Thread: RE: Having mfilter.rul drop, reject or challenge words in body -- and more

RE: Having mfilter.rul drop, reject or challenge words in body -- and more
United States
2007-11-23 09:39:51
Those would be good examples for the Wiki.


From: webmaster@1usa.com [mailto:webmaster@1usa.com]
Sent: Friday, November 23, 2007 1:36 AM
To: surgemail-list@netwinsite.com
Subject: [SurgeMail List] Having mfilter.rul drop, reject or challenge words in body -- and more

The easiest way to reject/drop words in header or body:
On the Spam Control page > Manual Blocking section > click on Spam Filter Rules 'configure' button,
and add a rule or three. 
This will add the appropriate lines in the mfilter.rul file that's located in the default /surgemail/ directory.
 
If you want to get fancy with the rules, you can add certain actions on multiple lines in the mfilter.rul file,
certain other actions in the friends.rul file, and certain other actions in the local.rul file.
 
Local.rul: Use only to elevate the [spamgrade] points given to an email.
Friends.rul: Use only to force a Friends Challenge... which in turn requires customizing the outbound Friends Challenge email, located at the very bottom of the Accounts page. There are default settings for all outbound challenges for the server, plus it can be customized per-domain, AND each customer can go in and edit their own (if you allow them to mess it up).  Superb control.
 
====
Sample mfilter.rul entries:
 
if (isin("From","service@paypai.com")) redirect "bobby@1usa.com" (your default SpamCatcher address)
end if
(paypai is a thief pretending to be from paypaL)
 
if (isin("Received","pools.arcor-ip.net")) drop "drop mfilter pools.arcor-ip.net"
end if
 
if (isin("X-URLForgery","wachovia")) call spamdetect(40.0, "URL FORGERY WACHOVIA")
end if
(This rule adds points, which then places the email under control of the SpamDetect system.  Each user can be set to automatically delete emails with a spamscore higher than 25... or some jerky customers will choose to read the email regardless of the spam score; which is potentially dangerous.)
(likewise... once admin@wachovia.net is an approved sender by that customer, the only thing to differentiate a good email arriving from the real MX is SPF, and some domains, particularly banks, do not use SPF... duhhh.  So it will be up to your Surgemail to differentiate/delete any fake emails pretending to be from wachovia.net... but again, individual customers may choose to turn off SPF for their accounts, and again potentially dangerous.... so be careful which parts of the Web Interface you allow the customers to edit.  You can control which items by creating customer Groups, then on the groups page you'd choose the features available to that customer group.)
 
Here's a neat multiple line script that you'd manually enter in the top section of mfilter.rul:
if (isin("X-Verify-MX","not in MX data dom=amazon.com")) reject "The From-address is forged"
if (isin("X-Verify-MX","not in MX data dom=bankofamerica.com")) reject "The From-address is forged"
if (isin("X-Verify-MX","not in mx data dom=ebay.com")) reject "Wrong SPF for ebay.com"
if (isin("X-Verify-MX","not in mx data dom=hotmail.com")) reject "Wrong SPF for hotmail.com"
if (isin("X-Verify-MX","not in mx data dom=monster.com")) reject "Wrong SPF for Monster.com"
if (isin("X-Verify-MX","not in mx data dom=myisland.com")) reject "Wrong SPF for myisland.com"
if (isin("X-Verify-MX","not in MX data dom=ncua.org")) reject "The From-address is forged"
if (isin("X-Verify-MX","not in mx data dom=northforkbank.com")) reject "Wrong SPF for northforkbank.com"
if (isin("X-Verify-MX","not in MX data dom=yahoogroups.com")) call replace("X-Friends-Request","*","true")
end if
 
Note: Always have an end if at the end of a rule.
 
And here are some multi-line entries that you may find useful:

if (isin("from","paypal")) then
if (isin("X-SpamDetect","SPF Default Fail")) then
call replace("X-Friends-Request","*","true")
end if
end if
 
if (isin("X-URLForgery","paypal.com")) then
if (!isin("X-Verify-Helo","paypal.com")) then
reject "From Paypal forgery"
end if
end if
 
if (isin("X-URLForgery","ebay.com")) then
if (!isin("X-Verify-Helo","ebay.com")) then
reject "From ebay forgery"
end if
end if
 
if (isin("X-X-SpamDetect","spf_fail_notinmx")) then
if (isin("X-X-SpamDetect","SPF Default Fail")) then
call replace("X-Friends-Request","*","true")
end if
end if
 
And, although Friends rules are supposed to be in the friends.rul file, we have a few in the mfilter.rul that force the rule:
if (isin("Subject","loan request")) call replace("X-Friends-Request","*","true")
Sometimes a 'loan request' will come from a legitimate bank, sometimes not.  Invoking the Friends system (and having Surgemail re-read the headers, the g_friends_latest_headers setting) will force confirmation of the sender.
The outbound Friends-Request will stay in the friends queue for g_retry_limit hours. 
If the outbound delivery attempt fails, !! the original (spam) email sent to the customer is automatically deleted. !!  Use g_friends_pending_vanish setting for this. Kewl.
 
The one rule that stops those URL spams that try to get the customers to visit infected websites is:
if (isin("Body","http://8")) redirect "body@1usa.com"
if (isin("Body","http://9")) redirect "body@1usa.com"
if (isin("body","SEEING YOUR CARD")) reject "reject mfilter 550 No such User - ecard"
end if
(use your imagination for the others... all except 127.0.0.1)
(An admin person here periodically checks that account to make sure no legit emails get caught... Such emails are then 'redirected' to the original recipient.  There are a few Newsletters out there in La-La Land that like to use IP's in URLs. Too bad.)
 
These particular rules can be placed manually in the blank section above the auto-generated section, however remember to do a Tellmail Reload command afterwards; and don't have a txt editing window open when you use the Admin interface at the same time. Only use one at a time otherwise you will end up removing your edits.
 
====
Sample friends.rul entries:
 
request:X-Verify-MX:not in mx data dom
accept:From:berksdems.org
vanish:X-Surbl:multi.surbl.org
vanish:X-SpamDetect:Viagra not hidden
request:Subject:Supercharge your
request:$body:dbzmail.com
request:X-IPStats:ip=81  (this will force all emails originating from 81.x.x.x IP addresses into the Friends system, if the user has Friends turned on.)
 
Note: Rules entered manually into friends.rul apply to all customers using the Friends system - as long as their account isn't set to "Disable Friends".
 
Here at 1USA, approx 95% of the users are set to "Request confirmation from all unknown addresses" and we have customized the status.eml report, which is sent to the customer under the customer's page > Log ... and set it for 1 or 2 days, and only have the first checkbox on the page selected.  Customers generally don't need to see the other nitty-gritty.
Logs Reports are ALWAYS setup & sent to customers using Outlook Express or other mail client software.
Logs Reports are generally NOT sent to customers who use webmail - because the Friends-Pending folder (should) appear on their Webmail menus.
 
While some customers initially rejected the idea of a Friends-Challenge system, most have joined the fold over time. Above all, they like to be protected.
 
====
Sample local.rul entries:
 
if (isin("X-URLForgery","3riversfcu.org")) then
call spamdetect(40.0, "URL FORGERY 3riversfcu.org")
end if
 
if (isin("X-SpamDetect","amazon wrong domain")) then
call spamdetect(40.0, "amazon wrong domain IP sending into 1USA customers")
end if
 
if (isin("X-Verify-MX","not in MX data dom=amazon.com")) then
call spamdetect(40.0, "Sender not in MX data dom=amazon.com")
end if
 
if (isin("X-Verify-MX","not in MX data dom=cards.bankofamerica.com")) then
call spamdetect(40.0, "Sender not in MX data dom=bankofamerica.com")
end if
 
if (isin("X-Verify-MX","not in mx data dom=chase.com")) then
call spamdetect(40.0, "Sender not in MX data dom=chase.com")
end if
 
if (isin("X-Verify-MX","not in MX data dom=downeysavings.com")) then
call spamdetect(40.0, "Sender not in MX data dom=downeysavings.com")
end if
 
if (isin("X-SpamDetect","ebay wrong domain")) then
call spamdetect(40.0, "ebay wrong domain IP sending into 1USA customers")
end if
 
Note: While most Surgemail Admins choose to grade on a 1-14 level, we here see 'good' emails get a spamgrade of 12 to 16, so we customized our [spamgrade] system to assign 20, 25, 30, 35, 40, etc points -- to MAKE SURE that if a user's setting said to 'drop message if 25+' that the spam email gets dropped.
 
Note: Don't have a rule to Drop in mfilter.rul AND a rule in local.rul to add spamdetect points OR have a rule in friends.rul to force a Challenge.  Come up with a system how you intend to grade/handle emails and only do one of them.
 
SpamAssassin etc:  No, you don't need any add-ons to Surgemail.
 
====
Note: Once a customer has 'allowed' a From_Address, those emails are no longer sent through the [spamgrade] system - so be careful which filters you enter into the filters above, and be careful of which level of access you allow the Groups to manage on their own.  Rules that you want only Admin to apply should be in the mfilter.rul
 
Note: (after Tellmail Reload) (and after a period of time) You'd go to the msg.log page and do a search for keywords to determine if your filters are working.  If you make the first word or two in the filter "drop mfilter..." or "From Ebay..." you can then do a Logs search for that phrase, and see how well your filters are working; and you can group your queries.
Yes, you can add "reject mfilterrul", "drop mfilterrul", "frndsrul", "localrul" into the " " section of the filter to help determine which filter filtered what.
 
Surgemail will meet 100% of your needs, however above and beyond the existing filtering systems built into Surgemail, you can reduce some of the filtering load by off-loading some verifications to your DNS servers (by setting up your own RBLs), and if you are running a primary and Mirror server, you can off-load the body-checking to the mfilter.rul file that's only on the Mirror machine.  Also, if you're running more than one anti-virus program, you'll want to only have the built-in Avast function on the primary server, and any additional a/v software running on the Mirror server...  (We have our customers here pickup their mails from the Mirror, which offloads that work from the main server).
 
Does this blow your sox off?
 
1USA is a Surgemail Reseller and we like to think we're pretty good at helping new installations get setup quickly and effectively.  My opinion is that many of the "demo" setups that people install to "try" Surgemail are not sufficient to do a complete commercial-grade Surgemail product evaluation.
Surgemail allows you to get more sophisticated and customized than any other mail server software that I've seen.
 
NetWin has permission to use any or all of this.
BarryZ
1USA
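As an added example (not code from the post, from 1USA or from NetWin), here is a small Python model of how the rules above behave, so the three rule files can be dry-run against sample headers offline. It assumes isin() is a case-insensitive substring test on a header value (the post writes both "MX data" and "mx data"), that "$body" names the message body, and that mfilter.rul actions are applied before local.rul scoring, which is applied before friends.rul; the sample headers are constructed.

```python
"""Model of the SurgeMail rule semantics described in the post (added example).
Assumed: isin() is case-insensitive substring matching; mfilter.rul runs
first, then local.rul scoring, then friends.rul."""

# Constructed sample headers, modelled on the X-* headers SurgeMail adds.
FORGED_AMAZON = {"From": "orders@amazon.com",
                 "X-Verify-MX": "not in MX data dom=amazon.com"}
URL_FORGERY = {"From": "alerts@wachovia.net",
               "X-URLForgery": "wachovia link text does not match its target"}
FRIENDS_CASE = {"From": "someone@example.net", "X-IPStats": "ip=81.10.20.30"}
CLEAN = {"From": "alice@example.org", "$body": "see you at lunch"}

def isin(msg, header, text):
    """Model of isin(): does the named header (or $body) contain the text?"""
    return text.lower() in msg.get(header, "").lower()

# mfilter.rul: (header, text, action, argument); first matching rule wins
MFILTER = [
    ("X-Verify-MX", "not in MX data dom=amazon.com", "reject", "The From-address is forged"),
    ("Received", "pools.arcor-ip.net", "drop", "drop mfilter pools.arcor-ip.net"),
]
# local.rul: (header, text, points, reason); points add to the [spamgrade] score
LOCAL = [("X-URLForgery", "wachovia", 40.0, "URL FORGERY WACHOVIA")]
# friends.rul: "action:header:pattern" lines, exactly as in the post
FRIENDS = ["request:X-Verify-MX:not in mx data dom",
           "vanish:X-Surbl:multi.surbl.org",
           "request:X-IPStats:ip=81"]

def evaluate(msg, user_drop_at=25.0):
    """Return (action, detail) for one message under the three rule sets."""
    for header, text, action, arg in MFILTER:
        if isin(msg, header, text):
            return action, arg
    score, reasons = 0.0, []
    for header, text, points, reason in LOCAL:
        if isin(msg, header, text):
            score += points
            reasons.append(reason)
    if score >= user_drop_at:  # the per-user "drop message if 25+" setting
        return "spamdetect-drop", f"{score:g} {'; '.join(reasons)}"
    for line in FRIENDS:
        action, header, pattern = line.split(":", 2)
        if isin(msg, header, pattern):
            return action, pattern  # request = Friends challenge, vanish = delete
    return "deliver", f"spamgrade {score:g}"
```

Raising user_drop_at above 40 shows the point the post makes about per-user thresholds: the same URL-forgery message is delivered once the user's own setting no longer drops it.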