OITC's rules database has been built to help mail admins manage and select the contextual filtering rules appropriate to their own facility.
The Rule Set database for Simple Text Filter version 1.1 and greater is presently available in Excel format. If you cannot support Excel, please contact us at STFRules@oitc.com
Structure
STF Rules contain the following tab separated fields:
Source/Location - Where the rule should apply, such as BODY, SUBJECT, etc. This field corresponds to the first field in STF rules. Note: due to the evolving nature of STF this field may contain directives that are not compatible with version 1.1 of the filter.
Rule - The STF rule.
Error Msg - The message provided to EIMS to reply to the mailer.
Log Msg - The message logged locally.
Stat Name - If you are interested in collecting statistics on filtering you may wish to change this. This field is our default configuration for rule performance logging.
Source/Location
The Source/Location field is composed of three concatenated parts:
Action - The action flag specifies how STF will process the rule. If the action is a # or ;, the rule is ignored. If the action is a !, the rule is executed and, if true, a message is placed in the log but the mail is not rejected. If the action character is not entered, the rule is executed and, if true, the mail is rejected and the fact logged.
Location - Where the rule should apply. This field is further explained below.
Rule Qualifiers - Qualifiers such as anchor at a field's beginning. This field is further explained below.
Thus, a Source/Location item would look like: ActionLocationQualifier.
The Location field specifies which area of an email the rule applies to. Permissible values are:
Return-Path: header line describing the return path.
Received: header line describing the path the email took to get to your machine.
Sender: header line describing who the sender is.
Errors-To: header line defining the email address to which errors are sent.
Reply-To: header line defining the email address to which replies are sent.
Message-Id: header line displaying the message ID.
Mime-Version: header line describing the MIME version of the mailing client.
Content-Type: header line describing the MIME content type.
Content-Disposition: header line describing the MIME content information.
Precedence: header line describing email precedence.
Date: header line describing the date of the email. Remember this is cosmetic.
From: header line stating who the mail is from. Remember this is cosmetic.
To: header line stating who the mail is to. Remember this is cosmetic.
Subject: header line containing the subject of the email.
X-Headers: "x" header lines.
Other Headers: any other header lines.
:host: special keyword indicating the IP from which the mail comes.
:hostip: special keyword indicating to check the IP from which the mail comes against a range of IPs.
:rcpt: special keyword indicating the actual email address that the mail was sent to. Note: when sent to multiple recipients in a single domain, this field may not be found.
:sender: special keyword indicating the email address that the mail was sent from.
H*: special keyword indicating to check all headers.
BODY: special keyword indicating the body of the email.
Qualifiers appear after the colon (":") of the Location field. Allowable qualifiers are:
1 Applies to the H*: location, meaning only the primary (first) set of headers and not subsequent headers in other MIME parts.
< Applies to all locations and means that the matching must start at the beginning of the field. For example, if a subject was "Now is the time" the rule "is the" would fail on the location "Subject:<" but not fail on the location "Subject:".
V Applies to all locations. It is normally associated with virus rules. This qualifier disables all but special whitelist entries.
- Applies to all locations. The dash ("-") and underscore ("_") characters are ignored for this rule only.
S Applies to all locations. Any whitespace (spaces, tabs, returns and linefeeds) is reduced to single spaces for this rule only.
A Applies to all locations. Any characters other than alphanumerics are ignored for this rule only.
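The Action/Location/Qualifier split and the <, -, S and A qualifiers described above can be exercised with a short parser. This is an added example, not OITC's code: the function names are hypothetical, rules are treated as literal text, matching is assumed case-sensitive, and the qualifiers are assumed to be applied to the text being searched; the 1 and V qualifiers are parsed but not acted on.

```python
import re

# Hypothetical helper names; only the field layout comes from the page.
ACTIONS = {"#": "ignore", ";": "ignore", "!": "log-only"}

def parse_source_location(item):
    """Split an ActionLocationQualifier item into (action, location, qualifiers)."""
    flag = item[:1]
    action = ACTIONS.get(flag, "reject")      # no action character: reject and log
    rest = item[1:] if flag in ACTIONS else item
    colon = rest.rfind(":")                   # qualifiers follow the location's last colon
    if colon < 0:
        raise ValueError(f"no location colon in {item!r}")
    return action, rest[:colon + 1], rest[colon + 1:]

def normalize(text, qualifiers):
    """Apply the -, S and A qualifiers to the text being searched (assumed order)."""
    if "-" in qualifiers:                     # dash and underscore are ignored
        text = text.replace("-", "").replace("_", "")
    if "S" in qualifiers:                     # whitespace runs become one space
        text = re.sub(r"[ \t\r\n]+", " ", text)
    if "A" in qualifiers:                     # only alphanumerics are kept
        text = re.sub(r"[^0-9A-Za-z]", "", text)
    return text

def evaluate(item, rule, field_text):
    """Return (action, hit) for a literal rule; wildcards are out of scope here."""
    action, _location, quals = parse_source_location(item)
    if action == "ignore":
        return action, False                  # '#' and ';' rules are never executed
    text = normalize(field_text, quals)
    hit = text.startswith(rule) if "<" in quals else rule in text
    return action, hit

if __name__ == "__main__":
    # The Subject example is the one given on the page; the items are constructed.
    for item in ("Subject:<", "Subject:", "!Subject:-", "#BODY:S"):
        print(item, evaluate(item, "is the", "Now is the time"))
```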
Rule
The Rule field contains the rule to be applied to the source field.
STF will search the location for the rule pattern. Rules are similar to regular expressions. They will match any text and can contain wildcards. Wildcards are:
%# matches a run of decimal digits.
%n# matches an n-digit run of decimal digits.
%x matches a run of hex digits.
%nx matches an n-digit run of hex digits.
%*s matches a run of characters until the string ("s") is detected.
%n* matches n characters.
To identify special characters in a rule you can use the following escape sequences:
\r matches the return character.
\n matches a linefeed.
\t matches a horizontal tab.
\\ matches a backslash ("\") character.
\^ matches a caret ("^") character.
\0xx replaced by a single character with the hex value of xx. For example, \000 would represent a null character. \020 would be a space. You can represent characters that are greater than 128 using this. Note that using \000 for any string other than the text to match will be ignored.
^x where x is a character from a-z, [, \, ], ^ or _; ^x is replaced by control-x.
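To test a rule before deploying it, the wildcards and escape sequences above can be translated into a Python regular expression and run against sample text. This is an added example, not part of STF: the function names are hypothetical, %* is assumed to end where the rest of the rule matches, matching is assumed case-sensitive, and the pattern http://%8# is constructed from the page's description of "http:// followed by 8 numeric digits".

```python
import re

# Escape letters from the page's list, mapped to the character they stand for.
ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\", "^": "^"}
CLASSES = {"#": "[0-9]", "x": "[0-9A-Fa-f]", "*": "."}
TOKEN = re.compile(
    r"%(?P<n>\d*)(?P<kind>[#x*])"        # %#  %n#  %x  %nx  %*  %n*
    r"|\\0(?P<hex>[0-9A-Fa-f]{2})"       # \0xx -> character with hex value xx
    r"|\\(?P<esc>[rnt\\^])"              # \r \n \t \\ \^
    r"|\^(?P<ctrl>[A-Za-z\[\\\]^_])"     # ^x -> control-x
    r"|(?P<lit>.)",                      # anything else is literal text
    re.DOTALL,
)

def stf_to_regex(rule):
    """Translate an STF rule pattern into an equivalent Python regex (hypothetical helper)."""
    out = []
    for m in TOKEN.finditer(rule):
        if m["kind"]:
            unit = CLASSES[m["kind"]]
            if m["n"]:
                out.append(f"{unit}{{{int(m['n'])}}}")   # exactly n characters
            elif m["kind"] == "*":
                out.append(".*?")        # assumption: run stops where the rest matches
            else:
                out.append(unit + "+")   # a run of one or more digits
        elif m["hex"]:
            out.append(re.escape(chr(int(m["hex"], 16))))
        elif m["esc"]:
            out.append(re.escape(ESCAPES[m["esc"]]))
        elif m["ctrl"]:
            out.append(re.escape(chr(ord(m["ctrl"].upper()) & 0x1F)))
        else:
            out.append(re.escape(m["lit"]))
    return "".join(out)

def stf_search(rule, text):
    """True if the translated rule is found anywhere in text."""
    return re.search(stf_to_regex(rule), text, re.DOTALL) is not None

if __name__ == "__main__":
    # Constructed sample bodies: an undotted numeric host and a dotted address.
    for body in ("see http://12345678/x", "see http://192.0.2.10/x"):
        print(repr(body), stf_search("http://%8#", body))
```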
Error Msg
The Error Msg field contains the message that will be returned to the sending mail server if the rule is true. You must return the correct RFC status codes.
You can fill the error message with information about the email using replacement strings. These replacement strings are:
%r recipient's email address.
%s sender's email address.
%h sending host name.
%i sending host IP address.
You can also fill the error message with macros from your pref files. These macros are identified as |macro_name|.
An example error message might be:
550 5.7.0 Rejected by filter (code: 1023). Contact postmaster for details.
Log Msg
The Log Msg field contains the message that will be output to the error log if the rule is true.
You can fill the log message with information about the email using the replacement strings defined above.
You can also fill the log message with macros from your pref files. These macros are identified as |macro_name|.
Stat Name
The Stat Name field is used to accumulate performance statistics. If you wish to accumulate statistics, enter a variable name here. Each time the rule is true the variable is incremented. You can accumulate information on each rule, on only some rules, or you can group rule performance together by using the same, different or no variable names.
The above rule means: Search the body of the email message for http:// followed by 8 numeric digits. If found, reject the message and return 550 5.7.0 Rejected by filter (code: 1023). to the sending mail server and place Bounced (BODY: Undotted Quad) [1023, %h (%i), Frm: %s To: %r] in the error log and increment the count in the UndottedQuad stats variable.
Try to say the rule out loud when you read it. This helps you clarify its operation.