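# Example milter-regex config file for blocking common spammer tactics
# Author: jhardin@impsec.org
# Original at http://www.impsec.org/~jhardin/antispam/milter-regex.conf
#
# Wherever "your_domain_here\.com" appears, substitute your actual domain name.
# You must escape the period as in the example!
#
# Layout: each action ("accept", "reject <msg>", "tempfail <msg>") starts a
# section; the expression lines that follow it belong to that action. Keep
# exactly one directive per line -- "#" comments run to end of line, so a
# directive placed after a comment on the same line is silently ignored.
# Regex flags used below: i = case-insensitive, e = extended regex, n = negate.

# Whitelist local messages
# NOTE: this will have unfortunate side-effects if you are running
# SMTP-over-SSL using stunnel rather than using the MTA's native SSL support!
accept
# Loopback only. The original "/^127\.*/" (zero or more dots) matched any
# address beginning with "127"; "/^127\./" states the intent directly.
connect // /^127\./
# EDIT: If your MTA is serving users on a local network, you need to add a case here
# for example, if your local network is 192.168.1.x, you would add:
#
#	connect // /^192\.168\.1\./
#

# This is _very_ common in spam
reject "Malformed HELO (not a fully-qualified host name, there is no dot)"
helo /\./n

reject "Please use your real hostname in your HELO - private networks not valid"
# EDIT: Do not change these:
# RFC 1918 ranges: 10/8, 192.168/16 and 172.16/12 (172.16 through 172.31).
# An optional leading "[" covers address-literal HELOs such as "[10.1.2.3]".
helo /^\[?10\./e
helo /^\[?192\.168\./e
# 172.32.x.x is public address space, so the third alternative is "3[01]",
# not "3[0-2]".
helo /^\[?172\.(1[6-9]|2[0-9]|3[01])\./e

reject "Please use your real hostname in your HELO - you are not me"
# EDIT: Your domain name goes in the following line:
helo /your_domain_here\.com/i
# EDIT: Do not alter the following line:
helo /^localhost(\.localdomain)?$/ie
# EDIT: Your MTA's public IP address goes in the following line:
# (10.0.0.0 is a placeholder; a real HELO of that form is already rejected
# by the private-network rules above, so this line does nothing until edited.)
helo /^10\.0\.0\.0$/i

# Shellshock-style "() {" / "{ :;" fragments have no business in SMTP envelope
# data or mail headers; reject at every stage they could appear.
reject "Shellshock not welcome"
helo /\(\) {/
envfrom /{ *:;/
envfrom /\(\) {/
envrcpt /{ *:;/
envrcpt /\(\) {/
header /Bcc/i /{ *:;/
header /Cc/i /{ *:;/
header /Comments/i /{ *:;/
header /Date/i /{ *:;/
header /From/i /{ *:;/
header /Keywords/i /{ *:;/
header /Message-ID/i /{ *:;/
header /References/i /{ *:;/
header /Resent-Date/i /{ *:;/
header /Resent-From/i /{ *:;/
header /Resent-Sender/i /{ *:;/
header /Subject/i /{ *:;/
header /To/i /{ *:;/
header /Bcc/i /\(\) {/
header /Cc/i /\(\) {/
header /Comments/i /\(\) {/
header /Date/i /\(\) {/
header /From/i /\(\) {/
header /Keywords/i /\(\) {/
header /Message-ID/i /\(\) {/
header /References/i /\(\) {/
header /Resent-Date/i /\(\) {/
header /Resent-From/i /\(\) {/
header /Resent-Sender/i /\(\) {/
header /Subject/i /\(\) {/
header /To/i /\(\) {/

# NOTE: The following section assumes you have only one public MTA
# If you have more than one public MTA, their public IP addresses
# should all be in the "accept" section at the top of the file.
# Anything arriving from outside that claims to be from our own domain
# (envelope sender, Return-Path, or From:) is treated as forged. The
# patterns are unanchored on the right, so "@your_domain_here.com.example"
# is rejected as well -- deliberately conservative.
reject "Sender forgery - you are not me"
# EDIT: Your domain name goes in all of the following lines:
envfrom /@your_domain_here\.com/i
envfrom /@[a-z]*\.your_domain_here\.com/ie
header /Return-Path/i /MAILER-DAEMON@your_domain_here\.com/i
header /Return-Path/i /MAILER-DAEMON@[a-z]*\.your_domain_here\.com/ie
header /From/i /MAILER-DAEMON@your_domain_here\.com/i
header /From/i /MAILER-DAEMON@[a-z]*\.your_domain_here\.com/ie
header /From/i /postmaster@your_domain_here\.com/i
header /From/i /postmaster@[a-z]*\.your_domain_here\.com/ie
# A From: in our domain is tolerated only when a List-Id header is present
# (mailing-list redistribution); "n" negates the List-Id match.
header /From/i /@your_domain_here\.com/i and
header /List-Id/ /./n

# EDIT: Obviously you should omit the following section if you _do_ accept mail in non-latin character sets...
reject "Sorry - only English spoken here"
header /Subject/i /=[?](KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5|WINDOWS-125[156])[?][QB][?]/ie
header /Subject/i /charset=(3D)?"?(KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5)/ie
# Six consecutive high-bit (Latin-1 range) bytes in the Subject. The byte
# range is interpreted in the milter's locale, so confirm it behaves as
# intended on your system before relying on it.
header /Subject/i /[À-þ]{6}/e
# "," is used as the regex delimiter here because the pattern contains "/".
header /Content-Type/i ,text/(plain|html); *charset="?(KOI8-[RU]|GB2312(_CHARSET)?|ISO-2022-JP|SHIFT[-_]JIS|BIG5),ie
# risky:
#body ,Content-Type(: |" content=")text/(plain|html); charset="?(KOI8-[RU]|GB2312(_CHARSET)?|ISO-2022-JP|SHIFT[-_]JIS|BIG5),ie
#body ,http-equiv=3D"Content-Type" content=3D"text/(plain|html); charset=3D(KOI8-[RU]|GB2312|ISO-2|SHIFT|BIG5),ie

# EDIT: Omit the following two sections if you are not running Mailman mailing lists
tempfail "Apparent forged-mailman bounce spam - please implement SPF checks on your mailman host if it is directly exposed to the Internet"
# EDIT: Your domain name goes in the following line:
# Bounce addressed to our mailman robot from some *other* host's mailman-bounces.
envrcpt /mailman@your_domain_here\.com/i and
envfrom /mailman-bounces@/i and
envfrom /mailman-bounces@your_domain_here\.com/in

reject "You are sending a bounce to a mailing list request robot - the sender address on the message you received was forged"
envrcpt /-l-request@/ie and
envfrom /^<>$/
envrcpt /-l-request@/ie and
envfrom /mailer-daemon@/i

# NOTE: Omit the following section if you actually do send mail from the "info@" mailbox.
# EDIT: Your domain name goes in all of the following lines:
reject "Joe-jobbed address that never sends mail - please contact via postmaster@your_domain_here.com"
envrcpt /info@your_domain_here\.com/i

reject "Lazy spammer sending to obviously bogus addresses"
# Do not edit these lines:
header /To/i /@example\.com/i
header /To/i /@example\.domain/i
header /To/i /@your\.domain/i
header /To/i /@some\.domain/i
header /To/i /@domain\.dom/i
header /To/i /@somewhere\.tld/i
header /To/i /@somewhere\.com/i
header /To/i /@your\.domain\.com/i
header /To/i /@your\.favorite\.machine/i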