OITC's
STF Virus & SPAM/UCE Rule Data Base
Usage Instructions

OITC uses the Eudora Internet Mail Server (EIMS) and Simple Text Filter (STF)


OITC's rules database has been built to help mail admins manage and select the content filtering rules appropriate to their own facility.

The rule set database for Simple Text Filter version 1.1 and later is presently available in Excel format. If you cannot use Excel, please contact us at STFRules@oitc.com


Inventory

Included in this distribution are:
  1. ReadMe - Current and topical information
  2. Rule Set Data Base - OITC's Data Base of content filtering rules for viruses and spam.
  3. Installation Help

ReadMe - This file includes current and topical information about this version of the distribution.

Rule Set Data Base - This file is what you are looking for: the database of our rule set, which anyone can use, and whose rules can be filtered to select only the ones that apply to each user's environment.


Rule Set Data Base Layout

The database is organized by worksheet tab, as follows.


Header

Legacy header - may be removed at some time in the future.


Prefs

This area holds our current selection of preferences and macros. We recommend that you update all macros to meet your local needs. Also update your selection of Simple Text Filter's preferences.


Virus

This area holds our current set of anti-virus rules. These rules protect you from the major viruses and worms for the PC, *nix, and Mac. They stop viruses such as Nimda, Sircam, BadTrans, Snow White, Happy99, etc. As currently configured, the database bounces all PC executable attachments with an error message asking the sender to resend after "zipping" the file or to contact the postmaster. This is the safest setting for the virus rules, and we recommend that you seriously consider your risk before changing or eliminating them. Keep in mind that these are content-matching rules: they catch the strains and attachment types they were written for, so keep the rule set current.
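As an added illustration (not code from OITC's database or from STF itself), here is the decision the virus rules make, expressed in Python: look at every attachment's file name and bounce the message with the resend-zipped text if the final extension is a PC executable type. The extension list, the bounce wording, and the sample messages are assumptions constructed for this example; STF's own rules are text matches on the message, not Python.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed set of "PC executable" extensions; the page's virus rules do not
# enumerate them, so treat this as a starting point to extend for your site.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".lnk"}

# Bounce wording mirrors what the page describes: resend zipped or contact postmaster.
BOUNCE_TEXT = ("Executable attachments are not accepted here. "
               "Please zip the file and resend, or contact postmaster.")


def is_executable_name(filename):
    """True if the attachment's final extension is an executable type.

    Only the last extension counts, so 'report.txt.exe' is executable and
    'setup.exe.zip' is not; matching is case-insensitive ('VIRUS.EXE').
    """
    ext = os.path.splitext(filename.strip())[1].lower()
    return ext in EXECUTABLE_EXTENSIONS


def attachment_names(raw_message):
    """File names of every part that carries one (Content-Disposition filename
    or Content-Type name parameter)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def check_message(raw_message):
    """Decide accept/bounce for one raw message.

    Returns (accepted, reason); the reason is what you would put in the STF
    error message and log line.
    """
    for name in attachment_names(raw_message):
        if is_executable_name(name):
            return False, f"bounced executable attachment {name!r}: {BOUNCE_TEXT}"
    return True, "accepted: no executable attachment"


def build_sample(filename, payload=b"MZ\x90\x00 constructed payload, not a real executable"):
    """Constructed test message with one attachment (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "file for you"
    msg.set_content("see attached")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("setup.exe", "report.txt.EXE", "setup.zip", "notes.txt"):
        print(name, check_message(build_sample(name)))
```

The double-extension case is the one worth checking on your own site: a rule that only looks for ".exe" followed by a quote or end of line will miss "invoice.exe " with a trailing space, which is why the example strips the name before testing it.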


Mail Format

This area holds our current set of anti-spam rules dealing with an email's format. This includes detection of invalid header information, improper scripts, spamware, undotted quads, languages, etc. It also includes some of the larger, longer-lived spam houses like Monsterhut and Instant Empires. A more detailed explanation of these rules can be found below. This is part of our original area labeled SPAM.


Mail Content

This area holds our current set of anti-spam rules dealing with an email's content. This includes mass bulk email, gambling, financial scams, removes, fake justifications, redirectors, email marketing companies, free email services and hosts associated with spam, drugs, get-rich-quick and pyramid schemes, and just plain spam. It also includes some identified IP blocks that are not filtered by DNSbl systems. A more detailed explanation of these rules can be found below. This is part of our original area labeled SPAM.


DNSbl

This area holds our current set of anti-spam rules dealing with an email's last-hop IP, the address of the host that delivered the message to your server. These IP blocks have been reported via SpamCop; their owners either don't care or their email bounces; they fail open relay checks but continue to send spam. When an IP block meets these criteria, it is added to this rule set.


45 Days

This area holds our current set of anti-spam rules that seem to be good for 30-45 days. These rules focus on From and Return-Path email addresses. These are typically throwaway addresses that are used in spam for about 30 days, or a little longer, before they are retired.


Region

This area holds our current set of anti-spam rules targeted at regional problems. For example, they block free webmail systems in China known to be used in spam. If you have clients in any of these areas, you probably should not use these rules.


Experimental

This area holds our current set of experimental anti-spam rules. These should not be used operationally until more statistics are gathered.


Local Rules

This area has been configured so that you can place and manage your own local rules.


DNS Filter Exclusions

This area holds a portion of our DNS Filter Exclusions whitelist. Depending upon your selection of rules, rule types, and confidence, you may or may not need a number of these entries. The key entries are the SpamCop, EIMS, and STF lists.


Whitelist

This area holds a portion of our current set of whitelisted addresses. Depending upon your selection of rules, rule types, and confidence, you may or may not need a number of these entries. The key entries are the EIMS and STF lists, as well as your own contact addresses (we use postmaster [RFC 2821 section 4.5.1] and abuse [RFC 2142]). The whitelist is larger than we would normally like because a number of mass mailers (Type: EmailMarket) don't care where their address lists come from, or accept contracts from unethical people.
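The DNSbl, 45 Days, and Whitelist tabs above fit together as one evaluation order, shown here as an added Python example (not OITC's rules and not STF's matching engine): whitelist first, then the last-hop IP against listed blocks, then throwaway From/Return-Path addresses. The block list, the addresses, the sample messages, and the assumption that a whitelist entry matches either the recipient or the sender are all constructed for this example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed rule data for the example; none of these are OITC's actual entries.
DNSBL_BLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
THROWAWAY_SENDERS = {"promo@example.org"}          # a "45 Days" style From/Return-Path rule
WHITELIST = {"postmaster@example.net", "abuse@example.net", "stf-list@example.net"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_hop_ip(msg):
    """IP of the host that handed the message to our server.

    Only the topmost Received header is trusted, because our own server wrote
    it. Every Received line below it was written by someone else and can be
    forged to point the blame at an unlisted address.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = IP_IN_BRACKETS.search(str(received[0]))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:            # e.g. "[999.1.1.1]" in a malformed header
        return None


def addresses(msg, *headers):
    """Lower-cased bare addresses from the named headers ('Name <a@b>' -> 'a@b')."""
    found = set()
    for h in headers:
        value = msg.get(h)
        if value:
            addr = parseaddr(str(value))[1].lower()
            if addr:
                found.add(addr)
    return found


def evaluate(raw_message):
    """Return (action, reason) for one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)

    # Assumption: a whitelist entry matches the recipient or the sender, so mail
    # to postmaster/abuse (RFC 2821 4.5.1, RFC 2142) is never filtered.
    hit = addresses(msg, "To", "From", "Return-Path") & WHITELIST
    if hit:
        return "accept", f"whitelisted {sorted(hit)[0]}"

    ip = last_hop_ip(msg)
    if ip is not None:
        for block in DNSBL_BLOCKS:
            if ip in block:
                return "reject", f"last-hop IP {ip} in listed block {block}"

    hit = addresses(msg, "From", "Return-Path") & THROWAWAY_SENDERS
    if hit:
        return "reject", f"throwaway sender {sorted(hit)[0]}"
    return "accept", "no rule matched"


def sample(top_received, sender, to="user@example.net", return_path=None, forged_received=None):
    """Constructed message, not a capture. `forged_received` simulates a Received
    line the sender inserted to look like the mail came from somewhere else."""
    lines = [f"Received: {top_received}"]
    if forged_received:
        lines.append(f"Received: {forged_received}")
    lines += [
        f"Return-Path: <{return_path or sender}>",
        f"From: Someone <{sender}>",
        f"To: {to}",
        "Subject: hello",
        "",
        "body",
        "",
    ]
    return "\n".join(lines).encode()


LISTED = "from mx.example.org (mx.example.org [192.0.2.15]) by mx.example.net with SMTP; Mon, 1 Oct 2001 10:00:00 -0400"
CLEAN = "from mail.example.com (mail.example.com [203.0.113.7]) by mx.example.net with SMTP; Mon, 1 Oct 2001 10:00:00 -0400"

if __name__ == "__main__":
    print(evaluate(sample(LISTED, "someone@example.org")))
    print(evaluate(sample(LISTED, "someone@example.org", to="postmaster@example.net")))
    print(evaluate(sample(CLEAN, "promo@example.org")))
    print(evaluate(sample(CLEAN, "friend@example.com", forged_received=LISTED)))
```

The last sample is the case to remember when writing IP rules by hand: a listed address appearing in a lower Received line proves nothing, so a rule that matches it anywhere in the headers will reject legitimate mail that merely passed through a listed host, or mail whose sender pasted that line in.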


Holding Area

Experimental area for OITC.


Understanding the rule sets

All rule sheets include the same column entries (the columns listed under How to Sort below).

The portions of each worksheet which must be exported to STF are highlighted in blue in the database.


  • Installation Guide

    Note: You should read the STF documentation before reading this installation guide.

Note: All OITC rules require that you copy the MACROS that appear on the Prefs worksheet to your STF Preferences file.

    Note: You can get more help at EIMS Filter FAQ page or the How To Write an STF Rule page.


    Initial Installation

    Setting Up Preferences

1. Click on the Prefs tab
    2. Update the STF Preferences to match your site's requirements. Use the documentation that came with STF to understand the options.
    3. Update the Macros and error messages as you wish. (Note: you may wish to keep the same error log structure.)
    4. After editing, copy the blue area (Cols D - G) and paste it into your "SimpleText Filter Prefs" file.

    Setting Up Whitelist

    1. Click on the Whitelist tab
    2. Update the STF Whitelist to match your site's requirements. Use the documentation that came with STF to understand the options.
3. Delete/Add/Update as you see fit. The reason there are so many entries is that a number of bulk mailers send bulk mail for ethical companies as well as for unethical companies and spammers. To keep the level of filtering up, we have whitelisted these. Also, if your users like jokes, you must either be careful with rules or whitelist certain "trusted" accounts. We have highlighted in blue those whitelist items which should seriously be considered. They cover postmaster, abuse, the EIMS list, the STF list, SpamCop, and Apple.
    4. After editing, copy the blue area (Col A) and paste it into your "Whitelist" file.

    Setting Up DNS filter exclusions

    1. Click on the DNS filter exclusions tab
    2. Update the DNS filter exclusions to match your site's requirements. Use the documentation that came with STF to understand the options.
3. Delete/Add/Update as you see fit. The reason there are so many entries is that a number of bulk mailers send bulk mail for ethical companies as well as for unethical companies and spammers. To keep the level of filtering up, we have added DNS filter exclusions for these. Also, if your users like jokes, you must either be careful with rules or add DNS filter exclusions for certain "trusted" accounts. We have highlighted in blue those DNS filter exclusion items which should seriously be considered. They cover the EIMS list, the STF list, SpamCop, and the STF developer.
    4. After editing, copy the blue area (Col A) and paste it into your "DNS filter exclusions" file.


    How to Use

    1. Select a Tab
    2. Sort
    3. Select
    4. Deploy

    How to Select a Tab

    Select rules by clicking on the tabs at the bottom of the spreadsheet.

    How to Sort

The power of this rule set is your ability to sort it in order to select only the rules that you are looking for. You can sort by:
    • Date
    • Status
    • Type
    • Source
    • Rule
    • Error Msg
    • Log Msg
    • Stat Name
    • Code
    • Error
    • Subtype
    • ID
    • XXX
    • Ranking
    • Reason
    • ID
    • Comment
    • Author
    • STF Version
Just select Cols A-S and Rows 2 through the end of the rules. Under the Data menu, select Sort... and pick what you wish to sort on.

    How to Select

Now select the blue part of each rule you want (e.g. Cols D-H), copy the rules to the clipboard, and paste them into your STF rule file(s) using BBEdit or a similar text editor. Note: do not use OS X's TextEdit unless you reset its Preferences to Plain Text; a file saved as rich text is not a usable rule file.

    How to Deploy

    Copy your updated STF rule file(s) to your mailserver.
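The Sort / Select / Deploy steps above can be scripted once you export a worksheet from the Excel database as CSV. The following is an added Python example, not a tool from OITC or STF: it keeps rows by Type and Status, takes the "blue" columns named on this page (Source, Rule, Error Msg, Log Msg, Stat Name), and writes them as plain LF-terminated text so the TextEdit rich-text problem cannot arise. The sample export, its Status and Type values, and the tab used to join the columns are assumptions for the example; check the delimiter against a rule file that STF already accepts.

```python
import csv
import io

# The "blue" rule columns, by the headings the page lists for sorting.
RULE_COLUMNS = ("Source", "Rule", "Error Msg", "Log Msg", "Stat Name")


def select_rules(csv_text, keep_types=None, drop_status=()):
    """Rows of one exported worksheet, filtered by Type and Status.

    keep_types: set of Type values to keep (None keeps every type).
    drop_status: Status values to skip, e.g. rules you consider experimental.
    Raises ValueError if the export lacks a column we need, rather than
    silently writing empty rule lines.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    present = reader.fieldnames or []
    missing = [c for c in RULE_COLUMNS + ("Type", "Status") if c not in present]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    for row in reader:
        if row["Status"] in drop_status:
            continue
        if keep_types is not None and row["Type"] not in keep_types:
            continue
        yield row


def rule_lines(rows, delimiter="\t"):
    """One text line per rule: the blue columns joined by `delimiter` (tab is an
    assumption here) with stray cell whitespace trimmed, as a paste from the
    spreadsheet would not do for you."""
    return [delimiter.join(row[c].strip() for c in RULE_COLUMNS) for row in rows]


def write_rule_file(path, lines):
    """Write plain UTF-8 text with LF line endings and no BOM."""
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.write("\n".join(lines) + "\n")


# Constructed export of a worksheet (a subset of the sheet's columns; RULE-* cells
# stand in for real rule text).
SAMPLE_EXPORT = """\
Date,Status,Type,Source,Rule,Error Msg,Log Msg,Stat Name,Comment
2001-09-20,Active,Virus,OITC,RULE-V1,Zip executables and resend,virus exe,VirusExe,constructed row
2001-09-21,Active,EmailMarket,OITC,RULE-M1,Bulk mail refused,emailmarket,EmailMarket,constructed row
2001-09-22,Experimental,Spam,OITC,RULE-X1,Refused,experimental,Exp1,constructed row
2001-09-23,Active,Spam, OITC ,RULE-S1,Refused,spam,Spam1,cell with stray spaces
"""

if __name__ == "__main__":
    chosen = select_rules(SAMPLE_EXPORT, keep_types={"Virus", "Spam"}, drop_status={"Experimental"})
    for line in rule_lines(chosen):
        print(line)
```

Run it against a real export with `write_rule_file("rules.txt", rule_lines(select_rules(open("Virus.csv").read())))`, then deploy the file as described above.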



    ©2001 by OITC. All rights Reserved, USA and Worldwide