From: Louis-David Mitterrand on
On Wed, May 05, 2010 at 07:00:37PM +0200, Laurent CARON wrote:
> Hi,
>
> I'm basically trying to protect my users from the following:
>
> Spam
> - Sent from accounts hosted on freemail providers (yahoo, ...)
> - Originating from AfriNIC ranges
> - Targeted at several dozen users
>
> The headers look like this:
> Received: from [41.207.213.162] by web1104.biz.mail.sk1.yahoo.com via HTTP; Tue, 04 May 2010 14:44:20 PDT
>
>
> It is fairly trivial to block such things via a header access map
>
> if /^(Received|X-((Origin(ating)?|Client|MDRemote|Sender)-?IP|(Client|Remote_)Addr|PHP-Script)):/
> /\b(41\.\d+\.\d+\.\d+)\b/ REJECT regional junk 001 #Africa
> endif
>
> Some of my users receive a few legitimate emails from Africa.

You could try this in /etc/postfix/header_checks

if /^(Received|X-((Origin(ating)?|Client|MDRemote|Sender)-?IP|(Client|Remote_)Addr|PHP-Script)):/
if !/^(X-Original-)?To:[^@]*(africanspamlover1|africanspamlover2|etc..)@/
/\b(41\.1(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 1
/\b(41\.3(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 2
.. and all other rules ...
endif
endif

(the indent is purely for clarity. Not sure postfix accepts it.)

--
http://www.cruisefish.net

From: Louis-David Mitterrand on
On Wed, May 05, 2010 at 01:44:54PM -0400, Brian Evans - Postfix List wrote:
> >>
> > You could try this in /etc/postfix/header_checks
> >
> > if /^(Received|X-((Origin(ating)?|Client|MDRemote|Sender)-?IP|(Client|Remote_)Addr|PHP-Script)):/
> > if !/^(X-Original-)?To:[^@]*(africanspamlover1|africanspamlover2|etc..)@/
> > /\b(41\.1(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 1
> > /\b(41\.3(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 2
> > .. and all other rules ...
> > endif
> > endif
> >
> This will not work.
> Postfix analyzes headers one at a time.
> You cannot check multiple headers at once in header_checks.
> You need a milter or other filter to do that.

Could this be entered as a postfix wishlist item then? A 'm' flag to
pcre_table that would match on the whole headers (instead of
line-by-line), akin to Perl's 'm' regexp flag:

m Treat string as multiple lines. That is, change "^" and "$" from
matching the start or end of the string to matching the start or
end of any line anywhere within the string.

It would be very powerful, yet retain the ability to match on any
individual header line with ^ and $ anchors.
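
The limitation discussed above, as an added example that is not part of any post in this thread: a Python model of why the nested rule cannot exempt recipients when each header is tested in isolation, next to the decision a content filter or milter can make once it has seen all headers. The regular expressions and the Received: line come from the thread; the function names, verdict labels and the example.com recipients are assumptions.

```python
import re
from email import message_from_string

# Patterns from the thread; the two recipient names are the thread's placeholders.
IP_HDR = re.compile(r"^(Received|X-((Origin(ating)?|Client|MDRemote|Sender)-?IP"
                    r"|(Client|Remote_)Addr|PHP-Script)):", re.I)
EXEMPT_TO = re.compile(
    r"^(X-Original-)?To:[^@]*(africanspamlover1|africanspamlover2)@", re.I)
BLOCKED_IP = re.compile(r"\b41\.\d+\.\d+\.\d+\b")

def header_lines(raw):
    """Return each logical header as one unfolded 'Name: value' string."""
    msg = message_from_string(raw)
    return [f"{k}: {' '.join(str(v).split())}" for k, v in msg.items()]

def per_header_verdict(raw):
    """Model of header_checks: every rule sees a single header in isolation."""
    for line in header_lines(raw):
        # The nested 'if !/To:/' is tested against this same line, so for a
        # Received: header it is always true and the exemption never applies.
        if (IP_HDR.search(line) and not EXEMPT_TO.search(line)
                and BLOCKED_IP.search(line)):
            return "REJECT"
    return "DUNNO"  # label used here for "no decision"

def whole_message_verdict(raw):
    """What a content filter or milter can do: decide after seeing all headers."""
    lines = header_lines(raw)
    if any(EXEMPT_TO.search(l) for l in lines):
        return "DUNNO"  # recipient opted out of the regional block
    if any(IP_HDR.search(l) and BLOCKED_IP.search(l) for l in lines):
        return "REJECT"
    return "DUNNO"

def sample(rcpt):
    # Constructed message; the Received: line is the one quoted in the thread.
    return ("Received: from [41.207.213.162] by web1104.biz.mail.sk1.yahoo.com via HTTP;\n"
            " Tue, 04 May 2010 14:44:20 PDT\n"
            f"To: {rcpt}@example.com\n"
            "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for rcpt in ("africanspamlover1", "someone"):
        msg = sample(rcpt)
        print(rcpt, per_header_verdict(msg), whole_message_verdict(msg))
```
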

From: Louis-David Mitterrand on
On Thu, May 06, 2010 at 11:15:21AM +0200, Tom Hendrikx wrote:
> On 06/05/10 10:58, Louis-David Mitterrand wrote:
> > On Wed, May 05, 2010 at 01:44:54PM -0400, Brian Evans - Postfix List wrote:
> >>>>
> >>> You could try this in /etc/postfix/header_checks
> >>>
> >>> if /^(Received|X-((Origin(ating)?|Client|MDRemote|Sender)-?IP|(Client|Remote_)Addr|PHP-Script)):/
> >>> if !/^(X-Original-)?To:[^@]*(africanspamlover1|africanspamlover2|etc..)@/
> >>> /\b(41\.1(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 1
> >>> /\b(41\.3(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 2
> >>> .. and all other rules ...
> >>> endif
> >>> endif
> >>>
> >> This will not work.
> >> Postfix analyzes headers one at a time.
> >> You cannot check multiple headers at once in header_checks.
> >> You need a milter or other filter to do that.
> >
> > Could this be entered as a postfix wishlist item then? A 'm' flag to
> > pcre_table that would match on the whole headers (instead of
> > line-by-line), akin to Perl's 'm' regexp flag:
> >
> > m Treat string as multiple lines. That is, change "^" and "$" from
> > matching the start or end of the string to matching the start or
> > end of any line anywhere within the string.
> >
> > It would be very powerful, yet retain the ability to match on any
> > individual header line with ^ and $ anchors.
> >
>
> Hi,
>
> I think that postfwd can do all of this already, working as a policy
> daemon. See http://www.postfwd.org/
>
> No need to complicate postfix any further: it is an MTA, and should
> concentrate on mail delivery. There is a reason that you can hook up a
> myriad of external tools into postfix.

What is more complicated? Plug yet another policy daemon to one's
postfix installation (with all the care and feeding it entails) or add a
totally transparent and optional 'm' flag to postfix's pcre_table?

From: /dev/rob0 on
On Thu, May 06, 2010 at 10:58:01AM +0200, Louis-David Mitterrand
wrote:
> On Wed, May 05, 2010 at 01:44:54PM -0400, Brian Evans - Postfix
> List wrote:
> > >>
> > > You could try this in /etc/postfix/header_checks
> > >
> > > if /^(Received|X-((Origin(ating)?|Client|MDRemote|Sender)-?IP|(Client|Remote_)Addr|PHP-Script)):/
> > > if !/^(X-Original-)?To:[^@]*(africanspamlover1|africanspamlover2|etc..)@/
> > > /\b(41\.1(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 1
> > > /\b(41\.3(6\d|7[0-5])\.\d+\.\d+)\b/ REJECT african spam rule 2
> > > .. and all other rules ...
> > > endif
> > > endif
> > >
> > This will not work.
> > Postfix analyzes headers one at a time.
> > You cannot check multiple headers at once in header_checks.
> > You need a milter or other filter to do that.
>
> Could this be entered as a postfix wishlist item then? A 'm' flag

I can't speak for Wietse, but: no. What you're talking about would
probably require major restructuring of cleanup(8). As you were told,
what you want to do is already possible by means of external content
filters and/or milters.

I believe you will find Wietse's answer to your wish here:
http://www.postfix.org/CONTENT_INSPECTION_README.html
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header