
Header and Body Checks


Kevin L. Collins

Nov 3, 2004, 12:33:11 PM


I've been using Postfix (in conjunction with Amavis-new / SpamAssassin /
ClamAV) for about a year as my Mail Gateway/SPAM filter with very good
success.

But I just recently started to use the "header_checks" and "body_checks"
to kill messages with certain content. This also has had an incredible
effect on the reduction of SPAM into my company's Inboxes. This is
*all* good! But I've run into trouble in the past couple of days that
I've not been able to work out.

What I'm running into is Binary Attachments. My company gets a *lot* of
legit attachments - everything from AutoCAD drawings to Microsoft Word
documents. These attachments are getting hit by my body checks because
of the random text that makes up these attachments. As an example, here
is one rule that I have in my body_checks file.

/porn/ REJECT No SPAM allowed

and here is the mail log entry where a problem e-mail got killed.

Oct 27 16:36:44 freedom postfix/cleanup[2565]: 4628D2715E: reject: body
p+vnK9f10otHW6LkksnoBByI/zWARwaFPORncMD04KecAS5Z63Sh6fM4wMH4H7wOHvKjN80
+d3qp from sccmmhc91.asp.att.net[204.127.203.211];
from=<ste...@sjscadd.com> to=<bsim...@nesbittengineering.com>
proto=ESMTP helo=<sccmmhc91.asp.att.net>: No SPAM allowed

From what I can tell, this piece is what triggered the rule: 'PORn'

This was a legit e-mail, and had nothing special about it other than an
AutoCAD drawing attached to it with that random string that couldn't be
predicted.

So my question is this: Can I have the body_checks only apply to
e-mails that do *NOT* have attachments? If so how?

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.
---------------------------------------------------
Reality continues to ruin my life.
-- Calvin


Ralf Hildebrandt

Nov 3, 2004, 12:36:52 PM
* Kevin L. Collins <kcol...@klcollins.org>:

> What I'm running into is Binary Attachments. My company gets a *lot* of
> legit attachments - everything from AutoCAD drawings to Microsoft Word
> documents. These attachments are getting hit by my body checks because
> of the random text that makes up these attachments. As an example, here
> is one rule that I have in my body_checks file.
>
> /porn/ REJECT No SPAM allowed

this four letter combination is not very unlikely in BASE64 encoded mail

> Oct 27 16:36:44 freedom postfix/cleanup[2565]: 4628D2715E: reject: body
> p+vnK9f10otHW6LkksnoBByI/zWARwaFPORncMD04KecAS5Z63Sh6fM4wMH4H7wOHvKjN80
> +d3qp from sccmmhc91.asp.att.net[204.127.203.211];

> from=<ste...@sjscadd.com> to=<bsim...@nesbittengineering.com>
> proto=ESMTP helo=<sccmmhc91.asp.att.net>: No SPAM allowed
>
> From what I can tell, this piece is what triggered the rule: 'PORn'

Yes.

> This was a legit e-mail, and had nothing special about it other than an
> AutoCAD drawing attached to it with that random string that couldn't be
> predicted.
>
> So my question is this: Can I have the body_checks only apply to
> e-mails that do *NOT* have attachments? If so how?

I don't think so. Maybe refine your check with word boundaries...

--
Ralf Hildebrandt (Ralf.Hil...@charite.de) spam...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
"C makes it easy to shoot yourself in the foot. C++ makes it harder,
but when you do, it blows away your whole leg." -- Bjarne Stroustrup

Victor Duchovni

Nov 3, 2004, 12:55:52 PM
On Wed, Nov 03, 2004 at 06:36:00PM +0100, Ralf Hildebrandt wrote:

> > /<p><o><r><n>/ REJECT No SPAM allowed
>
> this four letter combination is not very unlikely in BASE64 encoded mail

One should never block on single words. The OP is working too hard. Crafting
lots of point blocks for specific words is not a good use of his time. He
should deploy SpamAssassin, Dspam (tricky integration on gateway systems)
or similar; the various commercial products are often easier to set up for
non-experts.

> > So my question is this: Can I have the body_checks only apply to
> > e-mails that do *NOT* attachements? If so how?
>
> I don't think so. Maybe refine your check with word boundaries...
>

Ralf you must be forgetting the defensive rule in the (no longer shipped)
sample body-checks file.

# Skip over base 64 encoded blocks. This saves lots of CPU cycles.
# Expressions by Liviu Daia, amended by Victor Duchovni.
# Requires PCRE version 3.
~^[[:alnum:]+/]{60,}\s*$~ OK

This rule and its regexp companion (somewhat less general without the
trailing "\s*") are documented near the end of:

http://www.postfix.org/pcre_table.5.html
http://www.postfix.org/regexp_table.5.html

I still strongly advise the OP to not use header/body checks to maintain
an evolving corpus of anti-spam defenses. These mechanisms are best used
sparingly to defend against specific traffic (say a virus outbreak before
signatures become available) and should be pruned quickly as the threat
passes. The mime_header_checks attachment filters are a more reasonable
use. Also detection of forged backscatter where possible.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
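The following is an added example, not code from the thread or from Postfix itself: a small Python emulation of how Postfix evaluates a body_checks table (first matching rule wins, "OK" accepts the line and stops further checks on it), run over the base64 line from the OP's log entry and a few constructed body lines. It assumes the base64-skip rule Victor quotes and the word-boundary refinement Ralf suggests, written with `A-Za-z0-9` in place of `[[:alnum:]]` because Python's `re` lacks POSIX classes.

```python
import re

# Emulates Postfix body_checks lookup: rules are tried in table order and the
# first match decides; "OK" accepts that line and skips the remaining rules
# for it. pcre/regexp table patterns are case-insensitive by default, which
# is why the OP's /porn/ hit "PORn" inside a base64 line of an attachment.

# The OP's table as posted: a bare term, no base64 skip.
OP_TABLE = [(re.compile(r"porn", re.I), "REJECT", "No SPAM allowed")]
# Ralf's suggestion alone: word boundaries around the term.
BOUNDARY_TABLE = [(re.compile(r"\bporn\b", re.I), "REJECT", "No SPAM allowed")]
# Victor's base64-skip rule first, then the boundary-refined term.
HARDENED_TABLE = [
    (re.compile(r"^[A-Za-z0-9+/]{60,}\s*$"), "OK", ""),
    (re.compile(r"\bporn\b", re.I), "REJECT", "No SPAM allowed"),
]

def body_check(line, table):
    """Return (action, text) of the first matching rule, else ("DUNNO", "")."""
    for pattern, action, text in table:
        if pattern.search(line):
            return action, text
    return "DUNNO", ""

def check_message(body_lines, table):
    """Return the REJECT text of the first rejected body line, or None."""
    for line in body_lines:
        action, text = body_check(line, table)
        if action == "REJECT":
            return text
    return None

# Constructed sample bodies. ATTACHMENT_LINE is the base64 line from the OP's
# log entry, rejoined at the syslog wrap (76 chars, the usual base64 width).
ATTACHMENT_LINE = ("p+vnK9f10otHW6LkksnoBByI/zWARwaFPORncMD04KecAS5Z63Sh6fM4"
                   "wMH4H7wOHvKjN80+d3qp")
LEGIT_MAIL = ["Drawing attached, see below.", "", ATTACHMENT_LINE]
SPAM_MAIL = ["Free PORN videos, click here"]
# Base64 can also land the term between '+' and '/', which regex engines treat
# as word boundaries, so boundaries alone are not enough; the skip rule is.
UNLUCKY_LINE = "A" * 30 + "+porn/" + "B" * 30
UNLUCKY_MAIL = ["Another drawing attached.", UNLUCKY_LINE]

if __name__ == "__main__":
    for name, table in [("OP", OP_TABLE), ("BOUNDARY", BOUNDARY_TABLE),
                        ("HARDENED", HARDENED_TABLE)]:
        for label, mail in [("legit", LEGIT_MAIL), ("spam", SPAM_MAIL),
                            ("unlucky", UNLUCKY_MAIL)]:
            print(f"{name:8} {label:8} -> {check_message(mail, table)}")
```

Running it shows the OP's table rejecting the legitimate AutoCAD mail, the boundary-only table still rejecting the constructed "unlucky" base64 line, and the hardened table rejecting only the plain-text spam.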

