Postfix Body Checks

Decided to have a look at using these and looked up what info I can find, set up files for the checks as described and added the paths to main.cf

The header checking seems to work ok, in as much as one mail blocked so far and no error msgs relating to them

I’ve added the subject ones to look something like this:

/^Subject: .university * d1ploma/ REJECT Blocked by header filters

I’m not getting anywhere with body checks though, most of the info I’ve been able to find gives an example for the header ones but not the body ones

They tend to just say something like this:

The format for each line in the body_checks file is as follows:

/content_to_act_on/ ACTION

It seems to suggest using something like:

/university d1ploma/ REJECT Blocked by header filters

I would have expected there to be something needed that tells postfix it’s actually the mail’s body to check against the filter you’re defining

I’ve also gotten errors like these:

warning: regexp map /etc/postfix/body_checks, line 5: Invalid preceding regular expression

Anyone know what the correct format for entries to use in body checks should be?

It’s explained in detail here:

Postfix manual - header_checks(5)

You would specify the file containing the REs like this:

/etc/postfix/main.cf:
 body_checks = regexp:/etc/postfix/body_checks

It has limitations as documented and if you want a more extensive solution you need something like amavis and a virus/spam filter like clamav.

There’s little point in maintaining your own file of blacklisted phrases, as spammers keep coming up with new phrases and ways to get around filter REs. My experience is that dynamic IP address blacklists block out most of the senders.

Hi ken

I’d already looked at the postfix manual mate, doesn’t really give much helpful info on body checks, this is about as good as the manual gets there:

EXAMPLE HEADER FILTER MAP
# These were once common in junk mail.
/^Subject: make money fast/ REJECT
/^To: friend@public\.com/ REJECT

EXAMPLE BODY FILTER MAP
# First skip over base 64 encoded text to save CPU cycles.
~^[[:alnum:]+/]{60,}$~ OK

   # Put your own body patterns here.

The body filter example is of little or no use as an example for people wishing to add checks for particular phrases etc

I was trying it along the lines of the subject ones, trying things like /^body: /^content: etc

Already had the entries in main.cf, without those in there I wouldn’t have been getting the errors like: warning: regexp map /etc/postfix/body_checks, line 5: Invalid preceding regular expression

I’m already using amavis with spamassassin and clamav, that’s all working ok, I just wanted a look at header and body filtering to decide on its usefulness for cutting down even further on mails I’d like to block that get through these mechanisms on a regular basis … playing around a bit basically

I’ve worked it out myself now by deliberately sending myself some test mails from another account

Thanks for the input :)

Without seeing your REs, I can’t tell why they are malformed, but why the REs /^body and /^content? The body doesn’t start with either of those words. (And besides you should close the RE with another /.) The body of the email is everything after the first totally blank line. If I send out an email like this:

From: foo
To: bar
Subject: something

Hello there.

the body is just the line “Hello there”. No “body” or “content” prefixed to it.
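
The point made in the reply above, as an added example that is not part of the original posts and is not Postfix code: a simplified Python model of a regexp body_checks table, showing that body lines carry no "body:" label and that each body line is tested against the rules in order. The sample message, the rule file and all function names are constructed for illustration; Python's `re` stands in for the POSIX regular expressions Postfix uses.

```python
import re

# Constructed sample message; the body starts after the first blank line.
MESSAGE = """From: foo
To: bar
Subject: something

Hello there.
Get your University D1ploma today
"""

# Constructed rules in the "/pattern/ ACTION" form quoted in the thread.
BODY_CHECKS = """
# A "body:" prefix never matches: body lines carry no such label.
/^body: university d1ploma/ REJECT never fires
/university.*d1ploma/ REJECT Blocked by body filters
"""

def parse_rules(text):
    """Parse '/pattern/ ACTION [text]' lines, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"malformed rule (missing closing '/'?): {line}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2), m.group(3)))
    return rules

def split_message(raw):
    """Return (header_lines, body_lines), split at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head.splitlines(), body.splitlines()

def check_body(raw, rules):
    """Test each body line against the rules in order; first match wins."""
    _, body = split_message(raw)
    for text in body:
        for pattern, action, reason in rules:
            if pattern.search(text):
                return action, reason, text
    return None

if __name__ == "__main__":
    print(check_body(MESSAGE, parse_rules(BODY_CHECKS)))
```

On a live server the real table can be queried directly with `postmap -q "some text" regexp:/etc/postfix/body_checks`, which prints the action of the first matching rule.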

Ecky wrote:
> Hi ken
>
> I’d already looked at the postfix manual mate, doesn’t really give much
> helpful info on body checks, this is about as good as the manual gets
> there:
>
> EXAMPLE HEADER FILTER MAP
> # These were once common in junk mail.
> /^Subject: make money fast/ REJECT
> /^To: friend@public\.com/ REJECT
>
> EXAMPLE BODY FILTER MAP
> # First skip over base 64 encoded text to save CPU cycles.
> ~^[[:alnum:]+/]{60,}$~ OK
>
> # Put your own body patterns here.
>
>
> The body filter example is of little or no use as an example for people
> wishing to add checks for particular phrases etc

Remember that the headerchecks deal with all content up to and including
the Subject: line.
Anything after that is dealt with by bodychecks.
So putting a rule for a subject in bodychecks won’t work.

As example, here’s my headerchecks file, although it’s almost never
activated anymore these days.


/^Received: +from +(localhost|ferrets4me\.xs4all\.nl).*\[127\.0\.0\.1\]/ IGNORE
/^Subject:.*   ._]{3,}:digit:]]+$/  DISCARD sub1
/^Subject:.*   ._]{3,}\^ ]+\]$/  DISCARD sub2
/^Subject:.*{(<:.:alpha:]]]+ADV:.})>\]:alpha:]]]+\b/  DISCARD sub3
/^Subject:.*{(<:.:alpha:]]]+ADV:.})>\]:alpha:]]]*$/ DISCARD sub4
/^Subject:.*(Last|New(est)*)\s+Net\s+(Critical)*\s+(Pack|Update)/ DISCARD sub5
/^SUBJECT: /i      DISCARD sub6
#/^Message-ID:.*\<(:alnum:]]{14})\.(:alnum:]]{5})\.(qmail\@.*)\>/ DISCARD MID1
#
#
/^:print:]]{8}/               REJECT Your mailer is not RFC 2047 compliant
#
#/From:.*(microsoft|\"\s?\")/
/^From:.*microsoft/   DISCARD frm1
/^From:.*(delivery|security|e?mail|technical|public|storage|message|technical|(i|inter)+net)+\s+(system|section|assistance|service(s)?|bulletin|division|support|center)+/ WARN frm2