Fedora Core 2 wishlists
Chuck Mead
csm at redhat.com
Wed Dec 10 19:14:28 UTC 2003
Chris Adams wrote:
> Once upon a time, Chuck Mead <csm at redhat.com> said:
>
>>Content based checks *ARE* done with postfix at the SMTP port and that
>>was my point... using postfix I can certainly block via host, email
>>address, network ip or range the same as I can with sendmail but I can
>>also block content at the SMTP port using mime_checks, header_checks, or
>>body_checks using regexp or pcre. I have a suspicion that the fact you
>>are unaware of that capability is *why* you prefer sendmail. :-)
>
>
> Okay, I guess I don't know what you mean by "at the SMTP port".
inbound mail ----- > regexp/pcre at port 25 [pre-receipt match will bounce]
It is about that simple.
URL http://moongroup.com/outbound.config shows a postfix config which
does this.
Expression matches could look like this:
/etc/postfix/header_checks:
/^Subject: .*Viagra/ REJECT
Reference: http://www.postfix.org/uce.html#header_checks
/etc/postfix/body_checks:
/This Is A One[-\ ]*Time (email|e-mail|mailing|offer)/ REJECT
Reference: http://www.postfix.org/uce.html#body_checks
/etc/postfix/mime_header_checks:
/name=[^>]*your_details.zip/ REJECT SecuritySage mail filters have
    determined that your email appears to be infected with the Sobig virus.
    Please see
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
    for information about the virus.
Reference: mime checks are actually an extension of existing checks
executed via config... not an added capability.
So a match on one of these expressions would reject the mail and
delivery is never attempted, nor is the mail accepted on the host.
body_checks rejection sample:
Sep 28 21:03:30 varmint postfix/cleanup[12671]: 30FA2DA60D: reject: body
ver-co.com/rm/remove.php"><font color=3D"#0000FF" size=3D"1"
face=3D"Arial"= from unknown[200.180.154.68];
from=<frankie at gorgeousgeorge.biz> to=<xxxxx at moongroup.com> proto=ESMTP
helo=<mail.focuspro.com.br>
mime or header_checks rejection sample:
Sep 29 13:18:44 varmint postfix/cleanup[30994]: 63C23DA60C: reject:
header Content-Type: application/octet-stream;??name=SRC.scr from
smtp3.arnet.com.ar[200.45.191.14]; from=<iactucuman at arnet.com.ar>
to=<xxxxxx at xfce.org> proto=SMTP helo=<smtp3.arnet.com.ar>: Potentially
dangerous file attachment
header_checks rejection samples:
Dec 4 16:43:26 varmint postfix/cleanup[24627]: 9A09DDA4BF: reject:
header Subject: bsi The lowest priced Sildenafil Citrate (Viagra) for
xxxxx at xfce.org. ore from ACB9EB9B.ipt.aol.com[172.185.235.155];
from=<ndsuree at iname.com> to=<xxxxx at xfce.org> proto=ESMTP
helo=<ACB9EB9B.ipt.aol.com>
Sep 29 04:50:50 varmint postfix/cleanup[21880]: EB9F9DA4BF: reject:
header Subject: Merchant Accounts Increase Sales fxje vghnnt c from
unknown[203.131.110.14]; from=<Pmcxa4eR05Q3 at esuperhotwebdeals.com>
to=<xxxxx at moongroup.com> proto=SMTP helo=<adsl-131.110.14.info.com.ph>
--
Chuck Mead <csm at redhat.com>
Instructor II, GLS
Disclaimer: "It's Thursday and my name is Locutus of B0rk!"
Addendum: "Bwahahaha! Fire up the orbital mind-control lasers!"
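
Added example, not part of the original message: a Python parser for postfix/cleanup rejection lines of the shape shown in the samples above, counting rejections per check type and client IP. The log lines, addresses and the names REJECT_RE, parse_reject and summarize are constructed for illustration.

```python
import re
from collections import Counter

# Shape of a postfix/cleanup content-check rejection, following the samples
# above: QID: reject: header|body <matched text> from host[ip]; from=<..>
# to=<..> proto=.. helo=<..>, optionally followed by ": <reject text>".
REJECT_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): reject: "
    r"(?P<check>header|body) (?P<matched>.*) "   # greedy: text may contain " from "
    r"from (?P<host>\S+)\[(?P<ip>[^\]]+)\]; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
    r"(?:: (?P<text>.*))?$"
)

# Constructed sample lines (documentation IPs and domains, not real logs).
SAMPLE_LOG = [
    "Dec  4 16:43:26 mx1 postfix/cleanup[24627]: 9A09DDA4BF: reject: header "
    "Subject: Greetings from Viagra sellers from unknown[192.0.2.10]; "
    "from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<pc.example.net>",
    "Dec  4 16:50:02 mx1 postfix/cleanup[24630]: 63C23DA60C: reject: header "
    "Content-Type: application/octet-stream; name=SRC.scr from "
    "mail.example.com[198.51.100.7]; from=<b@example.com> to=<user@example.org> "
    "proto=SMTP helo=<mail.example.com>: Potentially dangerous file attachment",
    "Dec  4 17:01:11 mx1 postfix/cleanup[24641]: 30FA2DA60D: reject: body "
    "This Is A One-Time offer from unknown[192.0.2.10]; from=<c@example.net> "
    "to=<user@example.org> proto=ESMTP helo=<pc.example.net>",
    "Dec  4 17:01:12 mx1 postfix/smtpd[24650]: connect from unknown[192.0.2.10]",
]

def parse_reject(line):
    """Return the fields of one cleanup reject line as a dict, else None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count rejections per (check type, client IP); skip unrelated lines."""
    hits = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec:
            hits[(rec["check"], rec["ip"])] += 1
    return hits

if __name__ == "__main__":
    for (check, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{check:6} {ip:15} {n}")
```

The greedy match on the rejected text keeps a Subject or body line that itself contains " from " intact, because the client is taken from the last "from host[ip];" before the envelope fields.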