Loading ...
Sorry, an error occurred while loading the content.

Re: Rejecting emails with invalid/unlikely dates?

Expand Messages
  • IBBoard
    There are some very definite patterns in the dates of the spam I m getting (xx/xx/3609 and 19 Jan 38) so a modification of those regex s should do the trick
    Message 1 of 5 , Jan 1, 2009
    • 0 Attachment
      There are some very definite patterns in the dates of the spam I'm
      getting (xx/xx/3609 and 19 Jan 38) so a modification of those regex's
      should do the trick for now.

      As for SpamAssassin, I don't use it at the moment. I'm running a small
      VPS with 128MB of memory and a handful of email accounts. My recent
      tally of spam has been about half-a-dozen per day at most, and the
      majority of those were cut by checking SPF records to stop emails that
      pretend to be from me.

      Presumably there is some way of parsing the various formats of date used
      in email headers, otherwise email clients couldn't display it. If anyone
      knows of or could create a script that could do a more generic job (such
      as the 14 day window I mentioned earlier) then that'd be great.

      Thanks,

      IBBoard


      Noel Jones wrote:
      > mouss wrote:
      >> Darren Pilgrim a écrit :
      >>> IBBoard wrote:
      >>>> I've been looking around but so far haven't been able to find anything
      >>>> (partly because it's difficult to phrase a search query!). If someone
      >>>> has a solution/config for this then that'd be great.
      >>>>
      >>>> Before anyone points out issues with GMail and lack of control, this
      >>>> is all being done on a domain on a VPS. I'm just using my Gmail
      >>>> address for the mailing list :)
      >>>>
      >>>> Basically, 99% of the spam I get (which is only a small amount
      >>>> compared to some people) is either a) purporting to be from me, to me
      >>>> or b) has a date that Thunderbird reports as 1976 or 2038 (but is
      >>>> really 3609 or just "38"). I've resolved the first part with SPF
      >>>> records and checking them in Postfix, but I can't work out how to get
      >>>> Postfix to reject mail that is outside a 14 day window from today (or
      >>>> silently dispose of it if it's not possible because it has to get too
      >>>> far in to the system to fail it).
      >>> You need a content filter for this.
      >>
      >> and to reject, he needs to run it in pre-queue mode (proxy_filter). or
      >> he could use a milter such as milter-regex.
      >>
      >>> Header checks can do this; however,
      >>> they're static, so you have the problem of updating them constantly to
      >>> keep the validity window moving.
      >>
      >> He can use a cron to update the header_checks daily. This is "simpler"
      >> than milter/proxy_filter.
      >>
      >>> Plus there's the issue of date
      >>> formats.
      >>
      >> This is not a problem here, since he wants to block "known" spam. so he
      >> can write expressions for that spam. and if he only wants to block on
      >> the year, then it's even easier.
      >>
      >>> The best way, IMO, is a policy service that can grok a wide
      >>> variety of date formats and check if the date is within 14 days of the
      >>> current time.
      >>>
      >>
      >> a policy service doesn't see headers. a milter or a proxy_filter does.
      >>
      >>> There are spamassassin rules for future dates in message headers, so you
      >>> might try that route instead of rolling your own.
      >>
      >> this is indeed easier and maybe safer (well, if OP uses spamassassin).
      >
      > Once upon a time, these pcre header_checks were posted to this list:
      > (beware line wrapping; each of these are a single line)
      >
      > ### Date checks
      > IF /^Date:/
      > /Date:.*([3-9].:..:|2[4-9]:..:|:[6-9].:|:..:6[0-9])/
      > HOLD invalid time in Date header
      >
      > / \d\d:\d\d:\d\d [^+-][2-9][5-9][0-9][0-9]\s*$/ HOLD invalid time zone
      > offset in Date header
      >
      >
      > /^Date: .* 19[0-9][0-9]/ HOLD UBE Header - Past Date #1
      > /^Date: .* 200[0-6]/ HOLD UBE Header - Past Date #2
      >
      > /^Date:.*((3[2-9]|[4-9][0-9]) Jan|[3-9][0-9] Feb|(3[2-9]|[4-9][0-9])
      > Mar|(3[1-9]|[4-9][0-9]) Apr|(3[2-9]|[4-9][0-9]) May|(3[
      > 1-9]|[4-9][0-9]) Jun|(3[2-9]|[4-9][0-9]) Jul|(3[2-9]|[4-9][0-9])
      > Aug|(3[1-9]|[4-9][0-9]) Sep|(3[2-9]|[4-9][0-9]) Oct|(3[1-9]
      > |[4-9][0-9]) Nov|(3[2-9]|[4-9][0-9]) Dec)/ HOLD Invalid date header.
      > Correct your clock and resend please.
      >
      > /^Date:.*(2[4-9]:[0-9]{2}:[0-9]{2}|[3-9][0-9]:[0-9]{2}:[0-9]{2}|[0-9]{1,2}:[6-9][0-9]:[0-9]{2}|[0-9]{1,2}:[0-9]{2}:(6[2-9]|[
      >
      > 7-9][0-9]))/ HOLD Invalid time header. Correct your clock and resend
      > please.
      >
      > ENDIF
      > ### END DATE CHECKS
      >
      > I have these set to HOLD since they rarely catch anything other than the
      > occasional legit mail with a bad year. YMMV.
      >
    Your message has been successfully submitted and would be delivered to recipients shortly.