
Header Checks: Examples of What Not to Do

Posted by Filed Under Filters with Comments Off

Listed here are a number of header checks that do work, but for the most part they are ineffective.  Here is the problem: each of these examples matches one specific Subject.  As a result you will be writing header checks until the day you die, which is not good.  My thinking is that you will want to discard this methodology in favor of header checks that are more general and throw a wider net over the problem.  There are two reasons for this.  First, you have SpamAssassin or some other program to do the actual spam testing later.  Second, you need to preserve resources on your Postfix mail server.  This is actually the most important aspect: what you are trying to do is save yourself money and time by reducing the load on your server.  If you place too many header checks in Postfix you will begin to see a loss of speed and resources.

So review your header checks and make sure you are using each line wisely.

/^Subject: Get Viagra Online Now !!!/                REJECT
/^Subject: ENLARGE YOUR PACAKGE GUARANTEED/            REJECT
/^Subject: Add REAL Inches To Your Package! GUARANTEED/    REJECT
/^Subject: At Last, Herbal V, the All Natural Alternative!/    REJECT
/^Subject: Have Hair Loss? We Can Help You!\.\.Read on\.\./    REJECT
/^Subject: Pill to Increase Your Ejaculation by \d{3}%/        REJECT
/^Subject: free trial herbal viagra good for men and women/    REJECT
/^Subject: STAYING POWER/                    REJECT
/^Subject: Isn\'t It Time You Solved Your \"little\" Problem\?\s*\d{2,6}/    REJECT
/^Subject: Non Prescription Alternative to Viagra/        REJECT

# financial / money

/^Subject: INSTANT Daily PAY!/                    REJECT
/^Subject: INSTANT Pay to \$\d{2,3} A Day!/            REJECT
/^Subject: The easiest way to make money on the internet!/    REJECT
/^Subject: INTEREST RATES HAVE DROPPED/                REJECT !
/^Subject: Make Money In Your Sleep! /                REJECT
/^Subject: Lowest Rates In Years! /                REJECT
/^Subject: make money now!!!!!/                    REJECT
/^Subject: HOME-BASED BUSINESSES /                REJECT
/^Subject: Sick of paying and paying and staying in debt\? /    REJECT
/^Subject: Recession Hurts!/                    REJECT
/^Subject: Got Debt\?\s*Cut Your Bills in HALF!/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Make \d{2}% Yearly Fully Secured!/            REJECT
/^Subject: Have tax problems\?\s*\[\w{4,6}\]/            REJECT
/^Subject: Got a Mortgage\?\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Rates Have Fallen Again!\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Take Advantage of Falling Interest Rates!/        REJECT
/^Subject: Double Your Life Insurance at NO EXTRA COST!/    REJECT
/^Subject: Got Debt\?.*\[\w{4,6}\]/                REJECT
/^Subject: Are you in debt\?\s*\[\w{4,6}\]/            REJECT
/^Subject: Refinance rates as low as \d.\d{2}%/            REJECT
/^Subject: Hot Casino Action - \d{2,3}% Bonus/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Need More Life Insurance\? Double it for No Extra Cost/    REJECT
/^Subject: Did you get your money\?/                REJECT
/^Subject: Tired of dropping stock prices\?\d{1,6}/        REJECT
/^Subject: \d{2,6}\s*Work From Home /                REJECT
/^Subject: Debt Consolidation.\s*\[\w{4,6}\]/            REJECT
/^Subject: Mortgage interest rates are lowered AGAIN/        REJECT
/^Subject: Re:  Easy money!  Muy dinero! \(/            REJECT
/^Subject: Feel the Excitement of CyberXCasino/            REJECT
/^Subject: Free Loan Quotations\.\.\.\.\.Lower your Rate!/        REJECT
/^Subject: Free Vacation$/                    REJECT
/^Subject: GUARANTEED MONTHLY INCOME- Join FREE NOW!/        REJECT
/^Subject: Is your mortgage APR as low as \d.\d{2}/        REJECT
/^Subject: Tired of the 40 X 40.*\?/                REJECT
/^Subject: NEVER REPAY, FREE CASH GRANTS\.*\s*\d{2,7}$/        REJECT
/^Subject: Are You Making \$\w{2,}\+ A Month Online\?\s*\d{2,7}$/    REJECT
/^Subject: Secure Your Financial Future!$/            REJECT
/^Subject: \d{2,3}% OFF Your Life Insurance/            REJECT

# piracy

/^Subject: Copy Your Favorite DVD Movies !!!/            REJECT
/^Subject: EASILY COPY ANY DVD MOVIE FOR FREE!/            REJECT
/^Subject: Favorite Movie not on DVD\?/                REJECT

# random

/^Subject: Try this, it really works! /                REJECT
/^Subject: Increased Emotional Stability /            REJECT
/^Subject: Free Travel/                        REJECT
/^Subject: Chart Returns - Charles Taylor /            REJECT
/^Subject: You could search for a year and\.\.\.\.\./        REJECT
/^Subject: Escape the Ordinary\.\.\.\.\.\.New Opportunity for you\.\./    REJECT
/^Subject: This Is What You've Been Waiting For\..*\d{2,6}/    REJECT
/^Subject: Get Rid of those Paper Piles!\s*\d{2,6}/        REJECT
/^Subject: Imaging Software for the Home.*\d{2,6}/        REJECT
/^Subject: End static on the cell/                REJECT
/^Subject: Free Trials & HBC Updates!/                REJECT
/^Subject: Free Trials from Home Business Connection/        REJECT
/^Subject: Fw: Marketing your product or service just got easier!/    REJECT
/^Subject: Re: I did not hear back from you$/            REJECT
/^Subject: Safe, Easy Snoring Solution!\s*\w{2,7}/        REJECT

# search engines

/^Subject: Search Engine Bids Are Now Half Price!/        REJECT
/^Subject: Guaranteed Top Ten Search Engine Placement!!\s*\d{2,7}/    REJECT

# spamware / email addresses

/^Subject: \d{2,3} Million Fresh Email Addresses/        REJECT
/^Subject: \d{2,3} Million Email Addresses - \$\d{2,3}/        REJECT
/^Subject: Internet Marketing Works! -\w{48}/            REJECT
/^Subject: Lets Learn How to market successfully!\s*\d{2,7}/    REJECT

# spyware

/^Subject: Investigate Anyone or Anything now!/            REJECT
/^Subject: NEW!! Find out ANYTHING about ANYONE w\/ your PC!/    REJECT

# paranoia

/^Subject: Protect yourself from Small pox and Anthrax Naturally\s*\w{2,7}/    REJECT

# just plain unrealistic

/^Subject: Boost Your Windows Reliability/            REJECT
/^Subject: Give Windows Operating System A Boost In Reliability!/    REJECT

Dropping X-Mailers in Header Checks


Header checks with Postfix can be used to deal with unwanted mail before your server wastes time on it.  Create the file /etc/postfix/header_checks and then add this line to your main.cf.

header_checks = pcre:/etc/postfix/header_checks

The format line for each header check follows this pattern:

/^HEADER:.*content_for_review/   ACTION

The HEADER that you will usually act on is the Subject header.  However, you can also filter on the X-Mailer header.  One idea is to DISCARD all mail that comes from the typical X-Mailers that a spammer will use.  Here is a list of X-Mailers that you could place in your header_checks file.  Note that often you will use REJECT to send a message back to the user, but with these known mailers you probably do not want to send anything back to them.  Note also that this method is bound to create some false positives, so test it for yourself before you make any final decisions.

# Following is a list of known mass mailer programs.
/^X-Mailer: 0001/                               DISCARD
/^X-Mailer: 007 Direct Email Easy/                          DISCARD
/^X-Mailer: Advanced Mass Sender/                          DISCARD
/^X-Mailer: Aristotle /                          DISCARD
/^X-Mailer: Aureate Group Mail/                          DISCARD
/^X-Mailer: Avalanche/                          DISCARD
/^X-Mailer: commercialmail /                          DISCARD
/^X-Mailer: Copia emailFacts /                          DISCARD
/^X-Mailer: Crescent Internet Tool/             DISCARD
/^X-Mailer: CyberCreek/                          DISCARD
/^X-Mailer: DiffondiCool/                       DISCARD
/^X-Mailer: Dynamic Opt-In Emailer /                          DISCARD
/^X-Mailer: DMailer /                          DISCARD
/^X-Mailer: eGroups Message Poster /                          DISCARD
/^X-Mailer: E-Mail Delivery Agent/              DISCARD
/^X-Mailer: Emailer Platinum/                   DISCARD
/^X-Mailer: E-mail sender /                          DISCARD
/^X-Mailer: e-Merge  /                          DISCARD
/^X-Mailer: Entity/                             DISCARD
/^X-Mailer: Extractor/                          DISCARD
/^X-Mailer: Floodgate/                          DISCARD
/^X-Mailer: GMail2 /                          DISCARD
/^X-Mailer: GOTO Software Sarbacane/            DISCARD
/^X-Mailer: Inet_Mail_Out /                          DISCARD
/^X-Mailer: jfmailer /                          DISCARD
/^X-Mailer: Mail Bomber /                          DISCARD
/^X-Mailer: MailWorkz/                          DISCARD
/^X-Mailer: MassE-Mail/                         DISCARD
/^X-Mailer: MaxBulk.Mailer/                     DISCARD
/^X-Mailer: MailKing /                          DISCARD
/^X-Mailer: Mailloop /                          DISCARD
/^X-Mailer: MailXSender /                          DISCARD
/^X-Mailer: MassE-Mail /                          DISCARD
/^X-Mailer: MultiMailer /                          DISCARD
/^X-Mailer: NetMasters SMTP /                          DISCARD
/^X-Mailer: Opt-In Lightning /                          DISCARD
/^X-Mailer: PersMail /                          DISCARD
/^X-Mailer: PLAUZIUM /                          DISCARD
/^X-Mailer: Power CGI Bulk /                          DISCARD
/^X-Mailer: Prospect Mailer /                          DISCARD
/^X-Mailer: News Breaker Pro/                   DISCARD
/^X-Mailer: SmartMailer/                        DISCARD
/^X-Mailer: Sparc12 /                          DISCARD
/^X-Mailer: StormPort/                          DISCARD
/^X-Mailer: SuperMail-2/                        DISCARD
/^X-Mailer: Super-Duper-FastMail/                          DISCARD
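
One way to measure the false positives mentioned above before switching a rule to DISCARD is to replay sample headers against the rules. This is an added example, not code from the original post: the three rules are copied from the list above, the sample messages and the mailer names in the "good" rows are constructed, and Python's re module only approximates Postfix's PCRE matching.

```python
import re

# Three rules copied from the list above.
RULES = """\
/^X-Mailer: Entity/       DISCARD
/^X-Mailer: Extractor/    DISCARD
/^X-Mailer: MassE-Mail/   DISCARD
"""

# Constructed samples: (label, known good?, raw header block).
# The mailer names in the known-good rows are made up for illustration.
SAMPLES = [
    ("bulk-1", False, "Subject: hi\nX-Mailer: MassE-Mail 3.1\n"),
    ("helpdesk", True, "Subject: Ticket 4411\nX-Mailer: EntityDesk 2.0\n"),
    ("folded", True, "X-Mailer: Extractor\n Suite for Archives\nSubject: x\n"),
    ("plain", True, "Subject: lunch?\nX-Mailer: ExampleMail 1.0\n"),
]

def load_rules(text):
    """Parse '/pattern/ ACTION' lines; pcre tables ignore case by default."""
    found = re.findall(r"^/(.*)/[ \t]+(\S+)", text, re.M)
    return [(re.compile(p, re.I), p, a) for p, a in found]

def logical_headers(block):
    """Join folded continuation lines so each header is tested once, whole."""
    headers = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += line
        else:
            headers.append(line)
    return headers

def dry_run(rules_text, samples):
    """Return (label, pattern, action, known_good) for each message a rule hits."""
    rules = load_rules(rules_text)
    hits = []
    for label, known_good, block in samples:
        for header in logical_headers(block):
            hit = next(((p, a) for rx, p, a in rules if rx.search(header)), None)
            if hit:
                hits.append((label, hit[0], hit[1], known_good))
                break
    return hits

for label, pattern, action, known_good in dry_run(RULES, SAMPLES):
    print(label, action, pattern, "FALSE POSITIVE" if known_good else "")
```

Because the patterns are anchored only at the start, any mailer name that begins with the same word is caught, which is where the false positives come from.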

Built in Content Filters for Postfix


One way to implement content filtering is to use regular expressions in your header, mime_header, nested_header and body checks.  These should be simple regular expression matches.  The goal with this example is to eliminate non-English characters, since we cannot read them anyway.  This will drop all non-English mail.

header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
nested_header_checks = pcre:/etc/postfix/nested_header_checks
body_checks = pcre:/etc/postfix/body_checks

Notice that the map type is pcre in these examples; you could use regexp instead.  Best performance is with pcre (Perl Compatible Regular Expression) tables.  Check that you can use pcre with:

postconf -m

If you do not have pcre support you can use regexp.

When you create the file header_checks, here are a couple of options for the rule format; there are others.

/pattern/flags action

or

!/pattern/flags action

Decide which one you want to use.  The example below uses pattern matches.

If you want to reject or discard all email that is non-English you can take these steps.

Before you set up the header_checks you need to be somewhat familiar with the actions that you want to take.  Here is a list of actions with a brief description.

Actions
DISCARD                 drop the message out of existence
DUNNO                   pretend the input line did not match the pattern
FILTER                  send the message to an external content filter
HOLD                    put the message in the hold queue
IGNORE                  delete the current line and move to the next line
PREPEND                 prepend one line with the given text and inspect the next line
REDIRECT                enter an email address to redirect the message to
REPLACE                 give the text that replaces the line
REJECT optional text    reject and reply with the message
WARN optional text      warning with the text message

In the example, two actions are shown.  The first is DISCARD, which means no message will be sent to the user; the mail is just dropped.  The second is REJECT, which sends a message back to indicate an unacceptable character set.

# Header Checks
header_checks = pcre:/etc/postfix/header_checks

Create a new file.  You can move the default header_checks file, which holds the man page, to header_checks_bk and then start a new file.

Contents of header_checks.  Thanks to Wietse Venema for this suggestion.

/[^[:print:]]{8}/ DISCARD

# Chinese, Japanese and Korean
/^Content-Type:.*?charset\s*=\s*"?(Big5|gb2312|euc-cn)"?/
    REJECT HDR2100: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(euc-kr|iso-2022-kr)"?/
    REJECT HDR2110: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(iso-2022-\w+|euc-jp|shift_jis)"?/
    REJECT HDR2120: Unaccepted character set: "$1"
# Cyrillic character sets: Russian/Ukrainian
/^Content-Type:.*?charset\s*=\s*"?(koi8-(?:r|u))"?/
    REJECT HDR2200: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(windows-(?:1250|1251))"?/
    REJECT HDR2210: Unaccepted character set: "$1"

Once you have the file created, restart Postfix and then test.  Create a testpattern file and place an example header in that file to test the header check.

postmap -q - pcre:/etc/postfix/header_checks < testpattern

If a pattern matches what you placed in testpattern, then you will get a return on the command.  If there is no match, you will get nothing in return.
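
A lint pass over the table catches mistakes that would otherwise only show up during that test: an action on its own unindented line (Postfix treats only indented lines as continuations), a misspelled action, an unescaped '?', or a repeated pattern. This is an added example, not part of the original posts; the sample table is constructed from rules shown on this page, and the '?' check is a heuristic assumption.

```python
import re

# Action names from the list on this page.
ACTIONS = {"DISCARD", "DUNNO", "FILTER", "HOLD", "IGNORE", "PREPEND",
           "REDIRECT", "REPLACE", "REJECT", "WARN"}
RULE = re.compile(r"^(!?)/(.*)/([A-Za-z]*)\s*(.*)$")   # [!]/pattern/flags action
OPTIONAL = re.compile(r"[A-Za-z]\?(?= |\\s|$)")       # heuristic: "DVD?" or "debt? "

def logical_lines(text):
    """Join indented continuation lines; skip blanks and # comments."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1][1] += " " + raw.strip()
        else:
            out.append([no, raw.strip()])
    return out

def lint(text):
    """Return (line_no, problem) pairs for a header_checks table."""
    findings, seen = [], {}
    for no, line in logical_lines(text):
        m = RULE.match(line)
        if not m:
            findings.append((no, "not in /pattern/flags action form"))
            continue
        pattern, words = m.group(2), m.group(4).split()
        if not words or words[0].upper() not in ACTIONS:
            findings.append((no, f"missing or unknown action: {words[:1]}"))
        if OPTIONAL.search(pattern):
            findings.append((no, "unescaped '?' makes the letter before it optional"))
        if pattern in seen:
            findings.append((no, f"same pattern as line {seen[pattern]}"))
        seen.setdefault(pattern, no)
    return findings

# Constructed sample built from rules on this page (line 1 is the blank line).
SAMPLE = r"""
/^Subject: Double your policy at No Extra Cost!/   REJECT
/^Subject: Favorite Movie not on DVD?/   REJECT
/^Subject: Free Trials from Home Business Connection/   REJEC
/^Subject: Double your policy at No Extra Cost!/   REJECT
/^Content-Type:.*?charset\s*=\s*"?(euc-kr|iso-2022-kr)"?/
REJECT HDR2110: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(koi8-(?:r|u))"?/
    REJECT HDR2200: Unaccepted character set: "$1"
"""
```

Calling lint(SAMPLE) returns one finding for each of lines 3 to 7 and none for the indented rule at lines 8 and 9.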