Re: Custom REGEX rules for CSF.
Posted: 03 Sep 2019, 06:38
Block junkmailers before they SPAM again.
The following custom REGEX rule is designed to block the IP of any mailer triggering a [Spamassassin] filter, preventing the mailer from sending subsequent messages. Works with any spam filter – check the exact verbiage of your log entries. Adjust trigger and temp/perm result to taste.
# Junk Mailer
# 1 try; 3 day ban
# CUSTOM1_LOG = "/var/log/exim_rejectlog"
# Works on CentOS6/7, exim MTA, cPanel, Spamassassin
# Return fields: message text, offending IP, rule id, trigger count,
# ports (none), temporary block in seconds (259200 = 3 days)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*\[(\S+)\]:\d+\s+.*mail server detected your message as spam.*/)) {
    return ("Junkmail sender",$1,"junkmailer","1","","259200");
}

This approach won't block the first one, but it will catch subsequent ones.

Blocks entries such as:

2019-08-01 04:02:04 1ht8qQ-0005Oy-HD H=(baron.tryimmoredfe.world) [67.198.188.215]:60033 F=<6752-26-981051-1766-user=example.com@mail.tryimmoredfe.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 06:54:26 1htBXA-00008g-Ky H=(clarke.resturtived.world) [67.198.188.216]:54497 F=<6761-26-981051-1768-user=example.com@mail.resturtived.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 09:27:16 1htDv9-0003By-Cr H=mta4.loomingbrexit.xyz (newark.windowpanning.xyz) [67.198.188.213]:53527 F=<6766-26-981051-1765-user=example.com@mail.windowpanning.xyz> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 10:29:09 1htEsq-0004F4-41 H=(clarke.resturtived.world) [67.198.188.216]:58155 F=<6773-26-981051-1768-user=example.com@mail.resturtived.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
Why filter spam when you can block it?
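
Added example, not part of the original post: an offline Perl harness that runs the posted pattern over sample reject-log lines and prints the IP each line would ban, which is a quick way to check the rule against the exact wording of your own log before loading it into CSF. The sub name `junkmail_rule`, the stricter `$strict` pattern and the third sample line are assumptions made for this example.

```perl
#!/usr/bin/perl
# Offline harness (added example): run the rule's pattern over sample
# exim_rejectlog lines and show which IP each line would ban.
use strict;
use warnings;

# Pattern exactly as posted.
my $posted = qr/^.*\[(\S+)\]:\d+\s+.*mail server detected your message as spam.*/;

# Stricter variant (an assumption of this example, not from the post):
# anchored on exim's timestamp and message id, and capturing only a
# dotted-quad IPv4 in the bracketed field directly before F=. H= and F=
# are supplied by the remote side, so the capture is tied to the field
# exim writes itself.
my $strict = qr/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ H=.*? \[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+ F=<[^>]*> rejected after DATA: "The mail server detected your message as spam/;

# Returns the same six-field list the CSF rule returns, or an empty list.
sub junkmail_rule {
    my ($re, $line) = @_;
    return unless $line =~ $re;
    return ("Junkmail sender", $1, "junkmailer", "1", "", "259200");
}

while (my $line = <DATA>) {
    chomp $line;
    next if $line =~ /^\s*(?:#|$)/;    # skip label and blank lines
    my @a = junkmail_rule($posted, $line);
    my @b = junkmail_rule($strict, $line);
    # Print the captured IP per pattern, then the timestamp and message id.
    printf "posted=%-16s strict=%-16s %s\n",
        ($a[1] // 'no match'), ($b[1] // 'no match'), substr($line, 0, 36);
}

__DATA__
# The first two lines are from the post. The last one is constructed: a
# different kind of rejection, which must not trigger a ban.
2019-08-01 04:02:04 1ht8qQ-0005Oy-HD H=(baron.tryimmoredfe.world) [67.198.188.215]:60033 F=<6752-26-981051-1766-user=example.com@mail.tryimmoredfe.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 09:27:16 1htDv9-0003By-Cr H=mta4.loomingbrexit.xyz (newark.windowpanning.xyz) [67.198.188.213]:53527 F=<6766-26-981051-1765-user=example.com@mail.windowpanning.xyz> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 11:00:00 1htFAA-0001Aa-Bc H=(mail.example.net) [192.0.2.10]:40000 F=<user@example.net> rejected RCPT <nobody@example.com>: No such user here
```

Append a few lines from your own `/var/log/exim_rejectlog` under `__DATA__` to confirm that only spam rejections match and that the captured value is the connecting IP.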