On 2022-06-17 at 04:51:08 UTC-0400 (Fri, 17 Jun 2022 09:51:08 +0100)
Eduardo Maia <em...@ipbrick.com>
is rumored to have said:

Hi,

I need to block emails with a fake FROM like:

From: "Nick Blue <n...@domain.pt>" <yk...@omega-eng.co.jp>


Postfix has the header_checks and mime_header_checks features. When the FROM is plain text, it works fine, but when the FROM is MIME encoded like this:

From: =?UTF-8?B?PElQQlJJQ0sgbsK6IDMyNTc0PiBhc2FudG9zQGlwYnJpY2suY29t?=
<alcal...@ayuntamientocamaleno.com>

the email is not blocked, even with mime_header_checks.

Correct. To catch patterns in headers that have been encoded like that, you need to figure out patterns in the encoded bytes and match those. It can be done in principle, but it is not worth doing.

Note that mime_header_checks matches *internal* headers on MIME parts, it does not decode encoded headers.

Configuration for header_checks and mime_header_checks:

root@porto:/etc/postfix# cat mime_header_checks
if /From:/
/From:[[:space:]]+"(.*)[@](.*)"+(.*)/ REJECT NO MORE FAKES!
endif
root@porto:/etc/postfix#

Note that this can catch entirely legitimate mail where the 'display name' part of the From header is just the address in double-quotes.

Where can I find more information about mime_header_checks, or another solution?

The built-in simple header_checks (and mime_header_checks) facility is not a good tool for this.

Apache SpamAssassin has a module designed to catch this sort of From name spoofing, which handles encoded headers and cases where the display name simply replicates the address part of the header. It can be integrated with Postfix via a milter (MIMEDefang, MailMunge, spamass-milter, amavisd-milter, etc.), via an SMTP proxy rig (amavisd), or via a content_filter script.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
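Added example, not from this thread nor from Postfix or SpamAssassin: with constructed placeholder addresses, it shows why the regex from the mime_header_checks table above matches a plain From but not the same display name once it is RFC 2047 B-encoded, and the decode-then-compare check a content_filter or milter can apply instead. It assumes only Python's standard-library email parser; the sample addresses and the ADDR_IN_NAME_RE pattern are my own.

```python
"""Raw header_checks regex vs. decoded display-name check on a From header."""
import base64
import re
from email import message_from_string, policy

# The pattern from the mime_header_checks table above, in Python regex syntax.
HEADER_CHECKS_RE = re.compile(r'From:\s+"(.*)[@](.*)"+(.*)')
# Anything that looks like an e-mail address inside a display name (assumed pattern).
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def encode_display_name(name: str) -> str:
    """Build an RFC 2047 B-encoded word, the form header_checks cannot see through."""
    b64 = base64.b64encode(name.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="


def raw_regex_matches(from_line: str) -> bool:
    """What header_checks does: match the undecoded header line as-is."""
    return HEADER_CHECKS_RE.search(from_line) is not None


def display_name_spoofs_address(from_line: str) -> bool:
    """Decode encoded-words, parse the address, then flag a display name that
    embeds an address whose domain differs from the real sender domain.
    A display name that merely repeats the real address is NOT flagged."""
    msg = message_from_string(from_line + "\n\n", policy=policy.default)
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return False
    addr = hdr.addresses[0]
    real_domain = addr.domain.lower()
    for embedded in ADDR_IN_NAME_RE.findall(addr.display_name):
        if embedded.rsplit("@", 1)[1].lower() != real_domain:
            return True
    return False


# Constructed samples; the addresses are placeholders, not from the original mail.
PLAIN = 'From: "Nick Blue <nick@example.pt>" <someone@example.co.jp>'
ENCODED = ("From: " + encode_display_name("Nick Blue <nick@example.pt>")
           + " <someone@example.co.jp>")
LEGIT = 'From: "nick@example.pt" <nick@example.pt>'

if __name__ == "__main__":
    for label, line in (("plain", PLAIN), ("encoded", ENCODED), ("legit", LEGIT)):
        print(f"{label:8} header_checks={raw_regex_matches(line)!s:5} "
              f"decoded_check={display_name_spoofs_address(line)}")
```

The legit sample shows the false positive the reply warns about: the raw regex rejects it, while the decoded comparison does not.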
