


The default rules.MailRules file, located in the Internet Services\Filters folder on the administrator's Desktop, accepts or denies incoming mail based on a set of rules. The majority of these rules are designed to identify and score possible spam. The following is a section-by-section breakdown of the default rules.MailRules file, which can be customized to suit your environment. A number of built-in functions and variables are used in the rules.MailRules file. Information on these functions and variables can be found in Mail rules syntax, variables, functions in our online help.
Lines starting with # are comments and are not interpreted as rules. To disable a rule, add a # to the beginning of that rule's line.
Note
For clarification purposes only, we have numbered each code line and color coded them as follows:
• rules, both active and disabled, are in blue
• comments are in green.

1 # If we can quickly determine that a message should not be processed by the mail rules, do so here
2 # If the message is from a trusted address or site, we're done
3 ^: IF ($Form.Config.1202.Checkbox==0 AND @IsTrustedIP($SenderIP)) DONE
4 # If the sending IP is not the address in the Route through one SMTP server, and is trusted, we're done
5 # This forces mail funnelled through a trusted front end SMTP server through the mail rules.
6 ^: IF ($Form.Config.1202.Checkbox==1 AND @IsTrustedIP($SenderIP) AND ($SenderIP != $Form.Config.1203.String)) DONE
7 # The MAIL FROM address is easily spoofed, so less trustworthy
8 ^: IF (@istrustedaddress($sender)) DONE
9 # The From address is more easily spoofed, so is less trustworthy
10 #From: if (@istrustedaddress($from)) DONE
Line 3 checks if the $SenderIP is in the list of trusted servers found in your filter document and the "Route through one SMTP server" checkbox found in the Advanced Mail form is deselected. If both these tests return TRUE, rules processing will stop and the message will be delivered.
If the sender is a trusted server but the "Route through one SMTP server" checkbox is selected, line 6 additionally checks if the sender is the front-end server. Only if it is not the front-end server will rules processing be bypassed.
Line 8 checks if the $sender is in the list of trusted addresses found in your filter document. If the sender is found in the filter document as a trusted address, rules processing will stop and the message will be delivered.
Line 10 is a disabled rule that uses the From: field in the header. This rule is disabled because the From: field is easily forged by spammers. If you wish to enable this rule, remove the # at the beginning of the line.

11 # Admin settable variables are defined here
12 ^: IF (1) SET $CrosspostLimit=$Form.Config.2606.Number AND $CrosspostIncr=5 AND $XpostSpamLevel=20 AND $XpostSpamIncrVal=5
13 ^: IF (1) SET $XtremeCausesNDN=$Form.Config.2604.Checkbox
14 # Changing these variables requires consideration of the various values of the individual spam tests
15 ^: IF (1) SET $LowSpamMin=10 AND $LowSpamMax=25
16 ^: IF (1) SET $MedSpamMax=50 AND $HighSpamMax=100
17 ^: IF (1) SET $BustedMailer=0
18 ^: IF (1) SET $spamlevel=0 AND $spamtests=""
19 ^: IF (1) SET $imgtracking=0 AND $singlepixelimg=0 AND $dotbizurl=0 AND $stealthimg=0 AND $stealthurl=0 AND $aturl=0
20 ^: IF (@IsSpamIP($SenderIP, "lists.SpamIPs")) SET $spamlevel += 100 AND $spamtests += "IPBLOCK;"
21 ^: IF (1) SET $sorry = "Sorry, your message has triggered a SPAM block, please contact the postmaster"
Line 12 sets the crossposting limit variables and their respective spam scores. If the number of recipients is larger than the $CrosspostLimit, the spam score is increased by the value in $XpostSpamLevel. For every set of recipients of size $CrosspostIncr over and above the base $CrosspostLimit, the spam score is increased by $XpostSpamIncrVal.
Warning
If you use crossposting as a spam indicator, you may need to add the mailing lists you want to receive to your trusted address list (see Using filter documents and the Internet Services Filters folder), since they often contain a large number of recipients.
Line 13 sets the $XtremeCausesNDN variable. All mail with a spam score greater than $HighSpamMax is considered Xtreme. If the "Extreme causes NDN" checkbox, found in the Basic Internet Setup form, is selected, all Xtreme mail is rejected by Internet Services, which sends an NDN. If the checkbox is deselected, Internet Services will still consider the message Xtreme but will not reject it.
Lines 15 and 16 are used to define the limits for low, medium, and high spam scores.
Line 17 initializes the $BustedMailer variable to 0.
Line 18 sets the spam score to 0 and initializes the $spamtests variable.
Line 19 initializes six variables that are used in other spam tests to 0.
Line 20 checks if the $SenderIP is in the lists.SpamIPs list found in the Filters folder. If this test returns TRUE, the spam score is increased by 100.
Line 21 sets the contents of the NDN sent to users whose messages are rejected due to spam blocks.
22 # check received headers for SPAMmers
23 Received: eregexp:".*[(\\[]\\([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\)[)\\]]" SET $IP = "\\1"
24 Received: IF (@isspamip($IP)) NDN 550 "$sorry"
Line 23 uses a regular expression to scan the message header for an IP address. The IP address is stored in $IP. Line 24 then checks this IP address to see if it is in the spam IP list. If the IP address is in the spam IP list, the message is rejected by Internet Services and an NDN is sent.

25 # Subject tests go here
26 Subject: IF ($Form.Config.2605.Checkbox && @InBlockList($Subject)) NDN 550 "$sorry"
27 Subject: IF ($Form.Config.2605.Checkbox == 0 && @inblocklist($subject)) SET $spamlevel += 100 AND $spamtests += "SUBJECTBLOCK;"
28 Subject: regexp:"^$" SET $spamlevel += 10 AND $spamtests += "SUBJ_HAS_NO_SUBJECT;"
29 Subject: "     " SET $spamlevel += 20 AND $spamtests += "SUBJ_HAS_SPACES;"
30 Subject: IF (@allcaps($subject)) SET $spamlevel += 25 AND $spamtests += "SUBJ_ALL_CAPS;"
31 Subject: eregexpi:"(^|[^[:alnum:]])(v|\\\\/)[^[:alnum:]]{0,2}[i1l\|!¡ÌÍÎÏìííîï][^[:alnum:]]{0,2}[a@ÀÁÂÃÄÅÆàáâãäå][^[:alnum:]]{0,2}g[^[:alnum:]]{0,2}r[^[:alnum:]]{0,2}[a@ÀÁÂÃÄÅÆàáâãäå]($|[^[:alnum:]])" SET $spamlevel += 101 AND $spamtests += "SUBJ_VIAGRA;"
32 Subject: eregexpi:"x[^[:alnum:]]{0,2}[a@][^[:alnum:]]{0,2}n[^[:alnum:]]{0,2}[a@][^[:alnum:]]{0,2}x" SET $spamlevel += 101 AND $spamtests += "SUBJ_XANAX;"
33 Subject: eregexpi:"d[^[:alnum:]]{0,2}r[^[:alnum:]]{0,2}u[^[:alnum:]]{0,2}g[^[:alnum:]]{0,2}s" SET $spamlevel += 100 AND $spamtests += "SUBJ_DRUGS;"
34 Subject: IF (@PunctCount($Subject) >= 5) SET $spamlevel += 10 AND $spamtests += "EXCESS_PUNCT;"
35 Subject: IF (@WordCount("lists.Rude", $Subject) > 1) SET $spamlevel += 100 AND $spamtests += "SUBJ_RUDE_WORDS;"
Line 26 checks if the subject contains any words that are in the rules.Subjectblock list and the "SubjectBlock causes NDN" checkbox, found in the Basic Internet Setup form, is selected. If this test returns TRUE, an NDN is sent.
Line 27 checks if the subject contains any words that are in the rules.Subjectblock list and the "SubjectBlock causes NDN" checkbox, found in the Basic Internet Setup form, is deselected. If this test returns TRUE, the spam score is increased by 100.
Line 28 checks if the subject line is empty. Messages with no subjects have a greater chance of being spam. If this test returns TRUE, the spam score is increased by 10.
Line 29 checks if the subject has extra spaces in it. Spammers sometimes use subjects such as "Hi...         Remember me?", which would get caught by this check because of the extra spaces. If this test returns TRUE, the spam score is increased by 20.
Line 30 checks if the subject is written in all uppercase letters. Using all uppercase letters is usually an indication of spam, and the spam score will be increased by 25.
Lines 31 to 33 check for different variations of the words "Viagra", "Xanax" and "drugs" which are designed by spammers to bypass antispam filters but be recognizable to humans. If the test returns TRUE for either line 30 or 31, the spam score is increased by 101. If the test returns TRUE for line 32, the spam score is increased by 100.
Line 34 checks if the subject contains five or more characters of punctuation. Excessive punctuation is sometimes an indication of spam. If this test returns TRUE, the spam score is increased by 10.
Line 35 checks if the subject contains more than one word that is in the lists.Rude list found in the Filters folder. If this test returns TRUE, the spam score is increased by 100.

36 Errors-To: "*@*" SET $spamlevel -= 20 AND $spamtests += "-ERRORS_TO;"
Line 36 will reduce the spam score by 20 if the Errors-To field is filled with any legitimate value. This is generally an indication that a message is not spam.

37 # Content-Type and Content-Disposition header checks to allow setting of attachment names for
38 # virus/worm subject/attachment combination checking later
39 Content-Type: regexp:".*name=\"\\(.+\\)\"" SET $attname="\\1"
40 Content-Disposition: regexp:".*name=\"\\(.+\\)\"" SET $attname="\\1"
Lines 39 and 40 detect the name of the attachment in a message. The $attname variable is used in other spam tests.

41 # X-Mailer checks
42 X-Mailer: IF (@InWordList("lists.BustedMailers", $Header)) SET $BustedMailer=1
43 X-Mailer: IF (@InWordList("lists.x-mailer-1", $Header)) SET $spamlevel += 75 AND $spamtests += "X-MAILER-1;"
44 X-Mailer: IF (@InWordList("lists.x-mailer-2", $Header)) SET $spamlevel += 25 AND $spamtests += "X-MAILER-2;"
Line 42 checks if the header contains any words that are in the lists.BustedMailers list found in the Filters folder. If this test returns TRUE, $BustedMailer is set to 1.
Lines 43 and 44 look for specific X-Mailer text which indicates mailers that spammers use. The lists.x-mailer-1 and lists.x-mailer-2 lists found in the Filters folder contain all such text. If any is present, the message is very likely to be spam, and the spam score is increased by 75 if the text is in lists.x-mailer-1, and 25 if it is in lists.x-mailer-2.

45 # Tests for other bulk mailers which use their own X-headers
46 X-Speedi-Job: IF (1) SET $spamlevel += 100 AND $spamtests += "X-SPAMMER-HEADER;"
47 X-Ssi-Job: IF (1) SET $spamlevel += 100 AND $spamtests += "X-SPAMMER-HEADER;"
Lines 46 and 47 increase the spam score by 100 if specific X-headers used by spammers are found.

48 # Tests for people who set an X-Originating-IP header with your own IP address
49 X-Originating-IP: IF ($MyIP == $Header) SET $spamlevel += 101 AND $spamtests += "X-ORIG-IP;"
50 X-Originating-IP: IF ("[$MyIP]" == $Header) SET $spamlevel += 101 AND $spamtests += "X-ORIG-IP;"
Lines 49 and 50 check for an X-Originating-IP header that contains the IP address of the IS server. These are headers that spammers add to their messages to try and trick antispam filters. If these tests return TRUE, the spam score is increased by 101.

51 # Tests at the end of the Internet headers go here
52 # 1 - Tests for missing common and required Internet headers go here
53 : IF (NOT @SeenHeader("Message-ID") AND $BustedMailer==0) SET $spamlevel += 50 AND $spamtests += "NO_MESSAGE_ID;"
54 : IF (NOT @SeenHeader("Subject") AND $BustedMailer==0) SET $spamlevel += 50 AND $spamtests += "NO_SUBJECT_HEADER;"
55 : IF (NOT @SeenHeader("Date") AND $BustedMailer==0) SET $spamlevel += 25 AND $spamtests += "NO_DATE;"
56 # 2 - Tests for dubious Internet headers go here
57 : IF (@SeenHeader("X-CS-IP")) SET $spamlevel += 5 AND $spamtests += "DUBIOUS_X_HEADER;"
58 : IF (@SeenHeader("X-IP")) SET $spamlevel += 5 AND $spamtests += "DUBIOUS_X_HEADER;"
Line 53 increases the spam score by 50 if a message has no Message-ID in the header and $BustedMailer is equal to 0.
Line 54 increases the spam score by 50 if a message header has no subject and $BustedMailer is equal to 0.
Line 55 increases the spam score by 25 if a message header does not contain the Date and $BustedMailer is equal to 0.
Lines 57 and 58 check if the header contains the IP address of the IS server. These are headers that spammers add to their messages to try and trick antispam filters. If these tests return TRUE, the spam score is increased by 5.

59 # Some new for 8.0 rules that examine the message body for SPAM
60 # - look for messages with no text, just 1 or more links.
61 >: IF (@InBlockList($body)) SET $spamlevel += 100 AND $spamtests += "BODYBLOCK;"
62 >: IF (@InWordList("lists.BodyList1", $Body)) SET $spamlevel += 50 AND $spamtests += "BODYLIST1;"
63 >: IF (@WordCount("lists.Rude", $body) > 1) SET $spamlevel += 100 AND $spamtests += "TOO_MANY_RUDE_WORDS;"
64 # look for protestations that this is not really spam...
65 >: regexp:".*[Cc][Aa][Nn]-?[Ss][Pp][Aa][Mm] [Aa]ct of" SET $spamlevel += 100 AND $spamtests += "CAN-SPAM_ACT;"
Line 61 checks if the body contains any words that are in the rules.Subjectblock list. If this test returns TRUE, the spam score is increased by 100.
Line 62 checks if the body contains any words that are in the lists.BodyList1 list found in the Filters folder. If this test returns TRUE, the spam score is increased by 50.
Line 63 checks if the body contains more than one word that is in the lists.Rude list found in the Filters folder. If this test returns TRUE, the spam score is increased by 100.
Line 65 checks if the body contains disclaimers that some spammers put in saying that the spam they are sending isn't really spam because it conforms to the American CAN-SPAM Act of 2003. If this test returns TRUE, the spam score is increased by 100.

66 # The following rules inspect the message body text
67 >: eregexpi:"(^|[^[:alnum:]])(v|\\\\/)[^[:alnum:]]{0,2}[i1l\|!¡ÌÍÎÏìííîï][^[:alnum:]]{0,2}[a@ÀÁÂÃÄÅÆàáâãäå][^[:alnum:]]{0,2}g[^[:alnum:]]{0,2}r[^[:alnum:]]{0,2}[a@ÀÁÂÃÄÅÆàáâãäå]($|[^[:alnum:]])" SET $spamlevel += 101 AND $spamtests += "BODY_VIAGRA;"
68 >: eregexpi:"f[^[:alnum:]]{1,2}r[^[:alnum:]]{1,2}e[^[:alnum:]]{1,2}e" SET $spamlevel += 101 AND $spamtests += "DISGUISED_FREE;"
Line 67 checks if the body contains the word, or any spammer variation of the word, "Viagra". If this test returns TRUE, the spam score is increased by 101.
Line 68 checks if the body contains any spammer variation of the word "free". If this test returns TRUE, the spam score is increased by 101.
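The disguised-word patterns in the subject tests (lines 32 and 33) and the body test on line 68 can be tried offline before they are relied on. The following is an added example, not part of the default rules file or the product: it ports those three patterns to Python's re module and scores constructed sample text. It assumes that eregexpi means a case-insensitive extended regular expression and that [^[:alnum:]] covers ASCII letters and digits; the function names and the anchored variant are hypothetical.

```python
import re

# [^[:alnum:]] from the rules file, written out for Python (ASCII assumed)
SEP = "[^A-Za-z0-9]"

def spaced(pieces, lo, hi):
    """Join letter pieces with SEP{lo,hi}, the shape used on lines 32, 33 and 68."""
    return (SEP + "{%d,%d}" % (lo, hi)).join(pieces)

def anchored(pattern):
    """Wrap a pattern in the word-boundary guards that line 31 already uses."""
    return "(^|" + SEP + ")" + pattern + "($|" + SEP + ")"

# (test name, pattern, score) ported from the default rules
RULES = [
    ("SUBJ_XANAX", spaced(["x", "[a@]", "n", "[a@]", "x"], 0, 2), 101),  # line 32
    ("SUBJ_DRUGS", spaced(list("drugs"), 0, 2), 100),                    # line 33
    ("DISGUISED_FREE", spaced(list("free"), 1, 2), 101),                 # line 68
]

# Hypothetical tightening to evaluate: the same rules inside line 31's guards
ANCHORED_RULES = [(name, anchored(pat), pts) for name, pat, pts in RULES]

def score(text, rules=RULES):
    """Return (spam level, names of the tests that fired) for one line of text."""
    level, fired = 0, []
    for name, pattern, points in rules:
        if re.search(pattern, text, re.IGNORECASE):
            level += points
            fired.append(name)
    return level, fired

# Constructed sample text, not taken from real mail
SAMPLES = [
    "Cheap d.r.u.g.s online",               # disguised word, should score
    "New hours for the campus drugstore",   # legitimate, scores under line 33
    "Free parking on Friday",               # plain "free" needs no disguise rule
    "F*R*E*E gift",                         # disguised word, should score
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(text, "| default:", score(text), "| anchored:", score(text, ANCHORED_RULES))
```

With the default thresholds, the 100 points from SUBJ_DRUGS alone exceed $MedSpamMax, so the constructed "drugstore" subject would be marked SPAM by line 106. Line 68 requires at least one separator between letters, which is why the plain word "free" does not fire it.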

69 # Null body scan to set the #BODY internal variable if no other message body text rules are run
70 >: IF (0) DONE

71 # The following rules inspect links (<A and <IMG) found in HTML message bodies
72 <: eregexp:"<IMG SRC=\".+(\\.gif|\\.jpe?g)\\?.+\">" SET $imgtracking+=1
73 <: eregexp:"<IMG .+ WIDTH=1 HEIGHT=1>" SET $singlepixelimg+=1
74 <: regexp:"<A .+\\.biz/.*>" SET $dotbizurl+=1
75 <: regexp:"<IMG SRC=\".+\\*http://" SET $stealthimg+=1
76 <: regexp:"<A HREF=\"http://.+[*?]http://.+\">" SET $stealthurl+=1
77 <: regexp:"<A HREF=\".+@.+\\..+/.*\">" SET $aturl+=1
78 # some rules that look for opt-out links
79 <: eregexp:"<A .+/(remove|opt).*>" SET $spamlevel += 50 AND $spamtests += "UNSUBSCRIBE_LINK;"
80 <: eregexp:"<A .+>.*([Oo]ffer|[Uu]nsub|[Rr]emove|[Nn]o [Mm]ore).*</A>" SET $spamlevel += 50 AND $spamtests += "UNSUBSCRIBE_LINK;"
Lines 72 and 73 check if the body contains URLs to images used by spammers to track who has read the message. If the test in line 72 returns TRUE, $imgtracking is increased by 1. If the test in line 73 returns TRUE, $singlepixelimg is increased by 1.
Line 74 checks if the body contains links to domain names that end in .biz. If this test returns TRUE, $dotbizurl is increased by 1.
Line 75 checks if the body contains URLs to images that look to the user like they are at one server, when they are in fact at another. If this test returns TRUE, $stealthimg is increased by 1.
Line 76 checks if the body contains URLs to images used by spammers to track who has read the message. If this test returns TRUE, $stealthurl is increased by 1.
Line 77 checks if the body contains URLs formatted by spammers to trick users into thinking they are going to a different site than where they are really going to. If this test returns TRUE, $aturl is increased by 1.
Lines 79 and 80 check if the body contains links that users click on to be removed from the spammer's list. If these tests return TRUE, the spam score is increased by 50.

81 # In the first hours of virus outbreak, uncomment this line and do a Get Config
82 #@: IF (1) NDN 550 "No attachments allowed in this system"
Line 82 is a disabled rule that in a panic situation can be used to block all messages that contain one or more attachments.

83 # Virii checking tests go here
84 #@: IF (@length($attname) && @InWordList("lists.VirusNetskySubject", $Subject) && @InWordList("lists.VirusNetskyAttachment", $attname)) NDN 550 "No worms allowed"
85 @: IF (@length($attname) && @InWordList("lists.VirusNetskySubject", $Subject) && @InWordList("lists.VirusNetskyAttachment", $attname)) SET $spamlevel += 101 AND $spamtests += "VIRUS_ALERT;"
Lines 84 and 85 check whether or not an attachment name was detected and if both it and the subject are in the lists.VirusNetskyAttachment list found in the Filters folder. One of these rules must be disabled, and depending on which, either an NDN is sent or the spam score is increased by 101 if the test returns TRUE.

86 #
87 # rules to deal with spam level, processed at the end of the message
88 #
89 .: IF ($#BODY < 10 && ($#IMG + $#URL) > 0) SET $spamlevel += 101 AND $spamtests += "EMPTY_BODY_WITH_LINKS;"
90 .: IF ($imgtracking) SET $spamtests += "IMG_TRACKING;"
91 .: IF ($singlepixelimg) SET $spamtests += "SINGLE_PIXEL_IMG;"
92 .: IF ($dotbizurl>1) SET $spamtests += "DOT_BIZ_URLS;"
93 .: IF ($dotbizurl==1) SET $spamtests += "DOT_BIZ_URL;"
94 .: IF ($stealthimg) SET $spamtests += "STEALTH_IMG;"
95 .: IF ($stealthurl) SET $spamtests += "STEALTH_URL;"
96 .: IF ($aturl>0) SET $spamtests += "AT_URL;"
97 .: IF ($InvisibleText) SET $spamtests += "INVISIBLE_TEXT;"
98 .: IF ($InvisibleText || $imgtracking || $singlepixelimg || $dotbizurl || $stealthurl || $aturl>0) SET $spamlevel += 101
Lines 89 to 98 are run at the end of the message and check to see which of the spam tests have succeeded. If any one of these tests returned TRUE, the spam score is increased by a total of 101.

99 .: IF ($spamlevel > $HighSpamMax && $XtremeCausesNDN) STRIKE         # this action must come before the NDN action
100 .: IF ($spamlevel > $HighSpamMax && $XtremeCausesNDN) NDN 550 "$sorry"
101 # the next rules apply if the NDN is not sent
102 .: IF ($spamlevel > $HighSpamMax) INJECT "X-SPAM-Warning: EXTREME"
103 .: IF ($MedSpamMax < $spamlevel  && $spamlevel <= $HighSpamMax) INJECT "X-SPAM-Warning: HIGH"
104 .: IF ($LowSpamMax < $spamlevel  && $spamlevel <= $MedSpamMax)  INJECT "X-SPAM-Warning: MEDIUM"
105 .: IF ($LowSpamMin <= $spamlevel && $spamlevel <= $LowSpamMax)  INJECT "X-SPAM-Warning: LOW"
Line 99 will add a strike to the sender for any message with a spam score higher than $HighSpamMax if $XtremeCausesNDN is set to 1. This line must precede line 100, which will send an NDN for such messages.
Lines 102 to 105 will inject X-SPAM headers into a message to indicate the spam score generated for that message. Four different levels are assigned based on the values set in lines 11 and 12.

106 .: IF ($MedSpamMax < $spamlevel) SPAM
If a message has a higher spam score than $MedSpamMax, it will be considered spam and will be marked as machine-generated and JUNK.

107 .: IF ($HighSpamMax < $spamlevel) SPAMSUSPECTED
If a message has a higher spam score than $HighSpamMax, it will be considered suspected spam and will be added to the Suspected abuse or DOS list found in the Internet Services Monitor form.

108 .: IF ($spamlevel > $LowSpamMax) INJECT "X-FC-Options: suppress-ndn"
If a message has a higher spam score than $LowSpamMax, an option is set on it telling the server not to send an NDN if it can't deliver the message. This operates on the theory that spam messages don't have a valid return address to receive NDNs, and that you don't want to send an NDN even if the return address is valid.

109 .: IF ($spamlevel >= $LowSpamMin) INJECT "X-SPAM-Level: $spamlevel"
Line 109 inserts the numerical spam score into the message header.

110 .: IF ($spamlevel >= $LowSpamMin) INJECT "X-SPAM-Tests: $spamtests"
Line 110 inserts the text description of the failed spam tests into the message header.

111 .: IF ($MedSpamMax < $spamlevel) INJECT "X-FC-Icon-ID: 23048"
112 .: IF ($LowSpamMax < $spamlevel  && $spamlevel <= $MedSpamMax)  INJECT "X-FC-Icon-ID: 23049"
113 .: IF ($LowSpamMin <= $spamlevel && $spamlevel <= $LowSpamMax)  INJECT "X-FC-Icon-ID: 23050"
Lines 111 to 113 will insert an Icon-ID into the header based on the level of spam. If the spam score is high or extreme, the mail icon will have a red circle. If the spam score is medium, an orange circle will be used. Messages with a low spam score will have a green circle.
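The end-of-message rules on lines 99 to 113 overlap, so the combined outcome for a given score is easiest to check by modelling them. The following is an added example, not part of the rules file or the product: it reproduces those rules in Python using the default thresholds from lines 15 and 16. The function name and the returned structure are assumptions made for illustration.

```python
# Thresholds from lines 15 and 16 of the default rules file
LOW_MIN, LOW_MAX, MED_MAX, HIGH_MAX = 10, 25, 50, 100

def band(level):
    """Warning band chosen by lines 102-105, or None below $LowSpamMin."""
    if level > HIGH_MAX:
        return "EXTREME"
    if level > MED_MAX:
        return "HIGH"
    if level > LOW_MAX:
        return "MEDIUM"
    if level >= LOW_MIN:
        return "LOW"
    return None

def disposition(level, tests="", xtreme_causes_ndn=False):
    """Model lines 99-113: return (actions, injected headers) for a final score."""
    if level > HIGH_MAX and xtreme_causes_ndn:
        # Lines 99-100; line 101 says the later rules apply only if no NDN is sent
        return ["STRIKE", "NDN 550"], []
    actions, headers = [], []
    name = band(level)
    if name:
        headers.append("X-SPAM-Warning: " + name)          # lines 102-105
    if level > MED_MAX:
        actions.append("SPAM")                             # line 106
    if level > HIGH_MAX:
        actions.append("SPAMSUSPECTED")                    # line 107
    if level > LOW_MAX:
        headers.append("X-FC-Options: suppress-ndn")       # line 108
    if level >= LOW_MIN:
        headers.append("X-SPAM-Level: %d" % level)         # line 109
        headers.append("X-SPAM-Tests: " + tests)           # line 110
    # Lines 111-113: HIGH and EXTREME share one icon
    icon = {"EXTREME": 23048, "HIGH": 23048, "MEDIUM": 23049, "LOW": 23050}.get(name)
    if icon:
        headers.append("X-FC-Icon-ID: %d" % icon)
    return actions, headers

if __name__ == "__main__":
    # Constructed scores on each side of every threshold
    for lvl in (9, 10, 25, 26, 50, 51, 100, 101):
        print(lvl, disposition(lvl, "EXAMPLE;"), disposition(lvl, "EXAMPLE;", True))
```

Because these rules compare with a strict greater-than, a single 100-point test such as IPBLOCK leaves a message in the HIGH band, while any single 101-point test makes it EXTREME and, with "Extreme causes NDN" selected, rejects it.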

