Preventing Spam with Antivirus.exim Published: May 10, 2006
I’m very excited to announce that version 1.03 of Nobody Check is ready for download. This FREE security tool is now better than ever.

The Nobody Check tool is a new and unique security tool that can detect malicious processes running on your Linux server and report them to you in real time or by email. It autoconfigures itself to detect the appropriate Apache user and scans for hidden processes such as IRC Perl scripts, shell bots and much more.

This new version includes some exciting new features such as:
- cPanel, Plesk and DirectAdmin Support
- High level logging details
- Auto Kill malicious processes
- New scanning rules supporting more systems
- Auto install script

Project Link:



Comments (45)

  • zac 18:49, May 11, 2006
    good article, but be careful, by default, this file will be overwritten by upcp on a regular basis.
  • Steve 17:40, May 12, 2006
    Actually that's not true. I just did a /scripts/upcp and it ran without any problem and didn't affect the antivirus.exim file at all.
  • Tom 00:29, May 13, 2006
    Hi,

    Did anybody see higher server load when running these filter settings?
  • Steve 00:39, May 14, 2006
    Well you could take out the ## Common Spam # Header Spam section which filters all incoming and outgoing but I didn't see any notice on my system at all after this.
  • zac 20:42, May 14, 2006
    Steve, did you run it with --force, as most people do when running it in shell?
  • Steve 19:49, June 6, 2006
    Yes, it doesn't get overwritten =)
  • ferrari crash 21:57, June 12, 2006
    This is very interesting site...
  • toy box 13:10, June 13, 2006
    You have an outstanding good and well structured site. I enjoyed browsing through it.
  • ImZan 01:31, June 14, 2006
    I think there are some issues with the script dropping emails from the system when they are sent by nobody - has anyone experienced this?
  • hyundai car 03:50, June 14, 2006
    Wonderful and informative web site. I used information from that site, it's great.
  • truck toy 01:58, June 19, 2006
    Cool!.. Nice work...
  • Alias 09:33, June 22, 2006
    are u sure it is stopping nobody sending mail ??? because my server is using forum also

    Please advise me
  • HASAN 00:42, June 30, 2006
    I have problem with copy and paste

    Please put the antivirus.exim configuration in txt file
  • Jay 12:59, July 9, 2006
    i added this to my antivirus.exim file but i still don't see any difference.. just about 3-4 emails got deleted.. but that's about it... i was hoping better than that...
  • Noushad 14:36, July 10, 2006
    Is it blocking nobody user sending mail..
    because i am using PHPBB in my server.

    Please update it,
  • Steve 16:04, July 10, 2006
    I don't recommend using the COMMON SPAM section unless you need to. This was more for showing you what it can do. If you're having issues I suggest removing that area of the config.

    Been using on very busy systems, no performance problems.
  • Robin 17:16, July 20, 2006
    Most people don't use --force when running from shell, there's no need to force a upcp unless you're having other problems. Just running upcp is the same as when Cpanel does its automatic updates (if selected). If you're not having problems from a previous update then --force just takes longer and does more than what's necessary to update Cpanel.
  • virtua 00:16, July 27, 2006
    yup... you're right Steve, i don't see anything in the log, only when the section #COMMON SPAM# is active... no filtered emails by phishing or fake senders...
  • Stephen Strong 03:00, August 7, 2006
    Is this going to block legit e-mails from ebay, paypal, etc?
  • Steve WHG 18:02, August 7, 2006
    Stephen,

    No this doesn't block legitimate e-mail from the companies listed. It's set up in a specific way to only block messages with the source address being forged when it's being sent out from your server. Works great, using on many many many systems.
  • Rog 19:16, August 12, 2006
    Nice, thank you
  • Rolly 00:07, August 17, 2006
    Seems to work too good; I implemented this to my server and could not send jpg or gif as attachments (had to zip them). Weird or what?
  • gary 02:27, August 19, 2006
    This is a nice script. :) Thanks WHG for this!

    I don't fully understand this area:


    I did notice some senders using [email protected] sending out huge number of spam mails.

    Is it safe to add in this line? Will this not block legitimate mails from
  • Stephen Strong 02:39, August 19, 2006
    Thanks Steve for your response!

    I seem to be having the same issue as Rolly. I can't send e-mails with JPG or GIF attachments ...
  • angel 01:52, August 25, 2006
    messed up, I couldn't receive any emails at all!
  • Russ 16:09, September 3, 2006
    Hey Steve (or others),
    How can I get this regex working?
    $message_headers: matches "(email1|email2)@(domain1|domain2).com"
    I've tried ^, but I don't exactly know how to specify this otherwise. Currently, it does not error, but also does not work.

    Thanks,
  • To You 00:07, October 1, 2006
    I switched the antivirus.exim to this new one and now I get an error when trying to deliver mail. Anyone know why?

    Error in system filter: "and" or "or" or "then" expected near line 12 of filter file, but found "\240or"
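
Added example (not part of the original thread or of the article's filter): the `\240` in the error above is the octal escape for byte 0xA0, a no-break space, assumed here to have arrived with text pasted from a web page. This Python sketch reports such look-alike bytes by line and column and returns a cleaned copy; the sample filter, the function names and the list of sequences are constructed for illustration.

```python
import re
import sys

# Byte sequences that render like plain characters in a browser or editor
# but are not ASCII to the Exim filter parser -> (replacement, description).
# Multi-byte sequences come first so they win over the bare 0xA0.
SUSPECT = {
    b"\xc2\xa0": (b" ", "UTF-8 no-break space"),
    b"\xe2\x80\x9c": (b'"', "UTF-8 left curly quote"),
    b"\xe2\x80\x9d": (b'"', "UTF-8 right curly quote"),
    b"\xef\xbb\xbf": (b"", "UTF-8 byte order mark"),
    b"\xa0": (b" ", "Latin-1 no-break space (Exim prints it as \\240)"),
}
_PATTERN = re.compile(b"|".join(re.escape(seq) for seq in SUSPECT))

def find_suspect_bytes(data: bytes):
    """Return [(line, column, description)] for every suspect sequence."""
    hits = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        for m in _PATTERN.finditer(line):
            hits.append((lineno, m.start() + 1, SUSPECT[m.group()][1]))
    return hits

def clean(data: bytes) -> bytes:
    """Replace each suspect sequence with its plain ASCII equivalent."""
    return _PATTERN.sub(lambda m: SUSPECT[m.group()][0], data)

# Constructed sample: a filter pasted from a web page, with 0xA0 before "or".
SAMPLE = (
    b"# Exim filter\n"
    b'if $header_subject: contains "verify your account"\n'
    b'  \xa0or $header_subject: contains "account suspended"\n'
    b"then\n"
    b'  logwrite "$tod_log $message_id from $sender_address contained spam keywords"\n'
    b"  seen finish\n"
    b"endif\n"
)

if __name__ == "__main__":
    # With a path argument, check that file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for lineno, col, what in find_suspect_bytes(data):
        print(f"line {lineno}, column {col}: {what}")
```

After cleaning, `exim -bF <filter file>` with a test message on standard input checks that the system filter now parses.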
  • Bro Bill 16:11, October 15, 2006
    I see that MailScanner removes and/or renames this file by default, to bypass it entirely. In fact, the latest version of MailScanner changes the EXIM configuration in WHM to rename antivirus.exim to /etc/antivirus.empty.

    I'd like to be able to use *both* MailScanner and additional antivirus.exim filtering. Is there a reason I shouldn't?
  • Steel Rat 15:29, October 23, 2006
    I added this to my antivirus.exim file, and it prevented me from sending just about anything with an attachment, even just jpg images.

    I didn't see anything in the script that controlled this, but as soon as I removed the entire thing I was able to send again.

    Is there a way I can have this work effectively and not block my own email??
  • Dev 21:29, October 27, 2006
    Does it matter if we add this to the start of the existing file or at the end of the file?
  • Ken 03:52, October 30, 2006
    I attempted to test the logging and send out an email with some "fake" ebay stuff in the body and it was not logged. Anyone else having this problem?
  • rizalmhm 16:57, December 4, 2006
    Question,

    How to block spam email like fbi*@*.* or debora*@*.*
    thank you
  • jalu 07:37, February 16, 2007
    thanks steve, it works for me.
    how about spam from russian typo like this " Корпоративные тренинги "? do you have experience with this? do you have suggestion?
  • Soumen Biswas 10:34, March 22, 2007
    Maybe it will work. But what about image e.g. .gif attachment? Spammers are sending attachment spam.
  • bill 17:51, April 4, 2007
    Cool script. I see the variable

    $sender_address

    What is the variable for

    $to_address

    I tried $header_to

    but that does not work.
  • bill 19:09, April 4, 2007
    Nice script, but I found that if a customer wasn't receiving email, the default log message created by the script was not good enough. So, I edited it just a bit from this...

    logwrite "$tod_log $message_id from $sender_address contained spam keywords"

    to this...

    logwrite "$tod_log $message_id Message FROM $sender_address TO $header_to contained spam keywords - SUBJECT: $header_subject"

    Now, if a customer complains about not receiving email, I can do a search for their address in the /var/log/filter.log file.
  • Zion 21:30, April 11, 2007
    Is there an updated rule that corrects binary attachments from being marked/filtered as spam?
  • Steve 00:19, April 12, 2007
    This is not a maintained version. It's just free for reference. Go check out for a maintained version, but it won't be free.
  • Justin 07:06, July 4, 2007
    The stuff is really good!!!

    Can we add rules such that say if the body contains both the words say ebay and paypal (the operator and, rather than or).

    This method would be more effective, since spam mails have specific patterns many a times. And we can fight them more effectively with this method.

    Thanks in advance ...
  • Jake Jammin 01:26, July 12, 2007
    To Bro Bill:
    MailScanner did modify the installer script to change the exim system_filter to an empty file (/etc/antivirus.empty) instead of periodically emptying /etc/antivirus.exim file.

    You can still use *both* MailScanner and additional antivirus.exim filtering by putting your code in /etc/antivirus.empty. That way the daily cronjob won't empty out the system_filter file anymore so you can put what you want in there and it will be used.
  • Jake Jammin 03:14, July 12, 2007
    I also would like to say THANK YOU Steve for the great post!! Works great on a cPanel server with no abnormal blocking.

    To avoid the filter.log from getting HUGE, you may want to add that log to your Logrotate...

    Here is how I did it:
    touch /etc/logrotate.d/filter
    vi /etc/logrotate.d/filter

    Add the following:
    /var/log/filter.log {
    missingok
    compress
    postrotate
    endscript
    }

    Save changes and you're done.

    When your Logrotate runs it should compress the old /var/log/filter.log and start new....

    How many compressed files it will keep before dumping the last, is set in your /etc/logrotate.conf file.

    Good Luck!
  • Med Anouar 02:50, March 11, 2008
    to get it to work with cpanel 11 add it to the file:

    /etc/cpanel_exim_system_filter
  • Sergiu Tot 13:23, April 23, 2010
    Very useful article. Thank you!
  • Kunnu Singh 17:35, September 24, 2010
    Not work.
  • 123 16:27, April 12, 2011
    what do you save the file extension as because i am writing it in plain script please help!
