Common Sieve filters Version 5 compatible
Document ID: 10152
Synopsis
Rockliffe has developed a set of common Sieve filters that can be used to block several types of junk mail. This document applies to MailSite 5 only.
More Information
Rockliffe has developed a set of common Sieve filters that can be used to block several types of junk mail.
This document applies to MailSite 5 only.
For the best results against spam, we recommend the MailShell Anti Spam engine built into MailSite, which is available in MailSite 6.x and later. Please contact your sales rep or email sales@rockliffe.com for pricing information.
To use these filter rules, execute the following steps:
1. Double-click the Sieve Plugin icon in the MailSite Console.
2. Click "New" to create a new filter rule.
3. Enter a rule name and description.
4. Click "OK" in the "Creating a new criterion" dialog.
5. Click "Advanced" to bring up the "Advanced Condition Editor".
6. Paste the Sieve script (the "Script" section of the filter below) into the Advanced Condition Editor.
7. Click "OK".
In the Action dialog, enable the actions listed under each filter below (or the actions you prefer), then enable the rule.
When blocking mail with Sieve filters such as the ones below, also save a copy of every rejected message so that you can verify the filter is blocking spam and not legitimate email. To measure the effectiveness of each filter separately, give each one its own archive directory.
======================================================================
1. Nimda
--------
The worm that mass-mails README.EXE files is called Nimda. Besides
mass-mailing itself, it also exploits the backdoors left in IIS
servers by the Code Red II worm. F-Secure's description is at
http://www.f-secure.com/v-descs/nimda.shtml.
The worm's subject lines vary; one looks like the following:
c/"??r3_log3_r3010916billemailing-20010910-1r3_log3_r3010908r2_log2_r
script:
-------
x_body :contains "name=\"readme.exe\""
Action:
-------
Blocks messages carrying the readme.exe attachment. The test matches the
MIME "name=" parameter of the attachment rather than the subject line, so
it does not depend on the varying subjects the worm uses.
======================================================================
2. Trailing Numbers Filter
--------------------------
This filter blocks all messages whose "Subject" ends with a number after
a long run of spaces, a format common in spam messages. For example:
Subject: Lose 50 pounds this week!        5534
Subject: Check out these great pictures!!!!        #76543
This filter consists of two regular expressions that search the end of
the subject line for one or more digits preceded by eight or more spaces
(the only difference between the two is the inclusion of the "#"
character). The interval {8,} is POSIX extended regular expression
syntax for "eight or more"; if your regex implementation does not accept
it, write the eight spaces out literally. Requiring a long run of spaces
is what keeps ordinary subjects that end in a number after a single
space ("Re: ticket 4412") from matching.
Script:
-------
anyof (
header :regex "Subject" " {8,}#[0-9]+$",
header :regex "Subject" " {8,}[0-9]+$"
)
Action:
-------
Reject Message
Take a Copy of the message
======================================================================
3. Undisclosed Recipients Filter
--------------------------------
This filter blocks all mail whose "To" header contains the words
"Undisclosed Recipient" (in several spellings), a value often used as
the "To" address of spam. It also includes an Outlook Express exception
so that it does not block legitimate mail: when a message is sent from
Outlook Express with only "Cc" and/or "Bcc" recipients, Outlook Express
sets the "To" header to "Undisclosed-Recipient:;". Since spam is
typically sent with a bulk-mailing program rather than Outlook Express,
it is probably safe to exempt that exact value.
Note that the exception matches only that singular, hyphenated form.
The plural group syntax "undisclosed-recipients:;" (or "Undisclosed
recipients:;", the form used in the RFC 2822 examples and by other mail
clients) still contains "undisclosed recipient" under Sieve's
case-insensitive default comparator and is not exempted, so Bcc-only
mail from such clients will be rejected. Check the archived copies for
these before relying on this filter.
Script:
-------
allof (
not header :contains "To" "Undisclosed-Recipient:;",
anyof (
header :contains "To" "Undisclosed-Recipient",
header :contains "To" "Undisclosed.Recipient",
header :contains "To" "Undisclosed Recipient"
)
)
Action:
-------
Reject Message
Take a Copy of the message
======================================================================
4. Missing Header Filter
------------------------
This filter rejects messages that lack a "From" or a "To" header.
Spammers often omit one or both so that filters keyed on the "From" or
"To" value have nothing to match. Be aware that RFC 2822 requires only
the "Date" and "From" fields: "To" is optional, and some mail clients
send Bcc-only messages with no "To" header at all, so this rule rejects
those legitimate messages as well. Review the archived copies before
enabling it on production mail.
Script:
-------
anyof (
not exists "To",
not exists "From"
)
Action:
-------
Reject Message
Take a Copy of the message
======================================================================
5. Attachment Filter
--------------------
This filter rejects all messages that carry a Visual Basic Script
(.VBS) attachment. Under Sieve's default case-insensitive comparator it
matches ".vbs" and ".VBS" alike. The same regular expression syntax can
be used to block other file extensions (.EXE, .BAT, etc.), and an
alternation such as filename=\".+\.(vbs|exe|bat)\" catches several at
once. Note exactly what it matches: a quoted "filename=" parameter, as
found in a Content-Disposition header. It does not match an unquoted
filename, a part that carries only the Content-Type "name=" parameter
(the form the Nimda filter above tests), or an RFC 2231 encoded
"filename*=" parameter, so add a "name=" test if you want the same
extensions caught in either place. If you move these expressions to a
different Sieve implementation, remember that RFC 3028 drops a backslash
before an ordinary character inside a quoted string, so a literal dot
must be written "\\." there.
Script:
-------
x_body :regex "filename=\".+\.vbs\""
Action:
-------
Reject Message
Take a Copy of the message
======================================================================
6. Abuse Address Exemption Filter
---------------------------------
This filter lets a message through, regardless of any later Sieve
filter rule, if its "To" header contains "abuse@", the standard address
for receiving spam complaints. It is highly recommended because it lets
users forward spam complaints to your abuse address without having their
message blocked by the other filter rules. To ensure that your abuse
address receives all complaints, list this filter first in the Sieve
Filter Rules window.
Two caveats: the "To" header is written by the sender, so anyone who adds
your abuse address as an extra recipient bypasses every filter that
follows; and :contains "To" "abuse@" matches an abuse address at any
domain, not just yours. Narrow the test to your own mailbox (for example
header :contains "To" "abuse@example.com", with your domain in place of
example.com) and treat this exemption as a convenience, not a trust
boundary.
Script:
-------
header :contains "To" "abuse@"
Action:
-------
Don't process any more rules for this message
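The following is an added offline check, written for this article and not part of MailSite or of Rockliffe's filter set: the six conditions above (Nimda, Trailing Numbers, Undisclosed Recipients, Missing Header, Attachment and the Abuse Address Exemption) re-implemented in Python and run, in the recommended order with the abuse exemption first, over a handful of constructed messages. It assumes that "x_body" sees everything after the top-level header block (including MIME part headers), that Sieve's default i;ascii-casemap comparator makes :contains and :regex case-insensitive, and that the Trailing Numbers rule requires eight or more spaces. The sample messages are constructed and include the false-positive and miss cases noted above (Bcc-only mail with no "To", the RFC 2822 group syntax, an RFC 2231 "filename*=" attachment).

```python
"""Offline re-implementation of the six Sieve conditions in this article.
Added example (not MailSite code). Rules run in the order the article
recommends (abuse exemption first) over constructed test messages."""
import re
from email import message_from_string

# Assumption: Sieve's default comparator is i;ascii-casemap, so :contains
# and :regex are matched case-insensitively here as well.
def header_contains(msg, name, needle):
    return any(needle.lower() in v.lower() for v in msg.get_all(name, []))

def header_regex(msg, name, pattern):
    return any(re.search(pattern, v, re.IGNORECASE) for v in msg.get_all(name, []))

def body_contains(body, needle):
    return needle.lower() in body.lower()

def body_regex(body, pattern):
    return re.search(pattern, body, re.IGNORECASE) is not None

def evaluate(raw):
    """Return ("accept" | "reject", name of the rule that decided, or None)."""
    msg = message_from_string(raw)
    # Assumption: x_body sees everything after the top-level header block,
    # including the MIME part headers where name= / filename= appear.
    _, _, body = raw.partition("\n\n")
    # 6. Abuse Address Exemption, listed first: "don't process any more rules"
    if header_contains(msg, "To", "abuse@"):
        return ("accept", "Abuse Address Exemption")
    # 1. Nimda
    if body_contains(body, 'name="readme.exe"'):
        return ("reject", "Nimda")
    # 2. Trailing Numbers ({8,} is the article's "eight or more spaces")
    if (header_regex(msg, "Subject", r" {8,}#[0-9]+$")
            or header_regex(msg, "Subject", r" {8,}[0-9]+$")):
        return ("reject", "Trailing Numbers")
    # 3. Undisclosed Recipients, with the Outlook Express exemption
    if (not header_contains(msg, "To", "Undisclosed-Recipient:;")
            and any(header_contains(msg, "To", s) for s in
                    ("Undisclosed-Recipient", "Undisclosed.Recipient",
                     "Undisclosed Recipient"))):
        return ("reject", "Undisclosed Recipients")
    # 4. Missing Header (Sieve "exists")
    if msg.get("To") is None or msg.get("From") is None:
        return ("reject", "Missing Header")
    # 5. Attachment
    if body_regex(body, r'filename=".+\.vbs"'):
        return ("reject", "Attachment")
    return ("accept", None)

# Constructed test messages (not real traffic); addresses are placeholders.
SAMPLES = {
    "spam_trailing_number":
        "From: offer@example.net\nTo: victim@example.com\n"
        "Subject: Lose 50 pounds this week!" + " " * 8 + "5534\n\nClick here.\n",
    "nimda_worm":
        "From: someone@example.net\nTo: victim@example.com\nSubject: c/r3_log3\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n--b\n'
        'Content-Type: audio/x-wav; name="readme.exe"\n\n<base64>\n--b--\n',
    "outlook_express_bcc":                 # exact exempted value: passes
        "From: alice@example.com\nTo: Undisclosed-Recipient:;\n"
        "Subject: Party on Friday\n\nSee you there.\n",
    "rfc2822_group_syntax":                # RFC 2822 example form: rejected
        "From: alice@example.com\nTo: Undisclosed recipients:;\n"
        "Subject: Party on Friday\n\nSee you there.\n",
    "bcc_only_no_to":                      # legal under RFC 2822: rejected
        "From: alice@example.com\nSubject: Party on Friday\n\nSee you there.\n",
    "abuse_forward":                       # carries the worm, passes via rule 6
        "From: bob@example.com\nTo: abuse@example.com\nSubject: Fwd: worm\n\n"
        'Content-Type: audio/x-wav; name="readme.exe"\n',
    "vbs_attachment":
        "From: bob@example.net\nTo: victim@example.com\nSubject: Invoice\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n--b\n'
        'Content-Disposition: attachment; filename="invoice.vbs"\n\n...\n--b--\n',
    "vbs_rfc2231_filename":                # filename*= is not matched by rule 5
        "From: bob@example.net\nTo: victim@example.com\nSubject: Invoice\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n--b\n'
        "Content-Disposition: attachment; filename*=utf-8''invoice.vbs\n\n...\n--b--\n",
}

def run_all():
    """Evaluate every sample; returns {sample name: (verdict, rule)}."""
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (verdict, rule) in run_all().items():
        print(f"{name:24s} {verdict:7s} {rule or '-'}")
```

Running the block prints one verdict per sample. The two "accept" results that carry no rule name and the two rejections of legitimate Bcc-style mail are the cases worth watching in the archive directories the article recommends: they show that the Undisclosed Recipients and Missing Header rules trade a real false-positive rate for their simplicity, and that the Attachment rule is only as good as the exact parameter spelling it looks for.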