Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Which lists/files utilize wildcards/globals?
  FAQ FAQ  Forum Search   Register Register  Login Login

Which lists/files utilize wildcards/globals?

 Post Reply Post Reply
Author
pcmatt View Drop Down
Senior Member
Senior Member
Avatar

Joined: 15 February 2005
Location: United States
Status: Offline
Points: 116
Post Options Post Options   Thanks (0) Thanks(0)   Quote pcmatt Quote  Post ReplyReply Direct Link To This Post Topic: Which lists/files utilize wildcards/globals?
    Posted: 02 February 2010 at 4:25pm
I'm sure this has been answered before but I can't find a concise list of which lists/files will use wildcard/globals and which will not.  Does anyone have this or can this be provided? 
 
Thanks.
-Matt R
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 03 February 2010 at 11:32pm
pcmatt,

I'm not sure I understand what you mean by "globals". 
For the wildcards, lists can usually use either * ? DOS-style and REGEX expressions, and/or IP notations in the form 192.168.23.0 (the .0 is the wildcard).
The manual tries to explain that in most cases (see below an extract). Is there one (or more) specific for which you need more info on?


Blacklists

Top  Previous  Next
MAPS Blacklist servers - SpamFilter checks the IP address initiating the connection. If it is listed in one of its many DNS blacklists the connection is refused. SpamFilter can reject connections based on aconfigurable minimum number of matches. A ",true" after an RBL entry means their DNS is expecting the IP to be reversed, i.e. to test a connection from 1.2.3.4 they expect 4.3.2.1.bl.spamcop.net
SURBL Blacklist servers - SpamFilter scans the content of emails for any HTTP links and URLs. Every link found is then tested against one of the many SURBL DNS blacklists available. If present, the connection is refused.
Blacklisted IPs - You can keep a file with additional IPs that you want to blacklist by entering the filename below. If the file does not exist it will be created. The file is reloaded every minute. List individual IP addresses on each line. Use an ending .0 for a Class C wildcard (i.e. 192.12.45.0 to block 192.12.45.1 --> 192.12.45.255). This IP blacklist also supports the use of CDIR notation to specify networks. For example, 192.12.45.0/24 will block the previous Class C of addresses as well. The contents of the file will be loaded in the memo box, allowing you to make changes to the file.
Blacklisted Domains - You can keep a file with additional Domains that you want to blacklist (based on the MAIL FROM field) by entering them below. Enter one domain per line, wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use Regular Expressions (RegEx). If the file does not exist it will be created. The file is reloaded every minute. The contents of the file will be loaded in the memo box, allowing you to make changes to the file. This list supports the :NULL option to send emails in a black hole. If an entry is in the form domain1.com:NULL it will cause all emails from domain1.com to be accepted and then sent to NULL right away. Such emails will not cause NDRs, they will not be quarantined, they will not be seen by the users. If an entry is in the form domain1.com:NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the :Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future.
Blacklisted FROM Emails - If you want to block any particular email addresses, enter them here, one email per line. Wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use Regular Expressions (RegEx). This list supports the :NULL option to send emails in a black hole. If an entry is in the form user1@domain1.com:NULL it will cause all emails from user1@domain1.com to be accepted and then sent to NULL right away. Such emails will not cause NDRs, they will not be quarantined, they will not be seen by the users. If an entry is in the form domain1.com:NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the :Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future.
Blacklisted TO Emails - If you want to block any particular destination addresses, enter them here, one email per line. Wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use Regular Expressions (RegEx).  If an entry is in the form user1@domain1.com:NULL it will cause all emails to user1@domain1.com to be accepted and then sent to NULL right away. Such emails will not cause NDRs, they will not be quarantined, they will not be seen by the users. If an entry is in the formdomain1.com:NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the :Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future.
Country Filters - SpamFilter checks the what country incoming connections are coming from. The current number of connections for each country can be updated by clicking on the Update Stats Now button. Columns can be sorted by clicking on the column header. This will help you in sorting countries and hits so you can determine if there are any countries you do not wish to receive email from.
Honeypot Emails - You can have a list of "honeypot" email addresses. Any email sent to an address in the list will cause the sender's IP to be blacklisted. The IP address will be added to the fileHoneypotBlockedIPs.txt, which contains the list of blocked IPs automatically added by this filter. This filter is typically used by adding non-existent email accounts to it that you know should never receive mail. If they do, then the email is likely spam, so the remote IP will be blacklisted automatically.
Attachment Blocking - You can block emails that have unwanted attachments. You can keep a file with banned attachments here. check emails for specific attachments or attachment extensions. If the attachment is found, the email is rejected. Wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use Regular Expressions (RegEx). This list supports the :NULL option to send emails in a black hole. If an entry is in the form filename:NULL it will cause all emails with the filename attachment to be accepted and then sent to NULL right away. Such emails will not cause NDRs, they will not be quarantined, they will not be seen by the users. If an entry is in the form domain1.com:NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the :Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future.
Keywords Filter - You can check email content and subject header for specific keyword and/or phrases. If found, the email is rejected. You can also use Regular Expressions (RegEx). If the keyword file does not exist it will be created. The file is reloaded every minute. The contents of the file will be loaded in the memo box, allowing you to make changes to the file. This list supports the ::NULL option to send emails in a black hole. If an entry is in the form keyword::NULL it will cause all emails to be accepted and then sent to NULL right away. Such emails will not cause NDRs, they will not be quarantined, they will not be seen by the users. If an entry is in the form keyword::NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the ::Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future.  Please note that unlike in other cases, with the keyword list you must enter the ":" symbol twice to specify the extra tag.


Whitelists

Top  Previous  Next
Local Domains - SpamFilter will only deliver email to the domains listed here. Wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use Regular Expressions (RegEx). If the domain in the  RCPT TO email address is listed as a local domain, then the recipient is accepted. This is done to prevent spammers to use SpamFilter to relay email to third party email addresses/servers. It is very important to add your own domains to the local domain list. If not, you will not be able to receive emailIf you need to have any domain listed here forward its destination email to a different server than the default destination server, you can specify so here. You can override the default destination server by appending the forwarding mail server and port to any domain in this list. The syntax should be as follows:
 
DomainName:DestinationServer:DestinationPort - ex. logsat.com:mail.netwide.net:25
Excluded Domains / IPs - You can keep a file containing a list of  any "MAIL FROM" domains or any IPs from which you want to receive email if they would be blocked by any of your blacklist rules. Enter as many IPs or domains as you wish, one per line. Wildcards (* and ?, same rules as DOS wildcards) are allowed. To exclude a whole class C, enter it as 209.20.21.*. If the file does not exist it will be created. The file is reloaded every minute.
Unfiltered Emails - Any local email address listed here will cause SpamFilter to bypass all blacklist rules for it. If you have any users who do not want to have their email filtered, enter them here. Wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use Regular Expressions (RegEx). This list supports the :TAG option to bypass the default "pass all" rule for entries on this list. If an entry is in the formuser@domain1.com:TAGSUBJECT it will cause all emails sent to user@domain1.com to be accepted and then delivered to that user no matter what. However emails that are classified as spam by the various filters will have the prefix "SPAM:" added to the subject line. If an entry is in the form user@domain1.com:TAG it will cause all emails sent to user@domain1.com to be accepted and then delivered to that user no matter what. However emails that are classified as spam by the various filters will have the header "X-SF-SPAM:Y"added to them.
Excluded FROM Emails - You can keep a file containing a list of sender's email address to be excluded from all filtering rules. Enter one email address per line, wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use Regular Expressions (RegEx). If the file does not exist it will be created. The file is reloaded every minute. The contents of the file will be loaded in the memo box, allowing you to make changes to it.
Authorized TO Emails - You can keep a file containing a list of authorized recipients. If you want SpamFilter to only deliver emails to specific addresses in your domain(s), you can manage such a list here. Enter one email address per line, wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also useRegular Expressions (RegEx). If the file does not exist it will be created. The file is reloaded every minute. Please not that if such a list is present, SpamFilter will not deliver email to an address unless it is present in such a list. Use with care. Delete the filename from the edit box to disable the list.
Keywords Filter - You can check email content and subject header for specific keyword and/or phrases. If found, the email is allowed through the filters. Useful if you want to allow certain customers to send you email without having to place them all in a email address whitelist. The same syntax rules as the blacklist keywords apply.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
pcmatt View Drop Down
Senior Member
Senior Member
Avatar

Joined: 15 February 2005
Location: United States
Status: Offline
Points: 116
Post Options Post Options   Thanks (0) Thanks(0)   Quote pcmatt Quote  Post ReplyReply Direct Link To This Post Posted: 04 February 2010 at 8:28am
(* and ?, same rules as DOS wildcards) was what I was looking for to keep our lists simple.  Can you confirm or correct this list:
 
These lists do support wildcards:
 
Blacklisted Domains
Blacklisted FROM Emails
Attachment Blocking
Local Domains
Excluded Domains / IPs
Unfiltered Emails
Excluded FROM Emails
Authorized TO Emails
Auto Whitelist Force Delivery
 
And these lists do not support wildcards:
 
Blacklisted IP - Supports only special ending 0 only to enter a wildcard class c
Honeypot Emails
Keywords Filter
Honeypot Blocked IPs
Grey List Allowed IPs
 
Thanks.
-Matt R
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 04 February 2010 at 11:39pm
Matt,

Everything is correct except for the keyword filter which supports RegEx (Regular Expressions) instead of wildcards, and for the greylist filter. If using v4.1.2.815 or higher, the following release note applies:

// New to VersionNumber = '4.1.2.815';
{TODO -cNew : Added ability to specify wildcards in GreyListAllowed.txt file to exlcude large number of subnets from greylisting}
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
pcmatt View Drop Down
Senior Member
Senior Member
Avatar

Joined: 15 February 2005
Location: United States
Status: Offline
Points: 116
Post Options Post Options   Thanks (0) Thanks(0)   Quote pcmatt Quote  Post ReplyReply Direct Link To This Post Posted: 05 February 2010 at 7:49am
Was looking for which lists support (* and ?, same rules as DOS wildcards)  which is mostly defined in the docs and displayed in the GUI.  Sounds like Keywords still does not support DOS type wildcards * and ?. 
 
This list is for using globals when one is "RegEx Challenged" like myself. 
 
GreyListAllowed.txt wildcard usage statement is a bit unclear.  My guess is it's same type of wildcard use (.0 for class C and subnet masks) as IP Blacklist, but your release note is not really clear to me.  Maybe you can clarify.
 
Thanks for helping clear this list up for me.
-Matt R
Back to Top
yapadu View Drop Down
Senior Member
Senior Member


Joined: 12 May 2005
Status: Offline
Points: 297
Post Options Post Options   Thanks (0) Thanks(0)   Quote yapadu Quote  Post ReplyReply Direct Link To This Post Posted: 05 February 2010 at 12:24pm
If you are just looking for a simple wildcard in the keywords, the wildcard for regex is actually a period .

If you wanted to filter on the keyword viagra, but accept any character in place of the i you could do (v.agra)

Regex is cool stuff, you might want to check out something from O'Reilly

I have been doing a lot of blocking by address lately, not always effective but some spammers do use the same address over and over.  So if something gets past spamfilter I do something like this in the keyword filter.

10685,hazelhurst dr,(77[0-9]{3})

That keyword filter stops a lot of spam, that spammer uses the address over and over.  He only changes the zipcode.  Basically I am looking for the address, street and a 5 digit number that starts with 77 and then three other numbers in the range of 0-9.

I stop hundreds of messages a day just with this filter alone.

The greylistallowed syntax is a * so you might do 206.168.112.* to prevent that specific class C address space from being blocked.  I have only ever had to use the whitelisting in the greylistingallowed file once - for postini as they have so many servers.
Back to Top
pcmatt View Drop Down
Senior Member
Senior Member
Avatar

Joined: 15 February 2005
Location: United States
Status: Offline
Points: 116
Post Options Post Options   Thanks (0) Thanks(0)   Quote pcmatt Quote  Post ReplyReply Direct Link To This Post Posted: 26 September 2012 at 7:59am
Finally learned some basic Regex:
 
This is great little tidbit example to adding case insensitive blocks:
 
((?i)KeYWord) matches keyword or any other combination of upper/lower case in keyword.
-Matt R
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.288 seconds.