Preventing Spam with Antivirus.exim Published: May 10, 2006
Some minor updates today. I changed our ad server; the previous version wasn’t always showing ads correctly in Internet Explorer. It would sometimes come up blank, which was very strange. I also upgraded some scripts on the site.

Since I added the new image verification for comments I’ve only received 1 comment spam. This is a huge difference from previously where I was getting hundreds of spam comments per day.

I’m working on putting together a local file server for the office network here. There are a few old systems lying around whose hardware I can put back to work. The system I’m using is an old Celeron 566 Slot 1, but the card seems messed up. I managed to find a pair of P3 1GHz CPUs on eBay for under $55 to replace the old Celeron. The board doesn’t have SATA, but it already has over 700 megs of RAM, so it should do nicely. All I need after the CPUs arrive are 2 IDE drives (probably 200+ gigs each) and I should be all set.

Comments (45)

  • zac 18:49, May 11, 2006
    good article, but be careful, by default, this file will be overwritten by upcp on a regular basis.
  • Steve 17:40, May 12, 2006
    Actually that's not true. I just did a /scripts/upcp and it ran without any problem and didn't affect the antivirus.exim file at all.
  • Tom 00:29, May 13, 2006
    Hi,

    Did anybody see higher server load when running these filter settings?
  • Steve 00:39, May 14, 2006
    Well you could take out the ## Common Spam # Header Spam section which filters all incoming and outgoing but I didn't see any notice on my system at all after this.
  • zac 20:42, May 14, 2006
    Steve, did you run it with --force, as most people do when running it in the shell?
  • Steve 19:49, June 6, 2006
    Yes, it doesn't get overwritten =)
  • ImZan 01:31, June 14, 2006
    I think there are some issues with the script dropping emails from the system when they are sent by nobody - has anyone experienced this?
  • Alias 09:33, June 22, 2006
    are you sure it is stopping nobody from sending mail??? because my server is using a forum also

    Please advise me
  • HASAN 00:42, June 30, 2006
    I have a problem with copy and paste

    Please put the antivirus.exim configuration in a txt file
  • Jay 12:59, July 9, 2006
    i added this to my antivirus.exim file but i still don't see any difference.. just about 3-4 emails got deleted.. but that's about it... i was hoping for better than that...
  • Noushad 14:36, July 10, 2006
    Is it blocking the nobody user from sending mail..
    because I am using phpBB on my server.

    Please update it,
  • Steve 16:04, July 10, 2006
    I don't recommend using the COMMON SPAM section unless you need to. This was more for showing you what it can do. If you're having issues I suggest removing that area of the config.

    Been using it on very busy systems, no performance problems.
  • Robin 17:16, July 20, 2006
    Most people don't use --force when running from the shell, there's no need to force an upcp unless you're having other problems. Just running upcp is the same as when cPanel does its automatic updates (if selected). If you're not having problems from a previous update then --force just takes longer and does more than what's necessary to update cPanel.
  • virtua 00:16, July 27, 2006
    yup... you're right Steve, I don't see anything in the log, only when the section #COMMON SPAM# is active... no filtered emails by phishing or fake senders...
  • Stephen Strong 03:00, August 7, 2006
    Is this going to block legit e-mails from ebay, paypal, etc?
  • Steve WHG 18:02, August 7, 2006
    Stephen,

    No, this doesn't block legitimate e-mail from the companies listed. It's set up in a specific way to only block messages with the source address being forged when it's being sent out from your server. Works great, using it on many many many systems.
  • Rog 19:16, August 12, 2006
    Nice, thank you
  • Rolly 00:07, August 17, 2006
    Seems to work too well; I implemented this on my server and could not send jpg or gif as attachments (had to zip them). Weird or what?
  • gary 02:27, August 19, 2006
    This is a nice script. :) Thanks WHG for this!

    I don't fully understand this area:

    I have noticed some senders sending out huge numbers of spam mails.

    Is it safe to add in this line? Will this not block legitimate mails from
  • Stephen Strong 02:39, August 19, 2006
    Thanks Steve for your response!

    I seem to be having the same issue as Rolly. I can't send e-mails with JPG or GIF attachments ...
  • angel 01:52, August 25, 2006
    messed up, I couldn't receive any emails at all!
  • Russ 16:09, September 3, 2006
    Hey Steve (or others),
    How can I get this regex working?
    $message_headers: matches "(email1|email2)@(domain1|domain2).com"
    I've tried ^, but I don't exactly know how to specify this otherwise. Currently, it does not error, but also does not work.

    Thanks,
  • To You 00:07, October 1, 2006
    I switched the antivirus.exim to this new one and now I get an error when trying to deliver mail. Anyone know why?

    Error in system filter: "and" or "or" or "then" expected near line 12 of filter file, but found "\240or"
  • Bro Bill 16:11, October 15, 2006
    I see that MailScanner removes and/or renames this file by default, to bypass it entirely. In fact, the latest version of MailScanner changes the Exim configuration in WHM to rename antivirus.exim to /etc/antivirus.empty.

    I'd like to be able to use *both* MailScanner and additional antivirus.exim filtering. Is there a reason I shouldn't?
  • Steel Rat 15:29, October 23, 2006
    I added this to my antivirus.exim file, and it prevented me from sending just about anything with an attachment, even just jpg images.

    I didn't see anything in the script that controlled this, but as soon as I removed the entire thing I was able to send again.

    Is there a way I can have this work effectively and not block my own email??
  • Dev 21:29, October 27, 2006
    Does it matter if we add this at the start of the existing file or at the end of the file?
  • Ken 03:52, October 30, 2006
    I attempted to test the logging and sent out an email with some "fake" ebay stuff in the body and it was not logged. Anyone else having this problem?
  • rizalmhm 16:57, December 4, 2006
    Question,

    How to block spam email like fbi*@*.* or debora*@*.*
    thank you
  • jalu 07:37, February 16, 2007
    thanks steve, it works for me.
    how about spam from Russian typo like this "Корпоративные тренинги"? do you have experience with this? do you have a suggestion?
  • Soumen Biswas 10:34, March 22, 2007
    Maybe it will work. But what about image attachments, e.g. .gif? Spammers are sending attachment spam.
  • bill 17:51, April 4, 2007
    Cool script. I see the variable

    $sender_address

    What is the variable for

    $to_address

    I tried $header_to

    but that does not work.
  • bill 19:09, April 4, 2007
    Nice script, but I found that if a customer wasn't receiving email, the default log message created by the script was not good enough. So, I edited it just a bit from this...

    logwrite "$tod_log $message_id from $sender_address contained spam keywords"

    to this...

    logwrite "$tod_log $message_id Message FROM $sender_address TO $header_to contained spam keywords - SUBJECT: $header_subject"

    Now, if a customer complains about not receiving email, I can do a search for their address in the /var/log/filter.log file.
  • Zion 21:30, April 11, 2007
    Is there an updated rule that stops binary attachments from being marked/filtered as spam?
  • Steve 00:19, April 12, 2007
    This is not a maintained version. It's just free for reference. Go check out for a maintained version, but it won't be free.
  • Justin 07:06, July 4, 2007
    The stuff is really good!!!

    Can we add rules such that, say, if the body contains both the words ebay and paypal (the operator and, rather than or)?

    This method would be more effective, since spam mails have specific patterns many a time. And we can fight them more effectively with this method.

    Thanks in advance ...
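    Russ's header regex, bill's question about a To: variable and Justin's "and" condition all come down to Exim filter syntax, and the "\240or" error reported further up is a file-encoding problem rather than a syntax one. The fragment below is an added example written for this page; it is not the antivirus.exim from the post, nor cPanel's or MailScanner's filter. The addresses, domains and keywords are placeholders; $message_headers, $message_body, $sender_address, $h_to: and $h_subject: are standard Exim filter variables.

```exim
# Exim filter
# Added example for this page (not the post's antivirus.exim). Addresses,
# domains and the two keywords are placeholders; adjust them before use.

# Keep this file plain ASCII. Text pasted from a web page often carries a
# non-breaking space instead of a normal space; Exim sees it as byte \240
# and reports:
#   Error in system filter: "and" or "or" or "then" expected ... but found "\240or"

# One rule with three conditions joined by "and" (all must hold).
#  - (?i) makes the regex case-insensitive, (?m) lets ^ match the start of
#    each header line, so the address must appear in a From: header rather
#    than anywhere in the headers.
#  - [.] is a literal dot; it avoids a backslash, which double-quoted filter
#    strings would otherwise process as an escape.
if $message_headers matches "(?im)^From:.*(email1|email2)@(domain1|domain2)[.]com"
   and $message_body contains "ebay"
   and $message_body contains "paypal"
then
  # Header values are read as $h_<name>: with the colon as part of the name,
  # so the recipient and subject go into the log line and a customer's
  # address can be searched for later.
  logwrite "$tod_log $message_id FROM $sender_address TO $h_to: SUBJECT: $h_subject: matched forged-sender rule"
  # Mark the message as handled and stop filtering (it is discarded).
  seen finish
endif
```

    The "# Exim filter" first line is required for Exim to treat the file as a filter. A "matches" regex that "does not error but also does not work" is the usual symptom of a missing (?m) when testing a multi-line variable such as $message_headers with ^.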
  • Jake Jammin 01:26, July 12, 2007
    To Bro Bill:
    MailScanner did modify the installer script to change the Exim system_filter to an empty file (/etc/antivirus.empty) instead of periodically emptying the /etc/antivirus.exim file.

    You can still use *both* MailScanner and additional antivirus.exim filtering by putting your code in /etc/antivirus.empty. That way the daily cronjob won't empty out the system_filter file anymore, so you can put what you want in there and it will be used.
  • Jake Jammin 03:14, July 12, 2007
    I also would like to say THANK YOU Steve for the great post!! Works great on a cPanel server with no abnormal blocking.

    To avoid the filter.log from getting HUGE, you may want to add that log to your logrotate...

    Here is how I did it:
    touch /etc/logrotate.d/filter
    vi /etc/logrotate.d/filter

    Add the following:
    /var/log/filter.log {
    missingok
    compress
    postrotate
    endscript
    }

    Save changes and you're done.

    When your logrotate runs it should compress the old /var/log/filter.log and start new....

    How many compressed files it will keep before dumping the last is set in your /etc/logrotate.conf file.

    Good Luck!
  • Med Anouar 02:50, March 11, 2008
    to get it to work with cPanel 11 add it to the file:

    /etc/cpanel_exim_system_filter
  • Sergiu Tot 13:23, April 23, 2010
    Very useful article. Thank you!
  • Kunnu Singh 17:35, September 24, 2010
    Does not work.
  • 123 16:27, April 12, 2011
    what do you save the file extension as, because I am writing it in plain script? please help!

