
Friday, April 12, 2013

Spam filtering with Exim filter on cPanel

1) touch /var/log/filter.log
2) chmod 0644 /var/log/filter.log

3) cp /etc/cpanel_exim_system_filter /etc/cpanel_exim_system_filter_new
Then append the following code to the end of the file “/etc/cpanel_exim_system_filter_new” and save.
—————————————————————————————–
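# START
# Filters all incoming and outgoing mail
#
# Keyword/regex spam filter applied to every message that passes through
# this host.  On a hit the match is written to the filter log and the
# message is discarded: "seen finish" marks it as delivered and stops
# further filtering, so there is no bounce and no delivery.  A false
# positive is therefore silent mail loss — /var/log/filter.log is the
# only trace, check it first when mail goes missing.
#
# Notes on the tests used below:
#  - is/contains/matches compare case-insensitively unless the keyword
#    is written in upper case (IS, CONTAINS, MATCHES).
#  - $message_body holds only the first message_body_visible bytes of
#    the body (Exim default 500), with newlines turned into spaces and no
#    decoding, so base64/quoted-printable or HTML-obfuscated text does
#    not match these patterns.
#  - Header variables take a terminating colon ($header_subject:);
#    $message_body is an ordinary variable and takes none — writing
#    "$message_body:" merely appends a literal ":" to the tested string
#    (harmless for "contains", but it would break an "is"/"ends" test).
logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
 $header_subject: contains "Pharmaceutical"
 or $header_subject: contains "Viagra"
 or $header_subject: contains "Cialis"
 or $header_subject: contains "RE: DISCOUNT 80% 0FF on Pfizer !"
 or $header_subject: is "The Ultimate Online Pharmaceutical"
 or $header_subject: contains "***SPAM***"
 or $header_subject: contains "[SPAM]"
# Body Spam
 or $message_body contains "Cialis"
 or $message_body contains "Viagra"
 or $message_body contains "Leavitra"
 or $message_body contains "St0ck"
 or $message_body contains "Viaagrra"
 or $message_body contains "Cia1iis"
 or $message_body contains "URGENT BUSINESS PROPOSAL"
# "angka..." site names: the TLD list is an alternation group.  The
# previous form "[net|com|...]" was a character class matching single
# letters (and "|"), so it fired on almost any text after "angka".
 or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)"
# Obfuscated drug/adult terms.  "pen(i|1)s" had stray spaces inside the
# group, which made it match nothing useful.  The short words "asu" and
# "seks" are bounded by lookarounds so they do not fire inside ordinary
# words ("casual", "measure"); lookarounds are used instead of "\b" or
# "$" because the filter's double-quoted strings consume a backslash
# and treat "$" as an expansion.
 or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|l(o|0)l(i|1)ta|dewacolok|(?<![a-z])(asu|seks)(?![a-z])"
then
# "fail" would send a rejection text back to the (usually forged)
# sender address, producing backscatter and more work for the mail
# system, so it is intentionally left commented out.
#fail text "Message has been rejected because it has
#           triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
 seen finish
endif
# END
# Filters all incoming and outgoing mail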
# START
# All outgoing mail on the server only - what is sent out
#
# Outbound anti-fraud check.  Mail that was submitted on this host —
# $received_protocol "local" (handed to the sendmail interface, e.g. by
# a script) or "esmtpa" (authenticated SMTP submission) — and whose
# From: header carries a bank, card-brand, payment or retail domain is
# logged as fraud and discarded with "seen finish" (no bounce).  Mail
# that only transits the server (inbound SMTP, forwarders) arrives with
# a different protocol and is left alone, which is why forwarders keep
# working.  The log line is the signal that a local account or script
# is sending such mail and should be looked at.
#
# "contains" is a case-insensitive substring test, so "@chase.com" also
# matches e.g. "@chase.com.example" in the From: header; the rule treats
# any appearance of these domains on locally submitted mail as fraud.
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
  $received_protocol is "local"
  or $received_protocol is "esmtpa"
) and (
# banks
  $header_from contains "@citibank.com"
  or $header_from contains "@bankofamerica.com"
  or $header_from contains "@wamu.com"
  or $header_from contains "@chase.com"
  or $header_from contains "@wellsfargo.com"
  or $header_from contains "@bankunited.com"
  or $header_from contains "@bankerstrust.com"
  or $header_from contains "@bankfirst.com"
  or $header_from contains "@capitalone.com"
  or $header_from contains "@citizensbank.com"
  or $header_from contains "@jpmorgan.com"
  or $header_from contains "@wachovia.com"
  or $header_from contains "@bankone.com"
  or $header_from contains "@suntrust.com"
  or $header_from contains "@mbna.com"
# card brands, payment and retail
  or $header_from contains "@visa.com"
  or $header_from contains "@mastercard.com"
  or $header_from contains "@paypal.com"
  or $header_from contains "@ebay.com"
  or $header_from contains "@amazon.com"
# other
  or $header_from contains "@banksecurity.com"
  or $header_from contains "@zamfoo.com"
)
then
  logwrite "$tod_log $message_id from $sender_address is fraud"
  seen finish
endif
## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
#
# Same shape as the financial check above, but for free-mail providers:
# locally submitted mail ("local" or "esmtpa") whose From: header names
# one of these domains is logged as forged and discarded without a
# bounce.  Legitimate users who send through this server with their
# webmail address as From: lose that mail silently, hence the author's
# "not recommended".  NOTE: as written this rule is active — to disable
# it, comment out everything from this "if" through its "endif".
logfile /var/log/filter.log 0644
if (
  $received_protocol is "local"
  or $received_protocol is "esmtpa"
) and (
  $header_from contains "@hotmail.com"
  or $header_from contains "@yahoo.com"
  or $header_from contains "@aol.com"
)
then
  logwrite "$tod_log $message_id from $sender_address is forged fake"
  seen finish
endif

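## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
#
# Outbound phishing-template check.  Locally submitted mail ("local" or
# "esmtpa") whose body contains a salutation or sign-off lifted from
# known phishing kits is logged as phishing and discarded ("seen
# finish", no bounce).  Because only locally originated mail is tested,
# a hit means a local account or script on this server is sending the
# phish — the log line is worth following up, not just counting.
#
# $message_body holds only the first message_body_visible bytes of the
# body (Exim default 500) and is not decoded, so templates sent as
# base64/HTML-only content are not caught.  The variable is written
# without a trailing colon: "$message_body:" is not a header reference,
# it just appends a literal ":" to the tested string.
logfile /var/log/filter.log 0644
if (
  $received_protocol is "local"
  or $received_protocol is "esmtpa"
) and (
#Paypal
  $message_body contains "Dear valued PayPal member"
  or $message_body contains "Dear valued PayPal customer"
  or $message_body contains "Dear Paypal"
  or $message_body contains "The PayPal Team"
  or $message_body contains "Dear Paypal Customer"
  or $message_body contains "Paypal Account Review Department"
#Ebay
  or $message_body contains "Dear eBay member"
  or $message_body contains "Dear eBay User"
  or $message_body contains "The eBay team"
  or $message_body contains "Dear eBay Community Member"
#Banks
  or $message_body contains "Dear Charter One Customer"
  or $message_body contains "Dear wamu.com customer"
  or $message_body contains "Dear valued Citizens Bank member"
  or $message_body contains "Dear Visa"
  or $message_body contains "Dear Citibank"
  or $message_body contains "Citibank Email"
  or $message_body contains "Dear customer of Chase Bank"
  or $message_body contains "Dear Bank of America customer"
#ISPs
  or $message_body contains "Dear AOL Member"
  or $message_body contains "Dear AOL Customer"
)
then
  logwrite "$tod_log $message_id from $sender_address is phishing"
  seen finish
endif
# END
# All outgoing mail on the server only - what is sent out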
 -----------------------------------------------------------------------------------------
4) Now select this filter from WHM as
main>>Service Configurations >>Exim Configuration Editor >>Select the file “/etc/cpanel_exim_system_filter_new “ under “Filters”.
This filter script will block most common spam and some KNOWN FAKE PHISHING emails. You can view the filter log at any time by typing “cat /var/log/filter.log” in a root SSH session.
