (open source software):
149217.195.210.187 : \
150 # spam-l.com:
151204.238.179.8 : 204.238.179.3 : 204.238.179.19 : \
152 # spammers.dontlike.us:
153192.249.57.241 : \
154 # mon.itor.us:
155208.76.247.123 : \
156 # mon.itor.us / monitis.com
157208.76.245.178 : \
158 # БРФЕЛБ lekafarm.com.ua:
159193.193.194.47 : \
160 # mailfilter-out-01.viettel.com.vn:
161203.113.131.24 : \
162 # paypal:
163206.165.243.109 : 206.165.243.110/31 : 206.165.243.112/28 : \
164206.165.243.128/29 : 206.165.243.136/30 : 206.165.243.140/31 : \
165 # gmail (from spf 13Nov2008):
166216.239.32.0/19 : 64.233.160.0/19 : 66.249.80.0/20 : \
16772.14.192.0/18 : 209.85.128.0/17 : 66.102.0.0/20 : \
16874.125.0.0/16 : 64.18.0.0/20 : 207.126.144.0/20 : \
169 # from exim-users May 8, 2008:
170 # Blueyonder:
171195.188.213.0/29 : 195.188.213.8/31 : \
172 # Freeserve:
173# 193.252.22.156/30 : 193.252.22.128/32 : \
174 # Tucows:
17564.97.168.37/32 : 64.97.136.128/26 : \
176 # Hotmail:
17765.54.246.0/24 : \
178 # Google:
179209.85.132.130/32 : 209.85.132.184/29 : 209.85.132.241/32 : \
180209.85.132.244/32 : 209.85.132.250/32 : 212.159.30.228/32 : \
18164.233.162.176/28 : 64.233.162.224/27 : 64.233.182.167/32 : \
18264.233.184.130/32 : 64.233.184.224/27 : 66.249.82.224/28 : \
18366.249.92.171/32 : 66.249.93.114/32 : 66.249.93.27/32 : \
184 # Messagelabs:
185# 134.159.150.64/26 : 193.109.254.0/23 : 194.106.220.0/23 : \
186# 195.245.230.0/23 : 203.129.72.208/28 : 203.129.72.240/28 : \
187# 203.129.74.224/27 : 203.166.119.128/26 : 212.125.75.0/27 : \
188# 216.82.240.0/20 : 62.173.108.16/28 : 62.173.108.208/28 : \
189# 62.231.131.0/24 : 64.124.170.128/28 : 85.158.136.0/21 : \
190 # manchester.worldispnetwork.com (with qmail):
191216.218.232.61 : \
192 # from http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?view=markup ,
193 # but 195.238.2.0/15->195.238.2.0/23:
19412.5.136.141 : 12.5.136.142/31 : 12.5.136.144 : 12.107.209.244 : \
19563.82.37.110 : 63.169.44.143 : 63.169.44.144 : 64.7.153.18 : \
19664.12.137.0/24 : 64.12.138.0/24 : \
19764.124.204.39 : 64.125.132.254 : 66.100.210.82 : 66.135.209.0/24 : \
19866.135.197.0/24 : 66.162.216.166 : 66.206.22.82/31 : 66.206.22.84/31 : \
19966.27.51.218 : 152.163.225.0/24 : 194.245.101.88 : 195.235.39.19 : \
200195.238.2.0/23 : 204.107.120.10 : 205.188.139.136/31 : 205.188.139.137 : \
201205.188.144.207 : 205.188.144.208 : 205.188.156.66 : 205.188.157.0/24 : \
202205.188.159.7 : 205.206.231.0/24 : 205.211.164.50 : 207.115.63.0/24 : \
203207.171.168.0/24 : 207.171.180.0/24 : 207.171.187.0/24 : 207.171.188.0/24 : \
204207.171.190.0/24 : 209.132.176.174 : 211.29.132.0/24 : 213.136.52.31 : \
205217.158.50.178
206pipelining_advertise_hosts = ${if eq{$sender_host_name}{$sender_helo_name}\
207 {*}{+whitelisted_hosts}}
# PIPELINING is advertised only when the reverse-DNS name equals the HELO
# name, or the client is in whitelisted_hosts; everyone else has to wait for
# each reply.
208acl_smtp_rcpt = acl_check_rcpt
209acl_smtp_data = acl_check_data
210acl_smtp_predata = acl_check_predata
211acl_smtp_mime = acl_check_mime
212acl_smtp_helo = acl_check_helo
213acl_smtp_auth = acl_check_auth
214acl_smtp_mail = acl_check_mail
215acl_smtp_connect = acl_check_connect
216acl_smtp_quit = acl_check_quit
217acl_smtp_notquit = acl_check_notquit
218acl_not_smtp = acl_check_notsmtp
219acl_not_smtp_mime = acl_check_notsmtpmime
# SMTP-stage to ACL mapping.  acl_check_data, acl_check_mail,
# acl_check_connect, acl_check_notsmtp, acl_check_notsmtpmime and the
# sub-ACLs setdnslisttext / mimeea referenced below are not part of this
# snippet.
220
221=============== <snip> ===============
222
223begin acl
224acl_check_rcpt:
# Per-recipient policy.  Order matters: local-part syntax, postmaster/abuse
# segregation, sender verification, relay hosts and authenticated users (with
# their invalid-recipient rate limits), HELO sanity, local blacklist files,
# relay control, whitelists, DNSBLs, then the greylisting ladder.  Greylist
# verdicts are stored in acl_c_grey_checked / acl_c_grey_result, which live
# for the whole connection, so every later RCPT on the same connection reuses
# the first verdict (see the defer/accept pairs keyed on acl_c_grey_checked).
225 accept hosts = :
# Submissions with no remote host (local socket / -bs) are accepted outright.
226
227 deny message = Restricted characters in address
228 domains = +local_domains
229 local_parts = ^[.] : ^.*[@%!/|]
230
231 deny message = Restricted characters in address
232 domains = !+local_domains
233 local_parts = ^[./|] : ^.*[@] : ^.*/\\.\\./
234 # was ^[./|] : ^.*[@%!] : ^.*/\\.\\./
235
# Postmaster/abuse mail must not share a message with other local recipients:
# the first RCPT fixes acl_m_pmfirst (1 = postmaster/abuse, 0 = anything
# else) and a later RCPT of the other kind is deferred.  The postmaster/abuse
# accept below happens before `require verify = sender`, so such mail is taken
# unverified; acl_check_predata greylists it instead, using acl_m_postmaster.
236 warn condition = ${if !def:acl_m_pmfirst}
237 local_parts = postmaster : abuse
238 domains = +local_domains
239 set acl_m_pmfirst = 1
240
241 warn condition = ${if !def:acl_m_pmfirst}
242 !local_parts = postmaster : abuse
243 domains = +local_domains
244 set acl_m_pmfirst = 0
245
246 defer message = letters to postmaster and abuse are accepted separately \
247 from letters to other addresses
248 local_parts = postmaster : abuse
249 domains = +local_domains
250 !condition = $acl_m_pmfirst
251
252 defer message = letters to postmaster and abuse are accepted separately \
253 from letters to other addresses
254 !local_parts = postmaster : abuse
255 domains = +local_domains
256 condition = $acl_m_pmfirst
257
258 accept local_parts = postmaster : abuse
259 domains = +local_domains
260 set acl_m_postmaster = $sender_address,$local_part@$domain
261
262 require verify = sender
263
# Relay hosts (+relay_from_hosts, this server's own interfaces excluded by
# !@[]).  acl_m_user is the client IP here.  blocked_relay_users holds
# "user:free-spool-KB-at-block-time" lines written by the ratelimit statement
# further down.  A blocked user's mail is normally frozen (next statement),
# but if free spool space has fallen to half of what it was when the block
# was made the connection is dropped instead.
264 drop hosts = !@[] : +relay_from_hosts
265 set acl_m_user = $sender_host_address
266 # or username from RADIUS
267 condition = ${if exists{$spool_directory/blocked_relay_users}}
268 set acl_m_wasfree = ${if def:acl_c_blocked{$acl_c_spoolfree}\
269 {${lookup{$acl_m_user}lsearch\
270 {$spool_directory/blocked_relay_users}}}}
271 condition = ${if match{$acl_m_wasfree}{\N^\d+$\N}}
272 condition = ${if match{$spool_space}{\N^\d+$\N}}
273 condition = ${if <={$spool_space}{${eval:$acl_m_wasfree/2}}}
274 log_message = free space on spool disk $spool_space KB - less than \
275 half than it was when the user $acl_m_user was blocked
276 message = spool disk too full
277
278 accept hosts = !@[] : +relay_from_hosts
279 condition = ${if exists{$spool_directory/blocked_relay_users}}
280 condition = ${lookup{$acl_m_user}lsearch\
281 {$spool_directory/blocked_relay_users}\
282 {1}{$acl_c_blocked}}
283 control = freeze/no_tell
284 control = submission/domain=
285 add_header = X-Relayed-From: $acl_m_user
286
# Relay host whose recipient verification (with callout) fails more than
# WRONG_RCPT_LIMIT times per PERIOD: mark it blocked for this connection,
# append it to blocked_relay_users, notify WARNTO, and freeze the message.
# The `SHELL -c "..."` string only interpolates the client IP, the numeric
# $spool_space snapshot, $spool_directory, $exim_path and macros - nothing
# typed by the client - which is what keeps it free of shell metacharacters;
# keep that property if acl_m_user ever comes from another source.
287 accept hosts = !@[] : +relay_from_hosts
288 !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
289 ratelimit = WRONG_RCPT_LIMIT / PERIOD / per_rcpt / relayuser-$acl_m_user
290 set acl_c_blocked = 1
291 set acl_c_spoolfree = $spool_space
292 continue = ${run{SHELL -c "echo $acl_m_user:$acl_c_spoolfree \
293 >>$spool_directory/blocked_relay_users; \
294 \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
295 because has sent mail to WRONG_RCPT_LIMIT invalid recipients \
296 during PERIOD.; \N}\N | $exim_path -f root WARNTO"}}
297 control = freeze/no_tell
298 control = submission/domain=
299 add_header = X-Relayed-From: $acl_m_user
300
301 accept hosts = +relay_from_hosts
302 control = submission/domain=
303
# Authenticated users: same block / spool-space logic as for relay hosts, but
# keyed on the login name.  The ${sg} below keeps only [\w.=@-] from
# $authenticated_id; that filter is what makes it safe to splice acl_m_user
# into the `SHELL -c "..."` block command and the lsearch lookups that follow.
304 drop authenticated = *
305 set acl_m_user = ${sg{$authenticated_id}{\N[^\w.=@-]\N}{}}
306# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
307 condition = ${if exists{$spool_directory/blocked_authenticated_users}}
308 set acl_m_wasfree = ${if def:acl_c_blocked{$acl_c_spoolfree}\
309 {${lookup{$acl_m_user}lsearch\
310 {$spool_directory/blocked_authenticated_users}}}}
311 condition = ${if match{$acl_m_wasfree}{\N^\d+$\N}}
312 condition = ${if match{$spool_space}{\N^\d+$\N}}
313 condition = ${if <={$spool_space}{${eval:$acl_m_wasfree/2}}}
314 log_message = free space on spool disk $spool_space KB - less than \
315 half than it was when the user $acl_m_user was blocked
316 message = spool disk too full
317
318 accept authenticated = *
319 condition = ${if exists{$spool_directory/blocked_authenticated_users}}
320 condition = ${lookup{$acl_m_user}lsearch\
321 {$spool_directory/blocked_authenticated_users}\
322 {1}{$acl_c_blocked}}
323 # The variable acl_c_blocked is used because lookup can be cached.
324 control = freeze/no_tell
325 control = submission/domain=
326 add_header = X-Authenticated-As: $acl_m_user
327
328 accept authenticated = *
329 !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
330 ratelimit = WRONG_RCPT_LIMIT / PERIOD / per_rcpt / user-$acl_m_user
331 set acl_c_blocked = 1
332 set acl_c_spoolfree = $spool_space
333 continue = ${run{SHELL -c "echo $acl_m_user:$acl_c_spoolfree \
334 >>$spool_directory/blocked_authenticated_users; \
335 \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
336 has sent mail to WRONG_RCPT_LIMIT invalid recipients during \
337 PERIOD.; \N}\N | $exim_path -f root WARNTO"}}
338 control = freeze/no_tell
339 control = submission/domain=
340 add_header = X-Authenticated-As: $acl_m_user
341
342 accept authenticated = *
343 condition = ${if !={$received_port}{25}}
344 control = submission/domain=
# Authenticated clients on port 25 are NOT accepted here: they fall through to
# every check below, including `require ... domains = +local_domains :
# +relay_to_domains`, so relaying for authenticated users works only on the
# submission port (587 in daemon_smtp_ports) - presumably deliberate.
345
# HELO sanity.  !hosts = @[] exempts this server's own addresses.
346 deny message = rejected because `HELO $sender_helo_name` means \
347 impersonation/forgery of one of my domains by a spammer
348 condition = ${if match_domain{$sender_helo_name}{+local_domains}}
349 !hosts = @[]
350
351 deny message = rejected because HELO is my (recipient server) IP-address \
352 as some spammers lie instead of sender hostname
353 condition = ${if match{$sender_helo_name}\
354 {\N^\[?\N$interface_address\N\]?$\N}}
355 !hosts = @[]
356
# Locally maintained blacklist files under /usr/local/etc/exim (nwildlsearch:
# one pattern per line; iplsearch: one address/CIDR per line).  The lookup key
# is client-supplied text, but it is only compared against the file's
# patterns, never expanded.  Whitelisted hosts are exempt.
357 deny message = `HELO $sender_helo_name` locally blacklisted
358 condition = ${lookup{$sender_helo_name}nwildlsearch\
359 {/usr/local/etc/exim/blacklist_re_helo}{1}{0}}
360 !hosts = +whitelisted_hosts
361
362 deny message = sender address domain $sender_address_domain locally \
363 blacklisted
364 condition = ${lookup{$sender_address_domain}nwildlsearch\
365 {/usr/local/etc/exim/blacklist_sender_domain}{1}{0}}
366 !hosts = +whitelisted_hosts
367
368 deny message = sender hostname $sender_host_name locally blacklisted \
369 because of too much spam from it
370 log_message = sender hostname locally blacklisted
371 condition = ${lookup{$sender_host_name}nwildlsearch\
372 {/usr/local/etc/exim/blacklist_re_hostname}{1}{0}}
373 !hosts = +whitelisted_hosts
374
375 deny message = sender IP-address $sender_host_address locally \
376 blacklisted because of too much spam from it
377 log_message = sender IP locally blacklisted
378 condition = ${lookup{$sender_host_address}iplsearch\
379 {/usr/local/etc/exim/blacklist_hostaddress}{1}{0}}
380 !hosts = +whitelisted_hosts
381
382 deny message = google photos abused by spammers
383 sender_domains = photos-server.bounces.google.com
384
# Relay control.  Only relay_from_hosts and authenticated submission-port
# clients have been accepted above; everyone else may address local or
# relay_to domains only, and the recipient must verify.
385 require message = relay not permitted
386 domains = +local_domains : +relay_to_domains
387
388 require verify = recipient
389
# Whitelisted hosts skip everything below (DNSBLs, SPF and greylisting) -
# but only after recipient verification.
390 accept hosts = +whitelisted_hosts
391 logwrite = $sender_host_address locally whitelisted
392
# Sender domain whose A record is one fixed address.
393 deny message = rejected because recognized as Russian spam (type 2)
394 condition = ${if eq{${lookup dnsdb\
395 {defer_never,a=$sender_address_domain}}}\
396 {195.191.40.160}}
397
# DNS whitelists: a hit bypasses the remaining checks.  hostkarma's 127.0.0.1
# is its "white" code; the != on dnswl excludes the 127.0.0.255 answer
# (presumably dnswl's "query blocked" code - confirm against its docs).
398 accept dnslists = list.dnswl.org!=127.0.0.255 : \
399 swl.spamhaus.org : \
400 hostkarma.junkemailfilter.com=127.0.0.1
401 logwrite = $sender_host_address whitelisted in \
402 $dnslist_domain=$dnslist_value
403 # http://www.dnswl.org/ , http://spamhauswhitelist.com ,
404 # http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
405
406 deny message = rejected because $sender_host_address is in a black list \
407 at $dnslist_domain. $dnslist_text
408 dnslists = smtp.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.5
409 # : orvedb.aupads.org
410 # open relays http://www.aupads.org/ordb.html
411 # dnsbl.njabl.org=127.0.0.2 # open relays RIP :-(
412 # list.dsbl.org, dul.ru RIP :-(
413
# Country block via nerd.dk, which encodes the ISO 3166 numeric code as
# 127.0.<hi>.<lo>: 156=CN, 344=HK, 158=TW, 410=KR, 704=VN match the message.
414 deny message = I don`t accept mail from China,HongKong,Taiwan, Korea, \
415 Vietnam because too many admins there do not care \
416 about outgoing spam. Your \
417 IP-address seems to belong to: $dnslist_text.
418 dnslists = zz.countries.nerd.dk=127.0.0.156,127.0.1.88,127.0.0.158,\
419 127.0.1.154,127.0.2.192
420#
421# uncomment if you need mail from China:
422# message = rejected because $sender_host_address is in a black list \
423# at $dnslist_domain. $dnslist_text
424# dnslists = zen.spamhaus.org : bl.spamcop.net : dnsbl.sorbs.net : \
425# hostkarma.junkemailfilter.com=127.0.0.2,127.0.0.4
426#
427
# Sender local part "no-responder" whose reverse-DNS name is
# "a<last two octets>.<sender domain>".
428 deny message = Blocked as Peruvian spam
429 condition = ${if eq{$sender_address_local_part}{no-responder}}
430 set acl_m_partip = ${if match{$sender_host_address}\
431 {\N^(?:\d+\.){2}([\d.]+)$\N}{$1}}
432 condition = ${if eq{$sender_host_name}\
433 {a$acl_m_partip.$sender_address_domain}}
434
# NOTE(review): $message_headers_raw is only populated once the headers have
# been received, so inside a RCPT-time ACL this condition appears unable to
# match - confirm whether this statement belongs in a DATA/MIME ACL instead.
435 deny message = rejected because recognized as Russian spam (type 5)
436 condition = ${if match{$message_headers_raw}\
437 {\N\nContent-Type: multipart/alternative;\n\t\
438 boundary=(.+\n)+\
439 Content-Type: multipart/alternative;\Z\N}}
440
441# accept condition = ${if def:tls_cipher}
442# condition = ${if !match{$tls_cipher}{128|168}}
443# condition = ${if eq{$received_protocol}{esmtps}}
444# # not smtps
445
446 accept condition = ${lookup{$sender_host_name}nwildlsearch\
447 {/usr/local/etc/exim/whitelist_re_hostname}{1}{0}}
448 logwrite = sender hostname $sender_host_name locally whitelisted
449
# Greylisting verdict cached earlier in this connection: replay it.
450 defer condition = ${if def:acl_c_grey_checked}
451 message = $acl_c_grey_checked
452 condition = $acl_c_grey_result
453
454 accept condition = ${if def:acl_c_grey_checked}
455
# Greylisting ladder.  Each rung calls the "grey" function in
# /root/bin/exim-ext-grey.so via ${dlfunc}, keyed on the client /24 (last
# octet stripped), the sender and the recipient; 1 = defer now, 0 = known
# triplet, let it through.  The library runs inside the Exim process with its
# privileges, so its file should be root-owned and not writable by others.
# Rung 1: HELO that is not a domain name (no dot, bare IP, or only
# digits/punctuation).
456 defer log_message = greylisted because of HELO $sender_helo_name
457 condition = ${if or{\
458 {!match{$sender_helo_name}{\\.}}\
459 {match{$sender_helo_name}\
460 {\N^(\[?(\d{1,3}\.){3}\d{1,3}\]?|\.*[-0-_]+\.*)$\N}}\
461 }}
462 set acl_c_grey_checked = deferred/greylisted because \
463 HELO `$sender_helo_name` is not a domain name
464 message = $acl_c_grey_checked
465 set acl_c_grey_result = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
466 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
467 $sender_address,$local_part@$domain}}
468 # 1 - defer, 0 - allow
469 condition = $acl_c_grey_result
470
# The X-OOO...: header records which rung the message passed.
471 accept condition = ${if def:acl_c_grey_checked}
472 logwrite = passed greylisting helo \
473 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
474 add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo
475
# Rung 2: plain SMTP (HELO rather than EHLO); callouts from other MTAs,
# recognisable by their sender address, are excluded.
476 defer log_message = greylisted because of protocol smtp
477 condition = ${if eq{$received_protocol}{smtp}}
478 # smtp (HELO), not esmtp (EHLO)
479 condition = ${if def:sender_address}
480 # not a verify/callout from another Exim
481 condition = ${if !match{$sender_address}{verif|callout|postmaster}}
482 set acl_c_grey_checked = deferred/greylisted. protocol SMTP
483 message = $acl_c_grey_checked
484 set acl_c_grey_result = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
485 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
486 $sender_address,$local_part@$domain}}
487 condition = $acl_c_grey_result
488
489 accept condition = ${if def:acl_c_grey_checked}
490 add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting smtp
491 logwrite = passed greylisting smtp \
492 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
493
# Rung 3: reverse-DNS name with three digit groups separated by - or .
# (typical of dynamic pools), unless it contains "sta" (static).
494 defer log_message = greylisted because $sender_host_name looks dynamic
495 condition = ${if match{$sender_host_name}\
496 {\N(\d{1,3}[-.]){3}\d\N}}
497 condition = ${if !match{$sender_host_name}{sta}}
498 set acl_c_grey_checked = deferred/greylisted because sender hostname \
499 $sender_host_name looks like dynamic
500 message = $acl_c_grey_checked
501 set acl_c_grey_result = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
502 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
503 $sender_address,$local_part@$domain}}
504 condition = $acl_c_grey_result
505
506 accept condition = ${if def:acl_c_grey_checked}
507 add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting dyn
508 logwrite = passed greylisting dyn \
509 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
510
# Rung 4: same pattern applied to the HELO name.
511 defer log_message = greylisted because `HELO $sender_helo_name` looks \
512 dynamic
513 condition = ${if match{$sender_helo_name}\
514 {\N(\d{1,3}[-.]){3}\d\N}}
515 condition = ${if !match{$sender_helo_name}{sta}}
516 set acl_c_grey_checked = deferred/greylisted because \
517 `HELO $sender_helo_name` looks like dynamic
518 message = $acl_c_grey_checked
519 set acl_c_grey_result = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
520 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
521 $sender_address,$local_part@$domain}}
522 condition = $acl_c_grey_result
523
524 accept condition = ${if def:acl_c_grey_checked}
525 add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo dyn
526 logwrite = passed greylisting helo dyn \
527 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
528
# Rung 5: no (forward-confirmed) reverse DNS; $sender_host_name is empty
# because host_lookup = * in the main section found nothing usable.
529 defer log_message = greylisted because no hostname
530 condition = ${if eq{$sender_host_name}{}}
531 set acl_c_grey_checked = deferred/greylisted because \
532 $sender_host_address doesn't resolve to hostname or the \
533 hostname doesn't resolve back to $sender_host_address
534 message = $acl_c_grey_checked
535 set acl_c_grey_result = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
536 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
537 $sender_address,$local_part@$domain}}
538 condition = $acl_c_grey_result
539
540 accept condition = ${if def:acl_c_grey_checked}
541 add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
542 no hostname
543 logwrite = passed greylisting no hostname \
544 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
545
# SPF, done by hand on the raw TXT records of the sender domain (the lookup
# result is the list of all TXT records).  First rule: the domain publishes
# exactly "v=spf1 -all" as its only TXT record, i.e. declares it never sends.
546 deny set acl_m_spf = ${lookup dnsdb{defer_never,txt=$sender_address_domain}}
547 message = SPF record for $sender_address_domain explicitly states \
548 that this domain should never send mail
549 condition = ${if eq{$acl_m_spf}{v=spf1 -all}}
550
# Second rule ((?m) so any TXT line counts): an spf record with two
# single-digit prefix lengths, or one prefix of /1../6 - absurdly wide ranges.
551 deny message = SPF record for $sender_address_domain lists too many \
552 IP-addresses, perhaps the whole world - that`s cheating
553 condition = ${if match{$acl_m_spf}\
554 {\N(?m)^v=spf((.+?/\d\s){2}|.+/[1-6]\s)\N}}
555
# Final rung: clients not on the proxy / CBL lists are accepted; listed ones
# are greylisted rather than rejected (next statement).
556 accept !dnslists = hostkarma.junkemailfilter.com=127.0.0.2 : \
557 http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
558 socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
559 # open HTTP,SOCKS proxies
560 # dnsbl.njabl.org=127.0.0.9 # open proxies RIP
561 cbl.abuseat.org
562# uncomment next line and comment out the cbl line if you need mail from China:
563# zen.spamhaus.org=127.0.0.2
564
565 defer log_message = greylisted because in $dnslist_domain: $dnslist_text
566 set acl_c_grey_checked = deferred/greylisted because \
567 $sender_host_address is in a black list at \
568 $dnslist_domain. $dnslist_text
569 message = $acl_c_grey_checked
570 set acl_c_grey_result = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
571 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
572 $sender_address,$local_part@$domain}}
573 condition = $acl_c_grey_result
574
575 accept logwrite = passed greylisting $dnslist_domain \
576 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
577 add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
578 $dnslist_domain
579
580acl_check_predata:
# Runs at DATA, before the message body is received.
581#(Exim4.71+) require control = dkim_disable_verify
582

# More than two RCPTs were rejected in this transaction: refuse the message
# even though some recipients were accepted (address-harvesting pattern).
583 deny message = too many invalid recipients
584 condition = ${if >{$rcpt_fail_count}{2}}
585

586 accept hosts = +relay_from_hosts
587

588 accept authenticated = *
589

# Only transactions that included a postmaster/abuse recipient (which
# acl_check_rcpt accepted without sender verification and recorded in
# acl_m_postmaster) go through the greylisting below.
590 accept condition = ${if !def:acl_m_postmaster}
591

# Replay a greylisting verdict already cached for this connection.
592 defer condition = ${if def:acl_c_grey_checked}
593 message = $acl_c_grey_checked
594 condition = $acl_c_grey_result
595

596 accept condition = ${if def:acl_c_grey_checked}
597

# Unconditional greylisting of postmaster/abuse mail, keyed on the client /24
# plus the "sender,recipient" pair saved in acl_m_postmaster.  The "3 min" in
# the text is presumably the retry window built into exim-ext-grey.so; nothing
# in this file configures it.
598 defer log_message = postmaster greylisted
599 set acl_c_grey_checked = All mail to postmaster is \
600 deferred/greylisted here for 3 min because \
601 of too much spam and no other checks.
602 message = $acl_c_grey_checked
603 set acl_c_grey_result = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
604 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
605 $acl_m_postmaster}}
606 condition = $acl_c_grey_result
607

608 accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
609 postmaster
610 logwrite = passed greylisting postmaster \
611 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
612
613acl_check_mime:
# Runs once per MIME part.  The deny rules are content heuristics tuned to
# specific spam waves; the attachment rules (BINFORBIDDEN) are the generic
# part.  Statements that talk to the network (the readsocket probes) and to
# an external program (p7zip) are annotated where they occur.
#
# "Trojan link" heuristic for a text/plain part from an unauthenticated,
# non-whitelisted, non-list sender: the Received chain (scanned backwards from
# the raw headers) shows a 4-6 letter .com/.net/.org HELO handed through a
# relay whose banner mentions smtpsa / bizsmtp / ASMTP (SSL, the part holds
# exactly one URL, and that HELO domain has neither an A nor an MX record.
614 deny condition = ${if eq{$mime_content_type}{text/plain}}
615 !hosts = +whitelisted_hosts
616 !sender_domains = returns.groups.yahoo.com : groups.io
617 !authenticated = *
618 condition = ${if !def:header_List-ID:}
619 set acl_m_fakedom = ${if match{$message_headers_raw}{\N\nReceived: \
620 .*?(?:\n\s.*?)*?\
621 (?:helo=|HELO |EHLO |from )([a-z]{4,6}\.(?:com|net|org))\
622 .*?(?:\n\s.*?)*?\
623 (?i)(?:smtpsa|bizsmtp|ASMTP \(SSL)\
624 .*?(?:\n\s.*?)*?\
625 \n[^R\s]\N}{$1}}
626 condition = ${if def:acl_m_fakedom}
627 mime_regex = https?.//
628 !mime_regex = (?s)https?.//.+https?.//
629 condition = ${if eq{}{${lookup dnsdb{defer_never,a=$acl_m_fakedom}}}}
630 condition = ${if eq{}{${lookup dnsdb{defer_never,mxh=$acl_m_fakedom}}}}
631 message = trojan link suspected: \
632 ${if match{$message_body}{\N(https?://[^>\s]+)\N}{$1}} \
633 rcpthelo=$acl_m_fakedom recipients=$recipients
634

# Stolen-password relay heuristic.  For a text/plain part (not from a known
# list domain) that contains exactly one URL, $regex1 = its host and
# $regex2 = its path; the rule fires when the message has several To:
# addresses or the path ends in a 4-hex-digit tracking token, AND an HTTP HEAD
# to that host either redirects back to the same path or to a domain listed in
# redirect_domains.
# The readsocket probe makes this MTA open an outbound TCP connection, at DATA
# time and for up to 4s per message, to a host named in untrusted message
# content; the only gate before the socket is the A-record check.  A sender
# can therefore steer the probe at any name that resolves, including names
# resolving to loopback or internal addresses.  If that matters here, reject
# hosts whose address falls in private/loopback ranges before the probe, or
# take the probe out of the SMTP transaction.  $regex2 is [^>\s]+, so it
# cannot inject extra request lines; $regex1 is [^/]+ and may contain anything,
# but a malformed name should fail the dnsdb lookup first - confirm.
635 deny message = rejected because recognized as spam via a relay \
636 authenticated with a stolen password
637 condition = ${if eq{$mime_content_type}{text/plain}}
638 condition = ${if !def:header_List-ID:}
639 condition = ${lookup{$sender_address_domain}nwildlsearch\
640 {/usr/local/etc/exim/mailing_list_domains}{0}{1}}
641 !mime_regex = (?s)https?.//.+https?.//
642 mime_regex = \Nhttp.//([^/]+)(/[^>\s]+)
643 condition = ${if or{\
644 {>{${listcount:${addresses:$rheader_To:}}}{1}}\
645 {match{$regex2}{\N(^/|\?)[a-fA-F\d]{4}$\N}}\
646 }}
647# $regex requires Exim 4.87+
648 condition = ${lookup dnsdb{defer_never,a=$regex1}{1}{0}}
649 set acl_m_red = ${if match{${readsocket{inet:$regex1:80}\
650 {HEAD $regex2 HTTP/1.0\r\nHost: $regex1\r\n\r\n}\
651 {4s}{%~}{socket failure}}}\
652 {\N(?i)\AHTTP/... 3.+%~Location: (?:https?://)?(.*?)\s*%~\N}{$1}}
653 logwrite = :reject: $regex1$regex2 redirect to $acl_m_red
654 set acl_m_domred = ${sg{$acl_m_red}{/.*}{}}
655 condition = ${if or{\
656 {and{\
657 {eq{$acl_m_red}{$regex2}}\
658 {match{$regex2}{\N(^/|\?)[a-fA-F\d]{4}$\N}}\
659 }}\
660 {bool{${lookup{$acl_m_domred}nwildlsearch\
661 {/usr/local/etc/exim/redirect_domains}{1}{0}}}}\
662 }}
663

# Second hop of the same probe: follows the first redirect (acl_m_domred /
# acl_m_uri from the previous statement) once more, with the same outbound
# connection caveats as above, and denies if that target is in
# redirect_domains.  Only reached when the previous statement set
# acl_m_domred but did not deny.
664 deny message = rejected because recognized as spam via a relay \
665 authenticated with a stolen password
666 condition = ${if def:acl_m_domred}
667 condition = ${if >{${listcount:${addresses:$rheader_To:}}}{1}}
668 set acl_m_uri = ${sg{$acl_m_red}{^[^/]+/?}{/}}
669 condition = ${lookup dnsdb{defer_never,a=$acl_m_domred}{1}{0}}
670 set acl_m_red = ${if match{${readsocket{inet:$acl_m_domred:80}\
671 {HEAD $acl_m_uri HTTP/1.0\r\nHost: $acl_m_domred\r\n\r\n}\
672 {4s}{%~}{socket failure}}}\
673 {\N\AHTTP/... 3.+%~Location: https?://(.*?)\s*%~\N}{$1}}
674 logwrite = :reject: $acl_m_domred$acl_m_uri second redirect to $acl_m_red
675 set acl_m_domred = ${sg{$acl_m_red}{/.*}{}}
676 condition = ${lookup{$acl_m_domred}nwildlsearch\
677 {/usr/local/etc/exim/redirect_domains}{1}{0}}
678

# Windows executables, by content-type or by file extension (WINBIN macro).
679 deny message = BINFORBIDDEN
680 log_message = forbidden attachment: filename=$mime_filename, \
681 content-type=$mime_content_type, recipients=$recipients
682 condition = ${if or{\
683 {match{$mime_content_type}\
684 {(?i)executable|application/x-ace-compressed}}\
685 {match{$mime_filename}{\N(?i)\.(WINBIN)$\N}}\
686 }}
687

# Executables inside archives (.exe.zip, .zip, ...).  `decode = default`
# writes the part to the spool and ${run{P7ZIP l -y ...}} lists it; ${run}
# does not go through a shell and the file name is chosen by Exim, so there is
# no quoting problem.  p7zip is nevertheless parsing sender-supplied archives
# inside the DATA phase: the message_size cap bounds the work, and p7zip
# should be kept patched.  The final regex matches listing rows (they start
# with a year) whose name ends in a compressed or executable extension, so a
# nested archive counts too.
688 deny message = Compressed BINFORBIDDEN
689 condition = ${if or{\
690 {match{$mime_content_type}\
691 {(?i)executable|application/x-ace-compressed}}\
692 {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
693 }}
694 condition = ${if <{$message_size}{1500K}}
695 decode = default
696 log_message = forbidden binary in attachment: filename=$mime_filename, \
697 recipients=$recipients
698 condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
699 {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}
700

# Byte-level UTF-8 pattern: three occurrences of an ASCII-delimited Vietnamese
# letter with tone mark (U+1EA1.. range and a few combining forms) in a
# text part sent via a mail-*.google.com host.
701 deny message = Blocked as Vietnamese spam from gmail
702 condition = ${if match{$sender_host_name}\
703 {\N^mail-[\w-]+\.google\.com$\N}}
704 condition = ${if match{$mime_content_type}{text/(plain|html)}}
705 condition = ${if eqi{$mime_charset}{UTF-8}}
706 mime_regex = \N([\x01-\x7f](\xe1(\xba[\xa1-\xa3\xa5\xa6\xa8\xab\xad\xb6\xbe\xbf]|\xbb[\x81\x82\x85-\x87\x89-\x92\x97\x99-\x9c\xaa\xab\xad\xb0\xb1])|\xc3[\xaa\xa2\xb4]\xcc[\x81\x83\x89])[\x01-\x7f].*?){3}
707

# Base64 UTF-8 Subject + Foxmail [cn] X-Mailer + an .xls attachment.
708 deny message = Blocked as Chinese spam (type 1)
709 condition = ${if match{$rheader_Subject:}{\N=\?utf-8\?B\?\N}}
710 condition = ${if match{$bheader_X-mailer:}{\NFoxmail [\d, ]+ \[cn\]\N}}
711 condition = ${if or{\
712 {eq{$mime_content_type}{application/vnd.ms-excel}}\
713 {match{$mime_filename}{\N(?i)\.xls$\N}}\
714 }}
715

# Three ASCII-delimited runs of CJK ideographs (UTF-8 lead bytes E4..E9) in a
# plain-text part.
716 deny message = Blocked as Chinese spam (type 2)
717 condition = ${if eq{$mime_content_type}{text/plain}}
718 condition = ${if eqi{$mime_charset}{UTF-8}}
719 mime_regex = \N\
720 ([\x01-\x7f](\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9]).+?){3}
721

722 deny message = Blocked as Chinese spam (type 4)
723 !authenticated = *
724 condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
725 condition = ${if eq{$mime_content_type}{text/html}}
726 condition = ${if eqi{$mime_charset}{utf-8}}
727 mime_regex = <FONT face=[^>]+_GB2312>
728

# HTML part that begins with a script-generated meta refresh.
729 deny message = Blocked as Korean spam (type 2)
730 condition = ${if eq{$mime_content_type}{text/html}}
731 mime_regex = \N\A\
732 <script\slanguage=JavaScript>m='%3Cmeta%20http-equiv%3D%22refresh%22
733

# Markers for the "type 11" rule below: acl_m_plain = 1 once a text/plain
# part has been seen (reset by an embedded message/rfc822), acl_m_yadisk = 1
# if that plain part already carried a yadi.sk link.
734 warn condition = ${if eq{$mime_content_type}{text/plain}}
735 set acl_m_plain = 1
736 mime_regex = https?.//yadi.sk/
737 set acl_m_yadisk = 1
738

739 warn condition = ${if eq{$mime_content_type}{message/rfc822}}
740 set acl_m_plain = 0
741

# HTML alternative carries a yadi.sk link that the plain alternative did not.
742 deny message = rejected because recognized as Russian spam via a relay \
743 authenticated with a stolen password (type 11)
744 !authenticated = *
745 condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
746 condition = ${if eq{$mime_content_type}{text/html}}
747 condition = $acl_m_plain
748 !condition = $acl_m_yadisk
749 mime_regex = href="?https?.//yadi.sk/
750

# Colon-separated list of URL patterns seen in Ukrainian spam waves.
# NOTE(review): in the yadi.sk/i/ entry, `[^\1][^\2][^\3][^\4]` does not
# compare against the captured characters - inside a character class PCRE
# reads \1..\4 as octal escapes (control characters 1-4), so those classes
# match almost any character.  The entry therefore fires on any
# href="...yadi.sk/i/XXXX...">...yadi.sk/i/... pair, including ones where the
# visible link equals the href.  Something like
# `(?!\1\2\3\4)....` would be needed to express "different link text".
751 deny message = rejected because recognized as Ukrainian spam (type 2)
752 condition = ${if eq{$mime_content_type}{text/html}}
753 condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
754 mime_regex = \Nhref="?http.//(mailplus\d*.kiev|(marmaer|stopm|mailtrackers).com).ua/ :\
755 smartresponder.ru/ : \
756 src="?http.//element-architecture.com/ : \
757 href="?http.//(www.)?radiationsafe.com/ : \
758 href="?http.//(usndr.com|rumailer.ru|sn.am)/ : \
759 href="http.//[^/\s]*&#\d+; : \
760 href="http.//(\w+\.)?salesdoubler.com.ua/ : \
761 href="http.//mailtrackers.(ru|com.ua)/ : \
762 (src|href)="http[^"]+/amsweb.php\? : \
763 href="?https?.//yadi.sk/i/(.)(.)(.)(.)[^>]+>https?.//yadi.sk/i/[^\1][^\2][^\3][^\4] : \
764 href="http.//(\w+\.)?(salesdoubler.com.ua|(poshtar|ua24|tmm).bz.ua|(opt-in-mailer|drtracing|sendlx|getintoinbox|emlportal).com|(fastemailsender|emailunion).net|(mail-run|gakedki|adwad|skypromotion).ru|infobiz.in.ua|goldservicebiz.pp.ua)/
765

# Silently discarded (not rejected) - only for list mail to one fixed
# recipient.
766 discard message = discarded because recognized as Ukrainian spam (type 3)
767 condition = ${if eq{$sender_address_domain}{returns.groups.yahoo.com}}
768 condition = ${if eqi{$recipients}{lena@lena.kiev.ua}}
769 condition = ${if eq{$mime_content_type}{text/html}}
770 mime_regex = \Nhref="http.//(\w+\.)?emailunion.net/
771

# Rejects a Russian lead-list solicitation phrase with a misleading "User
# unknown" text.  NOTE(review): the pattern bytes are the phrase
# "Вас интересуют базы данных потенциальных клиентов" ("Are you interested in
# databases of potential customers") after at least one charset
# re-encoding (the first two words are UTF-8 read as Latin-1; the comment
# line below is the KOI8-R form read as CP1251).  That may be intentional if
# the spam itself arrives mangled this way; otherwise the regex will never
# match the clean UTF-8 text - verify against a raw sample.
772 deny message = User unknown
773 !authenticated = *
774 condition = ${if eq{$mime_content_type}{text/plain}}
775 condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
776 mime_regex = Ð’Ð°Ñ Ð¸Ð½Ñ‚ÐµÑ€ÐµÑуют базы данных потенциальных клиентов
777 # чБУ ЙОФЕТЕУХÐФ ВБЪЩ ДБООЩИ РПФЕОГЙБМШОЩИ ЛМЙЕОФПЧ
778

# Sub-ACL not included in this snippet.
779 require acl = mimeea
780

# Everything below applies only to mail for the mail2ftp command robot.
781 accept condition = ${if !match{$recipients}{\N(?i)mail2ftp[^,]*@tg.org.ua\N}}
782 # it's my robot which replies to emailed commands
783

784 deny message = You must set up your mail client to send plain text, \
785 no HTML, no attachments
786 condition = ${if match{$mime_content_type}{(?i)html|multipart}}
787

# The body must start with one of the robot's commands.
788 require message = Command in the first line of letter body \
789 not recognized - send HELP
790 mime_regex = \N(?i)\Amail2ftp(verbose)?\s :\
791 (?i)\Ahttp(post|get)[swtn]?\s :\
792 (?i)\Alogin\s :\
793 (?i)\A\"?help[\"\s\n]
794

795 accept
796
797acl_check_helo:
# Drop the Cutwail/PushDo bot by its fixed HELO, record the client in
# blocked_IPs and notify WARNTO.  Only $sender_host_address (from the TCP
# connection) is interpolated into the shell command; $sender_helo_name is
# compared but never passed to the shell.  MASKW is a macro not defined in
# this snippet (presumably a mask suffix such as /24 - confirm).  The entry
# is written in double quotes so that iplsearch, which reads this file back in
# acl_check_auth / acl_check_quit, accepts it even for IPv6.  Nothing in this
# snippet consults blocked_IPs at connect time; presumably acl_check_connect
# (not shown) does.
798 drop message = Cutwail/PushDo bot blacklisted
799 condition = ${if eq{$sender_helo_name}{ylmf-pc}}
800 acl = setdnslisttext
801 continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
802 >>$spool_directory/blocked_IPs; \
803 \N{\N IPNOTIF \N}\N | $exim_path -f root WARNTO'}}
804 # if this bot is dropped at helo, it repeats multiple times,
805 # but if dropped at connect, it tries only twice
806

807 accept
808
809acl_check_auth:
# Brute-force throttling for AUTH.  acl_m_auth counts AUTH commands within
# the current message (acl_m_ variables are reset per message); the third one
# is dropped after a 22s tarpit.  The leading 0 in ${eval10:0$var+1} makes the
# expression valid while the variable is still empty.
810 drop message = authentication is allowed only once per message in order \
811 to slow down bruteforce cracking
812 set acl_m_auth = ${eval10:0$acl_m_auth+1}
813 condition = ${if >{$acl_m_auth}{2}}
814 delay = 22s
815

# acl_c_authnomail counts AUTH commands over the whole connection.  Past the
# fifth one, a client not yet in blocked_IPs (or when that file does not yet
# exist) is appended to it and WARNTO notified; the next statement then drops
# it either way.  Only the connection IP reaches the shell string.
# NOTE(review): the address is written bare here and in acl_check_quit, while
# acl_check_helo writes it quoted; iplsearch expects IPv6 keys quoted, so the
# bare form would be misread for IPv6 clients - confirm whether IPv6 listeners
# are configured.
816 drop message = blacklisted for bruteforce cracking attempt
817 set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
818 condition = ${if >{$acl_c_authnomail}{4}}
819 condition = ${if exists{$spool_directory/blocked_IPs}\
820 {${lookup{$sender_host_address}iplsearch\
821 {$spool_directory/blocked_IPs}{0}{1}}}\
822 {1}}
823 acl = setdnslisttext
824 continue = ${run{SHELL -c "echo $sender_host_address \
825 >>$spool_directory/blocked_IPs; \
826 \N{\N IPNOTIF \N}\N | $exim_path -f root WARNTO"}}
827

828 drop message = blacklisted for bruteforce cracking attempt
829 condition = ${if >{$acl_c_authnomail}{4}}
830

# Records a 1000-bucket hash of the AUTH PLAIN/LOGIN initial response so that
# acl_check_quit / acl_check_notquit can rate-limit per IP+credential without
# keeping the credential itself.  Only set when the client sends an initial
# response on the AUTH line; a bare "AUTH LOGIN" leaves it undefined, which
# those ACLs treat as the stricter case.
831 accept set acl_c_authhash = ${if match{$smtp_command_argument}\
832 {\N(?i)^(?:plain|login) (.+)$\N}{${n hash_1000:$1}}}
833
834acl_check_quit:
# Runs when the client sends QUIT. Both statements are "warn" (side effects
# only). $authentication_failed is set when any AUTH during the connection
# failed.
#
# Step 1: when a credential hash was captured in acl_check_auth, count this
# IP+credential pair. With a limit of 0 the ratelimit condition is
# effectively always true, so the set always runs: acl_c_hashrate becomes
# the integer part of $sender_rate, i.e. how often this exact credential
# has been tried from this address within the 5m window.
835 warn condition = $authentication_failed
836 condition = ${if def:acl_c_authhash}
837 ratelimit = 0 / 5m / strict / $sender_host_address-$acl_c_authhash
838 set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}
839
# Step 2: log the failed-auth QUIT (the logwrite precedes the remaining
# conditions, so it happens for every failed-auth QUIT), then blacklist the
# address only when
#   - no credential hash was captured, or the same credential was seen
#     fewer than 2 times (presumably sparing a legitimate client that
#     retries one wrong password while catching varying guesses), and
#   - more than 7 such connections (per_conn) were seen in 5 minutes, and
#   - the address is not already in blocked_IPs (0 when found, else 1).
840 warn condition = $authentication_failed
841 logwrite = :reject: quit after authentication failed: \
842 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
843 condition = ${if or{\
844 {!def:acl_c_authhash}\
845 {<{$acl_c_hashrate}{2}}\
846 }}
847 ratelimit = 7 / 5m / strict / per_conn
848 condition = ${if exists{$spool_directory/blocked_IPs}\
849 {${lookup{$sender_host_address}iplsearch\
850 {$spool_directory/blocked_IPs}{0}{1}}}\
851 {1}}
852 acl = setdnslisttext
 # NOTE(review): expanded by Exim before /bin/sh parses it; if IPNOTIF
 # interpolates DNS-derived text such as $dnslist_text, that text reaches the
 # shell unquoted — confirm it cannot contain shell metacharacters.
853 continue = ${run{SHELL -c "echo $sender_host_address \
854 >>$spool_directory/blocked_IPs; \
855 \N{\N IPNOTIF \N}\N | $exim_path -f root WARNTO"}}
856
857acl_check_notquit:
# Counterpart of acl_check_quit for connections that end without QUIT.
# Same two-step logic (see the per-credential hash rate, then the
# per-connection rate) but with 2h windows, and only for the reasons
# "connection-lost" and "synchronization-error" in $smtp_notquit_reason.
858 warn condition = $authentication_failed
859 condition = ${if def:acl_c_authhash}
860 ratelimit = 0 / 2h / strict / $sender_host_address-$acl_c_authhash
861 set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}
862
# Log every failed-auth non-QUIT ending (logwrite precedes the reason
# filter), then blacklist when the reason matches, the credential hash is
# absent or was retried fewer than 2 times, more than 7 connections were
# seen in 2h, and the address is not already listed in blocked_IPs.
863 warn condition = $authentication_failed
864 logwrite = :reject: $smtp_notquit_reason after authentication failed: \
865 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
866 condition = ${if match{$smtp_notquit_reason}\
867 {^(connection-lost|synchronization-error)}}
868 condition = ${if or{\
869 {!def:acl_c_authhash}\
870 {<{$acl_c_hashrate}{2}}\
871 }}
872 ratelimit = 7 / 2h / strict / per_conn
873 condition = ${if exists{$spool_directory/blocked_IPs}\
874 {${lookup{$sender_host_address}iplsearch\
875 {$spool_directory/blocked_IPs}{0}{1}}}\
876 {1}}
877 acl = setdnslisttext
 # NOTE(review): expanded by Exim before /bin/sh parses it; if IPNOTIF
 # interpolates DNS-derived text such as $dnslist_text, that text reaches the
 # shell unquoted — confirm it cannot contain shell metacharacters.
878 continue = ${run{SHELL -c "echo $sender_host_address \
879 >>$spool_directory/blocked_IPs; \
880 \N{\N IPNOTIF \N}\N | $exim_path -f root WARNTO"}}
881
882setdnslisttext:
# Helper ACL used only for its side effect: when the client address is
# listed in the country DNSBL, the dnslists condition populates
# $dnslist_text (and the other $dnslist_* variables) for the caller's
# notification. The ACL returns accept whether or not the address is listed.
883 accept dnslists = zz.countries.nerd.dk
884
885 accept
886
887
888acl_check_mail:
# MAIL-time ACL: resets the connection-scoped AUTH counter used by
# acl_check_auth, so that counter measures AUTH attempts not followed by a
# MAIL command. Every MAIL is accepted here.
889 accept set acl_c_authnomail = 0
890
891acl_check_connect:
# Connection-time ACL. First a static blacklist of addresses/CIDRs and
# reverse-DNS names; then the dynamic blocked_IPs file maintained by the
# helo/auth/quit/notquit ACLs; everything else is accepted. "drop" sends
# the message and closes the connection.
892 drop message = suspicious client on $sender_host_name \
893 [$sender_host_address] locally blacklisted
894 condition = ${if or{\
895 {match_ip{$sender_host_address}{84.246.224.0/21:202.91.182.94:\
896 66.46.176.241:61.146.233.114:66.197.220.252:211.35.163.211:\
897 77.245.72.32:77.245.72.33:69.73.148.36:203.156.213.70:\
898 83.70.129.73:95.226.163.141:69.69.168.196:189.109.6.132:\
899 111.164.160.85:113.244.192.180:213.166.137.49:\
900 113.65.140.54:180.120.238.48:217.7.232.64:173.0.50.7:\
901 205.234.222.29:82.165.45.163:113.111.194.39:113.65.163.75:\
902 195.88.208.0/23:98.141.206.122:121.145.96.64/26}}\
903 {match{$sender_host_name}\
904 {\N^(mailserver\.liceocampoverde\.com|\
905 68-115-208-106\.static\.spbg\.sc\.charter\.com|\
906 ppp-\d+-\d+-\d+-\d+\.revip2\.asianet\.co\.th|\
907 ec2-\d+-\d+-\d+-\d+.[\w-]+.compute\.amazonaws\.com)$\N}}\
908 }}
909
# Dynamic blacklist. The existence check uses the plain path; the lookup
# goes through "/var/..$spool_directory", which names the same file only
# because $spool_directory is an absolute path (see the author's note).
910 drop message = $sender_host_address locally blacklisted for a bruteforce \
911 auth (username+password) cracking attempt
912 condition = ${if exists{$spool_directory/blocked_IPs}}
913 condition = ${lookup{$sender_host_address}iplsearch\
914 {/var/..$spool_directory/blocked_IPs}{1}{0}}
915 # Another path to the same file in order to circumvent lookup caching.
916
917 accept
918
919hash:
# Helper ACL: stores ${nhash_1000:} of its single argument in the
# connection variable acl_c_authhash. It is not invoked anywhere in the
# visible part of the file; presumably called as ${acl{hash}{...}} from an
# authenticator for clients that send credentials after the AUTH command,
# since acl_check_auth only hashes an initial response given on the AUTH
# line itself.
920 accept set acl_c_authhash = ${nhash_1000:$acl_arg1}
921
922acl_check_data:
# DATA-time ACL. Statements run in order and the first deny/discard/defer/
# accept that fires ends processing, so ordering is significant. Roughly:
# mailer/website probes, header-sequence fingerprints, rules for the
# author's autoresponders, webmail originating-IP extraction (acl_m_web) and
# blacklisting, Reply-To EBL check ("rt"), host whitelist, per-family
# Russian/Ukrainian/CJK fingerprints, URI DNSBL checks on the domains
# collected in acl_m_d, sender callout for one autoresponder, and finally
# greylisting (external "grey" dlfunc) of messages whose headers already
# carry a Received: line naming the connecting host.
#
# "SwiftMailer, no website": X-*-Mailer header present, sender domain has an
# A record, and an HTTP HEAD of the domain's web root (4s timeout, response
# lines joined by %~; "socket failure" on error) answers 403 or a 3xx whose
# Location points at /customer/ or /customer/index.php/.
# NOTE(review): this opens an outbound TCP connection from the MTA to a host
# chosen by the envelope sender, once per matching message, with up to a 4s
# stall each; treat that as an outbound-connection and delay exposure.
923 deny message = SwiftMailer, no website
924 condition = ${if match{$message_headers_raw}\
925 {\N\nX-\w+-Mailer: SwiftMailer -\N}}
926 condition = ${lookup dnsdb{defer_never,a=$sender_address_domain}{1}{0}}
927 condition = ${if match{${readsocket{inet:$sender_address_domain:80}\
928 {HEAD / HTTP/1.0\r\nHost: $sender_address_domain\r\n\r\n}\
929 {4s}{%~}{socket failure}}}\
930 {\\AHTTP/... (403|3.+%~Location: http://$sender_address_domain/customer/(index.php/)?\\s*%~)}}
931
# Bounce (empty sender) over plain SMTP whose From: local part is not a
# daemon and whose headers show a second, forged Received: line ("from
# unknown (HELO localhost) (user@domain@ip)" ... "with ESMTPA") directly
# followed by From/To/Subject; discard so no bounce-of-bounce is generated.
932 discard message = discarded because recognized as Ukrainian spam (type 2)
933 senders = :
934 condition = ${if eq{$received_protocol}{smtp}}
935 condition = ${if !match{${local_part:$header_From:}}{(?i)daemon}}
936 condition = ${if match{$message_headers_raw}\
937 {\N\AReceived:(?:.+\n\t)+.+\n\
938 Received: from unknown \(HELO localhost\) \
939 \(([a-z\d._-]+@[a-z\d.-]+)@([\d.]+)\)\n\
940 \tby \S+ with ESMTPA;.+\n\
941 (X-Originating-IP: \2\n)?\
942 From: \1\n\
943 To: \S+\n\
944 Subject: \N}}
945# The second Received is fake.
946
# Reply-To local part starting "prodawez" and envelope sender equal to the
# (single) recipient.
947 discard message = Russian spam discarded
948 condition = ${if match{${address:$rheader_Reply-To:}}{^prodawez}}
949 condition = ${if eqi{$sender_address}{$recipients}}
950
# NOTE(review): this statement appears redundant. Its Location pattern
# (".../customer/index.php/") is a subset of the first SwiftMailer
# statement's "(403|3.+ .../customer/(index.php/)?)", so anything it could
# match was already denied above; the only way it fires is a different
# outcome of this second readsocket (e.g. the first one timed out), at the
# cost of a second outbound connection and up to 4 more seconds.
951 deny message = SwiftMailer, no website
952 condition = ${if match{$message_headers_raw}\
953 {\N\nX-\w+-Mailer: SwiftMailer -\N}}
954 condition = ${lookup dnsdb{defer_never,a=$sender_address_domain}{1}{0}}
955 condition = ${if match{${readsocket{inet:$sender_address_domain:80}\
956 {HEAD / HTTP/1.0\r\nHost: $sender_address_domain\r\n\r\n}\
957 {4s}{%~}{socket failure}}}\
958 {\\AHTTP/... 3.+%~Location: http://$sender_address_domain/customer/index.php/\\s*%~}}
959
# Empty-sender message to postmaster (acl_m_postmaster is set elsewhere,
# not in this part of the file) whose whole body is one short line
# optionally followed by a single http:// URL.
960 deny message = rejected because recognized as spam to postmaster
961 condition = ${if !def:sender_address}
962 condition = ${if def:acl_m_postmaster}
963 condition = ${if match{$message_body}\
964 {\N^[^\r\n]{1,80}(\r?\n\r?)?http://[^\r\n]+[\r\n]*\Z\N}}
965
# Protocol name starting with "smtp" (no EHLO) plus an exact header sequence
# imitating Outlook Express, with a forged second Received: "from unknown
# (HELO <name>) ([ip])" whose HELO name reappears in the Message-ID domain.
966 deny message = rejected because recognized as a Windows bot spam
967 condition = ${if match{$received_protocol}{^smtp}}
968 condition = ${if match{$message_headers_raw}\
969 {\N\AReceived:(?:.+\n\t)+.+\n\
970 (?:X-AntiVirus:.+\n)?\
971 Received: from unknown \(HELO (\w+)\) \(\[[\d.]+\]\)\n\
972 \tby \S+ with ESMTP;.+\n\
973 Message-ID: <.+@\w+\1>\n\
974 From: "?\w+ \w+"? <.+\n\
975 To: \S+\n\
976 Subject: .*\n\
977 Date: .+\n\
978 MIME-Version: 1.0\n\
979 Content-Type: text/plain;\n\
980 \tformat=flowed;\n\
981 \tcharset="(KOI8-R|windows-1250|iso-8859-[12])";\n\
982 \treply-type=original\n\
983 Content-Transfer-Encoding: [78]bit\n\
984 X-Priority: 3\n\
985 X-MSMail-Priority: Normal\n\
986 X-Mailer: Microsoft Outlook Express \N}}
987# the second Received is fake.
988
# Early accept when acl_m_pmfirst is true; it is set elsewhere (not in this
# part of the file), presumably for the postmaster address.
989 accept condition = $acl_m_pmfirst
990
# Autoresponder rule: mail to accmailfaqrus must have no Subject, or a
# Subject that merely says "no subject"/"empty" (also in Russian, which is
# mis-encoded in this paste) or a probable-spam tag. The empty group "()" in
# the recipient pattern stands for "@" per the author's comment.
991 deny message = Send empty letter without Subject \
992 (Otprav`te pustoe pis`mo bez temy).
993 condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
994 # really @
995# my autoresponder which replies only to empty letters
996 condition = ${if def:header_subject:}
997 condition = ${if !match{$header_subject:}{\N(?i)[вВ]ЕЪ ФЕÐЩ|no subject|[рР]ХУФП|empty|^\[\?\? Probable Spam\]$|^([\[\(\*\+]*(probabl[ey] |posibl[ey] |suspected )?spam[\]\)\*\+:\s]*)?(help|.{0,3})$\N}}
998
# Body-parsing autoresponders accept only plain text (Content-Type must not
# say html or multipart).
999 deny message = You must set up your mail client to send plain text, \
1000 no HTML, no attachments
1001 condition = ${if match{$recipients}\
1002 {\N(?i)(mail2ftp[^,]*|tgrus-archive(-backup)?|koi)@tg.org.ua\N}}
1003# my various autoresponders which parse message body
1004 condition = ${if match{$rheader_Content-Type:}{(?i)html|multipart}}
1005
# Two autoresponders accept only personal mail: reject when more than one
# recipient, recipients differ from To:, bulk/list Precedence, empty sender,
# daemon-like sender local part, any of the usual auto-generated/vacation
# markers, or a self-addressed message.
1006 deny message = Only private letters to an autoresponder are accepted.
1007 condition = ${if match{$recipients}\
1008 {\N(?i)(accmailfaqrus|tgrus-archive-list)@tg.org.ua\N}}
1009 condition = ${if or{\
1010 {!={$recipients_count}{1}}\
1011 {!eqi{$recipients}{${addresses:$rheader_to:}}}\
1012 {match{$rheader_precedence:}{bulk|list|junk}}\
1013 {!def:sender_address}\
1014 {match{$sender_address_local_part}\
1015 {(?i)mailer-daemon|-outgoing|-relay|listserv|-request}}\
1016 {def:header_auto-submitted:}\
1017 {def:header_list-unsubscribe:}\
1018 {eqi{$sender_address}{$recipients}}\
1019 {def:header_Autorespond:}\
1020 {def:header_X-Autoresponse:}\
1021 {def:header_X-Autoreply-From:}\
1022 {def:header_X-eBay-MailTracker:}\
1023 {def:header_X-MaxCode-Template:}\
1024 {def:header_X-FC-MachineGenerated:}\
1025 {def:header_X-Auto-Response-Suppress:}\
1026 {match{$header_X-OS:}{HP Onboard Administrator}}\
1027 {eq{$header_X-MimeOLE:}{Produced By phpBB2}}\
1028 {match{$h_From:}{\\(via the vacation program\\)}}\
1029 {match{$h_Subject:}{\N^Yahoo! Auto Response$|\
1030 ^ezmlm warning$|^Out of Office|^Autoresponse:|\
1031 ^Auto-Reply:|\(Auto Reply\)$|\(Out of Office\)$|\
1032 is out of the office\.$\N}}\
1033 }}
1034
# --- Webmail originating-IP extraction. The following warn statements try,
# provider by provider, to pull the end user's IPv4 address out of Received
# / X-Originating-IP-style headers into acl_m_web; later statements fall
# back to the previous value ({$1}{$acl_m_web}) or only run while acl_m_web
# is still unset. The value is sender-supplied header text, constrained by
# the capture groups to dotted-quad form, and is used as an iplsearch key
# in the deny at the end of this group.
# Hotmail: gated on the connecting host's reverse name.
1035 warn condition = ${if match{$sender_host_name}\
1036 {\N\.(blu|col|bay|snt)\d+\.hotmail\.com$\N}}
1037 set acl_m_web = ${if match{$rheader_Received:}{\Nfrom [^\(]+\
1038 \(\[(\d+\.\d+\.\d+\.\d+)\]\) by \
1039 [^\w-]+\.((blu|col|bay|snt)\d+\.hotmail\.com|phx\.gbl) \
1040 (over TLS secured channel )?with Microsoft SMTPSVC\N}{$1}}
# Yahoo: web interface first, then authenticated SMTP submission headers.
1041 warn condition = ${if match{$sender_host_name}\
1042 {\N\.mail\....?\.yahoo\.co(m|\.jp)$\N}}
1043 condition = ${if or{\
1044 {match{$rheader_X-Yahoo-Newman-Property:}{ymail}}\
1045 {def:header_X-RocketYMMF:}\
1046 {match{$bheader_X-Mailer:}{^YahooMail}}\
1047 }}
1048 set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
1049 \[(\d+\.\d+\.\d+\.\d+)\] by \
1050 web\d+(\.biz)?\.mail\....?\.yahoo\.co(m|\.jp) via HTTP; \N}{$1}}
1051 condition = ${if !def:acl_m_web}
1052 set acl_m_web = ${if match{$bheader_Received:}{\Nfrom \
1053 [^(\n]+ \([^)\n]+@(\d+\.\d+\.\d+\.\d+) \
1054 with (login|plain)?( \[\d.]+\])?\)\n\s+by \
1055 smtp\d+(\.(plus|sbc|biz))?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}}
1056 condition = ${if !def:acl_m_web}
1057 set acl_m_web = ${if match{$bheader_X-Rocket-Received:}{\Nfrom \
1058 [^(\n]+ \([^)\n]+@(\d+\.\d+\.\d+\.\d+) \
1059 with (login|plain)?( \[\d.]+\])?\)\n\s+by \
1060 smtp\d+(\.(plus|sbc|biz))?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}}
# AOL: webmail UI, then third-party-client submission.
1061 warn condition = ${if match{$sender_host_name}\
1062 {\N\.mx\.aol\.com$\N}}
1063 set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
1064 (\d+\.\d+\.\d+\.\d+) by webmail-\w+\.sysops\.aol\.com \
1065 \(\d+\.\d+\.\d+\.\d+\) with HTTP \(WebMailUI\); \N}{$1}}
1066 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1067 \S+ \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\)\
1068 (?:\s+\(using \S+ with cipher \S+ \(\d+/\d+ bits\)\))?\
1069 (?:\s+\(No client certificate requested\))?\
1070 \s+by mtaout-[\w.]+\.mx\.aol\.com \(MUA/Third Party Client \
1071 Interface\) with ESMTPS?A id \N}{$1}{$acl_m_web}}
# LotusLive.
1072 warn condition = ${if match{$sender_host_name}\
1073 {\N^outbound\d+\.messaging\.lotuslive\.com$\N}}
1074 set acl_m_web = ${if match{$rheader_Received:}\
1075 {\N^@[\w.-]+@(\d+\.\d+\.\d+\.\d+)\)\N}{$1}}
# Generic webmail software, not gated on the connecting host: SquirrelMail,
# RisuMail, Roundcube, Horde, mshttpd, UebiMiau, CommuniGate Pro, IMP, any
# "with http", Gmail ESMTPS submission, OpenWebMail's X-OriginatingIP.
1076 warn set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1077 [\d.]+ (?:\(\[[\d.]+\]\) )?\(proxying[\s\n]+for[\s\n]+\
1078 (\d+\.\d+\.\d+\.\d+)(, [\w.-]+)?\)\n\
1079 \s+\(SquirrelMail authenticated user[\s\n]+[^)\n\r]+\)\n\
1080 \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
1081 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1082 (?:\S+ \(\[)?(\d+\.\d+\.\d+\.\d+)(?:\]\))?\
1083 (?: \(proxying for unknown\))?\n?\
1084 \s+\(SquirrelMail authenticated user[\s\n]+[^)\n\r]+\)\n\
1085 \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
1086 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1087 (\d+\.\d+\.\d+\.\d+)(?: \(proxying for [^)]+\))?[\n\s]+\
1088 \(RisuMail authenticated user \N}{$1}{$acl_m_web}}
1089 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1090 \S+ \(\](\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+[\s\n]+\
1091 with[\s\n]+HTTP(?s).+\nUser-Agent: Roundcube Webmail\N}\
1092 {$1}{$acl_m_web}}
1093 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1094 \S+[\n\s]+\((?:\S+[\n\s]+)?\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by\
1095 [\n\s]+\S+[\n\s]+\(Horde([\n\s]+(Framework|MIME[\n\s]+library))?\)\
1096 [\n\s]+with[\n\s]+HTTP\N}{$1}{$acl_m_web}}
1097 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1098 \S+\s+\((?:\S+\s+)?\[(\d+\.\d+\.\d+\.\d+)\]\)\s+by\s+\S+\s+\(Horde\s+\
1099 (Framework|MIME\s+library)\)\s+with\s+HTTP;\N}{$1}{$acl_m_web}}
1100 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1101 \[(\d+\.\d+\.\d+\.\d+)\] by \S+[\s\n\r]+ \(mshttpd\);\N}\
1102 {$1}{$acl_m_web}}
1103 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1104 client (\d+\.\d+\.\d+\.\d+) for UebiMiau\d+\.\d+ \(webmail \
1105 client\);\N}{$1}{$acl_m_web}}
1106 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1107 \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s+]by \S+ \
1108 with HTTP \(UebiMiau\);\N}{$1}{$acl_m_web}}
1109 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1110 \[(\d+\.\d+\.\d+\.\d+)\] \(account \S+\)[\s\n\r]+by[\s\n\r]+\
1111 \S+[\s\n\r]+\(CommuniGate Pro WEBUSER \S+\)[\s\n\r]+\
1112 with[\s\n\r]+HTTP\N}{$1}{$acl_m_web}}
1113 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\
1114 \S+[\s\n]+\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\
1115 [\s\n]+\(IMP\)[\s\n]+with[\s\n]+HTTP[\s\n]\N}{$1}{$acl_m_web}}
1116 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\
1117 (?:\S+[\s\n]+)?\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\
1118 [\s\n]+with[\s\n]+http[\s\n]\N}{$1}{$acl_m_web}}
1119 set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
1120 \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\r]+\s+\
1121 by mx.google.com with ESMTPS id \N}{$1}{$acl_m_web}}
1122 condition = ${if match{$bheader_X-Mailer:}{^OpenWebMail }}
1123 set acl_m_web = ${if match{$bheader_X-OriginatingIP:}\
1124 {\N^\[?(\d+\.\d+\.\d+\.\d+)\]?( |$)\N}{$1}}
# Last-resort headers, each tried only while acl_m_web is still unset.
1125 warn condition = ${if !def:acl_m_web}
1126 set acl_m_web = ${if match{$bheader_X-Originating-IP:}\
1127 {\N^\[?(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]?$\N}{$1}}
1128 warn condition = ${if !def:acl_m_web}
1129 set acl_m_web = ${if match{$bheader_X-Client-IP:}\
1130 {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
1131 warn condition = ${if !def:acl_m_web}
1132 set acl_m_web = ${if match{$bheader_X-Origin:}\
1133 {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
1134 warn condition = ${if !def:acl_m_web}
1135 set acl_m_web = ${if match{$bheader_X-Originator:}\
1136 {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
1137 warn condition = ${if !def:acl_m_web}
1138 set acl_m_web = ${if match{$bheader_X-SenderIP:}\
1139 {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
1140 warn condition = ${if !def:acl_m_web}
1141 set acl_m_web = ${if match{$bheader_X-PHP-Script:}\
1142 {\N^\S+ for (\d+\.\d+\.\d+\.\d+)$\N}{$1}}
# Reject when the extracted originating address is in the local webmail
# blacklist (Yahoo Groups traffic exempted). Note the key is whatever the
# sender's headers claimed, so a forged header can only cause a self-reject.
1143 deny message = webmail from $acl_m_web locally blacklisted
1144 condition = ${if def:acl_m_web}
1145 condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
1146 condition = ${lookup{$acl_m_web}iplsearch\
1147 {/usr/local/etc/exim/blacklist_webmail}{1}{0}}
1147
# Google+ "post shared" notifications from Google's outbound hosts.
1149 deny message = Google+ is evil spammer
1150 condition = ${if match{$sender_host_name}\
1151 {\N^mail-[\w-]+\.google\.com$\N}}
1152 condition = ${if eq{$bheader_X-Notification-Type:}{STREAM_POST_SHARED}}
1153
# Yahoo "mail to friend", calendar invites and unp notifications.
1154 deny message = calendar.yahoo.com, refertofriend(unp) and \
1155 "mail to friend" on news.yahoo.com abused by spammers
1156 condition = ${if match{$sender_host_name}\
1157 {\N\.bullet\.(mail\.)?...?\.yahoo\.com$\N}}
1158 condition = ${if match{$bheader_X-Yahoo-Newman-Property:}\
1159 {\N^(mail-to-friend|calendar-invite|unp)$\N}}
1160
# Self-addressed message relayed through ngs.ru from one of several source
# networks (either order in the Received line). Discarded rather than denied
# for the reason in the author's comment.
1161 discard message = discarded because recognized as Russian spam via a relay \
1162 authenticated with a stolen password (type 6)
1163 condition = ${if eqi{$sender_address}{$recipients}}
1164 condition = ${if match{$rheader_Received:}\
1165 {\N\Wngs\.ru\W.*\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d|192\.9\.\d+|188\.162\.([12]?\d|3[01])|178\.137\.1[2-9])\.|\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d|192\.9\.\d+|188\.162\.([12]?\d|3[01])|178\.137\.1[2-9])\..*\Wngs\.ru\W\N}}
1166# discarded because $sender_address eq $recipients,
1167# therefore a "deny" would generate a bounce from the relay again to me.
1168
# Fingerprint bundle (all must hold): exactly two Received lines, a
# 32-hex-digit Message-ID at a short alphabetic domain, an "unknown"
# injector, a single To: address that is not among the envelope recipients,
# no Cc/In-Reply-To/list headers, an Outlook Express / Windows Mail X-Mailer,
# base64 windows-1251 Subject and a +0500/+0600 Date offset.
1169 deny message = rejected because recognized as sent by Russian spambot via \
1170 a relay authenticated with a stolen password (type 7)
1171 condition = ${if ={$received_count}{2}}
1172 condition = ${if match{$rheader_Message-ID:}\
1173 {\N<[\dA-F]{32}@[a-z]{4,7}>\N}}
1174 condition = ${if match{$message_headers_raw}\
1175 {Received: from [Uu]nknown }}
1176 condition = ${if def:header_To:}
1177 condition = ${if !def:header_Cc:}
1178 condition = ${if !def:header_In-Reply-To:}
1179 condition = ${if !def:header_Importance:}
1180 condition = ${if !def:header_X-Mailing-List:}
1181 condition = ${if !def:header_List-Unsubscribe:}
1182 condition = ${if !def:header_Sender:}
1183 condition = ${if !def:header_X-Sender:}
1184 condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
1185 condition = ${if !match{${addresses:>, $rheader_To:}}{,}}
1186 # single address in To
1187 condition = ${if !forany{<, $recipients}\
1188 {eqi{$item}{${address:$rheader_To:}}}}
1189 condition = ${if match{$rheader_X-Mailer:}\
1190 {Microsoft (Outlook Express|Windows( Live)? Mail)}}
1191 condition = ${if match{$rheader_Subject:}{\N=\?windows-1251\?B\?\N}}
1192 condition = ${if match{$rheader_date:}{\N \+0[56]00\N}}
1193
# Injecting host (the "from X" of the second Received line) listed in the
# local blacklist_injector file.
1194 deny message = rejected because recognized as sent by Russian spambot via \
1195 a relay authenticated with a stolen password (type 8)
1196 condition = ${if ={$received_count}{2}}
1197 set acl_m_bot8 = ${if match{$header_Received:}\
1198 {\N\A(?:.+\n\s)+.+\nfrom (\S+) \N}{$1}}
1199 condition = ${lookup{$acl_m_bot8}nwildlsearch\
1200 {/usr/local/etc/exim/blacklist_injector}{1}{0}}
1201
1202 deny message = spam in Hebrew
1203 condition = ${if match{$bheader_List-Unsubscribe:}\
1204 {http://emails-direct.com/}}
1205
# Trusts a Microsoft Forefront verdict header (";SFV:SPM;") on non-list
# mail whose sender domain is not a known mailing-list domain. The header
# is sender-supplied, so a forged one can at most cause a self-reject.
1206 deny message = Microsoft thinks it is spam: SFV:SPM in \
1207 X-Forefront-Antispam-Report
1208 condition = ${if match{$rheader_X-Forefront-Antispam-Report:}\
1209 {;SFV:SPM;}}
1210 condition = ${if !def:header_List-ID:}
1211 condition = ${lookup{$sender_address_domain}nwildlsearch\
1212 {/usr/local/etc/exim/mailing_list_domains}{0}{1}}
1213
# Reply-To addresses checked against the EBL (see the "rt" ACL below);
# "require" denies if that ACL does not accept.
1214 require acl = rt
1215
# Skip the remaining checks for locally submitted mail (the empty host-list
# item) and the whitelisted_hosts list.
1216 accept hosts = : +whitelisted_hosts
1217
# Throw-away web-hosting account: sender of the form
# <From-local-part>-<recipient with @ replaced by =>@..., delivered directly
# from a host of the sender's own domain, everything self-consistent, body
# with the sender domain's URL, a run of dot-only lines and the URL again.
1218 deny message = rejected as spam from a \
1219 web-hosting account created for spamming only
1220 condition = ${if match{$sender_address}\
1221 {${local_part:$header_From:}-${sg{$recipients}{@}{=}}@}}
1222 condition = ${if match{$sender_host_name}\
1223 {^[a-z]+\.$sender_address_domain\$}}
1224 condition = ${if ={$received_count}{2}}
1225 condition = ${if match{$header_Received:}\
1226 {\N\A(.+\n\s)+.+\nby \N$sender_host_name id }}
1227 condition = ${if eq{$sender_address_domain}{${domain:$header_From:}}}
1228 condition = ${if eq{$recipients}{$header_To:}}
1229 condition = ${if eq{$header_Content-Type:}{text/plain;}}
1230 condition = ${if !def:header_Content_Transfer_Encoding:}
1231 condition = ${if eq{$sender_host_name}{${domain:$header_Message-ID:}}}
1232 condition = ${if match{$message_body}\
1233 {http://$sender_address_domain/\N\w.+\n(\.\n){4,}.+: http://\N$sender_address_domain/\\w}}
1234
1235 deny message = rejected because recognized as sent by spammers` mailer
1236 condition = ${if match{$rheader_Received:}\
1237 {((?i)helo(?-i)|from)[ =]QRJATYDI}}
1238
# Header-sender verification for unauthenticated mail, except to the
# accmailfaqrus autoresponder and except two sender patterns. No message
# modifier, so Exim's default rejection text is used.
1239 deny condition = ${if !match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
1240 # really @
1241 !senders = MAILER-DAEMON@spamgourmet.com : \N^\w+@slando\.\N
1242 !authenticated = *
1243 !verify = header_sender
1244
# Mail to postmaster with a KOI8-R base64 or quoted From: and a body made
# of columns separated by runs of spaces (the character class is
# mis-encoded in this paste; presumably a Cyrillic range).
1245 deny message = rejected because recognized as Russian spam (type 1)
1246 condition = ${if match{$recipients}{^postmaster@[^@]+\$}}
1247 condition = ${if match{$rheader_From:}\
1248 {\N^(\t| )(=\?koi8-r\?B\?I|\")\N}}
1249 condition = ${if match{$message_body}\
1250 {\N([а-Ñ\d]{5} {5,9}\S[^\n\r]+[\n\r]+){2}\N}}
1251
# Specific ICQ/phone numbers in the Subject: discard when self-addressed
# (no bounce), deny otherwise.
1252 discard message = discarded because recognized as Russian spam (type 3)
1253 condition = ${if match{$header_Subject:}\
1254 {\N (ICQ:? ?6288862|\+79133913837) \N}}
1255 condition = ${if eqi{$sender_address}{$recipients}}
1256
1257 deny message = rejected because recognized as Russian spam (type 3)
1258 condition = ${if match{$header_Subject:}{ ICQ:? ?6288862 }}
1259
1260 deny message = rejected because recognized as Russian spam (type 4)
1261 condition = ${if match{$header_List-Unsubscribe:}{http://mainler.ru/}}
1262
# Stolen-password relay, type 1: a generic/Windows-looking HELO name (or the
# sender's own domain / host name used as HELO) in the Received line, or a
# windows-1251 text part containing high-bit bytes; plus MimeOLE X-MimeOLE;
# plus one of three Content-Type/encoding shapes ($ESC presumably a macro
# defined elsewhere).
1263 deny message = rejected because recognized as sent by Russian spambot via \
1264 a relay authenticated with a stolen password (type 1)
1265 condition = ${if or{\
1266 {match{$rheader_received:}{(?s);.+\
1267 (helo=|HELO |EHLO |from )(User|(Thunder)?server|SERVER|tserver1|\
1268 Server1|yandex\\.ru|otissys1|PADILLA|TTSRV\\d+|srv2003|\
1269 Server-Terminal|source|serveur2|cmgserver|UnknownHost|\
1270 ${if def:sender_address_domain{$sender_address_domain}{User}}|\
1271 ${if def:sender_host_name{$sender_host_name}{User}})\
1272 [\\) \\r\\n]}}\
1273 {and{\
1274 {match{$rheader_Content-Type:}{(?si)text.+windows-1251}}\
1275 {match{$message_body$message_body_end}{\N[\xC1-\xFE]\N}}\
1276 }}\
1277 }}
1278 condition = ${if match{$rheader_X-MimeOLE:}\
1279 {Produced By Microsoft MimeOLE }}
1280 condition = ${if or{\
1281 {and{\
1282 {match{$bheader_Content-Type:}{\N^text/(plain|html);([\r\n]*\t| )(charset="?([Ww]indows-125[10]|koi8-u|[\w_-]+\$ESC)"?|format=flowed;[\r\n]+\tcharset="(koi8-r|windows-1251)";[\r\n]+\treply-type=original)$\N}}\
1283 {eqi{$bheader_Content-Transfer-Encoding:}{7bit}}\
1284 }}\
1285 {match{$message_headers_raw}{\N\nContent-transfer-encoding: 8BIT\nContent-type: text/plain; charset=Windows-1251\n\N}}\
1286 {and{\
1287 {match{$bheader_Content-Type:}\
1288 {\N^multipart/(mixed|related|alternative);[\r\n]+\t\N}}\
1289 {match{$message_body}\
1290 {\N[\r\n](Content-Type: text/(plain|html);( |[\r\n]+\t)\
1291 charset="(Windows-1251|[\w_-]+\$ESC)"[\r\n]+\
1292 (Content-Transfer-Encoding: 7bit|\
1293 Content-transfer-encoding: 8BIT)|\
1294 Content-type: text/plain; charset=Windows-1251[\r\n]+\
1295 Content-transfer-encoding: 7BIT)[\r\n]\N}}\
1296 }}\
1297 }}
1298
# Type 2: a fixed quoted-printable windows-1251 greeting in the body.
1299 deny message = rejected because recognized as sent by Russian spambot via \
1300 a relay authenticated with a stolen password (type 2)
1301 condition = ${if match{$message_body}\
1302 {\NContent-Type: text/plain;[\r\n]+\
1303 [ \t]+charset="windows-1251"[\r\n]+\
1304 Content-Transfer-Encoding: quoted-printable[\r\n]+\
1305 =C7=E4=F0=E0=E2=F1=F2=E2=F3=E9=F2=E5, =CF=EE=EB=F3=F7=E0=F2=E5=EB=FC\.[\r\n]+\
1306 =DD=F2=EE =D2=E5=EA=F1=F2=EE=E2=E0=FF =F7=E0=F1=F2=FC =EF=E8=F1=FC=EC=E0=\
1307 [\r\n]+\
1308 \.[\r\n]+\
1309 =D1 =F3=E2=E0=E6=E5=ED=E8=E5=EC, =D1=F3=EF=E5=F0 =D4=E8=F0=EC=E0\.\N}}
1310# The quoted-printable text above decodes (Russian) to: "Hello, Recipient.
1311# This is the text part of the letter.
1312# Regards, Super Firm."
1313
# Type 3: mPOP web-mail X-Mailer without the matching "with HTTP" hop.
1314 deny message = rejected because recognized as sent by Russian spambot via \
1315 a relay authenticated with a stolen password (type 3)
1316 condition = ${if match{$rheader_X-Mailer:}{mPOP Web-Mail }}
1317 condition = ${if !match{$rheader_Received:}{ with HTTP;}}
1318
# Type 4: MimeOLE plus a known Message-ID host or injecting address.
1319 deny message = rejected because recognized as sent by Russian spambot via \
1320 a relay authenticated with a stolen password (type 4)
1321 condition = ${if match{$rheader_X-MimeOLE:}\
1322 {Produced By Microsoft MimeOLE }}
1323 condition = ${if or{\
1324 {match{$rheader_Message-ID:}{@cmgserver>}}\
1325 {match{$rheader_Received:}{\\Q[77.110.55.86]\\E}}\
1326 }}
1327
# Type 5: a long static list of injecting host names / addresses in any
# Received line.
1328 deny message = rejected because recognized as sent by Russian spambot via \
1329 a relay authenticated with a stolen password (type 5)
1330 condition = ${if match{$message_headers_raw}\
1331 {\N\nReceived: from ((www\.)?caspel\.com|\[?(74.10.145.5[56]|79.172.192.188|217.153.227.194|95.211.160.137|207.99.107.164|194.152.235.4|62.101.95.45|93.63.224.135|188.230.127.16|69.183.32.232|89.96.100.146|109.166.1[23]\d\.\d+|89.96.63.62|95.76.161.199|195.82.150.22|212.36.95.121|85.132.32.44|94.30.234.213|212.0.116.118|86.125.36.12|212.181.110.115|195.149.220.131|195.189.46.3|193.205.162.98|77.72.193.206|193.205.184.124|89.25.105.101)\]?|(62-101-94-46|83-103-51-58|193.205.162.98).ip.fastwebnet.it|62.82.74.234.static.user.ono.com|89-96-100-146.ip11.fastwebnet.it|93-63-224-132.ip29.fastwebnet.it|94.244.190.227.nash.net.ua|reverse.completel.net \((reverse.completel.net|unknown) \[92.103.65.138\]\)?|\[?92.103.65.138\]?|correo.peyber.es|212-181-110-115.customer.telia.com|86-125-36-12.static.rdsor.ro|84.120.163.53.dyn.user.ono.com|host217-34-238-217.in-addr.btopenworld.com|ppp03-std.net.lg.ua|unknown \(HELO 193.205.162.98\)|host7-8-static.238-77-b.business.telecomitalia.it|host-212-36-95-121.solointernet.com|2-229-114-95.ip196.fastwebnet.it|relay.rrc.com.ua|(?i)27.Red-2-139-255.staticIP.rima-tde.net|89-96-63-62.ip11.fastwebnet.it|75-151-69-41-littlerock.hfc.comcastbusiness.net|vds125.xserver.ua|11942.user.farlep.net|69-183-32-232.saisystems.com|dafi-16.vl.net.ua|93-63-224-135.ip29.fastwebnet.it|server88-208-229-7.live-servers.net|pool-91-218-19-45.optima-east.net|81.184.3.111.static.user.ono.com)[ \n]\N}}
1332
# Direct ESMTP delivery with synthetic Message-ID / In-Reply-To / References
# values whose left-hand parts do not agree with each other.
1333 deny message = rejected because recognized as Ukrainian spam
1334 condition = ${if ={$received_count}{1}}
1335 condition = ${if eq{$received_protocol}{esmtp}}
1336 condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}}
1337 condition = ${if match{$bheader_Message-ID:}\
1338 {\N^<\d{10}\.\d{14}@\N}}
1339 condition = ${if match{$bheader_In-Reply-To:}\
1340 {\N^<[A-F\d]{44}@[^>]+>?$\N}}
1341 condition = ${if match{$bheader_References:}\
1342 {\N^<[A-F\d]{44}@[^>]+>? <[A-F\d]{30,44}@[^>]+>>?$\N}}
1343 condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
1344 {${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}}
1345 condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
1346 {${if match{$bheader_References:}{\N@.+ <(\w+)@\N}{$1}}}}
1347
# km.ru outbound host whose second Received line claims the sender's domain.
1348 deny message = rejected as spam abusing km.ru
1349 condition = ${if match{$sender_host_name}{\N^e-post\d+\.km\.ru$\N}}
1350 condition = ${if match{$header_Received:}\
1351 {\N\A(.+\n\s)+.+\nfrom \Q\N$sender_address_domain\\E }}
1352
# subscribe.ru lookalike: real newsletters carry List-Unsubscribe.
1353 deny message = rejected as spam (fake subscribe.ru)
1354 senders = \N^news\d+@subscribe\.ru$\N
1355 condition = ${if match{$bheader_From:}\
1356 {^"Subscribe.ru" <$sender_address>\$}}
1357 condition = ${if !def:header_List-Unsubscribe:}
1358
# CJK charsets in headers, encoded words, or body Content-Type/meta tags,
# except for two autoresponders.
1359 deny message = I understand neither Chinese nor Korean nor Japanese
1360 condition = ${if !match{$recipients}\
1361 {(?i)(accmailfaqrus|mail2ftp)@tg.org.ua}}
1362 condition = ${if or{\
1363 {match{$message_headers_raw}{\N(?i)charset="?(gb2312|big5|gbk|ks_c_|euc[_-]kr|shift_jis)\N}}\
1364 {match{$message_headers_raw}{\N(?i)=\?(gb2312|big5|gbk|ks_c_\w*|euc[_-]kr|shift_jis)\?[BbQq]\?\N}}\
1365 {match{$message_body}{\N(?i)(content-type:\s*text\/(plain|html);\s*charset=\s*"?|content=(3D)?["']text\/html;\s*charset=(3D)?)(gb2312|big5|gbk|ks_c_|euc[_-]kr|shift_jis)\N}}\
1366 }}
1367
1368 deny message = Blocked as Korean spam (type 1)
1369 condition = ${if match{$rheader_Received:}\
1370 {\N\[210\.183\.153\.\d\d\]\N}}
1371
# UTF-8 encoded-word Subject whose decoded text starts with a CJK
# ideograph (optionally preceded by the "▲" triangle, \xe2\x96\xb2).
1372 deny message = Blocked as Chinese spam (type 3)
1373 condition = ${if match{$rheader_Subject:}{\N^ =\?utf-8\?\N}}
1374 condition = ${if match{$bheader_Subject:}\
1375 {\N^(\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9])\N}}
1376
1377 deny message = I consider a Chinese mailbox in Reply-To as a sign of spam.
1378 condition = ${if match_domain{${domain:$header_reply-to:}}\
1379 {yahoo.cn:yahoo.com.cn:yahoo.com.hk:w.cn}}
1380
# Build acl_m_d, a "::"-separated list of domains to look up in URI/domain
# DNSBLs: reverse name, sender domain, From/Reply-To/Message-ID domains and
# HELO name (the host-like ones only when they look like real host names).
# The innermost sg strips well-known shared domains (livejournal.com,
# qip.ru, ...) from the list, the next collapses repeated separators, the
# outermost trims leading/trailing separators.
1381 warn set acl_m_d = ${sg{\
1382 ${sg{\
1383 ${sg{\
1384 ${if match{$sender_host_name}\
1385 {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\
1386 {$sender_host_name}}::\
1387 $sender_address_domain::\
1388 ${domain:$header_from:}::\
1389 ${domain:$header_reply-to:}::\
1390 ${if match{${domain:$header_message-id:}}\
1391 {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\
1392 {${domain:$header_message-id:}}}::\
1393 ${if match{$sender_helo_name}\
1394 {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\
1395 {$sender_helo_name}}\
1396 }{(^|:)(?i)(?:(?:[^:]+\.)?(?:livejournal.com|qip.ru|pochta.ru|land.ru|front.ru|nm.ru|kinozal.tv|sovam.net.ua|forum.firstvds.ru|firstvds.ru|smtp-pulse.com))(:|\$)}{\$1\$2}}\
1397 }{(::)+}{::}}\
1398 }{^::|::\$}{}}
1399
# Spamhaus DBL on the collected domains, for non-list mail only; only the
# listed return codes count (127.0.1.2/4/5).
1400 deny message = rejected as spam because domain $dnslist_matched is \
1401 in $dnslist_domain=$dnslist_value $dnslist_text
1402 condition = ${if def:acl_m_d}
1403 condition = ${if !def:header_List-ID:}
1404 condition = ${lookup{$sender_address_domain}nwildlsearch\
1405 {/usr/local/etc/exim/mailing_list_domains}{0}{1}}
1406 dnslists = dbl.spamhaus.org=127.0.1.2,127.0.1.4,127.0.1.5/$acl_m_d
1407# usage limits: http://www.spamhaus.org/organization/dnsblusage.html
1408
# SURBL is evaluate-only: tag the message with a header and log a hit, but
# do not reject (see the author's notes).
1409 warn condition = ${if def:acl_m_d}
1410 dnslists = multi.surbl.org/$acl_m_d
1411# http://www.surbl.org/guidelines warns against rejecting in such way.
1412# Evaluate for few months before adding multi.surbl.org to the "deny" above.
1413# I don't recommend these two lists because of false positives:
1414# multi.uribl.com/$acl_m_d : \
1415# uribl.swinog.ch/$acl_m_d
1416 add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: domain $dnslist_matched \
1417 in $dnslist_domain=$dnslist_value $dnslist_text
1418 logwrite = :main,reject: ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} : \
1419 domain $dnslist_matched in \
1420 $dnslist_domain=$dnslist_value $dnslist_text
1421
# For the accmailfaqrus autoresponder only: verify the header sender with a
# callout (10s, defer treated as ok, no cache, null-like MAIL FROM).
1422 deny condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
1423 # really @
1424 !verify = header_sender/callout=10s,defer_ok,no_cache,\
1425 mailfrom=devnull()tg.org.ua
1426 # really @
1427
# Greylisting gate. Skip the first header (presumably Exim's own Received:,
# with its continuation lines) and accept unless the NEXT header is a
# Received: line "from [<connecting address>] by", i.e. the sender had
# already written a Received: line naming this very connection.
# NOTE(review): $sender_host_address is interpolated into the pattern
# unescaped, so its dots match any character; harmless here but worth
# knowing if the pattern is reused.
1428 accept condition = ${if !match{$message_headers_raw}\
1429{\N\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?\N$sender_host_address\\]? by }}
1430
# Only one greylisting decision per connection.
1431 accept condition = ${if def:acl_c_grey_checked}
1432
# The "set" precedes the condition, so acl_c_grey_checked is defined whether
# or not the external function asks to defer; it also supplies the defer
# text. Arguments: the client /24 (last octet stripped), envelope sender,
# and the recipients joined by ";". The .so is loaded from /root/bin.
1433 defer set acl_c_grey_checked = deferred/greylisted because of \
1434 fake Received line in the header
1435 message = $acl_c_grey_checked
1436 condition = ${dlfunc{/root/bin/exim-ext-grey.so}{grey}\
1437 {${sg{$sender_host_address}{\N\.\d+$\N}{}},\
1438 $sender_address,${sg{$recipients}{[, ]+}{;}}}}
1439
1440 accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
1441 fake Received
1442 logwrite = passed greylisting fake Received \
1443 ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
1444
1445rt:
# Reply-To check, invoked with "require acl = rt" from the DATA and
# non-SMTP ACLs. Every address in Reply-To: is passed to the "ea" ACL; the
# message is denied if any of them comes back as "caught" (listed in the
# EBL). Note the log_message carries the EBL detail while the SMTP response
# stays generic, for the reason in the author's comment.
1446 deny condition = ${if forany{${addresses:$rheader_Reply-To:}}\
1447 {eq{${acl{ea}{$item}}}{caught}}}
1448 log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \
1449 From: $header_From:, envelope-from $sender_address, \
1450 recipients=$recipients, Subject: $header_Subject:
1451 message = spam detected
1452 # 419 (Nigerian) scams often sent by humans, do not tell them
1453 # that the spam was detected with EBL http://msbl.org
1453
1455 accept
1456
1457mimeea:
# MIME-part check, invoked with "require acl = mimeea" from the MIME and
# non-SMTP MIME ACLs. For text parts, the regex captures up to five e-mail
# addresses (groups 1, 3, 5, 7 and 9 — the even groups are the non-greedy
# spans between them) and each is handed to the "ea" ACL; the part is
# denied if any comes back "caught". $acl_m_ea, set by "ea", holds the
# normalized form of the last address it examined.
1458 deny condition = ${if match{$mime_content_type}{text}}
1459 mime_regex = \N(?s)([\w.+=-]+@\w[\w-]*\.[\w.-]+\w)\
1460 (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\
1461 (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\
1462 (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\
1463 (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?
1464 condition = ${if forany{$regex1 :$regex3 :$regex5 :$regex7 :$regex9}\
1465 {eq{${acl{ea}{$item}}}{caught}}}
1466# $regex requires Exim version 4.87 or higher
1467 log_message = email address in body $acl_m_ea in EBL: $dnslist_text \
1468 From: $header_From:, envelope-from $sender_address, \
1469 recipients=$recipients, Subject: $header_Subject:
1470 message = spam detected
1471
1472 accept
1473
1474ea:
# EBL (ebl.msbl.org) lookup of one e-mail address, passed as $acl_arg1 via
# ${acl{ea}{...}}. The caller compares the returned message with "caught";
# every other exit path sets no message and therefore reads as "not caught".
#
# Exemptions: the address is the envelope sender itself; the sender domain
# is a known mailing-list domain; or the address's domain has neither MX
# nor A records (both dnsdb lookups empty).
1475 accept condition = ${if eqi{$sender_address}{$acl_arg1}}
1476
1477 accept condition = ${lookup{$sender_address_domain}nwildlsearch\
1478 {/usr/local/etc/exim/mailing_list_domains}{0}{1}}
1479
1480 accept condition = ${if eq{}\
1481 {${lookup dnsdb{defer_never,mxh=${domain:$acl_arg1}}}}}
1482 condition = ${if eq{}\
1483 {${lookup dnsdb{defer_never,a=${domain:$acl_arg1}}}}}
1484
# Normalize: lowercase, drop a "+suffix" from the local part, and for
# gmail.com / googlemail.com also drop dots from the local part.
1485 warn set acl_m_ea = ${sg{${lc:$acl_arg1}}{\\+.*@}{@}}
1486 condition = ${if match{$acl_m_ea}{@g(oogle)?mail.com}}
1487 set acl_m_ea = ${sg{${local_part:$acl_m_ea}}{\\.}{}}@${domain:$acl_m_ea}
1488
# Skip addresses at mailing-list domains; otherwise query the EBL with the
# SHA-1 of the normalized address and report "caught" on a listing.
1489 accept condition = ${lookup{${domain:$acl_m_ea}}nwildlsearch\
1490 {/usr/local/etc/exim/mailing_list_domains}{0}{1}}
1491 dnslists = ebl.msbl.org/${sha1:$acl_m_ea}
1492 message = caught
1493
1494 accept
1495
1496acl_check_notsmtp:
# Non-SMTP (locally submitted) messages get only the Reply-To EBL check.
1497 require acl = rt
1498
1499 accept
1500
1501acl_check_notsmtpmime:
# MIME parts of non-SMTP messages get only the body-address EBL check.
1502 require acl = mimeea
1503
1504 accept
1505
1506=============== <snip> ===============
1507
1508You can download my lists from:
1509http://lena.kiev.ua/blacklist_hostaddress.txt
1510http://lena.kiev.ua/blacklist_re_helo.txt
1511http://lena.kiev.ua/blacklist_re_hostname.txt
1512http://lena.kiev.ua/blacklist_webmail.txt
1513http://lena.kiev.ua/blacklist_sender_domain.txt
1514http://lena.kiev.ua/blacklist_injector.txt
1515http://lena.kiev.ua/whitelist_re_hostname.txt
1516http://lena.kiev.ua/mailing_list_domains.txt
1517http://lena.kiev.ua/redirect_domains.txt
1518
1519I use neither a server-side virus filter nor SpamAssassin nor other
1520heavy content filters. I wrote the above with the main goal of
1521minimizing false positives and the secondary goals of minimizing
1522delays and memory consumption. However, the above has proved to be
1523quite effective at fending off spam and viruses.
1524
1525Lena