WebHostGear.com - the hosting resource for professionals
July 23, 2008

Preventing Spam with Antivirus.exim



By: ramprage

Cpanel servers have a nice little file called antivirus.exim. Most of you have probably never heard of this magic little gem. It’s a central filter for the Exim mail server that lets you set up all kinds of wonderful filters to help stop spam from coming in to and going out of your server.

I’m going to share my /etc/antivirus.exim config file with you guys because I hate spam and you do as well. This will help protect you and therefore protect me as well because your server might be spamming mine one day.

First off, the default /etc/antivirus.exim has a couple of different rule sets in it. The main ones are attachment filters to help stop email viruses spreading from your users; they block things like .scr, .com and .exe attachments.

This tutorial shows you some custom rules to stop spammers sending out of your server; you can also use it to stop spam coming in. I don’t go into a lot of detail on filtering incoming mail since other applications like SpamAssassin handle that better IMO.

You need root access to your Cpanel server as usual.

First off, we need to create a special log file for these filters. Do this:

touch /var/log/filter.log
chmod 0644 /var/log/filter.log

Now open up the configuration file:
vi /etc/antivirus.exim

It should have a whole whack of comments at the top.

Here’s the webhostgear.com antivirus.exim configuration. Simply add this to your existing file and save the changes; they take effect immediately.

### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com
######################################################

# START
# Filters all incoming and outgoing mail

logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
 $header_subject: contains "Pharmaceutical"
 or $header_subject: contains "Viagra"
 or $header_subject: contains "Cialis"
 or $header_subject: is "The Ultimate Online Pharmaceutical"
 or $header_subject: contains "***SPAM***"
 or $header_subject: contains "[SPAM]"

# Body Spam
or $message_body: contains "Cialis"
or $message_body: contains "Viagra"
or $message_body: contains "Leavitra"
or $message_body: contains "St0ck"
or $message_body: contains "Viaagrra"
or $message_body: contains "Cia1iis"
or $message_body: contains "URGENT BUSINESS PROPOSAL"
# Note: "matches" is an unanchored regex test, so a short alternative such as "asu"
# also hits ordinary words like "measure"; this is why the common spam section is optional
or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)"
or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
then
# Log Message - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
#fail text "Message has been rejected because it has triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
 seen finish
endif

# END
# Filters all incoming and outgoing mail

# START
# All outgoing mail on the server only - what is sent out
#Check forwarders so it doesn't get blocked
#Forwarders still work =)
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
          $received_protocol is "local" or
          $received_protocol is "esmtpa"
        ) and (
          $header_from contains "@citibank.com" or
          $header_from contains "@bankofamerica.com" or
          $header_from contains "@wamu.com" or
          $header_from contains "@ebay.com" or
          $header_from contains "@chase.com" or
          $header_from contains "@paypal.com" or
          $header_from contains "@wellsfargo.com" or
          $header_from contains "@bankunited.com" or
          $header_from contains "@bankerstrust.com" or
          $header_from contains "@bankfirst.com" or
          $header_from contains "@capitalone.com" or
          $header_from contains "@citizensbank.com" or
          $header_from contains "@jpmorgan.com" or
          $header_from contains "@wachovia.com" or
          $header_from contains "@bankone.com" or
          $header_from contains "@suntrust.com" or
          $header_from contains "@amazon.com" or
          $header_from contains "@banksecurity.com" or
          $header_from contains "@visa.com" or
          $header_from contains "@mastercard.com" or
          $header_from contains "@mbna.com"
        )
  then
     logwrite "$tod_log $message_id from $sender_address is fraud"
     seen finish
  endif
## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local"          or
         $received_protocol is "esmtpa"
        ) and (
          $header_from contains "@hotmail.com" or
          $header_from contains "@yahoo.com" or
          $header_from contains "@aol.com"
        )
  then
     logwrite "$tod_log $message_id from $sender_address is forged fake"
     seen finish
  endif

## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local"          or
         $received_protocol is "esmtpa"
        ) and (
#Paypal
        $message_body: contains "Dear valued PayPal member" or
        $message_body: contains "Dear valued PayPal customer" or
        $message_body: contains "Dear Paypal" or
        $message_body: contains "The PayPal Team" or
        $message_body: contains "Dear Paypal Customer" or
        $message_body: contains "Paypal Account Review Department" or

#Ebay
        $message_body: contains "Dear eBay member" or
        $message_body: contains "Dear eBay User" or
        $message_body: contains "The eBay team" or
        $message_body: contains "Dear eBay Community Member" or

#Banks
        $message_body: contains "Dear Charter One Customer" or
        $message_body: contains "Dear wamu.com customer" or
        $message_body: contains "Dear valued Citizens Bank member" or
        $message_body: contains "Dear Visa" or
        $message_body: contains "Dear Citibank" or
        $message_body: contains "Citibank Email" or
        $message_body: contains "Dear customer of Chase Bank" or
        $message_body: contains "Dear Bank of America customer" or

#ISPs
        $message_body: contains "Dear AOL Member" or
        $message_body: contains "Dear AOL Customer"

        )
  then
     logwrite "$tod_log $message_id from $sender_address is phishing"
     seen finish
  endif
# END
# All outgoing mail on the server only - what is sent out

The log file entries look like this (/var/log/filter.log):

2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@gmail.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowellu7xn@gmail.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.wavepointmedia.com is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.wavepointmedia.com is phishing


Each line shows the date and time, the Exim message ID, the sender address and the filter section that matched (spam keywords, fraud, forged fake or phishing). To see the full delivery record for a message, grep the exim_mainlog for its message ID like this:

grep 1FZEB9-0002KQ-VP /var/log/exim_mainlog
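As an added example (not part of the original tutorial), here is a small Python script that parses lines in this filter.log format, counts hits per filter section and per sender for the outgoing-only sections, and builds the exim_mainlog grep commands shown above; the sample log lines, message IDs and addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/filter.log in the shape the tutorial's
# logwrite statements produce (message IDs and addresses are made up).
SAMPLE_LOG = """\
2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@example.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowell@example.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.example.net is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.example.net is phishing
2006-04-27 16:40:02 1FZEDw-0002Kz-Qa from nobody@ocean.example.net is phishing
"""

# Tail of each logwrite string in the filter -> short category name.
REASONS = {"contained spam keywords": "spam", "is fraud": "fraud",
           "is forged fake": "forged", "is phishing": "phishing"}

# $tod_log is "YYYY-MM-DD HH:MM:SS"; the Exim message ID contains no spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) from (?P<sender>\S+) (?P<reason>.+)$"
)

def parse_line(line):
    """Return one parsed filter.log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("reason") not in REASONS:
        return None
    return {"ts": m.group("ts"), "msgid": m.group("msgid"),
            "sender": m.group("sender"), "category": REASONS[m.group("reason")]}

def summarize(text):
    """Count hits per category, and per sender for the outgoing-only rules.

    fraud/forged/phishing fire only for mail originating on the server, so one
    sender (typically nobody@..., i.e. a web script) piling up hits there points
    at an abused script or account that is worth pulling out of exim_mainlog.
    """
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    outgoing = [e for e in entries if e["category"] != "spam"]
    return {
        "entries": entries,
        "by_category": dict(Counter(e["category"] for e in entries)),
        "outgoing_by_sender": dict(Counter(e["sender"] for e in outgoing)),
    }

def mainlog_grep(text, category):
    """The tutorial's exim_mainlog grep, one command per message in a category."""
    return [f"grep {e['msgid']} /var/log/exim_mainlog"
            for e in summarize(text)["entries"] if e["category"] == category]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["by_category"], report["outgoing_by_sender"])
    print("\n".join(mainlog_grep(SAMPLE_LOG, "phishing")))
```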

If you haven’t already, you should enable a higher level of logging in your mail server; that will be covered in our next tutorial.

Enjoy

Steve


Comments / Feedback

zac
good article, but be careful, by default, this file will be overwritten by upcp on a regular basis.
Steve
Actually that's not true. I just did a /scripts/upcp and it ran without any problem and didn't affect the antivirus.exim file at all.
Tom
Hi,

Did anybody see higher server load when running these filter settings?

Thanks
Steve
Well you could take out the ## Common Spam # Header Spam section which filters all incoming and outgoing but I didn't see any notice on my system at all after this.
zac
Steve, did you run it with --force, as most people do when running it in shell?

Steve
Yes, it doesn't get overwritten =)
ImZan
I think there are some issues with the script dropping emails from the system when they are sent by nobody - has anyone experienced this?
Alias
are you sure it is stopping nobody sending mail??? because my server is using a forum also

Please advise me
HASAN
I have problem with copy and paste

Please put the antivirus.exim configuration in txt file

thanks
Jay
I added this to my antivirus.exim file but I still don't see any difference.. just about 3-4 emails got deleted.. but that's about it... I was hoping for better than that...
Noushad
Is it blocking nobody user sending mail..
because i am using PHPBB in my server.


Please update it,
Steve
I don't recommend using the COMMON SPAM section unless you need to. This was more for showing you what it can do. If you're having issues I suggest removing that area of the config.

Been using on very busy systems, no performance problems.
Robin
Most people don't use --force when running from shell, there's no need to force an upcp unless you're having other problems. Just running upcp is the same as when Cpanel does its automatic updates (if selected). If you're not having problems from a previous update then --force just takes longer and does more than what's necessary to update Cpanel.
virtua
yup... you're right Steve, I don't see anything in the log, only when the section #COMMON SPAM# is active... no filtered emails by phishing or fake senders...
Stephen Strong
Is this going to block legit e-mails from ebay, paypal, etc?

Thanks!
Steve WHG
Stephen,

No this doesn't block legitimate e-mail from the companies listed. It's set up in a specific way to only block messages with the source address being forged when it's being sent out from your server. Works great, using on many many many systems.
Rog
Nice, thank you
Rolly
Seems to work too well; I implemented this on my server and could not send jpg or gif as attachments (had to zip them). Weird or what?
gary
This is a nice script. :) Thanks WHG for this!

I don't fully understand this area:

## OTHER FAKE SENDERS SPAM

I did notice some senders using fakename@domaininmyserver.com sending out a huge number of spam mails.

Is it safe to add @domaininmyserver.com in this line? Will this not block legitimate mails from @domaininmyserver.com?

Stephen Strong
Thanks Steve for your response!

I seem to be having the same issue as Rolly. I can't send e-mails with JPG or GIF attachments ...
angel
messed up, I couldn't receive any emails at all!
Russ
Hey Steve (or others),
How can I get this regex working?
$message_headers: matches "(email1|email2)@(domain1|domain2).com"
I've tried ^, but I don't exactly know how to specify this otherwise. Currently, it does not error, but also does not work.

Thanks,
Russ
To You
I switched the antivirus.exim to this new one and now I get an error when trying to deliver mail. Anyone know why?


Error in system filter: "and" or "or" or "then" expected near line 12 of filter file, but found "240or"
Bro Bill
I see that MailScanner removes and/or renames this file by default, to bypass it entirely. In fact, the latest version of MailScanner changes the EXIM configuration in WHM to rename antivirus.exim to /etc/antivirus.empty.

I'd like to be able to use *both* MailScanner and additional antivirus.exim filtering. Is there a reason I shouldn't?
Steel Rat
I added this to my antivirus.exim file, and it prevented me from sending just about anything with an attachment, even just jpg images.

I didn't see anything in the script that controlled this, but as soon as I removed the entire thing I was able to send again.

Is there a way I can have this work effectively and not block my own email??
Dev
Does it matter if we add this to the start of the existing file or at the end of the file.
Ken
I attempted to test the logging and sent out an email with some "fake" ebay stuff in the body and it was not logged. Anyone else having this problem?
rizalmhm
Question,

How to block spam email like fbi*@*.* or debora*@*.*
thank you
jalu
thanks steve, it works for me.
how about spam from Russian typo like this " Корпоративные тренинги "? do you have experience with this? do you have a suggestion?
Soumen Biswas
Maybe it will work. But what about image e.g. .gif attachments? Spammers are sending attachment spam.
bill
Cool script. I see the variable

$sender_address

What is the variable for

$to_address

I tried $header_to

but that does not work.
bill
Nice script, but I found that if a customer wasn't receiving email, the default log message created by the script was not good enough. So, I edited it just a bit from this...

logwrite "$tod_log $message_id from $sender_address contained spam keywords"

to this...

logwrite "$tod_log $message_id Message FROM $sender_address TO $header_to contained spam keywords - SUBJECT: $header_subject"

Now, if a customer complains about not receiving email, I can do a search for their address in the /var/log/filter.log file.
Zion
Is there an updated rule that corrects binary attachments from being marked/filtered as spam?
Steve
This is not a maintained version. It's just free for reference. Go check out http://www.serverprogress.com for a maintained version, but it won't be free.
Justin
The stuff is really good!!!

Can we add rules such that say if the body contains both the words say ebay and paypal (the operator and, rather than or).

This method would be more effective, since spam mails have specific patterns many a times. And we can fight them more effectively with this method.

Thanks in advance ...
Jake Jammin
To Bro Bill:
MailScanner did modify the installer script to change the exim system_filter to an empty file (/etc/antivirus.empty) instead of periodically emptying the /etc/antivirus.exim file.

You can still use *both* MailScanner and additional antivirus.exim filtering by putting your code in /etc/antivirus.empty. That way the daily cronjob won't empty out the system_filter file anymore so you can put what you want in there and it will be used.
Jake Jammin
I also would like to say THANK YOU Steve for the great post!! Works great on a cPanel server with no abnormal blocking.

To avoid the filter.log from getting HUGE, you may want to add that log to your Logrotate...

Here is how I did it:
touch /etc/logrotate.d/filter
vi /etc/logrotate.d/filter

Add the following:
/var/log/filter.log {
    missingok
    compress
    postrotate
    endscript
}

Save changes and you're done.

When your Logrotate runs it should compress the old /var/log/filter.log and start new....

How many compressed files it will keep before dumping the last, is set in your /etc/logrotate.conf file.

Good Luck!
Jake
Med Anouar
To get it working with cpanel 11 add it to the file:

/etc/cpanel_exim_system_filter


thanks
