Exim Filter problem

Posted on 2009-04-30
Last Modified: 2013-11-22
I want to delete any mail with the subject or body with the word "Webmail" in it. But I want to make sure these messages get to our helpdesk only. So the filter I have looks for the word within the subject and body, but if it contains the helpdesk email, then send it to the mailbox. The problem is that the filter kills the emails but also kills it for helpdesk. So I am sure I have something wrong. My understanding is that once it finds the word webmail, but also sees the helpdesk email it will pass it along. If it finds the word webmail but not helpdesk, then it will delete the message. At least that is the goal. Bottom line is that we have been having some phishing emails going around asking for webmail account info. I want to kill them at the MTA, but also still allow users to send helpdesk emails about webmail problems. Also all our users use different mail servers from different networks. So I cannot base this on local use.
if $message_body: contains "Webmail" or
   $message_body: contains "webmail" or
   $message_body: contains "WebMail" or
   $message_body: contains "Web-Mail" or
   $message_body: contains "web-mail" or
   $message_body: contains "Web-mail" or
   $message_body: contains "WEBMAIL" or
   $message_body: contains "WEB-MAIL" or
   $header_subject: contains "Webmail" or
   $header_subject: contains "webmail" or
   $header_subject: contains "WebMail" or
   $header_subject: contains "Web-Mail" or
   $header_subject: contains "web-mail" or
   $header_subject: contains "Web-mail" or
   $header_subject: contains "WEBMAIL" or
   $header_subject: contains "WEB-MAIL" and
   $header_To: does not contain "helpdesk@" or
   $header_To: does not contain "techdesk@"
then
   logwrite "$tod_log $message_id $sender_address $reply_address processed"
   seen finish
endif



Question by:jellis4131

    Expert Comment

    X OR ( Y AND Z)
    just like

    clamav is good at common phishing mails just like spamassassin and they reject in smtp session.
    dns blacklists are also very efficient (hints at

    I imagine that 8 text scans of ten 10MB mails will kill your system...

    Author Comment

    We already run ClamAV and spamassassin clusters and phishing is already turned on. But these stupid webmail phishing emails keep getting through. So we want to just have Exim kill them. But the problem with this, is that if a user emails our support desk about a webmail problem, then exim will kill it as well. (As our users come from different networks to send mail to us.)

    Expert Comment

    I suggest DNS blacklists and greylisting as additional measures to protect your mailer.
    The filter you are trying to create will reject some genuine webmails and slow down your system to no good.
    There are many deviations from SMTP and Envelope RFCs (821 822 2821 2822) done by spammers.

    Are your users caught by phishing? Is local Spam filter available on their mail clients?


    Author Comment

    We also already do greylisting and RBLs at the MTA level as well. I am just asking for someone to look at my filter script and tell me what is wrong with it. Load is not a problem; this is a 5 server mail cluster.

    Accepted Solution

    Wrong is the fact that AND takes precedence over OR
      1 OR 2 OR 3 OR ( 4 AND 5 AND 6 ) and so on.
    Not like you imagined:
    (  1 OR 2 OR 3 OR 4 ) AND 5 AND 6

    Author Comment

    So this is where I reply with something stupid,.... I just need to replace all my 'or' with 'and' & the 'and' with 'or'....

    Expert Comment

    You are wrong.

    X OR Y == NOT (NOT X AND NOT Y)

    Author Comment

    Okay so I am still not understanding. Maybe if you can edit a small section that will help me.
    if $header_subject: contains "WEBMAIL" or
    $header_body: contains "WEBMAIL" and
    $header_To: does not contain "helpdesk@"
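
The grouping described in the accepted solution, written out as an added example that is not part of the original thread: parentheses close the OR group before `and` is applied, and the two "does not contain" tests are joined with `and`, following the NOT/AND identity quoted above. It assumes the file is used as an Exim system filter; the address fragments and the `logwrite` line are the ones from the question.

```exim
# Exim filter
#
# Added example: constructed for illustration, not posted in the thread.
#
# Lower-case "contains" ignores letter case in Exim filters, so one test
# covers Webmail / WEBMAIL / WebMail. The hyphenated spelling is a
# different string and needs its own test.
#
# Without the parentheses, "and" binds tighter than "or", so only the
# last "contains" test would be combined with the To: checks and every
# earlier match would drop the message on its own.
#
# The two To: tests are joined with "and": the message is dropped only
# when NEITHER desk address appears. Joined with "or", that part is true
# for any message that lacks at least one of the two addresses.

if
   (
     $message_body    contains "webmail"  or
     $message_body    contains "web-mail" or
     $header_subject: contains "webmail"  or
     $header_subject: contains "web-mail"
   )
   and $header_to: does not contain "helpdesk@"
   and $header_to: does not contain "techdesk@"
then
   logwrite "$tod_log $message_id $sender_address $reply_address processed"
   seen finish
endif
```

`$message_body` holds only the start of the body (`message_body_visible`, 500 bytes by default), so text further down is not tested. The exemption looks only at `To:`, as in the question, so a desk address placed in `Cc:` is not exempted.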
