Mailing List Archive

drop emails by subject - should be simple
Hi All,

I'm trying to add a *simple* SPAM filter rule to exim:

drop message = Subject is know SPAM email, ignoring
     log_message = Message dropped because of know SPAM Subject
     condition = ${if >{${strlen:$h_subject:}}{20}{yes}{no}}
     condition = ${lookup{"$h_subject:"}lsearch{/etc/exim/lists/subject.droplist}{yes}{no}}

I have the following:

[root@ollie2 lists]# cat subject.droplist
This is a test subject
[root@ollie2 lists]#


However, when I send a test email, it is allowed through and gets delivered.
Can someone please tell me what I've done wrong, and how to fix it.

Gary

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: drop emails by subject - should be simple
On Monday 30 July 2018 10:47:07 Gary Stainburn via Exim-users wrote:
> condition = ${lookup{"$h_subject:"}lsearch{/etc/exim/lists/subject.droplist}{yes}{no}}

The original attempt did not have quotes around the $h_subject, but I added
them as a suggestion found on a web page.

It doesn't work with or without.

Re: drop emails by subject - should be simple
On 30/07/2018 10:47, Gary Stainburn via Exim-users wrote:

> I'm trying to add a *simple* SPAM filter rule to exim:

Try the exim system filter.

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-systemwide_message_filtering.html
https://www.exim.org/exim-html-current/doc/html/spec_html/filter_ch-exim_filter_files.html
etc.



Re: drop emails by subject - should be simple
On 07/30/2018 10:47 AM, Gary Stainburn via Exim-users wrote:
> drop message = Subject is know SPAM email, ignoring
> log_message = Message dropped because of know SPAM Subject

- dubious grammar in those messages
- I prefer to put the conditions first

> condition = ${if >{${strlen:$h_subject:}}{20}{yes}{no}}
> condition = ${lookup{"$h_subject:"}lsearch{/etc/exim/lists/subject.droplist}{yes}{no}}

- using "drop" rather than "deny" leaves the sender having to assume
there was an error. A positive rejection makes it more likely they
won't come back, and on false-positives will leave better log
information on the sending system for debugging

- you don't say where you placed this verb. If it's not in a data-time
ACL, the headers are not available

--
Cheers,
Jeremy


Re: drop emails by subject - should be simple
On Monday 30 July 2018 11:11:03 James via Exim-users wrote:
> On 30/07/2018 10:47, Gary Stainburn via Exim-users wrote:
> > I'm trying to add a *simple* SPAM filter rule to exim:
>
> Try the exim system filter.
>
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-systemwide_message_filtering.html
> https://www.exim.org/exim-html-current/doc/html/spec_html/filter_ch-exim_filter_files.html
> etc.

I do have similar clauses in my system filter file, but I'm looking for a much
cleaner and easier to maintain approach to the problem.

Re: drop emails by subject - should be simple
On Monday 30 July 2018 11:18:19 Jeremy Harris via Exim-users wrote:
> On 07/30/2018 10:47 AM, Gary Stainburn via Exim-users wrote:
> > drop message = Subject is know SPAM email, ignoring
> > log_message = Message dropped because of know SPAM Subject
>
> - dubious grammar in those messages
> - I prefer to put the conditions first

Good point. This is only a test setup, but for clarity I have tidied up my
code.

>
> > condition = ${if >{${strlen:$h_subject:}}{20}{yes}{no}}
> > condition = ${lookup{"$h_subject:"}lsearch{/etc/exim/lists/subject.droplist}{yes}{no}}
>
> - using "drop" rather than "deny" leaves the sender having to assume
> there was an error. A positive rejection makes it more likely they
> won't come back, and on false-positives will leave better log
> information on the sending system for debugging

Agreed, drop changed to deny.

>
> - you don't say where you placed this verb. If it's not in a data-time
> ACL, the headers are not available

This is in acl_check_data along with my other anti-SPAM/Virus code.

>
> --
> Cheers,
> Jeremy



--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk

Re: drop emails by subject - should be simple
On 30 Jul 2018, at 12:54, Gary Stainburn via Exim-users <exim-users@exim.org> wrote:
> This is in acl_check_data along with my other anti-SPAM/Virus code

In that case, it's time to run in debug mode and see *why* it isn't matching.

If you can do it for real, start exim with '-d' and watch the log while it listens to an incoming test message.

If you can't do that, construct yourself an RFC5322 compliant message then pipe it into

exim -d -bhc ip.add.re.ss

and see what comes out. I'll take a tilt at the message hitting an 'accept' clause earlier in the config!

Graeme
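
The test suggested above, as an added example that is not part of the original thread: exim -bh reads an SMTP dialogue on standard input, so this script wraps a minimal message in one. The addresses, the client IP 192.0.2.25 and the --run switch are assumptions made for the example; the subject is the line from the droplist shown in the first post.

```shell
#!/bin/sh
# Added example: build an SMTP dialogue to feed to "exim -d -bhc <ip>".
# Addresses, host names and the client IP are constructed placeholders.

# build_session FROM TO SUBJECT
# Writes the SMTP commands and a minimal RFC 5322 message to stdout.
build_session() {
    from=$1
    to=$2
    subject=$3
    printf 'EHLO client.example.net\n'
    printf 'MAIL FROM:<%s>\n' "$from"
    printf 'RCPT TO:<%s>\n' "$to"
    printf 'DATA\n'
    printf 'From: <%s>\n' "$from"
    printf 'To: <%s>\n' "$to"
    printf 'Subject: %s\n' "$subject"
    printf 'Date: %s\n' "$(LC_ALL=C date '+%a, %d %b %Y %H:%M:%S %z')"
    printf '\n'                      # blank line ends the header block
    printf 'ACL test body\n'
    printf '.\n'                     # lone dot ends DATA
    printf 'QUIT\n'
}

# 22 characters, so it also satisfies the strlen > 20 condition in the ACL.
SUBJECT='This is a test subject'

# With --run, replay the session against the local configuration (nothing is
# delivered under -bh) and keep the debug lines that name the droplist file
# or the data ACL. Use a recipient that the RCPT ACL on the host accepts.
if [ "${1:-}" = "--run" ]; then
    build_session sender@example.net postmaster@example.org "$SUBJECT" |
        exim -d -bhc 192.0.2.25 2>&1 |
        grep -n -e 'subject.droplist' -e 'acl_check_data'
fi
```
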

Re: drop emails by subject - should be simple
On 07/30/2018 12:54 PM, Gary Stainburn via Exim-users wrote:
> This is in acl_check_data along with my other anti-SPAM/Virus code

OK, enable debug and observe the acl flow, and the expansions, with
your test message.
--
Cheers,
Jeremy

