Your comments on the regex are useful since I didn't consider email addresses with delimiters though none of the spam does at the moment. Note a few of the spammers put their email address in the subject line. Maybe that should be my first attempt at discarding. I can't think of a non-spammer doing that.
I read your tips and the postscreen page. Since postscreen doesn't read the content of the email, I'm not sure what good it will do. I have blocking lists set up in postfix itself. (Less is more. No additional program in the chain.) I suppose I could use postscreen just to inspect the email server (postscreen without blocking mail?) which I think you mean it will still block funky email servers, but the gmail spam comes from gmail. It is perfectly legit email other than sometimes the reply and from don't match. That itself is legit but just odd.

Here is a sanitized and shortened header. I am baffled why these spammers include a gmail address in their email since the reply to field is gmail anyway, but most do. Why google tolerates this crap is another story. I gave up on emailing their abuse contact since nothing changed by doing so.

Return-Path: <infoa0...@gmail.com>
X-Original-To: m...@mydomain.com
Delivered-To: m...@mydomain.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
        client-ip=209.85.222.46; helo=mail-ua1-f46.google.com;
        envelope-from=infoa0...@gmail.com; receiver=m...@mydomain.com
DMARC-Filter: OpenDMARC Filter v1.4.1 www.mydomain.com 8E2BF69A7B
Authentication-Results: mydomain.com; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: mydomain.com; spf=pass smtp.mailfrom=gmail.com
DKIM-Filter: OpenDKIM Filter v2.11.0 www.mydomain.com 8E2BF69A7B
Authentication-Results: www.mydomain.com;
        dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Mb0Z+9VO"
Received: from mail-ua1-f46.google.com (mail-ua1-f46.google.com [209.85.222.46])
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        by www.mydomain.com (Postfix) with ESMTPS id 8E2BF69A7B
        for <m...@mydomain.com>; Fri, 5 Nov 2021 12:09:13 +0000 (UTC)
Received: by mail-ua1-f46.google.com with SMTP id az37so16607241uab.13
        for <m...@mydomain.com>; Fri, 05 Nov 2021 05:09:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:reply-to:from:date:message-id:subject:to;
        <snip>
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:reply-to:from:date:message-id
         :subject:to;
        <snip>
X-Gm-Message-State: AOAM532TS3ZNsUStUWlcBN56fBCGvVQTPu8NGAoz576BhScZapblMLfa
        MoJux1YhYW0kmDUg2jh6myKzaL7nRhQuLVO0sHg=
X-Google-Smtp-Source: ABdhPJwaGhpcfV5E2//9RLpCPT4+PXBI7XdCN/nLCgf6EYfgW+pcKLMeYoW+3Jk64pzSQ47l56P14h+8d7dMPlXuLE0=
X-Received: by 2002:ab0:5a93:: with SMTP id w19mr63371846uae.58.1636114152575;
        Fri, 05 Nov 2021 05:09:12 -0700 (PDT)
MIME-Version: 1.0
Reply-To: jm84450...@gmail.com
From: Abdulla Shahid <infoa0...@gmail.com>
Date: Fri, 5 Nov 2021 05:08:57 -0700
Message-ID: <ca+7rq_da3z67g0arnrjqv4-yghoewnv72no8t2rdyqmdjds...@mail.gmail.com>

On Sat, 06 Nov 2021 10:54:48 -0500
Rob McGee <r...@nodns4.us> wrote:

> On 2021-11-06 06:15, li...@lazygranch.com wrote:
> > Most of my spam contains a gmail address to reply to the spammer. I
> > would like to discard email whose body contains a gmail address.
> > Since discarding mail could get ugly, I would hope someone on the
> > list can eyeball my plan.
>
> Indeed it is ugly. You just as well could have asked for a method
> to throw out the baby with the bathwater!
>
> > I added
> > body_checks = pcre:/etc/postfix/body_checks
> > to main.cf. I made a null body_checks file and ran postmap on it,
> > then
>
> postmap "compiles" hash: and other indexed map types. It's not
> needed for a pcre_table(5) map.
>
> > did a reload & restart. Postfix wouldn't send email if the file was
> > missing.
> >
> > postconf -d mail_version
> > mail_version = 3.6.2
> >
> > Trawling the internet I found this regex to match gmail addresses:
> > ^[\w.+\-]+@gmail\.com$
> >
> > So if body_checks contained
> > /^[\w.+\-]+@gmail\.com$/ DISCARD
> > work.
>
> Change DISCARD to WARN first, to see what it matches.
>
> Also, you anchored the expression on both ends, ^ and $, so you're
> only going to match mail with ONLY the gmail address on one line.
> This line with zeixsgw9gufv2isophpdyisr0bgz0...@gmail.com will not
> match. Neither will this, with the <> enclosing brackets:
> <zeixsgw9gufv2isophpdyisr0bgz0...@gmail.com>
>
> I think once you get the bugs worked out you will give up on this.
>
> See my postscreen howto for a much more effective means of dealing
> with spam.
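
The anchoring point raised in the quoted reply can be checked offline before a rule goes anywhere near a live body_checks table. The following is an added example, not code from either poster: the unanchored pattern, the function name and all sample bodies and addresses are assumptions constructed for illustration, and Python's `re` stands in for PCRE.

```python
import re

# Pattern exactly as posted in the thread (anchored at both ends).
ANCHORED = r"^[\w.+\-]+@gmail\.com$"
# Hypothetical unanchored variant (an assumption, not from the thread).
UNANCHORED = r"[\w.+\-]+@gmail\.com\b"


def body_check(pattern, action, body):
    """Mimic a one-rule pcre body_checks table.

    Each body line is tested on its own, case-insensitively (the
    pcre_table default). Returns (action, matching_line) for the
    first hit, or None when no line matches.
    """
    rx = re.compile(pattern, re.IGNORECASE | re.ASCII)
    for line in body.splitlines():
        if rx.search(line):
            return action, line
    return None


# Constructed sample bodies; every address here is made up.
SAMPLES = {
    "spam, address inside a sentence":
        "Dear friend,\nKindly reply to me at donor.office@gmail.com today.\n",
    "spam, address in <> brackets":
        "Contact:\n<donor.office@gmail.com>\n",
    "spam, address alone on a line":
        "Contact:\ndonor.office@gmail.com\n",
    "legitimate mail mentioning a gmail address":
        "Hi,\nMy new address is Jane.Doe@Gmail.com, please update it.\n",
}

if __name__ == "__main__":
    # WARN rather than DISCARD, as the reply advises for a first run.
    for label, body in SAMPLES.items():
        for name, pat in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
            print(f"{label:45s} {name:10s} -> {body_check(pat, 'WARN', body)}")
```

The last sample is the "baby with the bathwater" case: once the anchors are removed so the rule catches the spam, it also fires on ordinary mail that merely mentions a gmail address.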