Preventing Spam with Antivirus.exim
Published: May 10, 2006

Cpanel servers have a nice little file called antivirus.exim. Most of you have probably never heard of this magic little gem. It's a central filter for the exim mail server that lets you set up all kinds of wonderful filters to help stop spam from coming in and going out of your server.

I’m going to share my /etc/antivirus.exim config file with you guys because I hate spam and you do as well. This will help protect you and therefore protect me as well because your server might be spamming mine one day.

First off, the default /etc/antivirus.exim has a couple of different rule sets in it. The main ones are attachment filters to help stop email viruses from your users. They stop things like .src and .com and .exe attachments.

The custom rules below stop spammers from sending mail out of your server; you can also use them to stop spam from coming in. I don't go into a lot of detail on filtering incoming mail, since other applications like SpamAssassin handle that better IMO.

You need root access to your Cpanel server as usual.

First off, we need to create a special log file for these filters. Do this:

touch /var/log/filter.log
chmod 0644 /var/log/filter.log

Now open up the configuration file:
vi /etc/antivirus.exim

It should have a whole whack of comments at the top.

Here's the webhostgear.com antivirus.exim configuration. Simply add this to your existing file and save the changes; they take effect instantly.

 

### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com
######################################################

# START
# Filters all incoming and outgoing mail

logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
# (indent with plain ASCII spaces or tabs only)
 $header_subject: contains "Pharmaceutical"
 or $header_subject: contains "Viagra"
 or $header_subject: contains "Cialis"
 or $header_subject: is "The Ultimate Online Pharmaceutical"
 or $header_subject: contains "***SPAM***"
 or $header_subject: contains "[SPAM]"

# Body Spam
or $message_body: contains "Cialis"
or $message_body: contains "Viagra"
or $message_body: contains "Leavitra"
or $message_body: contains "St0ck"
or $message_body: contains "Viaagrra"
or $message_body: contains "Cia1iis"
or $message_body: contains "URGENT BUSINESS PROPOSAL"
# TLD list is an alternation group; square brackets would be a character class
or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)"
or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
then
# Log Message - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
#fail text "Message has been rejected because it has\n\
#           triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
 seen finish
endif

# END
# Filters all incoming and outgoing mail

# START
# All outgoing mail on the server only - what is sent out
#Check forwarders so it doesn't get blocked
#Forwarders still work =)
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local"          or
         $received_protocol is "esmtpa"
        ) and (
         $header_from contains "@citibank.com"  or
         $header_from contains "@bankofamerica.com" or
         $header_from contains "@wamu.com"      or
         $header_from contains "@ebay.com"      or
         $header_from contains "@chase.com"     or
         $header_from contains "@paypal.com"    or
         $header_from contains "@wellsfargo.com" or
        $header_from contains "@bankunited.com" or
        $header_from contains "@bankerstrust.com" or
        $header_from contains "@bankfirst.com" or
        $header_from contains "@capitalone.com" or
        $header_from contains "@citizensbank.com" or
        $header_from contains "@jpmorgan.com" or
        $header_from contains "@wachovia.com" or
        $header_from contains "@bankone.com" or
        $header_from contains "@suntrust.com" or
        $header_from contains "@amazon.com" or
        $header_from contains "@banksecurity.com" or
        $header_from contains "@visa.com" or
        $header_from contains "@mastercard.com" or
        $header_from contains "@mbna.com"
)
  then
     logwrite "$tod_log $message_id from $sender_address is fraud"
     seen finish
  endif
## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local"          or
         $received_protocol is "esmtpa"
        ) and (
        $header_from contains "@hotmail.com" or
        $header_from contains "@yahoo.com" or
        $header_from contains "@aol.com"

)
  then
     logwrite "$tod_log $message_id from $sender_address is forged fake"
     seen finish
  endif
 
## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if      (
         $received_protocol is "local"          or
         $received_protocol is "esmtpa"
        ) and (
#Paypal
        $message_body: contains "Dear valued PayPal member" or
        $message_body: contains "Dear valued PayPal customer" or
        $message_body: contains "Dear Paypal" or
        $message_body: contains "The PayPal Team" or
        $message_body: contains "Dear Paypal Customer" or
        $message_body: contains "Paypal Account Review Department" or

#Ebay
        $message_body: contains "Dear eBay member" or
        $message_body: contains "Dear eBay User" or
        $message_body: contains "The eBay team" or
        $message_body: contains "Dear eBay Community Member" or

#Banks
        $message_body: contains "Dear Charter One Customer" or
        $message_body: contains "Dear wamu.com customer" or
        $message_body: contains "Dear valued Citizens Bank member" or
        $message_body: contains "Dear Visa" or
        $message_body: contains "Dear Citibank" or
        $message_body: contains "Citibank Email" or
        $message_body: contains "Dear customer of Chase Bank" or
        $message_body: contains "Dear Bank of America customer" or
 

#ISPs
        $message_body: contains "Dear AOL Member" or
        $message_body: contains "Dear AOL Customer"

        )
  then
     logwrite "$tod_log $message_id from $sender_address is phishing"
     seen finish
  endif
# END
# All outgoing mail on the server only - what is sent out
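Because the rules take effect as soon as the file is saved, a pasted copy is worth checking first. The script below is an added example, not part of the original article: it lists lines containing non-ASCII bytes (a paste from a web page can carry 0xA0 non-breaking spaces, which produce a filter syntax error) and then dry-runs the file with Exim's -bF test mode; the function names, addresses and test message are constructed.

```shell
#!/bin/sh
# Added example: check a system filter file before saving it over
# /etc/antivirus.exim. Function names and the test message are constructed.

# Print the numbers of lines that contain bytes outside 7-bit ASCII,
# such as the 0xA0 non-breaking space. Returns 1 if any line is affected.
non_ascii_lines() {
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        clean=$(printf '%s' "$line" | LC_ALL=C tr -d '\200-\377')
        if [ "$clean" != "$line" ]; then
            echo "$n"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Dry-run the filter on a constructed outgoing message; nothing is delivered.
# -bF tests a system filter, -f sets the envelope sender and -oMr sets
# $received_protocol, which the outgoing-only rules test for "local".
dry_run_filter() {
    command -v exim >/dev/null 2>&1 || { echo "exim not found" >&2; return 2; }
    exim -bF "$1" -f nobody@host.example -oMr local <<'EOF'
From: service@paypal.com
To: someone@example.org
Subject: account review

Dear valued PayPal member, this is a constructed test message.
EOF
}

# Usage: sh check_filter.sh /path/to/new-antivirus.exim
if [ "$#" -ge 1 ]; then
    if non_ascii_lines "$1"; then
        dry_run_filter "$1"
    else
        echo "fix the lines listed above before installing $1" >&2
        exit 1
    fi
fi
```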

 

Entries in the log file /var/log/filter.log look like this:

2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@gmail.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowellu7xn@gmail.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.wavepointmedia.com is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.wavepointmedia.com is phishing


Each entry gives the date and time, the Exim message ID, the sender and the section of the filter that matched, like phishing, fraud or spam. You can check the mail message by grepping the exim_mainlog for its ID like this:

grep 1FZEB9-0002KQ-VP /var/log/exim_mainlog
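To go from single lookups to a summary, the script below (an added example, not part of the original article) counts filter.log hits per sender and category and pulls the message IDs logged by the outgoing-only rules, which are the entries that point at a script or account on your own server. The sample log lines and function names are constructed; it assumes the unmodified logwrite format shown above.

```shell
#!/bin/sh
# Added example: triage /var/log/filter.log entries written by the
# logwrite lines above. Sample data and function names are constructed.

# Constructed sample in the article's log format:
# date time message-id "from" sender reason
sample_filter_log() {
    cat <<'EOF'
2006-05-10 12:05:13 1AAAAA-000001-AA from outside1@example.test contained spam keywords
2006-05-10 12:09:40 1AAAAB-000002-BB from nobody@host.example.test is fraud
2006-05-10 12:09:41 1AAAAC-000003-CC from nobody@host.example.test is phishing
2006-05-10 12:09:55 1AAAAD-000004-DD from nobody@host.example.test is phishing
EOF
}

# Print "count sender category", most frequent first.
summarize_filter_log() {
    awk '$4 == "from" {
            reason = $6
            for (i = 7; i <= NF; i++) reason = reason " " $i
            sub(/^(is|contained) /, "", reason)
            count[$5 " " reason]++
         }
         END { for (k in count) print count[k], k }' "$1" |
        sort -k1,1nr -k2
}

# Message IDs logged by the outgoing-only rules (fraud, forged fake,
# phishing). Those rules require $received_protocol "local" or "esmtpa",
# so each hit is mail submitted on this server: a local script or an
# authenticated account, which is where a compromise would show up.
outgoing_hit_ids() {
    awk '$4 == "from" && /is (fraud|forged fake|phishing)$/ { print $3 }' "$1"
}

# Usage: sh filter_triage.sh /var/log/filter.log
if [ "$#" -ge 1 ]; then
    summarize_filter_log "$1"
    for id in $(outgoing_hit_ids "$1"); do
        grep "$id" /var/log/exim_mainlog
    done
fi
```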

If you haven't already, you should enable a higher level of logging in your mail server, which will be covered in our next tutorial.

Enjoy

Steve


Comments (45)

  • zac 18:49, May 11, 2006
    good article, but be careful, by default, this file will be overwritten by upcp on a regular basis.
  • Steve 17:40, May 12, 2006
    Actually that's not true. I just did a /scripts/upcp and it ran without any problem and didn't affect the antivirus.exim file at all.
  • Tom 00:29, May 13, 2006
    Hi,

    Did anybody see higher server load when running these filter settings?

    Thanks
  • Steve 00:39, May 14, 2006
    Well you could take out the ## Common Spam # Header Spam section which filters all incoming and outgoing but I didn't see any notice on my system at all after this.
  • zac 20:42, May 14, 2006
    Steve, did you run it with --force, as most people do when running it in shell?
  • Steve 19:49, June 6, 2006
    Yes, it doesn't get overwritten =)
  • ImZan 01:31, June 14, 2006
    I think there are some issues with the script dropping emails from the system when they are sent by nobody - has anyone experienced this?
  • Alias 09:33, June 22, 2006
    Are you sure it is stopping nobody sending mail? Because my server is using a forum also.

    Please advise me
  • HASAN 00:42, June 30, 2006
    I have a problem with copy and paste

    Please put the antivirus.exim configuration in a txt file

    thanks
  • Jay 12:59, July 9, 2006
    I added this to my antivirus.exim file but I still don't see any difference.. just about 3-4 emails got deleted.. but that's about it... I was hoping for better than that...
  • Noushad 14:36, July 10, 2006
    Is it blocking the nobody user sending mail?
    Because I am using PHPBB on my server.

    Please update it,
  • Steve 16:04, July 10, 2006
    I don't recommend using the COMMON SPAM section unless you need to. This was more for showing you what it can do. If you're having issues I suggest removing that area of the config.

    Been using on very busy systems, no performance problems.
  • Robin 17:16, July 20, 2006
    Most people don't use --force when running from shell, there's no need to force a upcp unless you're having other problems. Just running upcp is the same as when Cpanel does its automatic updates (if selected). If you're not having problems from a previous update then --force just takes longer and does more than what's necessary to update Cpanel.
  • virtua 00:16, July 27, 2006
    yup... you're right Steve, I don't see anything in the log, only when the section #COMMON SPAM# is active... no filtered emails by phishing or fake senders...
  • Stephen Strong 03:00, August 7, 2006
    Is this going to block legit e-mails from ebay, paypal, etc?

    Thanks!
  • Steve WHG 18:02, August 7, 2006
    Stephen,

    No this doesn't block legitimate e-mail from the companies listed. It's set up in a specific way to only block messages with the source address being forged when it's being sent out from your server. Works great, using on many many many systems.
  • Rog 19:16, August 12, 2006
    Nice, thank you
  • Rolly 00:07, August 17, 2006
    Seems to work too good; I implemented this on my server and could not send jpg or gif as attachments (had to zip them). Weird or what?
  • gary 02:27, August 19, 2006
    This is a nice script. :) Thanks WHG for this!

    I don't fully understand this area:

    ## OTHER FAKE SENDERS SPAM

    I did notice some senders using fakename@domaininmyserver.com sending out a huge number of spam mails.

    Is it safe to add @domaininmyserver.com in this line? Will this not block legitimate mails from @domaininmyserver.com?
  • Stephen Strong 02:39, August 19, 2006
    Thanks Steve for your response!

    I seem to be having the same issue as Rolly. I can't send e-mails with JPG or GIF attachments ...
  • angel 01:52, August 25, 2006
    messed up, I couldn't receive any emails at all!
  • Russ 16:09, September 3, 2006
    Hey Steve (or others),
    How can I get this regex working?
    $message_headers: matches "(email1|email2)@(domain1|domain2).com"
    I've tried ^, but I don't exactly know how to specify this otherwise. Currently, it does not error, but also does not work.

    Thanks,
    Russ
  • To You 00:07, October 1, 2006
    I switched the antivirus.exim to this new one and now I get an error when trying to deliver mail. Anyone know why?

    Error in system filter: "and" or "or" or "then" expected near line 12 of filter file, but found "\240or"
  • Bro Bill 16:11, October 15, 2006
    I see that MailScanner removes and/or renames this file by default, to bypass it entirely. In fact, the latest version of MailScanner changes the EXIM configuration in WHM to rename antivirus.exim to /etc/antivirus.empty.

    I'd like to be able to use *both* MailScanner and additional antivirus.exim filtering. Is there a reason I shouldn't?
  • Steel Rat 15:29, October 23, 2006
    I added this to my antivirus.exim file, and it prevented me from sending just about anything with an attachment, even just jpg images.

    I didn't see anything in the script that controlled this, but as soon as I removed the entire thing I was able to send again.

    Is there a way I can have this work effectively and not block my own email??
  • Dev 21:29, October 27, 2006
    Does it matter if we add this to the start of the existing file or at the end of the file?
  • Ken 03:52, October 30, 2006
    I attempted to test the logging and sent out an email with some "fake" ebay stuff in the body and it was not logged. Anyone else having this problem?
  • rizalmhm 16:57, December 4, 2006
    Question,

    How to block spam email like fbi*@*.* or debora*@*.*
    thank you
  • jalu 07:37, February 16, 2007
    thanks steve, it works for me.
    how about spam from Russian typo like this "Корпоративные тренинги"? do you have experience with this? do you have a suggestion?
  • Soumen Biswas 10:34, March 22, 2007
    Maybe it will work. But what about image, e.g. .gif, attachments? Spammers are sending attachment spam.
  • bill 17:51, April 4, 2007
    Cool script. I see the variable

    $sender_address

    What is the variable for

    $to_address

    I tried $header_to

    but that does not work.
  • bill 19:09, April 4, 2007
    Nice script, but I found that if a customer wasn't receiving email, the default log message created by the script was not good enough. So, I edited it just a bit from this...

    logwrite "$tod_log $message_id from $sender_address contained spam keywords"

    to this...

    logwrite "$tod_log $message_id Message FROM $sender_address TO $header_to contained spam keywords - SUBJECT: $header_subject"

    Now, if a customer complains about not receiving email, I can do a search for their address in the /var/log/filter.log file.
  • Zion 21:30, April 11, 2007
    Is there an updated rule that corrects binary attachments from being marked/filtered as spam?
  • Steve 00:19, April 12, 2007
    This is not a maintained version. It's just free for reference. Go check out http://www.serverprogress.com for a maintained version, but it won't be free.
  • Justin 07:06, July 4, 2007
    The stuff is really good!!!

    Can we add rules such that, say, the body contains both the words ebay and paypal (the operator and, rather than or)?

    This method would be more effective, since spam mails have specific patterns many a time. And we can fight them more effectively with this method.

    Thanks in advance ...
  • Jake Jammin 01:26, July 12, 2007
    To Bro Bill:
    MailScanner did modify the installer script to change the exim system_filter to an empty file (/etc/antivirus.empty) instead of periodically emptying the /etc/antivirus.exim file.

    You can still use *both* MailScanner and additional antivirus.exim filtering by putting your code in /etc/antivirus.empty. That way the daily cronjob won't empty out the system_filter file anymore so you can put what you want in there and it will be used.
  • Jake Jammin 03:14, July 12, 2007
    I also would like to say THANK YOU Steve for the great post!! Works great on a cPanel server with no abnormal blocking.

    To avoid the filter.log from getting HUGE, you may want to add that log to your Logrotate...

    Here is how I did it:
    touch /etc/logrotate.d/filter
    vi /etc/logrotate.d/filter

    Add the following:
    /var/log/filter.log {
    missingok
    compress
    postrotate
    endscript
    }

    Save changes and you're done.

    When your Logrotate runs it should compress the old /var/log/filter.log and start new....

    How many compressed files it will keep before dumping the last is set in your /etc/logrotate.conf file.

    Good Luck!
    Jake
  • Med Anouar 02:50, March 11, 2008
    to get it to work with cpanel 11 add it to the file:

    /etc/cpanel_exim_system_filter

    thanks
  • Sergiu Tot 13:23, April 23, 2010
    Very useful article. Thank you!
  • Kunnu Singh 17:35, September 24, 2010
    Not work.
  • 123 16:27, April 12, 2011
    what do you save the file extension as? because I am writing it in plain script, please help!
