Hi Sebastian, yes but this would require me to actually know all the hostnames upfront, i.e. I cannot use a PCRE regex if I am not mistaken, or?
Thanks.

Best regards
Sebastian

> On 31.01.2016 at 12:52, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
>
> I would suggest using check_sender_access instead of header checks. Then you
> can reject based on MAIL FROM:, since apparently the hosts are using their
> e**. hostname in MAIL FROM.
>
> -----Original message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On behalf of Sebastian Wolfgarten
> Sent: 31 January 2016 11:56
> To: postfix-users@postfix.org
> Subject: PCRE regex in header_checks ignored - why? [Invalid]
>
> Hi,
>
> I have a problem with a PCRE-based rule in header_checks which seems to be
> ignored and I can’t understand why this is the case. Hopefully you guys have
> an idea on how to fix this :-)
>
> So here is my setup: I am using Postfix 2.11.7 on FreeBSD 10 and as I am
> being bombarded with emails from certain hosts in France (and I have no idea
> why). These hosts are always following this format:
>
> letter e
> 1-2 digit number
> hostname
> .fr
>
> Here are some samples from today:
>
> e16.sodipoc.fr
> e38.info-essentiel.fr
> e42.1jour1news.fr
>
> I have defined a rule in SpamAssassin which successfully marks the related
> spam accordingly (works like a charm):
>
> header French_Spam ALL =~ / e\d{1,2}\.\S+\.fr /i
> score French_Spam 4.8
>
> Now I am trying not to mark the unsolicited emails anymore but block them
> entirely. As such I have defined the following rule in header_checks based on
> the rule that I have defined in SpamAssassin:
>
> /e\d{1,2}\.\S+\.fr/i REJECT French Spam
>
> I reloaded Postfix (postmap is not necessary for PCRE files, or?) but still I
> have received three spam mails today. Still the rule seems okay from my
> perspective - here is a test of the rule with three hosts I have received
> spam from today:
>
> $ postmap -q "e16.sodipoc.fr" pcre:/etc/postfix/header_checks
> REJECT French Spam
>
> $ postmap -q "e38.info-essentiel.fr" pcre:/etc/postfix/header_checks
> REJECT French Spam
>
> $ postmap -q "e42.1jour1news.fr" pcre:/etc/postfix/header_checks
> REJECT French Spam
>
> Any idea why this is happening?
>
> Here an extract of the headers of one of the emails received today (note: The
> message was marked as spam by Postfix but I manually removed all the related
> headers and information not to end up in your spam filters):
>
> Return-Path: <bou...@e42.1jour1news.fr>
> Delivered-To: sebast...@wolfgarten.com
> Received: from waldfest (localhost [127.0.0.1])
>     by waldfest.wolfgarten.com (Postfix) with ESMTP id 4154D704B9
>     for <sebast...@wolfgarten.com>; Sun, 31 Jan 2016 11:06:58 +0100 (CET)
> X-Quarantine-ID: <xg91jhFD9UJP>
> Received: from waldfest.wolfgarten.com ([127.0.0.1])
>     by waldfest (waldfest.wolfgarten.com [127.0.0.1]) (amavisd-new, port 10024)
>     with LMTP id xg91jhFD9UJP for <sebast...@wolfgarten.com>;
>     Sun, 31 Jan 2016 11:06:44 +0100 (CET)
> X-Greylist: delayed 300 seconds by postgrey-1.36 at waldfest; Sun, 31 Jan 2016 11:06:44 CET
> Received: from e42.1jour1news.fr (e42.1jour1news.fr [62.210.13.102])
>     by waldfest.wolfgarten.com (Postfix) with ESMTP id A6750704AC
>     for <sebast...@wolfgarten.com>; Sun, 31 Jan 2016 11:06:44 +0100 (CET)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key;
>     d=e42.1jour1news.fr;
>     h=List-Unsubscribe:Message-ID:Date:Subject:From:Reply-To:To:MIME-Version:Content-Type;
>     i=s...@e42.1jour1news.fr; bh=zQj93n30egRyo2hFB5OnJZSylLw=;
>     b=FSLGriDlKRcl/NXBkxXU7ANj7JEO3+ltGllwY3hZu2bXxjJLXjFbz+fTZljB2BHbYMaKFmZxd6cF
>     6OhoV689FNZPqC1SBUt7rA2qMTRP0gqpuCGkMqTZ9KaSObrSNlZgCsxnsOuLWt7zrjF1OHL6jT8C
>     y0Nre8XUjO0vR+d2Jbs=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key; d=e42.1jour1news.fr;
>     b=Y4c0lfDPkQ4YaimLaY4exKzB9WpnZVLpQ+HP7976BIB5gFzWEIF+n9wYB7afXxThUNNWaomOHcJs
>     LxgAMqLl9nmkNLI6FRS0zn3cC/Pq8wUoUxdhyity3JWxiTo3q12ZP2/UxsYaOcWccB03Ch8VsB2u
>     9dhJQsHlnHCxcvj2Grs=;
> List-Unsubscribe:
>     <http://link.lilinews.fr/t/u/mT2NTvqG3IQSUL1gyO7Px8zP42vuolnECda87eT2bELfB63CFJolSx2R-d9wMmfhSsIzs-RQFBJ7mGmt1RffM79Wt7YeSHwsbbVWTpjRwEE>
> Message-ID: <1454234504.tinkiwinkilalapo56addb880b...@link.lilinews.fr>
> Date: Sun, 31 Jan 2016 11:01:44 +0100
> Subject: =?UTF-8?Q?15=E2=82=AC?= offerts sur la nouvelle collection
>
> Finally, here is Postfix config:
>
> alias_maps = hash:/etc/aliases,mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> body_checks = pcre:/etc/postfix/body_checks,pcre:/etc/postfix/bad_urls
> canonical_maps = regexp:/etc/postfix/rewrite
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
> default_destination_concurrency_limit = 20
> dovecot_destination_recipient_limit = 1
> header_checks = pcre:/etc/postfix/header_checks
> html_directory = /usr/share/doc/postfix
> in_flow_delay = 1s
> inet_interfaces = all
> inet_protocols = ipv4
> local_destination_concurrency_limit = 2
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 0
> milter_default_action = accept
> milter_protocol = 2
> mlmmj_destination_recipient_limit = 1
> mydestination = $myhostname, sms.wolfgarten.com
> mydomain = wolfgarten.com
> myhostname = waldfest.wolfgarten.com
> mynetworks = ***REMOVED***
> mynetworks_style = host
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = $smtpd_milters
> propagate_unmatched_extensions = virtual
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> receive_override_options = no_address_mappings
> recipient_delimiter = +
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtpd_banner = $myhostname ESMTP
> smtpd_helo_required = yes
> smtpd_milters = inet:127.0.0.1:8891
> smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_sender,
>     reject_non_fqdn_recipient, permit_sasl_authenticated,
>     reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname,
>     reject_unknown_sender_domain, check_sender_access
>     hash:/etc/postfix/sender_access, check_client_access
>     cidr:/etc/postfix/access-client, reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client
>     ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client
>     cbl.abuseat.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client
>     dul.dnsbl.sorbs.net, check_policy_service inet:127.0.0.1:10023
> smtpd_reject_unlisted_sender = yes
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = check_sender_access
>     hash:/etc/postfix/sender_access, permit_sasl_authenticated,
>     permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain, reject_unknown_sender_domain,
>     reject_non_fqdn_sender
> soft_bounce = no
> transport_maps = regexp:/etc/postfix/transport,hash:/var/spool/mlmmj/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual,hash:/var/spool/mlmmj/virtual,mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_transport = dovecot
>
> Thank you.
>
> Best regards
> Sebastian
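An added example, not part of the original thread: a small Python harness that runs the posted rule over whole logical header lines, which is what header_checks inspects, instead of over bare hostnames as in the `postmap -q` tests, and compares it with an anchored pattern for a `pcre:` sender access table (Postfix access tables can be regexp or pcre maps). The sample headers, the sender addresses and `SENDER_RULE` are constructed for illustration.

```python
import re

# Python's re stands in for PCRE; these patterns mean the same in both.
# Postfix pcre tables match case-insensitively by default and a trailing
# "i" toggles that off, so the posted rule is modelled case-sensitively.
HEADER_RULE = re.compile(r"e\d{1,2}\.\S+\.fr")
# Assumed tighter pattern for a pcre: sender access table, where the
# lookup key is the whole envelope sender address.
SENDER_RULE = re.compile(r"@e\d{1,2}\.[^@\s]+\.fr$", re.IGNORECASE)

# Constructed sample: two headers modelled on the spam in the post and
# two from an unrelated, legitimate message (example.fr / 192.0.2.7).
SAMPLE = (
    "Received: from e42.1jour1news.fr (e42.1jour1news.fr [62.210.13.102])\n"
    "\tby waldfest.wolfgarten.com (Postfix) with ESMTP id A6750704AC\n"
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key;\n"
    "\td=e42.1jour1news.fr;\n"
    "Received: from home12.example.fr (home12.example.fr [192.0.2.7])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 0000000000\n"
    "Subject: Rendez-vous lundi\n"
)

def logical_headers(raw):
    """Attach folded continuation lines to the header they belong to."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers

def header_hits(raw, rule=HEADER_RULE):
    """Return (header name, matched text) for every logical header the rule hits."""
    hits = []
    for header in logical_headers(raw):
        m = rule.search(header)
        if m:
            hits.append((header.split(":", 1)[0], m.group(0)))
    return hits

def sender_rejected(address, rule=SENDER_RULE):
    """True if the envelope sender would match the anchored access pattern."""
    return rule.search(address) is not None

if __name__ == "__main__":
    for name, text in header_hits(SAMPLE):
        print(f"header_checks hit: {name}: {text}")
    for addr in ("bounce@e42.1jour1news.fr", "user@home12.example.fr"):
        print(addr, "->", "REJECT" if sender_rejected(addr) else "no match")
```

The third header hit is a false positive on an unrelated host: the unanchored rule matches any header text that contains an `e`, one or two digits, a dot and a later `.fr`, while the anchored sender pattern does not match that host's address.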