Thread: help needed with mfilter syntax

help needed with mfilter syntax | Canada | 2008-02-13 12:52:47
I am trying to block very short spam messages being sent from Yahoo and
Hotmail accounts.

The rule I tried was:

if (rexp("Received","hotmail.com|yahoo.com")) then
    if (!rexp("To","onedomain.com|anotherdomain.com")) then
        reject "Sorry - we do not accept bulk mail from hotmail or yahoo accounts"
    end if
end if

So in English: reject mail not addressed directly to one of our domains
coming from yahoo or hotmail.

Unfortunately, the rule is too "greedy". Mail coming from listservers is
being bounced because way down in the chain, one of the sources was
hotmail or yahoo. The rule seems to look at *all* of the "Received"
headers and not the topmost.

Is there a way to say "look only at the most recent "Received" header?

An alternative solution I am trying is to look at the "Return-path"
header instead.
--
Neil Herber
Corporate info at http://www.eton.ca/

Re: help needed with mfilter syntax | Canada | 2008-02-13 13:15:30

Neil Herber (nospam) wrote:
> I am trying to block very short spam messages being sent from Yahoo and
> Hotmail accounts.
>
> The rule I tried was:
>
> if (rexp("Received","hotmail.com|yahoo.com")) then
>     if (!rexp("To","onedomain.com|anotherdomain.com")) then
>         reject "Sorry - we do not accept bulk mail from hotmail or yahoo accounts"
>     end if
> end if
>
> So in English: reject mail not addressed directly to one of our domains
> coming from yahoo or hotmail.
>
> Unfortunately, the rule is too "greedy". Mail coming from listservers is
> being bounced because way down in the chain, one of the sources was
> hotmail or yahoo. The rule seems to look at *all* of the "Received"
> headers and not the topmost.
>
> Is there a way to say "look only at the most recent "Received" header?
>
> An alternative solution I am trying is to look at the "Return-path"
> header instead.
>

Bad form to answer my own question! But my original rule had even bigger
problems - it was blocking outbound mail destined for Hotmail accounts.

Return-Path testing seems to work and probably makes much more sense.
--
Neil Herber
Corporate info at http://www.eton.ca/
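
The difference between matching every "Received" header, only the topmost one, and "Return-Path", as an added example in Python (not mfilter syntax and not part of the original posts). The two messages, their host names and addresses are constructed samples.

```python
import re
from email import message_from_string

FREEMAIL = re.compile(r"hotmail\.com|yahoo\.com", re.I)

# Constructed sample: a list post whose author used Hotmail.
LIST_MAIL = """\
Return-Path: <list-bounces@lists.example.org>
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.onedomain.com with ESMTP; Wed, 13 Feb 2008 12:00:05 -0500
Received: from mail.hotmail.com (mail.hotmail.com [198.51.100.7])
\tby lists.example.org with ESMTP; Wed, 13 Feb 2008 12:00:01 -0500
From: someone@hotmail.com
To: discuss@lists.example.org
Subject: list post

body
"""

# Constructed sample: mail handed to us directly by a Yahoo host.
DIRECT_MAIL = """\
Return-Path: <someone@yahoo.com>
Received: from web1.yahoo.com (web1.yahoo.com [203.0.113.5])
\tby mx.onedomain.com with SMTP; Wed, 13 Feb 2008 12:05:00 -0500
From: someone@yahoo.com
To: undisclosed-recipients:;
Subject: hi

body
"""

def checks(raw):
    """Return the outcome of each header test for one raw message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])  # order of appearance, newest first
    return {
        # What the poster observed the rule doing: any hop can trigger it.
        "any_received": any(FREEMAIL.search(h) for h in received),
        # Only the hop that delivered the message to this server.
        "topmost_received": bool(received and FREEMAIL.search(received[0])),
        # Envelope sender; for list mail this is the list's bounce address.
        "return_path": bool(FREEMAIL.search(msg.get("Return-Path", ""))),
    }

if __name__ == "__main__":
    for name, raw in (("list", LIST_MAIL), ("direct", DIRECT_MAIL)):
        print(name, checks(raw))
```

Only the topmost "Received" header is written by the receiving server; everything below it is supplied by upstream hosts.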

Re: help needed with mfilter syntax | United States | 2008-02-14 05:14:55

Try using "Sender-IPname" instead of the Received.

Also, my question to NetWin the other day was along the same lines.

The Hotmail, Gmail & Yahoo emails are being put into the Friends Pending
folder, and our customers are clicking & being exposed to the http links in
the message body... which then either goes to a p_rn website or an infected
Redirect.

I was looking for the ability to have the Friends system (or the SPF system)
send back an email to the sender who must visit the Confirm_By_Web page, type
in 4 numbers, THEN their email would appear in the Friends folder.

There's a lot of crap out there in La-La Land, huh.

BarryZ

Re: help needed with mfilter syntax | United States | 2008-02-14 05:32:22

> if (rexp("Received","hotmail.com|yahoo.com")) then
>     if (!rexp("To","onedomain.com|anotherdomain.com")) then
>         reject "Sorry - we do not accept bulk mail from hotmail or yahoo accounts"
>     end if
> end if

Hey Netwin, is there a variable for "local domains"?

That would eliminate the need for listing all hosted domains in such a filter.

i.e.
> if (!rexp("To","<local_domains>")) then

Also, this filter would only be a subset of
If From Hotmail, Yahoo, Gmail; do not display on FriendsPending list.

I would guesstimate that all Admins would be interested in something like
this to protect their customers from the junk.

Another way to attack this is to run a script every hour or so that looks
through all the users' Pending Folders and removes the ones From those
domains.

And another way would be to have a List in Surgemail, similar to the
g_spf_skip list, where Admins could create a list of domains to Not display
in the Friends Pending folder or in the status.eml report.

... but SOMETHING needs to be done about the crap arriving from those 'free'
email services.

X-SpamDetect isn't picking up the long teary-eyed letters from Mrs
WannaHackYour BankAccount.

BarryZ

Re: help needed with mfilter syntax | United States | 2008-02-14 08:13:52

webmaster 1usa.com wrote:
> > if (rexp("Received","hotmail.com|yahoo.com")) then
> >     if (!rexp("To","onedomain.com|anotherdomain.com")) then
> >         reject "Sorry - we do not accept bulk mail from hotmail or yahoo accounts"
> >     end if
> > end if
>
> Hey Netwin, is there a variable for "local domains"?
>
> That would eliminate the need for listing all hosted domains in such a
> filter.
>
> i.e.
> > if (!rexp("To","<local_domains>")) then
>
> Also, this filter would only be a subset of
> If From Hotmail, Yahoo, Gmail; do not display on FriendsPending list.
>
> I would guesstimate that all Admins would be interested in something like
> this to protect their customers from the junk.
>
> Another way to attack this is to run a script every hour or so that looks
> through all the users' Pending Folders and removes the ones From those
> domains.
>
> And another way would be to have a List in Surgemail, similar to the
> g_spf_skip list, where Admins could create a list of domains to Not display
> in the Friends Pending folder or in the status.eml report.
>
> ... but SOMETHING needs to be done about the crap arriving from those
> 'free' email services.
>
> X-SpamDetect isn't picking up the long teary-eyed letters from Mrs
> WannaHackYour BankAccount.
>
> BarryZ

It's unfortunate that we can not depend on only one system to catch most
spam coming in. But the bad guys are using those filters to test their spam!

In any case, I have a commercial product in front of our Surgemail setup.
(for more than one reason unrelated to Surge) But it catches the lion's
share of the crap and frees up cpu time for Surge. In Surge we run clamav
(minus clamav's phishingURL filter) plus SaneSecurity and MSRBL sigs. Spam
Assassin is not a clean fit in Surgemail and I had to drop it.

I manage another server for a medium size company and we use both clamav and
SA there. SA still catches some stuff there after our filter and clamav with
the addon sigs.

I disabled ClamAV's internal phishingURL filter, I find extremely few false
positives. Most of those can be traced to stupid users sending pics from
their camera phones with no text or subject and such.

Lyle