[SLUG] Postfix and PCRE filtering
Hi all,

I'm messing postfix-pcre version 2.6.5-3 from Debian testing. In the /etc/postfix/pcre_table I have the following rule:

    /^Subject: .*(casino|nline pharmacy).*/i REJECT

I also have in /etc/postfix/main.sf:

    header_checks = pcre:/etc/postfix/pcre_table

to enable pcre checks.

If I send email from a gmail account with the word 'casino' in the subject line, the email is rejected and the gmail account gets a 'Delivery Status Notification' message.

However, even with all the above, I'm still getting emails with 'casino' in the subject line.

Anybody have any idea why PCRE is only working with postfix some of the time?

Cheers,
Erik
--
Erik de Castro Lopo
http://www.mega-nerd.com/
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix and PCRE filtering
Erik de Castro Lopo mle+s...@mega-nerd.com writes:

> I'm messing postfix-pcre version 2.6.5-3 from Debian testing. In the /etc/postfix/pcre_table I have the following rule:
>
> [...]
>
> However, even with all the above, I'm still getting emails with 'casino' in the subject line.
>
> Anybody have any idea why PCRE is only working with postfix some of the time?

IIRC, header_checks see only raw headers, so anything encoded with RFC 2047 syntax might look nothing like that.

For example, 2047 base-64 encoded headers seem popular in spam, and those could contain 'casino' without, y'know, containing 'casino'.

Daniel

I suggest you use something like amavisd-new which pushes the email through all the relevant normalization before it applies rules like that.

--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
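The RFC 2047 point made in the reply above, as an added example that is not part of the original thread: the rule from the first post is applied once to the header as transmitted and once after decoding its encoded-words. The sample subjects are constructed, the function names are hypothetical, and Python's `re` module stands in for PCRE on the assumption that this simple pattern behaves the same in both.

```python
import base64
import re
from email.header import decode_header, make_header

# The rule from the original post, translated to Python's re syntax.
RULE = re.compile(r"^Subject: .*(casino|nline pharmacy).*", re.IGNORECASE)


def raw_match(header_line):
    """Match the header as transmitted, which is what header_checks is given."""
    return RULE.search(header_line) is not None


def decoded_match(header_line):
    """Decode RFC 2047 encoded-words first, then apply the same rule."""
    name, _, value = header_line.partition(":")
    decoded = str(make_header(decode_header(value.strip())))
    return RULE.search(name + ": " + decoded) is not None


# Constructed sample headers (not taken from real mail).
_TEXT = "Win big at the casino tonight"
_B64 = base64.b64encode(_TEXT.encode("utf-8")).decode("ascii")
SAMPLES = {
    "plain": "Subject: " + _TEXT,
    "base64": "Subject: =?UTF-8?B?" + _B64 + "?=",
    "quoted-printable": "Subject: =?ISO-8859-1?Q?Win_big_at_the_c=61sino_tonight?=",
    "benign": "Subject: Minutes from the June meeting",
}


def evaluate():
    """Return {label: (raw_match, decoded_match)} for every sample."""
    return {k: (raw_match(v), decoded_match(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (raw, decoded) in evaluate().items():
        print(f"{label:17} raw={raw!s:5} decoded={decoded}")
```

Both encoded samples pass the raw check and are caught only after decoding, which is the normalization step a content filter such as amavisd-new performs before its rules run.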
Re: [SLUG] Postfix and PCRE filtering
On 06/06/10 20:10, Erik de Castro Lopo wrote:

> If I send email from a gmail account with the word 'casino' in the subject line, the email is rejected and the gmail account gets a 'Delivery Status Notification' message.
>
> However, even with all the above, I'm still getting emails with 'casino' in the subject line.
>
> Anybody have any idea why PCRE is only working with postfix some of the time?

I have never set up Postfix filtering before, so this is probably a stupid question, but is it possible the rules you added are only matching when sent with your e-mail address in the “To:” header (rather than the “Delivered-To:” header)?

Most spam I get doesn’t contain my address in the To header.

Try sending a “casino” e-mail from your Gmail account with some other address (i.e. your Gmail account) in the To field, and then Bcc with your Postfix address. Any difference?

Sorry in advance if I’m sending you on a wild goose chase.

Other things you could try is piping the mail through a hex editor to see if there are any funny U+ characters lurking in there.

Cheers,
Jeremy.
Re: [SLUG] Postfix and PCRE filtering
Jeremy Visser jer...@visser.name writes:

> On 06/06/10 20:10, Erik de Castro Lopo wrote:
>
> > If I send email from a gmail account with the word 'casino' in the subject line, the email is rejected and the gmail account gets a 'Delivery Status Notification' message.
> >
> > However, even with all the above, I'm still getting emails with 'casino' in the subject line.
> >
> > Anybody have any idea why PCRE is only working with postfix some of the time?
>
> I have never set up Postfix filtering before, so this is probably a stupid question, but is it possible the rules you added are only matching when sent with your e-mail address in the “To:” header (rather than the “Delivered-To:” header)?

They are not in either: the {header,body}_checks in Postfix are very blunt tools, inside the MTA.

[...]

> Sorry in advance if I’m sending you on a wild goose chase.

It might have helped if you had a better understanding of the tool you were giving advice about...

> Other things you could try is piping the mail through a hex editor to see if there are any funny U+ characters lurking in there.

...and possibly about the data transfer formats, too, since this is extremely unlikely: having a NUL byte embedded in the word would, y'know, show up (and the U+ notation means the Unicode code point with the 16-bit value 0.)

I suspect you actually meant check if the data is encoded in UCS2/UTF16, in which you would see ASCII characters as a series of regular characters separated by NUL bytes, because it is a 16-bit[1] encoding of Unicode.

...which you wouldn't try and transit through an email system even if it /was/ 8-bit clean, which most of them are not.

Daniel

Footnotes:
[1] ...more or less, leaving aside the complications of the variable width encoding used.

--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons