Preventing Spam with Antivirus.exim

zac 18:49, May 11, 2006

good article, but be carefull, by default, this file will be overwritten by upcp on a regular basis.

Steve 17:40, May 12, 2006

Actually that's not true. I just did a /scripts/upcp and it ran without any problem and didn't affect the antivirus.exim file at all.

Tom 00:29, May 13, 2006

Hi, 
 
Did anybody see higher server load when run this filter settings? 
 
Thanks

Steve 00:39, May 14, 2006

Well you could take out the ## Common Spam # Header Spam section which filters all incoming and outgoing but I didn't see any notice on my system at all after this.

zac 20:42, May 14, 2006

Steve, did you run it with --force, as most people do when running it in shell?

Steve 19:49, June 6, 2006

Yes, it doesn't get overwritten =)

ferrari crash 21:57, June 12, 2006

This is very interesting site...

toy box 13:10, June 13, 2006

You have an outstanding good and well structured site. I enjoyed browsing through it.

ImZan 01:31, June 14, 2006

I think there is some issues with the script dropping emails from the system when they are sent by nobody - has anyone expereinced this ?

hyundai car 03:50, June 14, 2006

Wonderful and informative web site.I used information from that site its great.

truck toy 01:58, June 19, 2006

Cool!.. Nice work...

Alias 09:33, June 22, 2006

are u sure it is stoping nobody sending mail ??? because my server is using forum also 
 
Please advise me

HASAN 00:42, June 30, 2006

I have problem with copy and paste 
 
Please put the antivirus.exim configuration in txt file 
 
thanks

Jay 12:59, July 9, 2006

i added this to my antivirus.exim file but i still dont see any difference.. just about 3-4 emails got deleted.. but that's about it... i was hopping better then that...

Noushad 14:36, July 10, 2006

Is it blocking nobody user sending mail.. 
because i am using PHPBB in my server. 
 
 
Please update it,

Steve 16:04, July 10, 2006

I don't recommend using the COMMON SPAM section unless you need to. This was more for showing you what it can do. If you're having issues I suggest removing that area of the config. 
 
Been using on very busy systems, no performance problems.

Robin 17:16, July 20, 2006

Most people don't use --force when running from shell, there's no need to force a upcp unless you're having other problems. Just running upcp is the same as when Cpanel does it's automatic updates (if selected). If you're not having problems from a previous update then --force just takes longer does more than what's necessary to update Cpanel.

virtua 00:16, July 27, 2006

yup... you right Steve, i dont see anything in the log, only when the section #COMMON SPAM# are active... no filtered emails by phising or fake senders...

Stephen Strong 03:00, August 7, 2006

Is this going to block legit e-mails from ebay, paypal, etc? 
 
Thanks!

Steve WHG 18:02, August 7, 2006

Stephen, 
 
No this doesn't block legitimate e-mail from the companies listed. It's setup in a specific way to only block messages with the source address being forged when its being sent out from your server. Works great, using on many many many systems.

Rog 19:16, August 12, 2006

Nice, thank you

Rolly 00:07, August 17, 2006

Seams to work too good; I implemented this to my server and could not send jpg or gif as an attachments (had to zip them). Weird or what?

gary 02:27, August 19, 2006

This is a nice script. :) Thanks WHG fir this! 
 
I dont fully understand this area: 
 
## OTHER FAKE SENDERS SPAM 
 
I do noticed some senders as using fakename@domaininmyserver.com sending out huge number of spam mails. 
 
Is it safe to add @domaininmyserver.com in this line? Will this not block ligitimate mails from @domaininmyserver.com?

Stephen Strong 02:39, August 19, 2006

Thanks Steve for your response! 
 
I seem to have having them same issue as Rolly. I can't send e-mails with JPG or GIF attachments ...

angel 01:52, August 25, 2006

messed up, I couldnt recieve any emails at all!

Russ 16:09, September 3, 2006

Hey Steve (or others), 
How can I get this regex working? 
$message_headers: matches "(email1|email2)@(domain1|domain2).com" 
I've tried ^, but I don't exactely know how to specify this otherwise. Currently, it does not error, but also does not work. 
 
Thanks, 
Russ

To You 00:07, October 1, 2006

I swicth the antivirus.exim to this new one and now I got an error, when try to deliver mail. Anyone know why ? 
 
 
Error in system filter: "and" or "or" or "then" expected near line 12 of filter file, but found "\240or"

Bro Bill 16:11, October 15, 2006

I see that MailScanner removes and/or renames this files by default, to bypass it entirely. In fact, the latest version of MailScanner changes the EXIM configuration in WHM to rename antivirus.exim to /etc/antivirus.empty. 
 
I'd like to be able to use *both* MailScanner and additional antivirus.exim filtering. Is there a reason I shouldn't?

Steel Rat 15:29, October 23, 2006

I added this to my antivirus.exm file, and it prevented me from sending just about anything with an attachment, even just jpg images. 
 
I didn't see anything in the script that controlled this, but as soon as I removed the entire thing I was able to send again. 
 
Is there a way I can have this work effectively and not block my own email??

Dev 21:29, October 27, 2006

Does it matter if we add this to the start of the existing file or at the end of the file.

Ken 03:52, October 30, 2006

I attempted to test the loggin and send out a email with some "fake" ebay stuff in the body and it was not logged. Anyone else having this problem?

rizalmhm 16:57, December 4, 2006

Question, 
 
How to block spam email like fbi*@*.* or debora*@*.* 
thank you

jalu 07:37, February 16, 2007

thanks steve, it work for me. 
how about spam from russian typo like this " Корпоративные тренинги "? do you have experience with this? do you have suggestion ?

Soumen Biswas 10:34, March 22, 2007

May be it will work. But What about image e.g .gif attachment ? spammers are sending attachment spam.

bill 17:51, April 4, 2007

Cool script. I see the variable 
 
$sender_address 
 
What is the variable for 
 
$to_address 
 
I tried $header_to 
 
but that does not work.

bill 19:09, April 4, 2007

Nice script, but I found that if a customer wasn't receiving email, the default log message created by the script was not good enough. So, I edited it just a bit from this... 
 
logwrite "$tod_log $message_id from $sender_address contained spam keywords" 
 
to this... 
 
logwrite "$tod_log $message_id Message FROM $sender_address TO $header_to contained spam keywords - SUBJECT: $header_subject" 
 
Now, if a customer complains about not receiving email, I can do a search for their address in the /var/log/filter.log file.

Zion 21:30, April 11, 2007

Is there an updated rule that corrects binary attachments from being marked/filtered as spam?

Steve 00:19, April 12, 2007

This is not a maintaned version. It's just free for reference. Go check out http://www.serverprogress.com for a maintained version, but it won't be free.

Justin 07:06, July 4, 2007

The stuff is really good!!! 
 
Can we add rules such that say if the body contains both the words say ebay and paypal (the operator and, rather than or). 
 
This method would be more effective, since spam mails have specific patterns many a times. And we can fight them more effectively with this method. 
 
Thanks in advance ...

Jake Jammin 01:26, July 12, 2007

To Bro Bill: 
MailScanner did Modify the installer script to change the exim system_filter to an empty file (/etc/antivirus.empty) instead of periodically emptying /etc/antivirus.exim file. 
 
You can still use *both* MailScanner and additional antivirus.exim filtering by putting your code in /etc/antivirus.empty. That way the daily cronjob won't empty out the system_filter file anymore so you can put what you want in there and it will be used.

Jake Jammin 03:14, July 12, 2007

I also would like to say THANK YOU Steve for the great post!! Works great on a cPanel server with no abnormal blocking. 
 
To avoid the filter.log from getting HUGE, you may want to add that log to your Logrotate... 
 
Here is how I did it: 
touch /etc/logrotate.d/filter 
vi /etc/logrotate.d/filter 
 
Add the following: 
/var/log/filter.log { 
missingok 
compress 
postrotate 
endscript 
} 
 
Save changes and you're done. 
 
When your Logrotate runs it should compress the old /var/log/filter.log and start new.... 
 
How many compressed files it will keep before dumping the last, is set in your /etc/logrotate.conf file. 
 
Good Luck! 
Jake

Med Anouar 02:50, March 11, 2008

to get it work with cpanel 11 add it to the file : 
 
/etc/cpanel_exim_system_filter 
 
 
tanks

Sergiu Tot 13:23, April 23, 2010

Very useful article. Thank you!

Kunnu Singh 17:35, September 24, 2010

Not work.

123 16:27, April 12, 2011

what do you save the file extension as because i am writing it in plain script please help!

Best-Selling Hosting

Top Rated Providers

Editors Pick

Preventing Spam with Antivirus.exim Published: May 10, 2006

Rating

5/5

Rating

Rating

Rate it!

Related Articles

Comments (45)

Add Your Thoughts

Best-Selling Hosting

Top Rated Providers

Editors Pick

Preventing Spam with Antivirus.exim Published: May 10, 2006 Rating 5/5

Rating

Rating

Rate it!

Related Articles

Comments (45)

Add Your Thoughts

Preventing Spam with Antivirus.exim Published: May 10, 2006

Rating

5/5