# These are snippets of my Exim configuration (variant with ${run ).
# Lena(at)lena.kiev.ua May 11, 2012

# Macros: Exim substitutes these names textually into later lines of this file.
# LIM and PERIOD are used below as "ratelimit = LIM / PERIOD / per_rcpt / ...",
# i.e. the number of failed-verification recipients tolerated per time window.
LIM = 100
PERIOD = 1h
# WARNTO: recipient of the "blocked" notices generated by the ${run} items.
WARNTO = abuse@example.com
# EXIMBINARY: command the generated notice is piped into (-f sets the
# envelope sender of that notice).
EXIMBINARY = /usr/local/sbin/exim -f root
# SHELL: interpreter started by the ${run{SHELL -c "..."}} items in the ACLs.
# NOTE(review): whatever is expanded inside those -c strings becomes shell
# input, so only values that cannot carry shell metacharacters belong there.
SHELL = /bin/sh

# Main configuration options. Listen on SMTP (25) and submission (587).
daemon_smtp_ports = 25 : 587
accept_8bitmime = true
# untrusted_set_sender = * lets any local user choose an arbitrary envelope
# sender, and local_from_check = false turns off the From:/Sender: consistency
# check for locally submitted mail.
# NOTE(review): together these permit local sender forgery; acceptable only
# where every local account is trusted - confirm for this host.
untrusted_set_sender = *
local_from_check = false
# Syntactically invalid HELO/EHLO names are accepted from every host at this
# level; the HELO checks in acl_check_rcpt do the policy work instead.
helo_accept_junk_hosts = *
# Keep newlines in $message_body (acl_check_data matches against line breaks).
message_body_newlines = true
headers_charset = KOI8-R
# NOTE(review): returns extra detail about verification failures to the
# remote client - useful for legitimate senders, but also visible to probes.
smtp_return_error_details = true
bounce_return_size_limit = 7K
delay_warning = 4h:99d
message_id_header_domain = lena.kiev
		 # nonexistent domain in order to avoid spam to Message-IDs
# STARTTLS is offered to every client.
# NOTE(review): the private key file should be readable only by the Exim
# user - permissions are not visible from this file, confirm on the host.
tls_advertise_hosts = *
tls_certificate = /etc/ssl/exim.crt
tls_privatekey = /etc/ssl/exim.pem
# Reverse DNS for every connection; $sender_host_name feeds many ACL tests.
host_lookup = *
# Ident (RFC 1413) callback to every client, bounded by a 2 s timeout.
rfc1413_hosts = *
rfc1413_query_timeout = 2s
log_selector = +smtp_confirmation +queue_time -retry_defer \
	       +smtp_incomplete_transaction +smtp_no_mail +deliver_time
# Static allowlist of sender addresses and ranges. acl_check_rcpt accepts a
# host on this list ("accept hosts = +whitelisted_hosts") before the local
# hostname/IP blacklists, the DNS lists and greylisting are consulted, and
# pipelining_advertise_hosts also refers to it.
# NOTE(review): the provenance notes below date from 2008; address ranges are
# reassigned over time, so every range should be re-validated periodically
# against what the named provider currently publishes, and dropped otherwise.
hostlist whitelisted_hosts = \
		# yahooGroups:
98.136.218.0/23 : \
98.139.44.0/24  : \
98.138.214.0/23 : \
98.139.164.0/23 : \
66.163.168.0/23 : \
67.195.134.0/23 : \
69.147.64.0/23  : \
69.147.102.0/23 : \
74.6.140.0/24   : \
98.136.44.0/23  : \
202.86.5.0/24   : \
203.188.202.0/24 : \
217.146.182.0/23 : \
209.131.38.0/24 : \
209.191.87.0/24 : \
209.191.125.0/24 : \
68.142.206.0/23 : \
68.142.236.0/23 : \
		# rambler.ru:
81.19.92.32/28  : \
81.19.66.0/23   : \
81.19.88.0/24   : \
		# mail.ru:
194.67.23.0/24  : \
194.67.57.0/24  : \
94.100.179.0/24 : \
194.67.45.0/24  : \
195.239.211.0/24 : \
194.186.55.0/24 : \
195.239.174.0/24 : \
94.100.176.0/20 : \
217.69.128.0/23 : \
		# yandex.ru:
95.108.253.0/24 : \
77.88.32.0/24   : \
87.250.248.0/24 : \
213.180.200.0/24 : \
213.180.223.0/24 : \
77.88.46.0/23   : \
77.88.60.0/23   : \
95.108.130.0/23 : \
		# pochta.ru:
81.211.64.0/24  : \
82.204.219.0/24 : \
		# aha.ru/go.ru:
# 195.2.83.0/24   : \
		# beelinegprs:
217.118.66.233  : \
		# ngs.ru:
81.176.214.0/24 : \
195.93.186.0/24 : \
212.164.71.0/24 : \
                # tut.by:
195.137.160.39  : \
195.137.160.40  : \
195.137.160.44/31 : \
                # kyivstar.net:
193.41.60.22    : \
		# ntvplus.ru:
217.106.225.56	: \
		# subscribe.ru:
81.222.217.0/24 : \
81.222.129.0/24 : \
81.9.34.128/25  : \
		# spamgourmet.com:
216.75.35.164	: \
                # shootthebreeze.net:
74.220.195.67   : \
                # nym.alias.net:
18.26.0.252     : \
                # satline.net:
212.72.193.50   : \
                # allegro.pl:
91.194.188.90 : 91.207.14.90 : \
                # slando.ru :
83.231.211.64/28 : 83.231.236.0/24 : \
                # ntvplus.ru (same address as the earlier ntvplus.ru entry):
217.106.225.56  : \
                # mailing lists @ opennet.ru (open source software):
217.195.210.187 : \
                # spam-l.com:
204.238.179.8 : 204.238.179.3 : 204.238.179.19 : \
                # spammers.dontlike.us:
69.61.79.98/31 : \
                # mon.itor.us:
208.76.247.123 : \
                # mon.itor.us / monitis.com
208.76.245.178 : \
                #  lekafarm.com.ua:
193.193.194.47  : \
                # mailfilter-out-01.viettel.com.vn:
203.113.131.24  : \
                # paypal:
206.165.243.109 : 206.165.243.110/31 : 206.165.243.112/28 : \
206.165.243.128/29 : 206.165.243.136/30 : 206.165.243.140/31 : \
                # gmail (from spf 13Nov2008):
216.239.32.0/19 : 64.233.160.0/19 : 66.249.80.0/20 : \
72.14.192.0/18 : 209.85.128.0/17 : 66.102.0.0/20 : \
74.125.0.0/16 : 64.18.0.0/20 : 207.126.144.0/20 : \
                # from exim-users May 8, 2008:
                # Blueyonder:
195.188.213.0/29 : 195.188.213.8/31 : \
                # Freeserve:
# 193.252.22.156/30 : 193.252.22.128/32 : \
                # Tucows:
64.97.168.37/32 : 64.97.136.128/26 : \
                # Hotmail:
65.54.246.0/24  : \
                # Google:
209.85.132.130/32 : 209.85.132.184/29 : 209.85.132.241/32 : \
209.85.132.244/32 : 209.85.132.250/32 : 212.159.30.228/32 : \
64.233.162.176/28 : 64.233.162.224/27 : 64.233.182.167/32 : \
64.233.184.130/32 : 64.233.184.224/27 : 66.249.82.224/28 : \
66.249.92.171/32 : 66.249.93.114/32 : 66.249.93.27/32 : \
                # Messagelabs:
# 134.159.150.64/26 : 193.109.254.0/23 : 194.106.220.0/23 : \
# 195.245.230.0/23 : 203.129.72.208/28 : 203.129.72.240/28 : \
# 203.129.74.224/27 : 203.166.119.128/26 : 212.125.75.0/27 : \
# 216.82.240.0/20 : 62.173.108.16/28 : 62.173.108.208/28 : \
# 62.231.131.0/24 : 64.124.170.128/28 : 85.158.136.0/21 : \
                # manchester.worldispnetwork.com (with qmail):
216.218.232.61  : \
                # from http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?view=markup ,
                # but 195.238.2.0/15->195.238.2.0/23:
12.5.136.141 : 12.5.136.142/31 : 12.5.136.144 : 12.107.209.244 : \
63.82.37.110 : 63.169.44.143 : 63.169.44.144 : 64.7.153.18 : \
64.12.137.0/24 : 64.12.138.0/24 : \
64.124.204.39 : 64.125.132.254 : 66.100.210.82 : 66.135.209.0/24 : \
66.135.197.0/24 : 66.162.216.166 : 66.206.22.82/31 : 66.206.22.84/31 : \
66.27.51.218 : 152.163.225.0/24 : 194.245.101.88 : 195.235.39.19 : \
195.238.2.0/23 : 204.107.120.10 : 205.188.139.136/31 : 205.188.139.137 : \
205.188.144.207 : 205.188.144.208 : 205.188.156.66 : 205.188.157.0/24 : \
205.188.159.7 : 205.206.231.0/24 : 205.211.164.50 : 207.115.63.0/24 : \
207.171.168.0/24 : 207.171.180.0/24 : 207.171.187.0/24 : 207.171.188.0/24 : \
207.171.190.0/24 : 209.132.176.174 : 211.29.132.0/24 : 213.136.52.31 : \
217.158.50.178
# PIPELINING is advertised to every host whose reverse-DNS name equals its
# HELO name; all other clients get it only if they are in whitelisted_hosts.
pipelining_advertise_hosts = ${if eq{$sender_host_name}{$sender_helo_name}\
                             {*}{+whitelisted_hosts}}
# Hook each SMTP stage to the ACL of the same purpose defined after
# "begin acl" (RCPT, DATA, pre-DATA, MIME parts, AUTH, MAIL, connect,
# QUIT and abnormal session end).
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_predata = acl_check_predata
acl_smtp_mime = acl_check_mime
acl_smtp_auth = acl_check_auth
acl_smtp_mail = acl_check_mail
acl_smtp_connect = acl_check_connect
acl_smtp_quit = acl_check_quit
acl_smtp_notquit = acl_check_notquit

=============== <snip> ===============

begin acl
# RCPT-time policy. Statements are evaluated top to bottom and the first
# accept/deny/defer whose conditions all hold ends the ACL, so the order of
# the statements below is part of the policy.
acl_check_rcpt:
  # Empty host item: matches mail that did not arrive over TCP/IP.
  accept  hosts = :
  # Local domains: refuse local parts that start with a dot or contain
  # @ % ! / | (relay hacks, path and pipe characters).
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  # Other domains: refuse a leading . / or |, an embedded @, or "/../".
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@] : ^.*/\\.\\./
                    # was ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  # acl_m_pmfirst records the class of the first local recipient of this
  # message: 1 = postmaster/abuse, 0 = any other local address. It is set
  # only once, while the variable is still undefined.
  warn condition = ${if !def:acl_m_pmfirst}
       local_parts = postmaster : abuse
       domains = +local_domains
       set acl_m_pmfirst = 1

  warn condition = ${if !def:acl_m_pmfirst}
       !local_parts = postmaster : abuse
       domains = +local_domains
       set acl_m_pmfirst = 0

  # A message may not mix the two classes: a postmaster/abuse recipient is
  # deferred when the message did not start with one ...
  defer message = letters to postmaster and abuse are accepted separately \
                  from letters to other addresses
        local_parts = postmaster : abuse
        domains = +local_domains
        !condition = $acl_m_pmfirst

  # ... and an ordinary local recipient is deferred when it did.
  defer message = letters to postmaster and abuse are accepted separately \
                  from letters to other addresses
        !local_parts = postmaster : abuse
        domains = +local_domains
        condition = $acl_m_pmfirst

  # Greylisting state is one file per (client network, sender, recipient).
  # The name is the client address with a trailing ".digits" component removed,
  # a comma, then "sender,recipient" with every character outside [\w.,=@-]
  # deleted; the whole name is cut to 255 characters.
  # The character filter matters for safety: this path is later handed to
  # ${stat:...} and to ${run{/usr/bin/touch ...}}, and the filter removes
  # "/" and whitespace from the sender-controlled part.
  # NOTE(review): the address part is not filtered; an address without a
  # trailing ".digits" component is used unchanged - confirm that is intended.
  warn set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
     ${sg{$sender_host_address}{\N\.\d+$\N}{}},\
     ${sg{$sender_address,$local_part@$domain}{\N[^\w.,=@-]\N}{}}}

  # Mail to postmaster/abuse at a local domain is accepted at RCPT time
  # before sender verification and before every later check in this ACL;
  # acl_m_postmaster marks it for acl_check_predata and acl_check_data.
  accept  local_parts   = postmaster : abuse
	  domains       = +local_domains
	  set acl_m_postmaster = $sender_address,$local_part@$domain

  # Everything below requires a verifiable envelope sender.
  require verify        = sender

  # Relay clients (relay_from_hosts, excluding this host's own addresses)
  # that are already listed in blocked_relay_users: the mail is accepted but
  # frozen on the queue without a freeze notification, and tagged.
  # acl_m_user is set as soon as the hosts test passes, so it is also
  # available to the next statement when the later conditions here fail.
  accept hosts = !@[] : +relay_from_hosts
        set acl_m_user = $sender_host_address
			 # or a userid from RADIUS
        condition = ${if exists{$spool_directory/blocked_relay_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_relay_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user

  # Compromised-account detector: only recipients that FAIL verification
  # reach the ratelimit test, so it counts invalid recipients per relay user.
  # Once the rate exceeds LIM per PERIOD, the ${run} item appends the user to
  # blocked_relay_users and pipes a notice to WARNTO; this mail is frozen.
  # The ${run} argument is executed by SHELL -c, so $acl_m_user ends up inside
  # a shell command line. Here it holds $sender_host_address, set by Exim.
  # NOTE(review): if an externally supplied user id is substituted (see the
  # RADIUS remark above), reduce it to a conservative character set first.
  accept hosts = !@[] : +relay_from_hosts
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_relay_users; \
           \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
           because has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user

  # Any other mail from a relay host is accepted in submission mode.
  accept  hosts         = +relay_from_hosts
          control       = submission/domain=

  # Same scheme for authenticated clients, keyed on the authenticated id.
  # An id already listed in blocked_authenticated_users has its mail accepted
  # but frozen without notification, and tagged with X-Authenticated-As.
  accept authenticated = *
        set acl_m_user = $authenticated_id
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
        condition = ${if exists{$spool_directory/blocked_authenticated_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Authenticated-As: $acl_m_user

  # Counts recipients that fail verification per authenticated id; above
  # LIM per PERIOD the id is appended to blocked_authenticated_users and a
  # notice is piped to WARNTO.
  # NOTE(review): $acl_m_user is $authenticated_id here and is expanded into
  # the SHELL -c command line. What characters an id can contain depends on
  # the authenticator's server_set_id, which is not visible in this snippet;
  # unless ids are known to be limited to shell-safe characters, filter
  # acl_m_user with an ${sg ...} item (as done for acl_m_greyfile) before it
  # reaches ${run}, and use the same filtered value for the lookup key.
  accept authenticated = *
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_authenticated_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Authenticated-As: $acl_m_user

  # Authenticated mail on any port other than 25 is accepted as a submission.
  # Authenticated sessions on port 25 fall through to the checks below.
  accept authenticated = *
        condition = ${if !={$received_port}{25}}
        control = submission/domain=

  # HELO claims one of the local domains, but the client is not this host.
  deny message = rejected because `HELO $sender_helo_name` means \
                 impersonation/forgery of one of my domains by a spammer
       condition = ${if match_domain{$sender_helo_name}{+local_domains}}
       !hosts = @[]

  # HELO is the IP address of the receiving interface (with or without
  # brackets), but the client is not this host.
  deny message = rejected because HELO is my (recipient server) IP-address \
                 as some spammers lie instead of sender hostname
       condition = ${if match{$sender_helo_name}\
                             {\N^\[?\N$interface_address\N\]?$\N}}
       !hosts = @[]

  # Locally maintained pattern files (nwildlsearch: wildcard and regex keys).
  deny message = `HELO $sender_helo_name` locally blacklisted
       condition = ${lookup{$sender_helo_name}nwildlsearch\
                     {/usr/local/etc/exim/blacklist_re_helo}{1}{0}}

  deny  message = sender address domain $sender_address_domain locally \
                  blacklisted
        condition = ${lookup{$sender_address_domain}nwildlsearch\
                     {/usr/local/etc/exim/blacklist_sender_domain}{1}{0}}

  deny  message = google photos abused by spammers
        sender_domains = photos-server.bounces.google.com

  # From here on only local and explicitly relayed domains are served, and
  # the recipient must verify. Both come before the whitelist accepts, so a
  # whitelisted host still cannot relay or reach nonexistent recipients.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  # Static IP allowlist: skips every check below (local blacklists, DNS
  # lists, greylisting, SPF tests). The accept is logged for later review.
  accept hosts = +whitelisted_hosts
         logwrite = $sender_host_address locally whitelisted

  # Local blacklists by reverse-DNS name (patterns) and by address (iplsearch).
  deny   message = sender hostname $sender_host_name locally blacklisted \
                   because of too much spam from it
         log_message = sender hostname locally blacklisted
         condition = ${lookup{$sender_host_name}nwildlsearch\
                     {/usr/local/etc/exim/blacklist_re_hostname}{1}{0}}

  deny   message = sender IP-address $sender_host_address locally \
                   blacklisted because of too much spam from it
         log_message = sender IP locally blacklisted
         condition = ${lookup{$sender_host_address}iplsearch\
                     {/usr/local/etc/exim/blacklist_hostaddress}{1}{0}}

  # DNS whitelists are consulted before the DNS blacklists: a host found in
  # any of these zones is accepted and skips all later checks.
  # NOTE(review): this hands an accept decision to third-party zones; DNS
  # lists change policy or shut down over time, so confirm periodically that
  # each zone used in this file still answers as expected.
  accept dnslists = list.dnswl.org : \
                    swl.spamhaus.org : \
                    hostkarma.junkemailfilter.com=127.0.0.1
         logwrite = $sender_host_address whitelisted in \
	            $dnslist_domain=$dnslist_value
         # http://www.dnswl.org/ , http://spamhauswhitelist.com ,
         # http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists

  # Hard reject for dynamic ranges and open relays.
  deny   message = rejected because $sender_host_address is in a black list \
		   at $dnslist_domain. $dnslist_text
         dnslists = dul.ru : \
		    # dynamic ranges submitted by ISPs themselves 
		    # orvedb.aupads.org : \
		    # open relays http://www.aupads.org/ordb.html
                    smtp.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.5 : \
						       # open relays only
                    dnsbl.njabl.org=127.0.0.2
                                  # open relays
		    # list.dsbl.org RIP :-(

  # Country-based reject: the listed return values of zz.countries.nerd.dk
  # select the countries named in the message.
  deny   message = I don`t accept mail from China,HongKong,Taiwan, Korea, \
                   Vietnam because too many admins there do not care \
                   about outgoing spam. Your \
                   IP-address seems to belong to: $dnslist_text.
         dnslists = zz.countries.nerd.dk=127.0.0.156,127.0.1.88,127.0.0.158,\
                                         127.0.1.154,127.0.2.192
#
# uncomment if you need mail from China:
#        message = rejected because $sender_host_address is in a black list \
#                  at $dnslist_domain. $dnslist_text
#        dnslists = zen.spamhaus.org : bl.spamcop.net : dnsbl.sorbs.net : \
#           dnsbl.njabl.org : hostkarma.junkemailfilter.com=127.0.0.2,127.0.0.4
#

  # Accept, skipping greylisting and the remaining DNS-list tests, when the
  # session used STARTTLS (protocol esmtps) and the negotiated cipher name
  # contains neither "128" nor "168".
  # NOTE(review): the cipher name is used purely as a heuristic about the
  # sending software; any client that negotiates such a cipher bypasses the
  # checks below, so re-evaluate this rule as client TLS stacks change.
  accept condition = ${if def:tls_cipher}
	 condition = ${if !match{$tls_cipher}{128|168}}
         condition = ${if eq{$received_protocol}{esmtps}}
                                                # not smtps

  # Local allowlist by reverse-DNS name pattern.
  accept condition = ${lookup{$sender_host_name}nwildlsearch\
                     {/usr/local/etc/exim/whitelist_re_hostname}{1}{0}}
         logwrite = sender hostname $sender_host_name locally whitelisted

  # acl_c_* variables live for the whole connection. If a greylisting
  # decision was already made on this connection, reuse it: defer again
  # while the result is 1, otherwise accept.
  # NOTE(review): the reused result was computed from the greylist file of
  # an earlier recipient on this connection, not from this recipient's file.
  defer	 condition = ${if def:acl_c_grey_checked}
         message = $acl_c_grey_checked
	 condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}

  # Greylist when HELO does not look like a domain name: it contains no dot,
  # or it matches the pattern below (an optionally bracketed dotted quad, or
  # the second alternative of the regex).
  # acl_c_grey_result: if the greylist file exists, the result is 0 (allow)
  # once the file is older than 180 seconds and 1 (defer) before that; if it
  # does not exist, /usr/bin/touch creates it and the result is 1 whatever
  # touch printed (both branches of the eq test yield 1).
  defer  log_message = greylisted because of HELO $sender_helo_name
         condition = ${if or{\
                             {!match{$sender_helo_name}{\\.}}\
                             {match{$sender_helo_name}\
                          {\N^(\[?(\d{1,3}\.){3}\d{1,3}\]?|\.*[-0-_]+\.*)$\N}}\
                            }}
         set acl_c_grey_checked = deferred/greylisted because \
                                  HELO `$sender_helo_name` is not a domain name
         message = $acl_c_grey_checked
	 set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
	   # 1 - defer, 0 - allow
         condition = $acl_c_grey_result

  # Reached with acl_c_grey_checked set only when the defer above evaluated
  # greylisting and the result was 0: accept, log and tag the message.
  accept condition = ${if def:acl_c_grey_checked}
         logwrite = passed greylisting helo \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo

  # Greylist clients that greeted with HELO instead of EHLO (protocol
  # "smtp"), except null-sender mail and senders whose address contains
  # verif, callout or postmaster (callout probes from other servers).
  # acl_c_grey_result: 1 = defer, 0 = allow. An existing greylist file older
  # than 180 seconds gives 0; a younger or newly created file gives 1.
  defer  log_message = greylisted because of protocol smtp
         condition = ${if eq{$received_protocol}{smtp}}
					       # smtp (HELO), not esmtp (EHLO)
	 condition = ${if def:sender_address}
			# not a verify/callout from another Exim
	 condition = ${if !match{$sender_address}{verif|callout|postmaster}}
         set acl_c_grey_checked = deferred/greylisted. protocol SMTP
         message = $acl_c_grey_checked
	 set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
         condition = $acl_c_grey_result

  # Greylisting was evaluated and passed: accept, tag and log.
  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting smtp
         logwrite = passed greylisting smtp \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  # Greylist hosts whose reverse-DNS name embeds something shaped like an
  # IPv4 address (three digit groups joined by "-" or ".", then a digit)
  # unless the name also contains "sta".
  # NOTE(review): "sta" is a plain substring test (presumably aimed at
  # "static") and the name comes from the client's own reverse DNS, so treat
  # it as a heuristic only.
  # acl_c_grey_result: 1 = defer, 0 = allow. An existing greylist file older
  # than 180 seconds gives 0; a younger or newly created file gives 1.
  defer  log_message = greylisted because $sender_host_name looks dynamic
         condition = ${if match{$sender_host_name}\
                               {\N(\d{1,3}[-.]){3}\d\N}}
         condition = ${if !match{$sender_host_name}{sta}}
         set acl_c_grey_checked = deferred/greylisted because sender hostname \
                                  $sender_host_name looks like dynamic
         message = $acl_c_grey_checked
	 set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
         condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting dyn
         logwrite = passed greylisting dyn \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  # The same shape test applied to the HELO name.
  defer  log_message = greylisted because `HELO $sender_helo_name` looks \
                       dynamic
         condition = ${if match{$sender_helo_name}\
                               {\N(\d{1,3}[-.]){3}\d\N}}
         condition = ${if !match{$sender_helo_name}{sta}}
         set acl_c_grey_checked = deferred/greylisted because \
                                  `HELO $sender_helo_name` looks like dynamic
         message = $acl_c_grey_checked
	 set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
         condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo dyn
         logwrite = passed greylisting helo dyn \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  # Greylist clients for which $sender_host_name is empty (the message text
  # explains this as missing or non-matching reverse DNS).
  # acl_c_grey_result: 1 = defer, 0 = allow. An existing greylist file older
  # than 180 seconds gives 0; a younger or newly created file gives 1.
  defer  log_message = greylisted because no hostname
         condition = ${if eq{$sender_host_name}{}}
         set acl_c_grey_checked = deferred/greylisted because \
                $sender_host_address doesn't resolve to hostname or the \
                hostname doesn't resolve back to $sender_host_address
         message = $acl_c_grey_checked
	 set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
         condition = $acl_c_grey_result

  # Greylisting was evaluated and passed: accept, tag and log.
  accept condition = ${if def:acl_c_grey_checked}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                      no hostname
         logwrite = passed greylisting no hostname \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

  # Minimal SPF handling done with a raw TXT lookup rather than an SPF
  # evaluator. defer_never makes a DNS failure behave like "no record".
  # First rule: reject when the TXT data is exactly "v=spf1 -all".
  # NOTE(review): the comparison is against the whole lookup result, so it
  # presumably matches only when that is the domain's sole TXT record - confirm.
  deny  set acl_m_spf = ${lookup dnsdb{defer_never,txt=$sender_address_domain}}
        message = SPF record for $sender_address_domain explicitly states \
                  that this domain should never send mail
        condition = ${if eq{$acl_m_spf}{v=spf1 -all}}

  # Second rule: reject when an SPF line contains two items that end in a
  # single-digit prefix length ("/N" followed by whitespace), i.e. very
  # large address blocks.
  deny  message = SPF record for $sender_address_domain lists too many \
                  IP-addresses, perhaps the whole world - that`s cheating
        condition = ${if match{$acl_m_spf}{\N(?m)^v=spf(.+?/\d\s){2}\N}}

  # Final stage. A host that is in none of these lists (spam sources, open
  # proxies, CBL) is accepted outright. A listed host is not rejected: it
  # is greylisted by the defer below and accepted once the delay has passed.
  accept !dnslists = hostkarma.junkemailfilter.com=127.0.0.2 : \
                     http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
                     socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
                                   # open HTTP,SOCKS proxies
                     dnsbl.njabl.org=127.0.0.9 : \
                                   # open proxies
		     cbl.abuseat.org
# uncomment next line and comment out the cbl line if you need mail from China:
#                    zen.spamhaus.org=127.0.0.2

  # acl_c_grey_result: 1 = defer, 0 = allow. An existing greylist file older
  # than 180 seconds gives 0; a younger or newly created file gives 1.
  defer  log_message = greylisted because in $dnslist_domain: $dnslist_text
         set acl_c_grey_checked = deferred/greylisted because \
                                  $sender_host_address is in a black list at \
                                  $dnslist_domain. $dnslist_text
         message = $acl_c_grey_checked
	 set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
         condition = $acl_c_grey_result

  # Listed host that has waited out the greylisting delay.
  accept logwrite = passed greylisting $dnslist_domain \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
         add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
		      $dnslist_domain

# Runs when the client sends DATA, before the message body is transferred.
acl_check_predata:
#(Exim4.71+)  require control = dkim_disable_verify

  # More than two rejected RCPT commands in this message: refuse the DATA.
  deny message = too many invalid recipients
       condition = ${if >{$rcpt_fail_count}{2}}

  accept hosts = +relay_from_hosts

  accept authenticated = *

  # Only mail to postmaster/abuse (marked in acl_check_rcpt through
  # acl_m_postmaster) continues; everything else is accepted here.
  accept condition = ${if !def:acl_m_postmaster}

  # Reuse a greylisting decision already made on this connection.
  defer  condition = ${if def:acl_c_grey_checked}
	 message = $acl_c_grey_checked
	 condition = $acl_c_grey_result

  accept condition = ${if def:acl_c_grey_checked}

  # Postmaster mail skipped the RCPT-time checks, so it is greylisted here.
  # acl_c_grey_result: 1 = defer, 0 = allow. An existing greylist file older
  # than 180 seconds gives 0; a younger or newly created file gives 1.
  defer  log_message = postmaster greylisted
	 set acl_c_grey_checked = All mail to postmaster is \
				  deferred/greylisted here for 3 min because \
				  of too much spam and no other checks.
	 message = $acl_c_grey_checked
	 set acl_c_grey_result = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
	 condition = $acl_c_grey_result

  accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
		      postmaster
         logwrite = passed greylisting postmaster \
		    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

# Runs once for every MIME part of an incoming message.
acl_check_mime:
  # Attachment filter for unauthenticated mail that arrived from a remote
  # host: reject parts whose content type mentions "executable" or whose file
  # name ends in one of the listed extensions. The rejection is logged with
  # file name, content type and recipients. One recipient address is
  # exempted (written with "()" in place of "@" in this published copy).
  # NOTE(review): content type and file name are both chosen by the sender,
  # and an extension list is never complete; this is a coarse first filter
  # and does not look inside archives - pair it with a content scanner.
  deny message = Windows-executable attachments forbidden. Use zip.
       condition = ${if !eqi{$recipients}{lena()lena.kiev.ua}}
                                     # really @
       condition = ${if def:sender_host_address}
       condition = ${if !def:sender_host_authenticated}
       log_message = forbidden attachment: filename=$mime_filename, \
		     content-type=$mime_content_type, recipients=$recipients
       condition = ${if or{\
			   {match{$mime_content_type}{(?i)executable}}\
			   {match{$mime_filename}{\N(?i)\.(exe|com|vbs|bat|pif|scr|hta|js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys)$\N}}\
			  }}

  # Content signatures for specific spam campaigns follow. Each combines a
  # relay or header fingerprint with a byte-level pattern on the part.
  deny  message = Blocked as Vietnamese spam from gmail
        condition = ${if match{$sender_host_name}\
                              {\N^mail-[\w-]+\.google\.com$\N}}
        condition = ${if eq{$mime_content_type}{text/plain}}
        condition = ${if eqi{$mime_charset}{UTF-8}}
        mime_regex = \N([\x01-\x7f](\xe1(\xba[\xa1-\xa3\xa5\xa6\xa8\xab\xad\xb6\xbe\xbf]|\xbb[\x81\x82\x85-\x87\x89-\x92\x97\x99-\x9c\xaa\xab\xad\xb0\xb1])|\xc3[\xaa\xa2\xb4]\xcc[\x81\x83\x89])[\x01-\x7f].*?){3}

  deny  message = Blocked as Chinese spam (type 1)
        condition = ${if match{$rheader_Subject:}{\N=\?utf-8\?B\?\N}}
        condition = ${if match{$bheader_X-mailer:}{\NFoxmail [\d, ]+ \[cn\]\N}}
        condition = ${if or{\
                            {eq{$mime_content_type}{application/vnd.ms-excel}}\
                            {match{$mime_filename}{\N(?i)\.xls$\N}}\
                           }}

  deny  message = Blocked as Chinese spam (type 2)
        condition = ${if eq{$mime_content_type}{text/plain}}
        condition = ${if eqi{$mime_charset}{UTF-8}}
        mime_regex = \N\
                ([\x01-\x7f](\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9]).+?){3}

  deny  message = Blocked as Korean spam (type 2)
        condition = ${if eq{$mime_content_type}{text/html}}
        mime_regex = \N\A\
          <script\slanguage=JavaScript>m='%3Cmeta%20http-equiv%3D%22refresh%22

  # "http." stands for "http:" - a literal colon would be read as the
  # separator of the mime_regex list.
  deny  message = rejected because recognized as Ukrainian spam (type 2)
        condition = ${if eq{$mime_content_type}{text/html}}
        mime_regex = href="?http.//mailplus.kiev.ua/ : \
                     src="?http.//element-architecture.com/ : \
                     href="?http.//(www.)?radiationsafe.com/

  # Everything below applies only to mail addressed to the mail2ftp robot.
  accept condition = ${if !match{$recipients}{\N(?i)mail2ftp[^,]*@tg.org.ua\N}}
                        # it's my robot which replies to emailed commands

  # The robot takes plain text only ...
  deny message = You must set up your mail client to send plain text, \
                 no HTML, no attachments
       condition = ${if match{$mime_content_type}{(?i)html|multipart}}

  # ... and the part must begin with one of its known commands.
  require message = Command in the first line of letter body \
                    not recognized - send HELP
          mime_regex = \N(?i)\Amail2ftp(verbose)?\s :\
                         (?i)\Ahttp(post|get)[swtn]?\s :\
                         (?i)\Alogin\s :\
                         (?i)\A\"?help[\"\s\n]

  accept

# Runs on every AUTH command, before the credentials are checked; used here
# to slow down and block password guessing.
acl_check_auth:
  # Per-message counter (acl_m_auth). The leading "0" in the ${eval10:...}
  # string lets an unset variable count as zero. The drop fires once the
  # counter exceeds 2, after a 22 second delay.
  drop  message = authentication is allowed only once per message in order \
                  to slow down bruteforce cracking
        set acl_m_auth = ${eval10:0$acl_m_auth+1}
        condition = ${if >{$acl_m_auth}{2}}
        delay = 22s

  # Per-connection counter (acl_c_authnomail), reset to 0 by acl_check_mail
  # on every MAIL command. More than 4 AUTH commands without a MAIL in
  # between: the client address is appended to blocked_IPs (enforced in
  # acl_check_connect) and a notice is piped to WARNTO.
  # $sender_host_address is set by Exim from the connection, so it is safe
  # inside the SHELL -c command line.
  # NOTE(review): nothing visible here ever removes entries from blocked_IPs,
  # and one entry blocks every user behind a shared address - plan an expiry.
  drop  message = blacklisted for bruteforce cracking attempt
        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
        condition = ${if >{$acl_c_authnomail}{4}}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | EXIMBINARY WARNTO"}}

  accept

# Runs when the client sends QUIT.
acl_check_quit:
  # A session that ends after a failed authentication is written to the
  # reject log and counted. No ratelimit key is given, so the client address
  # is the key; above 7 such sessions in 5 minutes the address is appended to
  # blocked_IPs and a notice is piped to WARNTO.
  # Only $sender_host_address is expanded into the SHELL -c command line.
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        logwrite = :reject: quit after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        ratelimit = 7 / 5m / strict / per_conn
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | EXIMBINARY WARNTO"}}

# Runs when an SMTP session ends without QUIT.
acl_check_notquit:
  # Every abnormal end after a failed authentication is written to the
  # reject log. The rate counter and the block apply only when the reason is
  # "connection-lost": above 7 such sessions in 5 minutes from one client
  # address, the address is appended to blocked_IPs and WARNTO is notified.
  # Only $sender_host_address is expanded into the SHELL -c command line.
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        condition = ${if eq{$smtp_notquit_reason}{connection-lost}}
        ratelimit = 7 / 5m / strict / per_conn
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | EXIMBINARY WARNTO"}}

# Runs on every MAIL command. Resets the per-connection counter of AUTH
# commands that acl_check_auth uses to detect AUTH attempts with no mail.
acl_check_mail:
  accept set acl_c_authnomail = 0

# Runs when a client connects, before any SMTP command.
acl_check_connect:
  # Hard-coded drop list: client addresses and ranges, plus reverse-DNS name
  # patterns.
  # NOTE(review): in the last hostname pattern the dots around [\w-]+ are
  # unescaped and match any character; escape them if only literal dots are
  # meant. Static entries like these also need periodic review.
  drop  message = suspicious client on $sender_host_name \
                  [$sender_host_address] locally blacklisted
        condition = ${if or{\
                {match_ip{$sender_host_address}{84.246.224.0/21:202.91.182.94:\
                  66.46.176.241:61.146.233.114:66.197.220.252:211.35.163.211:\
                  77.245.72.32:77.245.72.33:69.73.148.36:203.156.213.70:\
                  83.70.129.73:95.226.163.141:69.69.168.196:189.109.6.132:\
                  111.164.160.85:113.244.192.180:213.166.137.49:\
                  113.65.140.54:180.120.238.48:217.7.232.64:173.0.50.7:\
                  205.234.222.29:82.165.45.163:113.111.194.39:113.65.163.75:\
                  195.88.208.0/23:98.141.206.122:121.145.96.64/26}}\
                {match{$sender_host_name}\
                  {\N^(mailserver\.liceocampoverde\.com|\
                     68-115-208-106\.static\.spbg\.sc\.charter\.com|\
                     ppp-\d+-\d+-\d+-\d+\.revip2\.asianet\.co\.th|\
		     ec2-\d+-\d+-\d+-\d+.[\w-]+.compute\.amazonaws\.com)$\N}}\
                           }}

  # Enforcement point for the addresses that acl_check_auth, acl_check_quit
  # and acl_check_notquit append to blocked_IPs. The exists test keeps the
  # lookup from being attempted before the file has been created.
  drop  message = $sender_host_address locally blacklisted for a bruteforce \
                  auth (login+password) cracking attempt
        condition = ${if exists{$spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}lsearch\
                    {$spool_directory/blocked_IPs}{1}{0}}

  accept

acl_check_data:
  deny  message = rejected because recognized as spam to postmaster
        condition = ${if !def:sender_address}
        condition = ${if def:acl_m_postmaster}
        condition = ${if match{$message_body}\
                    {\N^[^\r\n]{1,80}(\r?\n\r?)?http://[^\r\n]+[\r\n]*\Z\N}}

  deny  message = rejected because recognized as a Windows bot spam
        condition = ${if match{$received_protocol}{^smtp}}
        condition = ${if match{$message_headers_raw}\
                {\N\AReceived:(?:.+\n\t)+.+\n\
                (?:X-AntiVirus:.+\n)?\
                Received: from unknown \(HELO (\w+)\) \(\[[\d.]+\]\)\n\
                \tby \S+ with ESMTP;.+\n\
                Message-ID: <.+@\w+\1>\n\
                From: "\w+ \w+" <.+\n\
                To: <[^>\n]+>\n\
                Subject: .+\n\
                Date: .+\n\
                MIME-Version: 1.0\n\
                Content-Type: text/plain;\n\
                \tformat=flowed;\n\
                \tcharset="KOI8-R";\n\
                \treply-type=original\n\
                Content-Transfer-Encoding: 8bit\n\
                X-Priority: 3\n\
                X-MSMail-Priority: Normal\n\
                X-Mailer: Microsoft Outlook Express \N}}
# the second Received is fake.

  accept condition = $acl_m_pmfirst

  deny  message = Send empty letter without Subject \
                  (Otprav`te pustoe pis`mo bez temy).
        condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
						    # really @
# my autoresponder which replies only to empty letters
        condition = ${if def:header_subject:}
        condition = ${if !match{$header_subject:}{\N(?i)[] |no subject|[]|empty|^\[\?\? Probable Spam\]$|^([\[\(\*\+]*(probabl[ey] |posibl[ey] |suspected )?spam[\]\)\*\+:\s]*)?(help|.{0,3})$\N}}

  deny message = You must set up your mail client to send plain text, \
                 no HTML, no attachments
       condition = ${if match{$recipients}\
           {\N(?i)(mail2ftp[^,]*|tgrus-archive(-backup)?|koi)@tg.org.ua\N}}
# my various autoresponders which parse message body
       condition = ${if match{$rheader_Content-Type:}{(?i)html|multipart}}

  deny  message = Only private letters to an autoresponder are accepted.
        condition = ${if match{$recipients}\
             {\N(?i)(accmailfaqrus|tgrus-archive-list)@tg.org.ua\N}}
        condition = ${if or{\
                            {!={$recipients_count}{1}}\
                            {!eqi{$recipients}{${addresses:$bheader_to:}}}\
                            {match{$rheader_precedence:}{bulk|list|junk}}\
                            {!def:sender_address}\
                            {match{$sender_address_local_part}\
                {(?i)mailer-daemon|-outgoing|-relay|listserv|-request}}\
                            {def:header_auto-submitted:}\
                            {def:header_list-unsubscribe:}\
                            {eqi{$sender_address}{$recipients}}\
                            {def:header_Autorespond:}\
                            {def:header_X-Autoresponse:}\
                            {def:header_X-Autoreply-From:}\
                            {def:header_X-eBay-MailTracker:}\
                            {def:header_X-MaxCode-Template:}\
                            {def:header_X-FC-MachineGenerated:}\
                            {def:header_X-Auto-Response-Suppress:}\
                            {match{$header_X-OS:}{HP Onboard Administrator}}\
                            {eq{$header_X-MimeOLE:}{Produced By phpBB2}}\
                            {match{$h_From:}{\\(via the vacation program\\)}}\
                            {match{$h_Subject:}{\N^Yahoo! Auto Response$|\
                              ^ezmlm warning$|^Out of Office|^Autoresponse:|\
                              ^Auto-Reply:|\(Auto Reply\)$|\(Out of Office\)$|\
                              is out of the office\.$\N}}\
                           }}

  # Webmail origin detection, Hotmail: when the connecting host's name (from
  # the reverse lookup enabled by host_lookup = * in the main section) looks
  # like a Hotmail outbound server, take the client IPv4 address from the
  # Received: line written by the webmail front end and store it in
  # acl_m_web. The ${if match ...} has no else-branch, so a header that does
  # not match leaves acl_m_web empty.
  # Every Received: line below the one added by this server is written by
  # the sending side, so the value is only as reliable as the provider that
  # the first condition selects.
  # NOTE(review): "[^\w-]+" in front of the dot is a negated class (it
  # excludes word characters and "-"); a host label would need "[\w-]+".
  # Looks like a typo - check against a real header before changing it.
  warn  condition = ${if match{$sender_host_name}\
                              {\N\.(blu|col|bay|snt)\d+\.hotmail\.com$\N}}
        set acl_m_web = ${if match{$rheader_Received:}{\Nfrom [^\(]+\
          \(\[(\d+\.\d+\.\d+\.\d+)\]\) by \
          [^\w-]+\.((blu|col|bay|snt)\d+\.hotmail\.com|phx\.gbl) \
          (over TLS secured channel )?with Microsoft SMTPSVC\N}{$1}}
  # Webmail origin detection, Yahoo: applies when the connecting host is a
  # Yahoo mail server and the message carries one of three Yahoo webmail
  # markers (X-Yahoo-Newman-Property containing ymail, an X-RocketYMMF
  # header, or an X-Mailer starting with YahooMail).
  warn  condition = ${if match{$sender_host_name}\
                              {\N\.mail\....?\.yahoo\.com$\N}}
        condition = ${if or{\
                            {match{$rheader_X-Yahoo-Newman-Property:}{ymail}}\
                            {def:header_X-RocketYMMF:}\
                            {match{$bheader_X-Mailer:}{^YahooMail}}\
                           }}
        # First try the "via HTTP" line of the web interface.
        set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
                \[(\d+\.\d+\.\d+\.\d+)\] by \
                web\d+(\.biz)?\.mail\....?\.yahoo\.com via HTTP; \N}{$1}}
        # Stop here when an address was found; otherwise try the line that
        # Yahoo's SMTP submission hosts write for a logged-in user.
        condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_Received:}{\Nfrom [^(\n]+ \
             \([^)\n]+@(\d+\.\d+\.\d+\.\d+) with login\)[\r\n]+\s+by \
             smtp\d+(\.plus|\.sbc)?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}}
  # Webmail origin detection, AOL: for AOL outbound relays, read the client
  # address from the "with HTTP (WebMailUI)" line. The second "set" looks for
  # the line written for third-party mail clients (ESMTPA) and falls back to
  # the value of the first "set" when it does not match.
  warn  condition = ${if match{$sender_host_name}\
                              {\N^[oi]mr-\w+\.mx\.aol\.com$\N}}
        set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
          (\d+\.\d+\.\d+\.\d+) by webmail-\w+\.sysops\.aol\.com \
          \(\d+\.\d+\.\d+\.\d+\) with HTTP \(WebMailUI\); \N}{$1}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by \
                mtaout-\w+\.\w+\.mx\.aol\.com \(MUA/Third Party Client \
                Interface\) with ESMTPA id \w+;\N}{$1}{$acl_m_web}}
  # Webmail origin detection, LotusLive: for LotusLive outbound hosts the
  # address is the last field of an "@name@a.b.c.d)" token in Received:.
  # No else-branch: a header without that token leaves acl_m_web empty.
  warn  condition = ${if match{$sender_host_name}\
                              {\N^outbound\d+\.messaging\.lotuslive\.com$\N}}
        set acl_m_web = ${if match{$rheader_Received:}\
                                  {\N^@[\w.-]+@(\d+\.\d+\.\d+\.\d+)\)\N}{$1}}
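  # Generic webmail detection, applied to every sending host. Each "set"
  # searches the raw header block for the Received: line format of one
  # webmail product and stores the client IPv4 address in acl_m_web:
  # SquirrelMail (behind a proxy, then direct), RisuMail, Roundcube, Horde
  # (two layouts), mshttpd, UebiMiau (two layouts), CommuniGate Pro, a
  # generic "with http" form and mx.google.com ESMTPS.
  # The else-branch {$acl_m_web} keeps an earlier result when a pattern does
  # not match, so the last matching pattern wins.
  # These header lines are written by the sending side and are not
  # authenticated: a sender can forge or omit them. acl_m_web is good enough
  # to block known abusive webmail users, it is not proof of origin.
  warn  set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                [\d.]+ (?:\(\[[\d.]+\]\) )?\(proxying[\s\n]+for[\s\n]+\
                (\d+\.\d+\.\d+\.\d+)(, [\w.-]+)?\)\n\
                \s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
                \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                (?:\S+ \(\[)?(\d+\.\d+\.\d+\.\d+)(?:\]\))?\n?\
                \s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
                \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                (\d+\.\d+\.\d+\.\d+)(?: \(proxying for [^)]+\))?[\n\s]+\
                \(RisuMail authenticated user \N}{$1}{$acl_m_web}}
        # Roundcube: the address is enclosed as "([a.b.c.d])" like in every
        # other pattern of this statement. The opening bracket used to be
        # written "\]", which made the pattern unable to match.
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+[\s\n]+\
                with[\s\n]+HTTP(?s).+\nUser-Agent: Roundcube Webmail\N}\
                {$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+[\n\s]+\((?:\S+[\n\s]+)?\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by\
               [\n\s]+\S+[\n\s]+\(Horde[\n\s]+(Framework|MIME[\n\s]+library)\)\
                [\n\s]+with[\n\s]+HTTP\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
         \S+\s+\((?:\S+\s+)?\[(\d+\.\d+\.\d+\.\d+)\]\)\s+by\s+\S+\s+\(Horde\s+\
                (Framework|MIME\s+library)\)\s+with\s+HTTP;\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \[(\d+\.\d+\.\d+\.\d+)\] by \S+[\s\n\r]+ \(mshttpd\);\N}\
                {$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                client (\d+\.\d+\.\d+\.\d+) for UebiMiau\d+\.\d+ \(webmail \
                client\);\N}{$1}{$acl_m_web}}
        # UebiMiau, second layout: one or more white space characters before
        # "by". The "+" used to sit inside the class, where it is a literal
        # plus sign, so a folded line (newline plus indent) did not match.
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by \S+ \
                with HTTP \(UebiMiau\);\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \[(\d+\.\d+\.\d+\.\d+)\] \(account \S+\)[\s\n\r]+by[\s\n\r]+\
                \S+[\s\n\r]+\(CommuniGate Pro WEBUSER \S+\)[\s\n\r]+\
                with[\s\n\r]+HTTP\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\
                (?:\S+[\s\n]+)?\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\
                [\s\n]+with[\s\n]+http[\s\n]\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\r]+\s+\
                by mx.google.com with ESMTPS id \N}{$1}{$acl_m_web}}
        # The last two lines are for OpenWebMail only: the condition ends the
        # statement for every other X-Mailer. The final "set" has no
        # else-branch, so for an OpenWebMail message without a parsable
        # X-OriginatingIP it clears any value found above.
        condition = ${if match{$bheader_X-Mailer:}{^OpenWebMail }}
        set acl_m_web = ${if match{$bheader_X-OriginatingIP:}\
                                  {\N^\[?(\d+\.\d+\.\d+\.\d+)\]?( |$)\N}{$1}}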
  # Fallback when no Received: pattern produced an address: read it from one
  # of the headers X-Originating-IP, X-Client-IP, X-Origin, X-Originator,
  # X-SenderIP or X-PHP-Script. Every statement starts with !def:acl_m_web,
  # so the first header that yields an address wins. The header body must be
  # exactly one IPv4 address (X-Originating-IP may be bracketed or carry a
  # ::ffff: prefix; X-PHP-Script has the form "<script> for <address>").
  # There is no restriction on the sending host here and these headers are
  # set by the sender, so treat the result as a hint, not as verified data.
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Originating-IP:}\
                            {\N^\[?(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]?$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Client-IP:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Origin:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Originator:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-SenderIP:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-PHP-Script:}\
                                  {\N^\S+ for (\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  # Reject when the webmail client address found above is listed in the
  # local file blacklist_webmail (iplsearch, so the file may hold single
  # addresses and networks). Mail with an envelope sender in
  # returns.groups.yahoo.com is exempt.
  # The lookup key is always a capture of \d+\.\d+\.\d+\.\d+ from the
  # statements above, so only digits and dots reach the lookup.
  # The rejection text tells the sender which address was matched.
  deny  message = webmail from $acl_m_web locally blacklisted
        condition = ${if def:acl_m_web}
        condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
        condition = ${lookup{$acl_m_web}iplsearch\
                            {/usr/local/etc/exim/blacklist_webmail}{1}{0}}

  # Reject Google+ "shared a post" notifications: sent by a Google mail host
  # and marked X-Notification-Type: STREAM_POST_SHARED.
  deny  message = Google+ is evil spammer
        condition = ${if match{$sender_host_name}\
                              {\N^mail-[\w-]+\.google\.com$\N}}
        condition = ${if eq{$bheader_X-Notification-Type:}{STREAM_POST_SHARED}}

  # Reject the "mail to friend" feature of Yahoo News: sent by a Yahoo
  # "bullet" host and marked X-Yahoo-Newman-Property: mail-to-friend.
  deny  message = "mail to friend" on news.yahoo.com abused by spammers
        condition = ${if match{$sender_host_name}\
                              {\N\.bullet\.(mail\.)?...?\.yahoo\.com$\N}}
        condition = ${if eq{$bheader_X-Yahoo-Newman-Property:}{mail-to-friend}}

  # Silently drop (accept, then throw away) mail whose Received: headers
  # mention ngs.ru together with an address from 213.87.120-123.x,
  # 85.26.220-239.x or 83.149.40-59.x, in either order.
  # "discard" gives the relay no rejection to turn into a bounce; the
  # author's reason is in the two comment lines after the statement.
  discard message = discarded because recognized as Russian spam via a relay \
		    authenticated with a stolen password (type 6)
        condition = ${if match{$rheader_Received:}\
                              {\N\Wngs\.ru\W.*\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d)\.|\W(213\.87\.12[0-3]|85\.26\.2[23]\d|83\.149\.[45]\d)\..*\Wngs\.ru\W\N}}
# discarded because $sender_address eq $recipients,
# therefore a "deny" would generate a bounce from the relay again to me.

  # End of checks for trusted sources: the empty item before the first colon
  # matches messages that did not arrive from a remote host, and
  # +whitelisted_hosts is the hostlist defined in the main section. None of
  # the statements below this line is applied to such mail, so the
  # whitelist should be kept short and reviewed when providers change
  # address ranges.
  accept hosts = : +whitelisted_hosts

  # Reject when any Received: header shows the fixed name QRJATYDI after
  # "helo" (any letter case) or "from", followed by a space or "=".
  deny  message = rejected because recognized as sent by spammers` mailer
        condition = ${if match{$rheader_Received:}\
			      {((?i)helo(?-i)|from)[ =]QRJATYDI}}

  # Reject when no sender address in the message header can be verified
  # (!verify = header_sender). Not applied to mail for the accmailfaqrus
  # address, nor to the two envelope senders listed in !senders.
  # The address is published with "()" in place of "@" (see the "really @"
  # remark); as printed, "()" is an empty regex group, so put the "@" back
  # before using the line.
  deny  condition = ${if !match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
						     # really @
        !senders = MAILER-DAEMON@spamgourmet.com : \N^\w+@slando\.\N
        !verify = header_sender

  # Bot spam with a fixed body layout. All conditions must hold:
  #  - acl_c_grey_checked is set (the connection variable written by the
  #    greylisting statement further down; anything else that sets it is
  #    outside this snippet);
  #  - the message came in with plain SMTP (HELO), not ESMTP;
  #  - Content-Transfer-Encoding mentions 7bit;
  #  - the body ends with "http://<letters>.com", an empty line, two
  #    capitalised words, an empty line;
  #  - the body does not contain two URLs.
  # The newline matching depends on message_body_newlines = true in the main
  # section. $message_body holds only the first part of the body (the size
  # is set by message_body_visible), so longer messages never match \Z here.
  deny message = rejected because recognized as spam sent by a \
                 virus/trojan/zombie/bot
       condition = ${if def:acl_c_grey_checked}
       condition = ${if eq{$received_protocol}{smtp}}
       condition = ${if match{$rheader_Content-Transfer-Encoding:}{7bit}}
       condition = ${if match{$message_body}\
            {\Nhttp://[a-z]+\.com\n\n[A-Z][a-z]+ [A-Z][a-z]+\n\n\Z\N}}
       condition = ${if !match{$message_body}{http://.+http://}}

  # Spam sent to postmaster only: the single recipient is postmaster@..., the
  # raw From: starts with a koi8-r encoded word or a quote, and the body has
  # two consecutive lines that begin with five digits or dashes followed by
  # 5 to 9 spaces (looks like a price or phone list - inferred).
  # "\$" outside \N...\N is the way to pass a literal "$" (end anchor) to
  # the regex without Exim trying to expand it.
  deny message = rejected because recognized as Russian spam
       condition = ${if match{$recipients}{^postmaster@[^@]+\$}}
       condition = ${if match{$rheader_From:}\
                             {\N^(\t| )(=\?koi8-r\?B\?I|\")\N}}
       condition = ${if match{$message_body}\
                             {\N([-\d]{5} {5,9}\S[^\n\r]+[\n\r]+){2}\N}}

  # Spambot "type 1": mail injected through a third-party relay. Three
  # conditions must all hold.
  # 1) Either an earlier Received: line (after the first ";") shows a
  #    HELO/EHLO/from name out of a fixed list of default Windows machine
  #    names, or a name equal to the envelope sender domain or to the
  #    connecting host's own name; or the message is windows-1251 text whose
  #    body contains a byte in 0xC1-0xFE (the Cyrillic letters of that
  #    charset).
  # 2) X-MimeOLE says "Produced By Microsoft MimeOLE".
  # 3) The Content-Type / Content-Transfer-Encoding headers, or the headers
  #    of the first MIME part in the body, have one of the exact layouts
  #    listed (tab-folded, specific charset spellings). "\$ESC" inside
  #    \N...\N is a literal "$ESC", i.e. a template variable that the bot
  #    failed to replace.
  # The first pattern is not wrapped in \N...\N because it needs the two
  # ${if def:...} expansions; that is why its backslashes are doubled.
  # NOTE(review): $sender_address_domain and $sender_host_name are expanded
  # into the pattern without ${rxquote:...}, so a "." in them matches any
  # character; confirm that is acceptable before reusing this rule.
  deny	message = rejected because recognized as sent by Russian spambot via \
		  a relay authenticated with a stolen password (type 1)
        condition = ${if or{\
            {match{$rheader_received:}{(?s);.+\
          (helo=|HELO |EHLO |from )(User|(Thunder)?server|SERVER|tserver1|\
          Server1|yandex\\.ru|otissys1|PADILLA|TTSRV\\d+|srv2003|\
          Server-Terminal|source|serveur2|cmgserver|\
          ${if def:sender_address_domain{$sender_address_domain}{User}}|\
          ${if def:sender_host_name{$sender_host_name}{User}})\
          [\\) \\r\\n]}}\
            {and{\
              {match{$rheader_Content-Type:}{(?si)text.+windows-1251}}\
              {match{$message_body$message_body_end}{\N[\xC1-\xFE]\N}}\
                }}\
                           }}
        condition = ${if match{$rheader_X-MimeOLE:}\
                     {Produced By Microsoft MimeOLE }}
	condition = ${if or{\
           {and{\
		{match{$bheader_Content-Type:}{\N^text/(plain|html);([\r\n]*\t| )(charset="?([Ww]indows-125[10]|koi8-u|[\w-]+\$ESC)"?|format=flowed;[\r\n]+\tcharset="(koi8-r|windows-1251)";[\r\n]+\treply-type=original)$\N}}\
		{eqi{$bheader_Content-Transfer-Encoding:}{7bit}}\
               }}\
           {match{$message_headers_raw}{\N\nContent-transfer-encoding: 8BIT\nContent-type: text/plain; charset=Windows-1251\n\N}}\
           {and{\
		{match{$bheader_Content-Type:}\
		      {\N^multipart/(mixed|related|alternative);[\r\n]+\t\N}}\
		{match{$message_body}\
                      {\N[\r\n](Content-Type: text/(plain|html);( |[\r\n]+\t)\
                       charset="(Windows-1251|[\w-]+\$ESC)"[\r\n]+\
                       (Content-Transfer-Encoding: 7bit|\
                        Content-transfer-encoding: 8BIT)|\
                       Content-type: text/plain; charset=Windows-1251[\r\n]+\
                       Content-transfer-encoding: 7BIT)[\r\n]\N}}\
               }}\
			   }}

  # Spambot "type 2": the body contains a windows-1251 quoted-printable text
  # part that still holds the unfilled template text of the sending program.
  # The three quoted-printable strings decode (windows-1251, Russian) to the
  # lines given in English after the statement.
  deny  message = rejected because recognized as sent by Russian spambot via \
                  a relay authenticated with a stolen password (type 2)
        condition = ${if match{$message_body}\
 {\NContent-Type: text/plain;[\r\n]+\
 [ \t]+charset="windows-1251"[\r\n]+\
 Content-Transfer-Encoding: quoted-printable[\r\n]+\
 =C7=E4=F0=E0=E2=F1=F2=E2=F3=E9=F2=E5, =CF=EE=EB=F3=F7=E0=F2=E5=EB=FC\.[\r\n]+\
 =DD=F2=EE =D2=E5=EA=F1=F2=EE=E2=E0=FF =F7=E0=F1=F2=FC =EF=E8=F1=FC=EC=E0=\
 [\r\n]+\
 \.[\r\n]+\
 =D1 =F3=E2=E0=E6=E5=ED=E8=E5=EC, =D1=F3=EF=E5=F0 =D4=E8=F0=EC=E0\.\N}}
#   "Hello, Recipient."
#   "This is the Text part of the letter."
#   "Best regards, Super Firm."

  # Spambot "type 3": the message claims to come from the mPOP Web-Mail
  # interface (X-Mailer) but no Received: header contains " with HTTP;",
  # i.e. the header set shows no HTTP submission hop.
  deny  message = rejected because recognized as sent by Russian spambot via \
                  a relay authenticated with a stolen password (type 3)
        condition = ${if match{$rheader_X-Mailer:}{mPOP Web-Mail }}
        condition = ${if !match{$rheader_Received:}{ with HTTP;}}

  # Spambot "type 4": Microsoft MimeOLE mail whose Message-ID ends in
  # "@cmgserver>" or whose Received: headers contain the literal text
  # "[77.110.55.86]" (\Q...\E switches off regex metacharacters; the
  # backslashes are doubled because the pattern is not inside \N...\N).
  deny  message = rejected because recognized as sent by Russian spambot via \
                  a relay authenticated with a stolen password (type 4)
        condition = ${if match{$rheader_X-MimeOLE:}\
                     {Produced By Microsoft MimeOLE }}
        condition = ${if or{\
          {match{$rheader_Message-ID:}{@cmgserver>}}\
          {match{$rheader_Received:}{\\Q[77.110.55.86]\\E}}\
                           }}

  # Spambot "type 5": a Received: header anywhere in the message names one
  # of a fixed set of hosts and addresses as the previous hop.
  # Most dots in the addresses and host names are not escaped, so each one
  # matches any character; the list is static and will age - review it
  # before reuse.
  deny  message = rejected because recognized as sent by Russian spambot via \
                  a relay authenticated with a stolen password (type 5)
        condition = ${if match{$message_headers_raw}\
                {\N\nReceived: from ((www\.)?caspel\.com|\[?(85.132.32.44|94.30.234.213|212.0.116.118|86.125.36.12|212.181.110.115|195.149.220.131)\]?|(62-101-94-46|83-103-51-58).ip.fastwebnet.it|62.82.74.234.static.user.ono.com|89-96-100-146.ip11.fastwebnet.it|94.244.190.227.nash.net.ua|reverse.completel.net \((reverse.completel.net|unknown) \[92.103.65.138\]\)?|\[?92.103.65.138\]?|correo.peyber.es|212-181-110-115.customer.telia.com|86-125-36-12.static.rdsor.ro)[ \n]\N}}

  # Header fingerprint of one spam program. All conditions must hold:
  #  - exactly one Received: header, i.e. the message was handed directly to
  #    this server;
  #  - ESMTP was used and X-Priority is "3 (Normal)";
  #  - Message-ID starts with <10 digits>.<14 digits>@;
  #  - In-Reply-To is a 44-character hex id, References holds two such ids;
  #  - the id in In-Reply-To equals neither the first nor the second id in
  #    References (presumably a real reply would repeat one of them).
  deny	message = rejected because recognized as Ukrainian spam
	condition = ${if ={$received_count}{1}}
	condition = ${if eq{$received_protocol}{esmtp}}
	condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}}
	condition = ${if match{$bheader_Message-ID:}\
			      {\N^<\d{10}\.\d{14}@\N}}
	condition = ${if match{$bheader_In-Reply-To:}\
			      {\N^<[A-F\d]{44}@[^>]+>?$\N}}
	condition = ${if match{$bheader_References:}\
			 {\N^<[A-F\d]{44}@[^>]+>? <[A-F\d]{30,44}@[^>]+>>?$\N}}
	condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
			 {${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}}
	condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
		      {${if match{$bheader_References:}{\N@.+ <(\w+)@\N}{$1}}}}

  # Spam relayed through km.ru: the connecting host is e-postNN.km.ru and,
  # after the first (folded) Received: header, the next one begins with
  # "from <envelope sender domain> ".
  # The pattern leaves \N...\N to expand $sender_address_domain and puts the
  # value between \Q and \E so that its dots are taken literally.
  # NOTE(review): this relies on the sender domain never containing "\E";
  # ${rxquote:$sender_address_domain} would not depend on that.
  deny  message = rejected as spam abusing km.ru
        condition = ${if match{$sender_host_name}{\N^e-post\d+\.km\.ru$\N}}
        condition = ${if match{$header_Received:}\
                        {\N\A(.+\n\s)+.+\nfrom \Q\N$sender_address_domain\\E }}

  # Forged subscribe.ru mailing: envelope sender newsNN@subscribe.ru, From:
  # exactly "Subscribe.ru" <that address>, but no List-Unsubscribe header.
  # $sender_address is expanded into the pattern unquoted; the "senders"
  # line above it limits the value to letters, digits, "@" and ".".
  deny  message = rejected as spam (fake subscribe.ru)
        senders = \N^news\d+@subscribe\.ru$\N
        condition = ${if match{$bheader_From:}\
                              {^"Subscribe.ru" <$sender_address>\$}}
        condition = ${if !def:header_List-Unsubscribe:}

  # Language policy of this site: reject mail that declares a Chinese,
  # Korean or Japanese character set, unless it is addressed to the
  # accmailfaqrus or mail2ftp robots. The charset is looked for in three
  # places: a charset= parameter in the headers, an RFC 2047 encoded word in
  # the headers, and a Content-Type line or HTML meta tag in the visible
  # part of the body.
  # This is a local preference, not a spam test; it rejects legitimate mail
  # in these languages as well.
  deny  message = I understand neither Chinese nor Korean nor Japanese
        condition = ${if !match{$recipients}\
                               {(?i)(accmailfaqrus|mail2ftp)@tg.org.ua}}
        condition = ${if or{\
                            {match{$message_headers_raw}{\N(?i)charset="?(gb2312|big5|gbk|ks_c_|euc[_-]kr|iso-2022-jp|shift_jis)\N}}\
                            {match{$message_headers_raw}{\N(?i)=\?(gb2312|big5|gbk|ks_c_\w*|euc[_-]kr|iso-2022-jp|shift_jis)\?[BbQq]\?\N}}\
                            {match{$message_body}{\N(?i)(content-type:\s*text\/(plain|html);\s*charset=\s*"?|content=(3D)?["']text\/html;\s*charset=(3D)?)(gb2312|big5|gbk|ks_c_|euc[_-]kr|iso-2022-jp|shift_jis)\N}}\
                           }}

  # Reject when a Received: header contains a bracketed address
  # 210.183.153.NN with a two-digit last number.
  deny  message = Blocked as Korean spam (type 1)
        condition = ${if match{$rheader_Received:}\
                              {\N\[210\.183\.153\.\d\d\]\N}}

  # Reject when the Reply-To: address is in one of four domains.
  # match_domain compares the domain against a colon-separated domain list.
  deny  message = I consider a Chinese mailbox in Reply-To as a sign of spam.
        condition = ${if match_domain{${domain:$header_reply-to:}}\
                    {yahoo.cn:yahoo.com.cn:yahoo.com.hk:w.cn}}

  # Build acl_m_d, the list of domains that the two dnslists statements
  # below look up: connecting host name, envelope sender domain, From: and
  # Reply-To: domains and - only when they look like a host name - the
  # Message-ID domain and the HELO name. Items are joined with "::" because
  # the value is used after "/" in a dnslists item, where a single colon
  # would end the item.
  # The three nested ${sg} calls then, innermost first, drop livejournal.com
  # and qip.ru, collapse runs of "::" left behind by empty items, and trim a
  # leading or trailing "::".
  # NOTE(review): the From: and Reply-To: domains are used as they come out
  # of ${domain:...}, without the host-name pattern that is applied to
  # Message-ID and HELO. Confirm that they cannot contain ":" or "/" here,
  # since either could change how the dnslists line is split.
  warn  set acl_m_d = ${sg{\
                      ${sg{\
                      ${sg{\
                           $sender_host_name::$sender_address_domain::\
                           ${domain:$header_from:}::\
                           ${domain:$header_reply-to:}::\
                           ${if match{${domain:$header_message-id:}}\
                                     {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\
                                     {${domain:$header_message-id:}}{}}::\
                           ${if match{$sender_helo_name}\
                                     {\N^[\w-]+\.[\w.-]*[a-zA-Z]$\N}\
                                     {$sender_helo_name}{}}\
		}{(^|::)(?i)(?:livejournal.com|qip.ru)(::|\$)}{\$1\$2}}\
                      }{(::)+}{::}}\
                      }{^::|::\$}{}}

  # Reject when any domain collected in acl_m_d is listed in the Spamhaus
  # domain blocklist. The rejection text names the matched domain, the list
  # and the returned value, which helps a legitimate sender get delisted.
  # Each message causes one DNS query per domain in acl_m_d; see the usage
  # limits linked below and use a resolver that is permitted to query the
  # list.
  deny  message = rejected as spam because domain $dnslist_matched is \
                  in $dnslist_domain=$dnslist_value $dnslist_text
        condition = ${if def:acl_m_d}
        dnslists = dbl.spamhaus.org/$acl_m_d
# usage limits: http://www.spamhaus.org/organization/dnsblusage.html

  # Evaluation mode for SURBL: a hit only adds a header and writes a line to
  # the main and reject logs, the message is not rejected. The log line has
  # newlines and tabs of $sender_rcvhost replaced by a space so that the
  # entry stays on one line.
  warn  condition = ${if def:acl_m_d}
        dnslists = multi.surbl.org/$acl_m_d
# http://www.surbl.org/guidelines  warns against rejecting in such way.
# Evaluate for few months before adding multi.surbl.org to the "deny" above.
# I don't recommend these two lists because of false positives:
#                  multi.uribl.com/$acl_m_d : \
#                  uribl.swinog.ch/$acl_m_d
        add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: domain $dnslist_matched \
                     in $dnslist_domain=$dnslist_value $dnslist_text
        logwrite = :main,reject: ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}} : \
                   domain $dnslist_matched in \
                   $dnslist_domain=$dnslist_value $dnslist_text

  # Stricter sender check for the accmailfaqrus robot only: the header
  # sender is verified with an SMTP callout (10 s limit, temporary failures
  # tolerated by defer_ok, result not cached, probe sent with the devnull
  # address as envelope sender).
  # A callout makes this server connect to whatever domain the message
  # names as its sender, so it is deliberately limited to one recipient.
  # Both addresses are published with "()" in place of "@" (see the
  # "really @" remarks); put the "@" back before using the lines.
  deny  condition = ${if match{$recipients}{(?i)accmailfaqrus()tg.org.ua}}
						    # really @
        !verify = header_sender/callout=10s,defer_ok,no_cache,\
                                        mailfrom=devnull()tg.org.ua
					       # really @

  # Accept unless the header block starts with one folded header that is
  # immediately followed by a Received: line naming the connecting host's
  # own address as the previous hop ("from [address] by"). The author calls
  # this a fake Received line; presumably the first folded header is the
  # Received: header added by this server - confirm.
  # $sender_host_address is expanded into the pattern unquoted, so its dots
  # match any character.
  accept condition = ${if !match{$message_headers_raw}\
{\N\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?\N$sender_host_address\\]? by }}

  # Already went through the greylisting statement below on this
  # connection (acl_c_* variables last for the whole connection).
  accept condition = ${if def:acl_c_grey_checked}

  # Greylisting for the messages that reach this point (fake Received line,
  # connection not yet marked). State is one empty file per combination of
  # sender network, envelope sender and recipients in
  # /var/spool/exim/greylist:
  #  - file missing: ${run} creates it with touch and the message is
  #    deferred (both branches of the eq test give 1, so a failed touch
  #    defers as well);
  #  - file at most 180 seconds old: deferred again;
  #  - file older than 180 seconds: the condition is 0, the defer does not
  #    happen and the next statement accepts.
  # acl_c_grey_checked is set before the condition is evaluated, so it stays
  # set for the rest of the connection in all three cases.
  # The file name is built from remote input. The last dotted number is cut
  # from the host address, and every character outside [\w.,=@-] is removed
  # from "sender,recipients", which takes out "/", white space and shell
  # metacharacters; length_255 caps the length. Keep that filter if the
  # path or the command is changed: ${run} does not use a shell, but in Exim
  # versions that expand the command before splitting it into arguments, a
  # space in the value would start a new argument.
  # Nothing in this snippet removes old files; presumably a periodic job
  # cleans the directory - confirm.
  defer set acl_c_grey_checked = deferred/greylisted because of \
                                 fake Received line in the header
        message = $acl_c_grey_checked
        set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
		${sg{$sender_host_address}{\N\.\d+$\N}{}},\
		${sg{$sender_address,$recipients}{\N[^\w.,=@-]\N}{}}}
	condition = ${if exists{$acl_m_greyfile}\
	   {${if >{${eval:$tod_epoch-\
	   ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
	   {${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}

  # Reached only after the greylisting delay has passed: accept, mark the
  # message with a header and log the sending host on one line (newlines
  # and tabs in $sender_rcvhost are replaced by a space).
  accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                      fake Received
         logwrite = passed greylisting fake Received \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

=============== <snip> ===============

You can download my lists from:
http://lena.kiev.ua/blacklist_hostaddress.txt
http://lena.kiev.ua/blacklist_re_helo.txt
http://lena.kiev.ua/blacklist_re_hostname.txt
http://lena.kiev.ua/blacklist_webmail.txt
http://lena.kiev.ua/blacklist_sender_domain.txt
http://lena.kiev.ua/whitelist_re_hostname.txt

I use neither a server-side virus filter nor SpamAssassin nor other
heavy content filters. I wrote the above with the main goal
of minimizing false positives and the secondary goals of minimizing
delays and memory consumption. Nevertheless, the above has proved to be
quite effective at fending off spam and viruses.

Lena
