# filter.cfg for NMS 3.5 and above. 28 April 1999.
# Author: < bobp (a) tsc . com > Technology Service Corp.
#
# Do not use the Administrator web interface to input or edit this file,
# or to commit changes! Use a text editor such as Wordpad or vi.
# Do not use Notepad. It may create a file with an incomplete end of line.
# I will not answer any email if you use the Admin interface!
#
# First check if user is authenticated. If so, no further checking is
# necessary & exit. This header appears ONLY if the user's password has
# been successfully verified on this server using Authenticated SMTP
#
# If you are using multiple NMSs that exchange mail and use AUTH SMTP, you
# may need to remove or modify this line.
#
Auth-Sender:envonly ".+" EXIT
#
# Now check if sending system is on local network (127.0.0.1 is ALWAYS needed)
# These patterns have been specifically designed to reject forgeries
# perpetrated by bogus rDNS entries.
#
Host-From:envonly "\[127\.0\.0\.1\][^[]*$" EXIT
#
# Change the following to match your network. Change only the network numbers.
# For each additional trusted network, add a new line. For class B networks
# use a pattern of the form "\[128\.10\.[0-9]+\.[0-9]+\][^[]*$".
#
# If your server is behind a firewall, you may have to use a different
# strategy depending on your firewall and network configuration.
# In some configurations, you can assume that any message with a "Host-From"
# that matches the firewall IP address originates from a remote system.
# For this case, add this line (assuming the firewall IP is 192.10.20.1)
#
# Host-From:envonly "\[192\.10\.20\.1\][^[]*$" JUMP "ChkAddr"
#
Host-From:envonly "\[192\.10\.20\.[0-9]+\][^[]*$" EXIT
#
# If we get here, mail is coming from foreign system
# Check for relay attempt in SMTP addressing
# Updated 28 May 1999 to handle path hacks ("!" in address)
# Updated 24 July 1999 to fix logic flaw for multiple Channel-To's.
# Also added additional pattern to check for <"user@x.com"@y.com>
# Prior version had '!JUMP' which would have accepted any message
# with at least one good address. Thanks to Paul Pinocci of Booz,
# Allen & Hamilton for calling this to my attention.
#
:ChkAddr Channel-To:envonly "<@|<.*[%,:!]|<.*@.*@" JUMP "Bounce"
#
# Check all recipients against our primary local domain names. If not a
# match, then the message is a relay attempt and we will bounce (REJECT) it.
# Modify this line with your domains. Do NOT use multiple Channel-To
# filters to match your local domains. Doing so results in opening up
# your server to relaying. If you have a single domain, use a pattern
# of the form "[.@]ourdomain\.com>". If there are too many domains to
# fit on one line, you will have to write an external program or script
# to verify the recipient domain which can be called with the RUN action.
# (See note below on using the RUN action).
#
# These patterns assume that you are using .COM domains. If your domain
# is based on another Top Level Domain (TLD), you need to change them
# accordingly (these examples are patterns to be used in the :ChkRcpt line
# below, do *not* uncomment or edit the examples!) e.g.
# "[.@](mydomain|otherdom)\.org>" or
# "[.@](mydomain|otherdom)\.fr>" or
# "[.@](mydomain|otherdom)\.co\.uk>" or
# "[.@](mydomain|otherdom)\.k12\.portland\.me\.us>"
#
# For a single domain, use:
# "[.@]mydomain\.com>"
#
# If you are using two different TLDs, you will have to use a pattern of
# the form (assuming .NET and .CO.UK TLDs):
# "[.@]((mydomain|otherdom)\.net|(name3|name4)\.co\.uk)>"
#
# The trailing ">" at the end of the pattern is required to guarantee the
# proper match. Do not remove it.
#
:ChkRcpt Channel-To:envonly "[.@](mydomain|otherdom)\.com>" !JUMP "Bounce"
Host-From:envonly ".*" JUMP "RcptOk"
#
# Someone is trying to relay. Bounce the message. If return address is
# invalid, message will end up in our postmaster mailbox. Another option
# would be to send (DROP) it to a designated local mailbox (such as "relay")
# like this: :Bounce Host-From:envonly ".*" DROP "relay"
#
:Bounce Host-From:envonly ".*" REJECT "Non-local addressee. We do not relay!"
Host-From:envonly ".*" EXIT
#
# When we get here, message is destined for local mailbox.
# Check for common spam fingerprints. If found, re-route (DROP) message to
# user "spam"'s mailbox. Check daily for false positives. Some of these
# patterns may seem somewhat cryptic, but are based on analysis of thousands
# of UBEs and should trigger few false positives.
#
:RcptOk Received "GAA.*-0600.*EST" JUMP "Spam"
Received "XAA.*-0700.*EDT" JUMP "Spam"
Received "xxxxxxxxxxxxxxxxxxxxx" JUMP "Spam"
Received "untrace?able" JUMP "Spam"
Received "from (baby|bewellnet|kllklk) " JUMP "Spam"
To "Friend@public\.com" JUMP "Spam"
To "user@the[-_]internet" JUMP "Spam"
Date "/[0-9]+/.+[AP]M.+Time" JUMP "Spam"
Subject "^\(?ADV?[:;)]" JUMP "Spam"
Message-ID "<>" JUMP "Spam"
Message-Id "<>" JUMP "Spam"
Message-Id "<(419\.43|989\.28)" JUMP "Spam"
X-MimeOLE "MimeOLE V[^0-9]" JUMP "Spam"
#
# Added 20-Jun-1999. Appears to be broken spamware.
#
MIME-Version "1.0From" JUMP "Spam"
#
# Added 28-July-1999. Check X-Mailer for spamware.
#
X-Mailer "DiffondiCool" JUMP "Spam"
X-Mailer "Emailer Platinum" JUMP "Spam"
X-Mailer "eMerge" JUMP "Spam"
X-Mailer "Crescent Internet Tool" JUMP "Spam"
#
# Added 4-Apr-2000. Check X-Mailer for Cybercreek Avalanche
#
X-Mailer "Avalanche" JUMP "Spam"
#
# Added 28-July-1999. Bcc to 10 or more recipients
#
Bcc "@.*@.*@.*@.*@.*@.*@.*@.*@.*@" JUMP "Spam"
#
# Added 21-Oct-1999. Subject contains 20 or more consecutive spaces
#
Subject "                    " JUMP "Spam"
#
# Added 31-Mar-2000. Invalid headers from MyGuestBook.exe CGI spamware
#
MessageID "<.+>" JUMP "Spam"
X-References "0[A-Z0-9]+, 0[A-Z0-9]+$" JUMP "Spam"
X-Other-References "0[A-Z0-9]+$" JUMP "Spam"
X-See-Also "0[A-Z0-9]+$" JUMP "Spam"
#
# Updated 28-Apr-1999. Check for "Sender", "Resent-From", or "Resent-By"
# before "X-UIDL". If found, then exit.
#
Sender ".+" EXIT
Resent-From ".+" EXIT
Resent-By ".+" EXIT
#
# Updated 19-May-1999. Check for "X-Mozilla-Status" before "X-UIDL".
#
X-Mozilla-Status ".+" EXIT
#
# Updated 20-Jul-1999. Check for "X-Mailer: Internet Mail Service"
# before "X-UIDL".
#
X-Mailer "Internet Mail Service" EXIT
#
# Updated 25-Oct-1999. Check for "X-ID" before "X-UIDL".
#
X-ID ".+" EXIT
#
# X-UIDL is a POP3 header that should normally not be seen
#
X-UIDL ".*" JUMP "Spam"
#
# Some headers are valid only for the Pegasus Mail client. So first check
# for Pegasus header and exit if found. If not found, check for
# invalid headers: "Comments: Authenticated sender", "X-PMFLAGS" and "X-pmrqc".
#
X-mailer "Pegasus" EXIT
#
# Added 27-Aug-1999. Pegasus now uses X-Mailer instead of X-mailer.
#
X-Mailer "Pegasus" EXIT
#
# Added 25-Oct-1999. Check for X-Confirm-Reading-To.
#
X-Confirm-Reading-To ".+" EXIT
#
# Check for invalid Pegasus headers
#
Comments "Authenticated sender" JUMP "Spam"
X-PMFLAGS ".*" JUMP "Spam"
X-Pmflags ".*" JUMP "Spam"
X-pmrqc ".*" JUMP "Spam"
Host-From:envonly ".*" EXIT
#
# Spam detected. Drop all recipients and send to "spam" mailbox. Check this
# mailbox daily for false positives.
#
:Spam Host-From:envonly ".*" DROP "spam"
Host-From:envonly ".*" EXIT
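#
# Added example (not part of the original filter.cfg or of NMS): a Python
# check of the :ChkAddr and :ChkRcpt patterns above against constructed
# recipients, showing why the trailing ">" and the leading "[.@]" matter.
# It assumes the server applies each pattern as an unanchored, case-sensitive
# search; check_recipient, run and SAMPLES are hypothetical names.
#

```python
import re

# Patterns copied from the :ChkAddr and :ChkRcpt lines of this file.
CHK_ADDR = re.compile(r'<@|<.*[%,:!]|<.*@.*@')
CHK_RCPT = re.compile(r'[.@](mydomain|otherdom)\.com>')
# The same :ChkRcpt pattern with the trailing ">" removed, for comparison only.
CHK_RCPT_NO_ANCHOR = re.compile(r'[.@](mydomain|otherdom)\.com')


def check_recipient(channel_to, rcpt_pattern=CHK_RCPT):
    """Return "Bounce" or "RcptOk" for one Channel-To value.

    Assumption: the server applies each pattern as an unanchored,
    case-sensitive search, which re.search() reproduces here.
    """
    if CHK_ADDR.search(channel_to):
        return "Bounce"          # source route, %-hack, bang path, double @
    if not rcpt_pattern.search(channel_to):
        return "Bounce"          # recipient domain is not one of ours
    return "RcptOk"


# Constructed sample recipients (not taken from real traffic).
SAMPLES = [
    "<user@mydomain.com>",
    "<user@mail.otherdom.com>",
    "<user@elsewhere.example>",
    "<@mydomain.com:user@elsewhere.example>",
    "<user%elsewhere.example@mydomain.com>",
    "<elsewhere.example!user@mydomain.com>",
    '<"user@elsewhere.example"@mydomain.com>',
    "<user@mydomain.com.elsewhere.example>",
    "<user@notmydomain.com>",
]


def run(rcpt_pattern=CHK_RCPT):
    """Classify every sample recipient with the given :ChkRcpt pattern."""
    return {addr: check_recipient(addr, rcpt_pattern) for addr in SAMPLES}


if __name__ == "__main__":
    strict, loose = run(), run(CHK_RCPT_NO_ANCHOR)
    for addr in SAMPLES:
        print(f"{addr:45} with '>': {strict[addr]:7} without: {loose[addr]}")
```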