Mail Scanning With Exim And The Exiscan ACL
by Michael Oliveri - Tuesday, 13 April 2004.

deny message = This message contains an unwanted \
               extension ($found_extension)
     demime = scr:vbs:bat:lnk:pif:exe:hta

In this example, the deny message is the error presented to the sender by Exim when the message is rejected, with the $found_extension variable notifying the sender which specific attachment the server refuses. The demime line is the list of extensions refused.

Antivirus scanning requires a third-party virus scanner to be installed on the system. According to the Exiscan website, Exiscan works with several different scanners. We have chosen to use ClamAV locally. As one would expect, if a virus is found in an attachment, the message is rejected. The AV daemon's IP address (if not localhost) and port (if not the default) are specified earlier in the configure file, and the ACL rule is very simple:

deny message = This message contains malware
     malware = *

In this instance, any malware discovered by Clam is rejected and the sender is notified.

Spam filtering is performed with SpamAssassin and the spamd daemon, and a spam score is generated for every incoming message. Exiscan can be configured with two thresholds for this score: a flag threshold and a rejection threshold. If a message scores higher than the flag threshold, a header is attached to the message designating it as spam. Recipients can then configure their MUA to deal with these messages as they see fit. Similarly, with a little extra tweaking, Exiscan can also be configured to rewrite the subject line or body of a message for more obvious labeling. If a message receives a higher score than the rejection (bounce) threshold, then the message is rejected outright.

Using this capability we have been able to configure our mail server to reject the obvious spam and still allow our users the flexibility to manage the rest on their own with rules and filter sets on their mail client. As with Clam, the server address and port are established earlier in the Exim configure file. Its rule is a little more complex:

deny message = This message scored $spam_score points.
     spam = nobody:true
     condition = ${if >{$spam_score_int}{63}{1}{0}}

The spam = nobody:true line specifies that spam scanning will be performed for all users. If the message's score is greater than the bounce threshold, the message is rejected and the sender notified. In this case, we reject if the message scores over 6.3 points in SpamAssassin tests. Note that the threshold is multiplied by ten for placement within the rule.
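The flag and rejection thresholds described above, written out together as a DATA ACL fragment. This is an added example, not part of the original article: the ACL name acl_check_data, the header names, the spamd address and the rule order are assumptions, and the header rules use the Exiscan-era form in which `message` on a `warn` verb adds a header.

```exim
# Main section of the Exim configure file (sample address, constructed)
spamd_address = 127.0.0.1 783
acl_smtp_data = acl_check_data

begin acl

acl_check_data:

  # Record the score on every scanned message. ":true" makes the spam
  # condition succeed whatever the score, so $spam_score and $spam_bar
  # are always filled in. On a warn verb, "message" adds a header.
  warn  message   = X-Spam-Score: $spam_score ($spam_bar)
        spam      = nobody:true

  # Flag threshold: without ":true" the condition only succeeds when
  # SpamAssassin itself classes the message as spam, so the flag header
  # appears at SpamAssassin's own required score.
  warn  message   = X-Spam-Flag: YES
        spam      = nobody

  # Rejection threshold: $spam_score_int is the score times ten, so 63
  # means "more than 6.3 points". Refused at SMTP time with this text.
  deny  message   = This message scored $spam_score points.
        spam      = nobody:true
        condition = ${if >{$spam_score_int}{63}{1}{0}}

  # Everything else is accepted; flagged mail is left to the
  # recipient's MUA rules.
  accept
```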

Regular expression blocking gives the sysadmin further control without having to tweak SpamAssassin configuration files. Simply put, the sysadmin writes regular expressions describing blocked strings, and messages containing a match are rejected outright. The following is one of the examples included with Exiscan:

deny message = This message matches a blacklisted \
               regular expression ($regex_match_string)
     regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]

In this case, any message whose body contains the word "Viagra" with any mix of case and whitespace is rejected.

Exiscan comes with thorough documentation and sample configurations for each facility to allow users to get up and running quickly. A HOWTO is also available at the Exiscan website. Further support can be found through the Exiscan-users email list; though primarily a low-traffic list, the active users - including Exiscan author Tom Kistner - are quick at providing answers to questions. From what I've seen, Kistner is also very responsive in adding functionality and providing bug fixes for Exiscan.

