Fedora Core 2 wishlists

Chuck Mead csm at redhat.com
Wed Dec 10 19:14:28 UTC 2003


Chris Adams wrote:
> Once upon a time, Chuck Mead <csm at redhat.com> said:
> 
>>Content based checks *ARE* done with postfix at the SMTP port and that 
>>was my point... using postfix I can certainly block via host, email 
>>address, network ip or range the same as I can with sendmail but I can 
>>also block content at the SMTP port using mime_checks, header_checks, or 
>>body_checks using regexp or pcre. I have a suspicion that the fact you 
>>are unaware of that capability is *why* you prefer sendmail. :-)
> 
> 
> Okay, I guess I don't know what you mean by "at the SMTP port".

inbound mail ----- > regexp/pcre at port 25 [pre-receipt match will bounce]

It is about that simple.

URL http://moongroup.com/outbound.config shows a postfix config which 
does this.

Expression matches could look like this:

/etc/postfix/header_checks:

/^Subject: .*Viagra/                            REJECT

Reference: http://www.postfix.org/uce.html#header_checks

/etc/postfix/body_checks:

/This Is A One[-\ ]*Time (email|e-mail|mailing|offer)/  REJECT

Reference: http://www.postfix.org/uce.html#body_checks

/etc/postfix/mime_header_checks:

/name=[^>]*your_details.zip/ REJECT SecuritySage mail filters have
    determined that your email appears to be infected with the Sobig virus.
    Please see
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
    for information about the virus.

Reference: mime checks are actually an extension of existing checks 
executed via config... not an added capability.

So a match on one of these expressions would reject the mail and 
delivery is never attempted, nor is the mail accepted on the host.

body_checks rejection sample:

Sep 28 21:03:30 varmint postfix/cleanup[12671]: 30FA2DA60D: reject: body 
ver-co.com/rm/remove.php"><font color=3D"#0000FF" size=3D"1" 
face=3D"Arial"= from unknown[200.180.154.68]; 
from=<frankie at gorgeousgeorge.biz> to=<xxxxx at moongroup.com> proto=ESMTP 
helo=<mail.focuspro.com.br>

mime or header_checks rejection sample:

Sep 29 13:18:44 varmint postfix/cleanup[30994]: 63C23DA60C: reject: 
header Content-Type: application/octet-stream;??name=SRC.scr from 
smtp3.arnet.com.ar[200.45.191.14]; from=<iactucuman at arnet.com.ar> 
to=<xxxxxx at xfce.org> proto=SMTP helo=<smtp3.arnet.com.ar>: Potentially 
dangerous file attachment

header_checks rejection samples:

Dec  4 16:43:26 varmint postfix/cleanup[24627]: 9A09DDA4BF: reject: 
header Subject: bsi The lowest priced Sildenafil Citrate (Viagra) for 
xxxxx at xfce.org. ore from ACB9EB9B.ipt.aol.com[172.185.235.155]; 
from=<ndsuree at iname.com> to=<xxxxx at xfce.org> proto=ESMTP 
helo=<ACB9EB9B.ipt.aol.com>

Sep 29 04:50:50 varmint postfix/cleanup[21880]: EB9F9DA4BF: reject: 
header Subject: Merchant Accounts Increase Sales fxje   vghnnt c from 
unknown[203.131.110.14]; from=<Pmcxa4eR05Q3 at esuperhotwebdeals.com> 
to=<xxxxx at moongroup.com> proto=SMTP helo=<adsl-131.110.14.info.com.ph>




-- 
Chuck Mead <csm at redhat.com>
Instructor II, GLS
Disclaimer: "It's Thursday and my name is Locutus of B0rk!"
Addendum: "Bwahahaha! Fire up the orbital mind-control lasers!"
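
An added example, not part of the original message: a small Python parser for postfix/cleanup reject lines in the layout of the samples above, tallying which check class fired and which client IPs triggered it. The log lines are constructed (documentation addresses and hostnames), and the names parse_reject and summarize are hypothetical.

```python
import re
from collections import Counter

# Field layout taken from the postfix/cleanup reject lines quoted in the message.
# The matched header/body text is sender-controlled, so the greedy (.*) plus the
# end anchor ties client/from/to/helo to the LAST trailer on the line.
REJECT_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): reject: "
    r"(?P<cls>header|body) (?P<matched>.*) "
    r"from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
    r"(?:: (?P<text>.*))?$"
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Sep 29 13:18:44 mx postfix/cleanup[30994]: 63C23DA60C: reject: header Content-Type: application/octet-stream; name=SRC.scr from relay.example.net[192.0.2.14]; from=<a@example.net> to=<u@example.org> proto=SMTP helo=<relay.example.net>: Potentially dangerous file attachment
Dec  4 16:43:26 mx postfix/cleanup[24627]: 9A09DDA4BF: reject: header Subject: Cheap Viagra from our store from unknown[198.51.100.7]; from=<b@example.com> to=<u@example.org> proto=ESMTP helo=<pc.example.com>
Sep 28 21:03:30 mx postfix/cleanup[12671]: 30FA2DA60D: reject: body This Is A One-Time offer from unknown[198.51.100.7]; from=<c@example.com> to=<v@example.org> proto=ESMTP helo=<mail.example.com>
Sep 28 21:03:31 mx postfix/smtpd[12670]: disconnect from unknown[198.51.100.7]
"""


def parse_reject(line):
    """Return the fields of one cleanup reject line as a dict, or None."""
    m = REJECT_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(log_text):
    """Count rejects per check class and per client IP."""
    by_class, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec:
            by_class[rec["cls"]] += 1
            by_ip[rec["ip"]] += 1
    return by_class, by_ip


if __name__ == "__main__":
    classes, ips = summarize(SAMPLE_LOG)
    print(dict(classes))
    print(ips.most_common())
```

The optional text group captures the message an administrator attaches after REJECT in the check table, which identifies the rule that fired when several rules share a class.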





