# filter.cfg for NMS 3.5 and above. 28 April 1999.
# Author: < bobp (a) tsc . com > Technology Service Corp.
#
# Do not use the Administrator web interface to input or edit this file,
# or to commit changes! Use a text editor such as Wordpad or vi.
# Do not use Notepad. It may create a file with an incomplete end of line.
# I will not answer any email if you use the Admin interface!
#
# First check if user is authenticated. If so, no further checking is
# necessary & exit. This header appears ONLY if the user's password has
# been successfully verified on this server using Authenticated SMTP.
#
# If you are using multiple NMSs that exchange mail and use AUTH SMTP, you
# may need to remove or modify this line.
#
Auth-Sender:envonly ".+" EXIT
#
# Now check if sending system is on local network (127.0.0.1 is ALWAYS needed).
# These patterns have been specifically designed to reject forgeries
# perpetrated by bogus rDNS entries: the trailing [^[]*$ requires the
# bracketed address to be the last one on the line, so a forged reverse-DNS
# name that itself contains "[127.0.0.1]" is not mistaken for the real
# connecting address.
#
Host-From:envonly "\[127\.0\.0\.1\][^[]*$" EXIT
#
# Change the following to match your network. Change only the network numbers.
# For each additional trusted network, add a new line. For class B networks
# use a pattern of the form "\[128\.10\.[0-9]+\.[0-9]+\][^[]*$".
#
# If your server is behind a firewall, you may have to use a different
# strategy depending on your firewall and network configuration.
# In some configurations, you can assume that any message with a "Host-From"
# that matches the firewall IP address originates from a remote system.
# For this case, add this line (assuming the firewall IP is 192.10.20.1):
#
# Host-From:envonly "\[192\.10\.20\.1\][^[]*$" JUMP "ChkAddr"
#
Host-From:envonly "\[192\.10\.20\.[0-9]+\][^[]*$" EXIT
#
# If we get here, mail is coming from a foreign system.
# Check for relay attempt in SMTP addressing.
# Updated 28 May 1999 to handle path hacks ("!" in address).
# Updated 24 July 1999 to fix logic flaw for multiple Channel-To's.
# Also added additional pattern to check for <"user@x.com"@y.com>.
# Prior version had '!JUMP' which would have accepted any message
# with at least one good address. Thanks to Paul Pinocci of Booz,
# Allen & Hamilton for calling this to my attention.
#
:ChkAddr Channel-To:envonly "<@|<.*[%,:!]|<.*@.*@" JUMP "Bounce"
#
# Check all recipients against our primary local domain names. If not a
# match, then the message is a relay attempt and we will bounce (REJECT) it.
# Modify this line with your domains. Do NOT use multiple Channel-To
# filters to match your local domains. Doing so results in opening up
# your server to relaying. If you have a single domain, use a pattern
# of the form "[.@]ourdomain\.com>". If there are too many domains to
# fit on one line, you will have to write an external program or script
# to verify the recipient domain which can be called with the RUN action.
# (See note below on using the RUN action).
#
# These patterns assume that you are using .COM domains. If your domain
# is based on another Top Level Domain (TLD), you need to change them
# accordingly (these examples are patterns to be used in the :ChkRcpt line
# below, do *not* uncomment or edit the examples!) e.g.
# "[.@](mydomain|otherdom)\.org>" or
# "[.@](mydomain|otherdom)\.fr>" or
# "[.@](mydomain|otherdom)\.co\.uk>" or
# "[.@](mydomain|otherdom)\.k12\.portland\.me\.us>"
#
# For a single domain, use:
# "[.@]mydomain\.com>"
#
# If you are using two different TLDs, you will have to use a pattern of
# the form (assuming .NET and .CO.UK TLDs):
# "[.@]((mydomain|otherdom)\.net|(name3|name4)\.co\.uk)>"
#
# The trailing ">" at the end of the pattern is required to guarantee the
# proper match. Do not remove it. Without it, "[.@]mydomain\.com" would also
# match a recipient such as <victim@mydomain.com.attacker.net>, and the
# message would be relayed.
#
:ChkRcpt Channel-To:envonly "[.@](mydomain|otherdom)\.com>" !JUMP "Bounce"
Host-From:envonly ".*" JUMP "RcptOk"
#
# Someone is trying to relay. Bounce the message. If return address is
# invalid, message will end up in our postmaster mailbox.
# Another option
# would be to send (DROP) it to a designated local mailbox (such as "relay")
# like this: ":Bounce Host-From:envonly ".*" DROP "relay"
#
:Bounce Host-From:envonly ".*" REJECT "Non-local addressee. We do not relay!"
Host-From:envonly ".*" EXIT
#
# When we get here, message is destined for a local mailbox.
# Check for common spam fingerprints. If found, re-route (DROP) message to
# user "spam"'s mailbox. Check daily for false positives. Some of these
# patterns may seem somewhat cryptic, but are based on analysis of thousands
# of UBEs and should trigger few false positives.
#
:RcptOk Received "GAA.*-0600.*EST" JUMP "Spam"
Received "XAA.*-0700.*EDT" JUMP "Spam"
Received "xxxxxxxxxxxxxxxxxxxxx" JUMP "Spam"
Received "untrace?able" JUMP "Spam"
Received "from (baby|bewellnet|kllklk) " JUMP "Spam"
To "Friend@public\.com" JUMP "Spam"
To "user@the[-_]internet" JUMP "Spam"
Date "/[0-9]+/.+[AP]M.+Time" JUMP "Spam"
Subject "^\(?ADV?[:;)]" JUMP "Spam"
Message-ID "<>" JUMP "Spam"
Message-Id "<>" JUMP "Spam"
Message-Id "<(419\.43|989\.28)" JUMP "Spam"
X-MimeOLE "MimeOLE V[^0-9]" JUMP "Spam"
#
# Added 20-Jun-1999. Appears to be broken spamware.
#
MIME-Version "1.0From" JUMP "Spam"
#
# Added 28-July-1999. Check X-Mailer for spamware.
#
X-Mailer "DiffondiCool" JUMP "Spam"
X-Mailer "Emailer Platinum" JUMP "Spam"
X-Mailer "eMerge" JUMP "Spam"
X-Mailer "Crescent Internet Tool" JUMP "Spam"
#
# Added 4-Apr-2000. Check X-Mailer for Cybercreek Avalanche.
#
X-Mailer "Avalanche" JUMP "Spam"
#
# Added 28-July-1999. Bcc to 10 or more recipients.
#
Bcc "@.*@.*@.*@.*@.*@.*@.*@.*@.*@" JUMP "Spam"
#
# Added 21-Oct-1999. Subject contains 20 or more consecutive spaces
# (the pattern is 20 literal spaces).
#
Subject "                    " JUMP "Spam"
#
# Added 31-Mar-2000. Invalid headers from MyGuestBook.exe CGI spamware.
# ("MessageID" without the hyphen is deliberate; a genuine Message-ID
# header is spelled with one.)
#
MessageID "<.+>" JUMP "Spam"
X-References "0[A-Z0-9]+, 0[A-Z0-9]+$" JUMP "Spam"
X-Other-References "0[A-Z0-9]+$" JUMP "Spam"
X-See-Also "0[A-Z0-9]+$" JUMP "Spam"
#
# Updated 28-Apr-1999.
# Check for "Sender", "Resent-From", or "Resent-By"
# before "X-UIDL". If found, then exit.
#
Sender ".+" EXIT
Resent-From ".+" EXIT
Resent-By ".+" EXIT
#
# Updated 19-May-1999. Check for "X-Mozilla-Status" before "X-UIDL".
#
X-Mozilla-Status ".+" EXIT
#
# Updated 20-Jul-1999. Check for "X-Mailer: Internet Mail Service"
# before "X-UIDL".
#
X-Mailer "Internet Mail Service" EXIT
#
# Updated 25-Oct-1999. Check for "X-ID" before "X-UIDL".
#
X-ID ".+" EXIT
#
# X-UIDL is a POP3 header that should normally not be seen: it is added to
# messages already sitting in a POP3 mailbox, so a message arriving fresh
# over SMTP should not carry one.
#
X-UIDL ".*" JUMP "Spam"
#
# Some headers are valid only for the Pegasus Mail client. So first check
# for Pegasus header and exit if found. If not found, check for
# invalid headers: "Comments: Authenticated sender", "X-PMFLAGS" and "X-pmrqc".
#
X-mailer "Pegasus" EXIT
#
# Added 27-Aug-1999. Pegasus now uses X-Mailer instead of X-mailer.
#
X-Mailer "Pegasus" EXIT
#
# Added 25-Oct-1999. Check for X-Confirm-Reading-To.
#
X-Confirm-Reading-To ".+" EXIT
#
# Check for invalid Pegasus headers.
#
Comments "Authenticated sender" JUMP "Spam"
X-PMFLAGS ".*" JUMP "Spam"
X-Pmflags ".*" JUMP "Spam"
X-pmrqc ".*" JUMP "Spam"
Host-From:envonly ".*" EXIT
#
# Spam detected. Drop all recipients and send to "spam" mailbox. Check this
# mailbox daily for false positives.
#
:Spam Host-From:envonly ".*" DROP "spam"
Host-From:envonly ".*" EXIT
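The relay checks in the :ChkAddr and :ChkRcpt lines above, together with the Host-From local-network test, as an added example in Python that is not part of filter.cfg or of NMS. It applies the same patterns to constructed sample recipients and Host-From values, shows what each one catches (source routes, percent hacks, bang paths, the quoted "user@x"@y trick, a bogus rDNS name, and why the trailing ">" in the :ChkRcpt pattern matters), and can serve as a starting point for the external checker the comments suggest invoking with the RUN action. Assumed, not taken from the file: the placeholder domains mydomain.com/otherdom.com and the 192.10.20.0/24 network stand in for your own; the Host-From value has the form "name [a.b.c.d]"; and the argv/exit-status convention for RUN is a guess to be verified against the NMS documentation.

```python
"""Relay checks from filter.cfg (:ChkAddr, :ChkRcpt and the Host-From
local-network test) re-implemented in Python against constructed sample
data. Added example, not part of filter.cfg or of NMS. Assumptions:
mydomain.com/otherdom.com and 192.10.20.0/24 are placeholders from the
comments above; the Host-From value is "name [a.b.c.d]"; and the RUN
convention (recipients in argv, exit 0 = accept / 1 = bounce) is a guess
to be checked against the NMS documentation."""
import re
import sys
from typing import List, Optional, Tuple

# :ChkAddr pattern, copied from filter.cfg: source routes (<@host:...>),
# percent hacks, comma routes, bang paths and a quoted "user@x"@y local part.
RELAY_SYNTAX = re.compile(r"<@|<.*[%,:!]|<.*@.*@")

# :ChkRcpt pattern in the same form as filter.cfg. The leading [.@] admits
# subdomains of the listed domains; the trailing ">" stops
# "mydomain.com.attacker.net" from matching.
LOCAL_DOMAINS = ("mydomain", "otherdom")        # assumed placeholder domains
LOCAL_RCPT = re.compile(r"[.@](" + "|".join(LOCAL_DOMAINS) + r")\.com>")

# Host-From patterns: [^[]*$ demands that the bracketed IP be the LAST
# bracketed item, so a forged PTR name containing "[127.0.0.1]" cannot pass.
TRUSTED_HOSTS = [
    re.compile(r"\[127\.0\.0\.1\][^[]*$"),
    re.compile(r"\[192\.10\.20\.[0-9]+\][^[]*$"),  # assumed local class C
]


def relay_attempt(rcpt: str) -> Optional[str]:
    """Why one envelope recipient (in <...> form) would be bounced, or None."""
    if RELAY_SYNTAX.search(rcpt):
        return "relay syntax in address"
    if not LOCAL_RCPT.search(rcpt):
        return "non-local addressee"
    return None


def check_recipients(rcpts: List[str]) -> Tuple[bool, List[Tuple[str, str]]]:
    """All-or-nothing like the filter: one bad recipient bounces the message.
    Returns (accept, [(recipient, reason), ...])."""
    rejected = []
    for rcpt in rcpts:
        reason = relay_attempt(rcpt)
        if reason is not None:
            rejected.append((rcpt, reason))
    return (not rejected, rejected)


def host_is_local(host_from: str) -> bool:
    """True if Host-From carries a trusted IP as its last bracketed item."""
    return any(p.search(host_from) for p in TRUSTED_HOSTS)


def without_trailing_gt_is_unsafe() -> bool:
    """Shows why the trailing ">" matters: the same pattern minus ">" accepts
    a recipient whose domain merely begins with ours."""
    loose = re.compile(r"[.@](mydomain|otherdom)\.com")
    return bool(loose.search("<victim@mydomain.com.attacker.net>"))


# Constructed samples (not captured traffic); value = expected verdict.
SAMPLE_RCPTS = {
    "<user@mydomain.com>": None,
    "<user@mail.otherdom.com>": None,
    "<@mydomain.com:victim@remote.net>": "relay syntax in address",
    "<victim%remote.net@mydomain.com>": "relay syntax in address",
    "<remote.net!victim@mydomain.com>": "relay syntax in address",
    '<"victim@remote.net"@mydomain.com>': "relay syntax in address",
    "<victim@remote.net>": "non-local addressee",
    "<victim@mydomain.com.attacker.net>": "non-local addressee",
    "<victim@evilmydomain.com>": "non-local addressee",
}
SAMPLE_HOSTS = {
    "localhost [127.0.0.1]": True,
    "pc42.corp.example [192.10.20.42]": True,
    "mx.remote.net [203.0.113.5]": False,
    "fake[127.0.0.1] [203.0.113.5]": False,   # bogus rDNS name, real IP last
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed RUN convention: recipients in argv; exit 0 accept, 1 bounce.
        accept, rejected = check_recipients(sys.argv[1:])
        for rcpt, reason in rejected:
            print(f"bounce {rcpt}: {reason}")
        sys.exit(0 if accept else 1)
    for rcpt, expected in SAMPLE_RCPTS.items():
        print(f"{rcpt:40} -> {relay_attempt(rcpt)} (expected {expected})")
    for host, expected in SAMPLE_HOSTS.items():
        print(f"{host:40} -> local={host_is_local(host)} (expected {expected})")
```

Run it with no arguments to see every sample classified; run it with one or more <...> recipients as arguments to get the assumed RUN-style verdict and exit status. The Host-From samples only make the point if your NMS really puts the connecting IP last in brackets; confirm that against a real log line before relying on the [^[]*$ anchoring.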