• Status: Solved
  • Priority: Medium
  • Security: Public

Exim Filter problem

I want to delete any mail that has the word "Webmail" in the subject or body, but I want to make sure these messages still get to our helpdesk. So the filter I have looks for the word within the subject and body, but if the message contains the helpdesk email, it sends it on to the mailbox. The problem is that the filter kills the emails, but it also kills them for the helpdesk. So I am sure I have something wrong. My understanding is that once it finds the word webmail but also sees the helpdesk email, it will pass it along. If it finds the word webmail but not helpdesk, then it will delete the message. At least, that is the goal. Bottom line is that we have been having some phishing emails going around asking for webmail account info. I want to kill them at the MTA, but still allow users to send helpdesk emails about webmail problems. Also, all our users use different mail servers from different networks, so I cannot base this on local use.
if $message_body: contains "Webmail" or
$message_body: contains "webmail" or
$message_body: contains "WebMail" or
$message_body: contains "Web-Mail" or
$message_body: contains "web-mail" or
$message_body: contains "Web-mail" or
$message_body: contains "WEBMAIL" or
$message_body: contains "WEB-MAIL" or
$header_subject: contains "Webmail" or
$header_subject: contains "webmail" or
$header_subject: contains "WebMail" or
$header_subject: contains "Web-Mail" or
$header_subject: contains "web-mail" or
$header_subject: contains "Web-mail" or
$header_subject: contains "WEBMAIL" or
$header_subject: contains "WEB-MAIL" and
$header_To: does not contain "helpdesk@" or
$header_To: does not contain "techdesk@"
then
logwrite "$tod_log $message_id $sender_address $reply_address processed"
seen finish
endif

Asked by jellis4131
1 Solution
 
gheist commented:
X OR ( Y AND Z)
just like
1+2*3

ClamAV is good at common phishing mails, just like SpamAssassin, and they reject in the SMTP session.
DNS blacklists are also very efficient (hints at http://moensted.dk/spam).

I imagine that 8 text scans of ten 10MB mails will kill your system...
0
 
jellis4131 (author) commented:
We already run ClamAV and spamassassin clusters and phishing is already turned on. But these stupid webmail phishing emails keep getting through. So we want to just have Exim kill them. But the problem with this, is that if a user emails our support desk about a webmail problem, then exim will kill it as well. (As our users come from different networks to send mail to us.)
0
 
gheist commented:
I suggest DNS blacklists and greylisting as additional measures to protect your mailer.
The filter you are trying to create will reject some genuine webmails and slow down your system to no good.
There are many deviations from the SMTP and envelope RFCs (821, 822, 2821, 2822) done by spammers.

Are your users caught by phishing? Is local Spam filter available on their mail clients?

0
 
jellis4131 (author) commented:
We also already do greylisting and RBLs at the MTA level. I am just asking for someone to look at my filter script and tell me what is wrong with it. Load is not a problem; this is a five-server mail cluster.
0
 
gheist commented:
What is wrong is that AND takes precedence over OR:
  1 OR 2 OR 3 OR ( 4 AND 5 AND 6 ) and so on.
Not like you imagined:
(  1 OR 2 OR 3 OR 4 ) AND 5 AND 6
0
 
jellis4131 (author) commented:
So this is where I reply with something stupid,.... I just need to replace all my 'or' with 'and' & the 'and' with 'or'....
0
 
gheist commented:
You are wrong.

X OR Y == NOT (NOT x AND not y)
0
 
jellis4131 (author) commented:
Okay so I am still not understanding. Maybe if you can edit a small section that will help me.
if $header_subject: contains "WEBMAIL" or
$header_body: contains "WEBMAIL" and
$header_To: does not contain "helpdesk@"
then
.....
0
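An added example, not code from the thread, giving the edited section the last comment asks for: the filter rewritten with the grouping made explicit. It assumes the filter runs as an Exim system filter, and the addresses helpdesk@example.com and techdesk@example.com are placeholders for the real ones. Two things change relative to the posted filter. First, Exim evaluates "and" before "or", so the posted condition reads as A or B or ... or (H and X) or Y, meaning the helpdesk test was only attached to the final "WEB-MAIL" subject check; the parentheses below apply it to every keyword match. Second, the two "does not contain" tests were joined with "or": a message addressed only to helpdesk@ still does not contain techdesk@, so that part was true for it and the message was discarded anyway. The intended rule is "discard only if neither support address is a recipient", which is "and not ... and not ...". The eight spelling variants collapse into one case-insensitive regex.

```exim
# Exim filter
# Added example, not the thread's own filter. Assumes it is installed as the
# system filter (main config: system_filter = /etc/exim/system.filter) and that
# helpdesk@example.com / techdesk@example.com are placeholders for the real addresses.
#
# "and" binds more tightly than "or", so without parentheses
#   A or B or ... or H and X or Y   is read as   A or B or ... or (H and X) or Y
# The parentheses below give the intended (A or B or ...) and X and Y.

if (
     $message_body matches "(?i)web-?mail" or
     $header_subject: matches "(?i)web-?mail"
   )
   and not foranyaddress $recipients ( $thisaddress contains "helpdesk@example.com" )
   and not foranyaddress $recipients ( $thisaddress contains "techdesk@example.com" )
then
  # Neither support address is an envelope recipient: log it and drop the message.
  logwrite "$tod_log $message_id $sender_address $reply_address webmail phish discarded"
  seen finish
endif
```

`$message_body` only holds the first `message_body_visible` bytes of the body (default 1024), so raise that option in the main configuration if the phishing text sits further down. `$recipients` (the envelope recipients, available in the system filter) is used instead of the To: header because a spoofed or empty To: does not affect it; `foranyaddress $h_to:,$h_cc: ( ... )` would check the headers instead. A system filter runs after the message has been accepted, so `seen finish` silently discards; to refuse the message during the SMTP session, the same `match` test belongs in a `deny` statement in the DATA ACL instead.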
