header checks not working

  • Rob Brandt
    Message 1 of 20 , Jun 30, 2009
      I'm trying to set up a basic header check to get rid of emails sa marks
      as spam. I've added the following link to main.cf:

      header_checks = regexp:/etc/postfix/filter

      /etc/postfix/filter has:


      # No ***SPAM***
      /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
      # SPam flag
      /^X-Spam-Flag .YES/ DISCARD Spam Flag

      The intent is to discard emails where either the subject contains
      ***SPAM*** or the X-Spam-Flag is YES

      But the filters aren't working. I am by no means a regex expert. What
      am I missing?

      Rob
    • Jason Bailey, Sun Advocate Webmaster
      Message 2 of 20 , Jun 30, 2009
        Rob Brandt wrote:
        > I'm trying to set up a basic header check to get rid of emails sa marks
        > as spam. I've added the following link to main.cf:
        >
        > header_checks = regexp:/etc/postfix/filter
        >
        > /etc/postfix/filter has:
        >
        >
        > # No ***SPAM***
        > /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
        > # SPam flag
        > /^X-Spam-Flag .YES/ DISCARD Spam Flag
        >
        > The intent is to discard emails where either the subject contains
        > ***SPAM*** or the X-Spam-Flag is YES
        >
        > But the filters aren't working. I am by no means a regex expert. What
        > am I missing?
        >
        > Rob
        >

        I'm no Postfix master (not by a long shot), nor do I have a machine I
        can test this on, but try this:

        /^X\-Spam\-Status\:.*YES/i DISCARD

        Since you say your header is different, maybe this:
        /^X\-Spam\-Flag\:.*YES/i DISCARD

        I suppose it depends on the name of the header. I have SpamAssassin
        marking my email and the header is X-Spam-Status, not X-Spam-Flag.

        The "/i" at the end implies case insensitivity when matching. I'm not
        sure if Postfix honors such pattern modifiers, but generally speaking,
        when dealing with Perl-compatible regex, that's what the "i" does. If
        Postfix doesn't like it, just take the "i" out.

        Jason
      • Sahil Tandon
        Message 3 of 20 , Jun 30, 2009
          On Tue, 30 Jun 2009, Rob Brandt wrote:

          > I'm trying to set up a basic header check to get rid of emails sa marks
          > as spam. I've added the following link to main.cf:
          >
          > header_checks = regexp:/etc/postfix/filter

          I prefer pcre:, but the following patterns should work with regexp: as well.

          > # No ***SPAM***
          > /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***

          /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***

          > # SPam flag
          > /^X-Spam-Flag .YES/ DISCARD Spam Flag

          /^X-Spam-Flag: YES$/ DISCARD Spam Flag

          --
          Sahil Tandon <sahil@...>
        • Jason Bailey, Sun Advocate
          Message 4 of 20 , Jun 30, 2009
            Sahil Tandon wrote:
            > On Tue, 30 Jun 2009, Rob Brandt wrote:
            >
            >
            >> I'm trying to set up a basic header check to get rid of emails sa marks
            >> as spam. I've added the following link to main.cf:
            >>
            >> header_checks = regexp:/etc/postfix/filter
            >>
            >
            > I prefer pcre:, but the following patterns should work with regexp: as well.
            >
            >

            I was thinking pcre instead of regexp when I replied. Yes, I also
            suggest pcre.

            >> # No ***SPAM***
            >> /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
            >>
            >
            > /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
            >
            >
            >> # SPam flag
            >> /^X-Spam-Flag .YES/ DISCARD Spam Flag
            >>
            >
            > /^X-Spam-Flag: YES$/ DISCARD Spam Flag
            >
            >
            Maybe it's not necessary, but I've always seemed to have better luck with
            Perl compatible regular expressions (as a general rule, not necessarily
            just with Postfix pcre) when I escape the hyphens (i.e. "\-"). I suppose
            if Postfix works without them, great. The simpler you can keep things,
            the better.
          • Rob Brandt
            Message 5 of 20 , Jun 30, 2009
              Still doesn't seem to be working. Still using regexp, it seems I don't
              have pcre installed as postfix throws errors when I try it. I'm
              focusing on the X-Spam-Flag one since they both should eliminate the
              same emails anyway. I've tried it both with the colon and without. Is
              there a log somewhere where I can see what's going on?

              Rob


              Sahil Tandon wrote:
              > On Tue, 30 Jun 2009, Rob Brandt wrote:
              >
              >> I'm trying to set up a basic header check to get rid of emails sa marks
              >> as spam. I've added the following link to main.cf:
              >>
              >> header_checks = regexp:/etc/postfix/filter
              >
              > I prefer pcre:, but the following patterns should work with regexp: as well.
              >
              >> # No ***SPAM***
              >> /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
              >
              > /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
              >
              >> # SPam flag
              >> /^X-Spam-Flag .YES/ DISCARD Spam Flag
              >
              > /^X-Spam-Flag: YES$/ DISCARD Spam Flag
              >
            • Magnus Bäck
              Message 6 of 20 , Jun 30, 2009
                On Wednesday, July 01, 2009 at 07:02 CEST,
                Rob Brandt <bronto@...> wrote:


                > Sahil Tandon wrote:
                >
                > > I prefer pcre:, but the following patterns should work with regexp:
                > > as well.

                No, {n} isn't supported by regexp.

                > > /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
                > >
                > > /^X-Spam-Flag: YES$/ DISCARD Spam Flag
                >
                > Still doesn't seem to be working. Still using regexp, it seems I
                > don't have pcre installed as postfix throws errors when I try it.

                "postconf -m" indicates which map types are supported.

                > I'm focusing on the X-Spam-Flag one since they both should eliminate
                > the same emails anyway. I've tried it both with the colon and
                > without. Is here a log somewhere where I can see what's going on?

                You can use "postmap -q" to test input strings. The following patterns
                are regexp-compatible:

                /^Subject:.*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
                /^X-Spam-Flag: YES$/ DISCARD Spam Flag

                Test them with "postmap -q" first. If it doesn't work you need to
                provide an example email with these headers.

                Please do not top-post.

                --
                Magnus Bäck
                magnus@...
              • Magnus Bäck
                Message 7 of 20 , Jun 30, 2009
                  On Wednesday, July 01, 2009 at 03:25 CEST,
                  "Jason Bailey, Sun Advocate Webmaster" <webmaster@...> wrote:

                  [...]

                  > The "/i" at the end implies case insensitivity when matching. I'm not
                  > sure if Postfix honors such pattern modifiers, but generally speaking,
                  > when dealing with Perl-compatible regex, that's what the "i" does. If
                  > Postfix doesn't like it, just take the "i" out.

                  As documented in regexp_table(5) and pcre_table(5), /i is supported but
                  is used to DISABLE case-insensitivity.

                  --
                  Magnus Bäck
                  magnus@...
                • Rob Brandt
                  Message 8 of 20 , Jun 30, 2009
                    Magnus Bäck wrote:
                    > On Wednesday, July 01, 2009 at 07:02 CEST,
                    > Rob Brandt <bronto@...> wrote:
                    >
                    >
                    >> Sahil Tandon wrote:
                    >>
                    >>> I prefer pcre:, but the following patterns should work with regexp:
                    >>> as well.
                    >
                    > No, {n} isn't supported by regexp.
                    >
                    >>> /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
                    >>>
                    >>> /^X-Spam-Flag: YES$/ DISCARD Spam Flag
                    >> Still doesn't seem to be working. Still using regexp, it seems I
                    >> don't have pcre installed as postfix throws errors when I try it.
                    >
                    > "postconf -m" indicates which map types are supported.
                    >
                    >> I'm focusing on the X-Spam-Flag one since they both should eliminate
                    >> the same emails anyway. I've tried it both with the colon and
                    >> without. Is here a log somewhere where I can see what's going on?
                    >
                    > You can use "postmap -q" to test input strings. The following patterns
                    > are regexp-compatible:
                    >
                    > /^Subject:.*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
                    > /^X-Spam-Flag: YES$/ DISCARD Spam Flag
                    >
                    > Test them with "postmap -q" first. If it doesn't work you need to
                    > provide an example email with these headers.
                    >
                    > Please do not top-post.
                    >

                    Thanks. postconf -m confirms that I have regexp but not pcre.

                    Could I get an example of how to use postmap -q? I have tried:

                    postmap -q "X-Spam-Flag: YES" /etc/postfix/header_checks

                    where "X-Spam-Flag: YES" is the header I am trying to check and
                    /etc/postfix/header_checks is the current name of my header_checks file.
                    I get no return values, I've read the man and I think I'm supposed to
                    get a 0 when it matches.

                    Rob
                  • Magnus Bäck
                    Message 9 of 20 , Jun 30, 2009
                      On Wed, July 1, 2009 8:13 am, Rob Brandt said:

                      > Could I get an example of how to use postmap -q? I have tried:
                      >
                      > postmap -q "X-Spam-Flag: YES" /etc/postfix/header_checks
                      >
                      > where "X-Spam-Flag: YES" is the header I am trying to check and
                      > /etc/postfix/header_checks is the current name of my header_checks file.

                      Yes, but you need to tell Postfix that it's a regexp map:

                      postmap -q "X-Spam-Flag: YES" regexp:/etc/postfix/header_checks

                      > I get no return values, I've read the man and I think I'm supposed to
                      > get a 0 when it matches.

                      Correct. If you get a match postmap(1) will print the matching line.

                      --
                      Magnus Bäck
                      magnus@...
                    • Sahil Tandon
                      Message 10 of 20 , Jul 1, 2009
                        On Wed, 01 Jul 2009, Magnus Bäck wrote:

                        > On Wednesday, July 01, 2009 at 07:02 CEST,
                        > Rob Brandt <bronto@...> wrote:
                        >
                        >
                        > > Sahil Tandon wrote:
                        > >
                        > > > I prefer pcre:, but the following patterns should work with regexp:
                        > > > as well.
                        >
                        > No, {n} isn't supported by regexp.

                        I too was surprised that {n} seems to work with regexp when tested on the
                        command line with postmap(1):

                        # cat header_test
                        /^X-Spam-Flag: YES$/ DISCARD
                        /^Subject:.*\*{3}SPAM\*{3}/ DISCARD

                        # postmap -q "Subject: foo ***SPAM*** bar" regexp:header_test
                        DISCARD

                        --
                        Sahil Tandon <sahil@...>
                      • Noel Jones
                        Message 11 of 20 , Jul 1, 2009
                          Jason Bailey, Sun Advocate Webmaster wrote:
                          > Rob Brandt wrote:
                          >> I'm trying to set up a basic header check to get rid of emails sa
                          >> marks as spam. I've added the following link to main.cf:
                          >>
                          >> header_checks = regexp:/etc/postfix/filter
                          >>
                          >> /etc/postfix/filter has:
                          >>
                          >>
                          >> # No ***SPAM***
                          >> /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
                          >> # SPam flag
                          >> /^X-Spam-Flag .YES/ DISCARD Spam Flag
                          >>
                          >> The intent is to discard emails where either the subject contains
                          >> ***SPAM*** or the X-Spam-Flag is YES
                          >>
                          >> But the filters aren't working. I am by no means a regex expert.
                          >> What am I missing?
                          >>
                          >> Rob
                          >>
                          >
                          > I'm no Postfix master (not by a long shot), nor do I have a machine I
                          > can test this on, but try this:
                          >
                          > /^X\-Spam\-Status\:.*YES/i DISCARD
                          >
                          > Since you say your header is different, maybe this:
                          > /^X\-Spam\-Flag\:.*YES/i DISCARD
                          >
                          > I suppose it depends on the name of the header. I have SpamAssassin
                          > marking my email and the header is X-Spam-Status, not X-Spam-Flag.
                          >
                          > The "/i" at the end implies case insensitivity when matching. I'm not
                          > sure if Postfix honors such pattern modifiers, but generally speaking,
                          > when dealing with Perl-compatible regex, that's what the "i" does. If
                          > Postfix doesn't like it, just take the "i" out.
                          >
                          > Jason


                          No need to escape "-" or ":", and postfix turns on the /i flag
                          by default - adding the flag to a postfix expression turns on
                          case sensitivity.
                          http://www.postfix.org/pcre_table.5.html

                          Rob's trouble is he forgot the ":" at the end of the header name.

                          -- Noel Jones
                        • Rob Brandt
                          Message 12 of 20 , Jul 1, 2009
                            Magnus Bäck wrote, On 6/30/2009 11:39 PM:
                            > On Wed, July 1, 2009 8:13 am, Rob Brandt said:
                            >
                            >> Could I get an example of how to use postmap -q? I have tried:
                            >>
                            >> postmap -q "X-Spam-Flag: YES" /etc/postfix/header_checks
                            >>
                            >> where "X-Spam-Flag: YES" is the header I am trying to check and
                            >> /etc/postfix/header_checks is the current name of my header_checks file.
                            >
                            > Yes, but you need to tell Postfix that it's a regexp map:
                            >
                            > postmap -q "X-Spam-Flag: YES" regexp:/etc/postfix/header_checks
                            >
                            >> I get no return values, I've read the man and I think I'm supposed to
                            >> get a 0 when it matches.
                            >
                            > Correct. If you get a match postmap(1) will print the matching line.
                            >


                            Excellent, I now get a match using postmap. If the spam doesn't cease,
                            I'll be back. Thanks everyone!

                            Rob
                          • Rob Brandt
                            Message 13 of 20 , Jul 1, 2009
                              Rob Brandt wrote, On 7/1/2009 9:09 AM:

                              >
                              > Excellent, I now get a match using postmap. If the spam doesn't cease,
                              > I'll be back. Thanks everyone!
                              >
                              > Rob
                              >

                              Nuts. I am still getting spam. Is there any reason header_checks might
                              not be enabled? Is header_checks being run before SA processes it?

                              Here's my header_checks file:
                              *********************************************
                              # X-Spam-Flag
                              /^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag

                              Here's my current main.cf:
                              *********************************************
                              # See /usr/share/postfix/main.cf.dist for a commented, more complete version


                              # Debian specific: Specifying a file name will cause the first
                              # line of that file to be used as the name. The Debian default
                              # is /etc/mailname.
                              #myorigin = /etc/mailname

                              smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                              biff = no

                              # appending .domain is the MUA's job.
                              append_dot_mydomain = no

                              # Uncomment the next line to generate "delayed mail" warnings
                              #delay_warning_time = 4h

                              readme_directory = no

                              # TLS parameters
                              smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
                              smtpd_tls_key_file = /etc/ssl/private/smtpd.key
                              smtpd_use_tls=yes
                              smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
                              smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

                              # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
                              # information on enabling SSL in the smtp client.

                              myhostname = mail.dom.ain
                              alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
                              alias_database = hash:/etc/aliases
                              myorigin = /etc/mailname
                              mydestination = amd64.dom.ain, localhost.dom.ain,localhost
                              mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
                              mailbox_size_limit = 0
                              recipient_delimiter = +
                              virtual_alias_maps =
                              hash:/etc/postfix/virtual,hash:/usr/local/mailman/data/virtual-mailman
                              home_mailbox = Maildir/
                              content_filter = smtp-amavis:[127.0.0.1]:10024
                              debug_peer_list = amd64.dom.ain

                              unknown_local_recipient_reject_code = 550
                              transport_maps = hash:/etc/postfix/transport
                              smtpd_sasl_type = dovecot
                              smtpd_sasl_path = private/auth-client
                              smtpd_sasl_local_domain =
                              smtpd_sasl_security_options = noanonymous
                              broken_sasl_auth_clients = yes
                              smtpd_sasl_auth_enable = yes
                              smtpd_recipient_restrictions =
                              permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
                              inet_interfaces = all
                              smtpd_tls_auth_only = no
                              smtpd_use_tls = yes
                              smtp_use_tls = yes
                              smtp_tls_note_starttls_offer = yes
                              smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
                              smtpd_tls_loglevel = 1
                              smtpd_tls_received_header = yes
                              smtpd_tls_session_cache_timeout = 3600s
                              tls_random_source = dev:/dev/urandom
                              header_checks = regexp:/etc/postfix/header_checks

                              Here's the headers from a very spammy email I just received:
                              *************************************************************
                              Return-Path: <alenka@...-88-5-123.dynamicIP.rima-tde.net>
                              X-Original-To: bronto-dom.ain@...
                              Delivered-To: bronto-dom.ain@...
                              Received: from localhost (localhost [127.0.0.1])
                              by mail.dom.ain (Postfix) with ESMTP id A24B1422C5
                              for <bronto-dom.ain@...>; Wed, 1 Jul 2009 10:10:54 -0700 (PDT)
                              X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain
                              X-Spam-Flag: YES
                              X-Spam-Score: 27.191
                              X-Spam-Level: ***************************
                              X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31
                              tests=[BAYES_99=3.5, DIGEST_MULTIPLE=0.001, FH_HELO_ALMOST_IP=3.565,
                              FH_HOST_EQ_DYNAMICIP=4.058, HELO_DYNAMIC_SPLIT_IP=3.493,
                              HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
                              PYZOR_CHECK=3.7, RAZOR2_CF_RANGE_51_100=0.5,
                              RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
                              RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1]
                              X-Spam-Report:
                              * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
                              * [score: 1.0000]
                              * 4.1 FH_HOST_EQ_DYNAMICIP Host is dynamicip
                              * 3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
                              * IP)
                              * 3.6 FH_HELO_ALMOST_IP Helo is almost an IP addr.
                              * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
                              * [88.5.123.52 listed in zen.spamhaus.org]
                              * 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
                              * 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
                              * [88.5.123.52 listed in dnsbl.sorbs.net]
                              * 0.0 HTML_MESSAGE BODY: HTML included in message
                              * 0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large
                              * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
                              * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                              * above 50%
                              * [cf: 100]
                              * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
                              * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                              * [cf: 100]
                              * 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
                              * 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
                              * 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
                              * dynamic-looking rDNS
                              Received: from mail.dom.ain ([127.0.0.1])
                              by localhost (amd64.dom.ain [127.0.0.1]) (amavisd-new, port 10024)
                              with ESMTP id z1oE2BXbOpmz for <bronto-dom.ain@...>;
                              Wed, 1 Jul 2009 10:10:49 -0700 (PDT)
                              Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net
                              (52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])
                              by mail.dom.ain (Postfix) with ESMTP id 39BCB42208
                              for <bronto@...>; Wed, 1 Jul 2009 10:10:43 -0700 (PDT)
                              Received: from localhost (nr.ru [127.0.0.1])
                              by nr.ru (8.14.2/8.14.2) with SMTP id ywaeec63;
                              Wed, 1 Jul 2009 18:10:21 +0100
                              (envelope-from lyqin@...)
                              To: Bronto <bronto@...>
                              Subject: ***SPAM*** =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=
                              X-PHP-Script: nr.ru/index.php
                              From: =?koi8-r?B?7cHSyyD7wdLP1w==?= <lyqin@...>
                              Auto-Submitted: auto-generated
                              Message-ID: <4694156114.20090701181021@...>
                              MIME-Version: 1.0
                              Content-Type: text/html; charset="koi8-r"
                              Content-Transfer-Encoding: 8bit
                              X-Priority: 3
                              X-Mailer: IPB PHP
                            • Brian Evans - Postfix List
                              Message 14 of 20 , Jul 1, 2009
                                Rob Brandt wrote:
                                >
                                >
                                > Rob Brandt wrote, On 7/1/2009 9:09 AM:
                                >
                                >>
                                >> Excellent, I now get a match using postmap. If the spam doesn't
                                >> cease, I'll be back. Thanks everyone!
                                >>
                                >> Rob
                                >>
                                >
                                > Nuts. I am still getting spam. Is there any reason header_checks
                                > might not be enabled? Is header_checks being run before SA processes it?
                                >
                                > Here's my header_checks file:
                                > *********************************************
                                > # X-Spam-Flag
                                > /^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag
                                >
                                > Here's my current main.cf:
                                > *********************************************
                                > content_filter = smtp-amavis:[127.0.0.1]:10024

                                'postconf -n' is preferred here over pasting main.cf. Your eyes may
                                play tricks on you.

                                Do you have anything like:
                                "receive_override_options=no_header_body_checks" in master.cf for the
                                content_filter reinjection?
                                This will not match if so.
                              • Terry Carmen
                                Message 15 of 20 , Jul 1, 2009
                                  > Rob Brandt wrote, On 7/1/2009 9:09 AM:
                                  >
                                  >>
                                  >> Excellent, I now get a match using postmap. If the spam doesn't cease,
                                  >> I'll be back. Thanks everyone!
                                  >>
                                  >> Rob
                                  >>
                                  >
                                  > Nuts. I am still getting spam. Is there any reason header_checks might
                                  > not be enabled? Is header_checks being run before SA processes it?

                                  You'll pretty much always get spam. The question is how spammy does
                                  spamassassin think it is, is it being flagged with the spam header, and is
                                  your header check matching it?

                                  >
                                  > Here's my header_checks file:
                                  > *********************************************
                                  > # X-Spam-Flag
                                  > /^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag
                                  >
                                  > Here's my current main.cf:
                                  > *********************************************

                                  Without trying to be a "Master of the Obvious", are you actually getting the
                                  X-Spam-Flag header in your messages? If you're using amavis, it may eat the
                                  spam headers depending on configuration.

                                  Also, you don't need the "$" at the end of the string.

                                  FWIW, you might want to use X-Spam-Level instead of X-Spam-Flag, since it
                                  gives you more control over how spammy something is before you take action:

                                  /^X-Spam-Level.*\*\*\*\*\*/ HOLD

                                  works nicely, for example.

                                  When you fire up postfix are there any error messages in the log?

                                  Terry


                                  > # See /usr/share/postfix/main.cf.dist for a commented, more complete version
                                  >
                                  >
                                  > # Debian specific: Specifying a file name will cause the first
                                  > # line of that file to be used as the name. The Debian default
                                  > # is /etc/mailname.
                                  > #myorigin = /etc/mailname
                                  >
                                  > smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                                  > biff = no
                                  >
                                  > # appending .domain is the MUA's job.
                                  > append_dot_mydomain = no
                                  >
                                  > # Uncomment the next line to generate "delayed mail" warnings
                                  > #delay_warning_time = 4h
                                  >
                                  > readme_directory = no
                                  >
                                  > # TLS parameters
                                  > smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
                                  > smtpd_tls_key_file = /etc/ssl/private/smtpd.key
                                  > smtpd_use_tls=yes
                                  > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
                                  > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                                  >
                                  > # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
                                  > # information on enabling SSL in the smtp client.
                                  >
                                  > myhostname = mail.dom.ain
                                  > alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
                                  > alias_database = hash:/etc/aliases
                                  > myorigin = /etc/mailname
                                  > mydestination = amd64.dom.ain, localhost.dom.ain,localhost
                                  > mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
                                  > mailbox_size_limit = 0
                                  > recipient_delimiter = +
                                  > virtual_alias_maps =
                                  > hash:/etc/postfix/virtual,hash:/usr/local/mailman/data/virtual-mailman
                                  > home_mailbox = Maildir/
                                  > content_filter = smtp-amavis:[127.0.0.1]:10024
                                  > debug_peer_list = amd64.dom.ain
                                  >
                                  > unknown_local_recipient_reject_code = 550
                                  > transport_maps = hash:/etc/postfix/transport
                                  > smtpd_sasl_type = dovecot
                                  > smtpd_sasl_path = private/auth-client
                                  > smtpd_sasl_local_domain =
                                  > smtpd_sasl_security_options = noanonymous
                                  > broken_sasl_auth_clients = yes
                                  > smtpd_sasl_auth_enable = yes
                                  > smtpd_recipient_restrictions =
                                  > permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
                                  > inet_interfaces = all
                                  > smtpd_tls_auth_only = no
                                  > smtpd_use_tls = yes
                                  > smtp_use_tls = yes
                                  > smtp_tls_note_starttls_offer = yes
                                  > smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
                                  > smtpd_tls_loglevel = 1
                                  > smtpd_tls_received_header = yes
                                  > smtpd_tls_session_cache_timeout = 3600s
                                  > tls_random_source = dev:/dev/urandom
                                  > header_checks = regexp:/etc/postfix/header_checks
                                  >
                                  > Here's the headers from a very spammy email I just received:
                                  > *************************************************************
                                  > Return-Path: <alenka@...-88-5-123.dynamicIP.rima-tde.net>
                                  > X-Original-To: bronto-dom.ain@...
                                  > Delivered-To: bronto-dom.ain@...
                                  > Received: from localhost (localhost [127.0.0.1])
                                  > by mail.dom.ain (Postfix) with ESMTP id A24B1422C5
                                  > for <bronto-dom.ain@...>; Wed, 1 Jul 2009 10:10:54 -0700 (PDT)
                                  > X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain
                                  > X-Spam-Flag: YES
                                  > X-Spam-Score: 27.191
                                  > X-Spam-Level: ***************************
                                  > X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31
                                  > tests=[BAYES_99=3.5, DIGEST_MULTIPLE=0.001, FH_HELO_ALMOST_IP=3.565,
                                  > FH_HOST_EQ_DYNAMICIP=4.058, HELO_DYNAMIC_SPLIT_IP=3.493,
                                  > HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
                                  > PYZOR_CHECK=3.7, RAZOR2_CF_RANGE_51_100=0.5,
                                  > RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
                                  > RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1]
                                  > X-Spam-Report:
                                  > * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
                                  > * [score: 1.0000]
                                  > * 4.1 FH_HOST_EQ_DYNAMICIP Host is dynamicip
                                  > * 3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
                                  > * IP)
                                  > * 3.6 FH_HELO_ALMOST_IP Helo is almost an IP addr.
                                  > * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
                                  > * [88.5.123.52 listed in zen.spamhaus.org]
                                  > * 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
                                  > * 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
                                  > * [88.5.123.52 listed in dnsbl.sorbs.net]
                                  > * 0.0 HTML_MESSAGE BODY: HTML included in message
                                  > * 0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large
                                  > * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
                                  > * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                                  > * above 50%
                                  > * [cf: 100]
                                  > * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
                                  > * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                                  > * [cf: 100]
                                  > * 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
                                  > * 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
                                  > * 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
                                  > * dynamic-looking rDNS
                                  > Received: from mail.dom.ain ([127.0.0.1])
                                  > by localhost (amd64.dom.ain [127.0.0.1]) (amavisd-new, port 10024)
                                  > with ESMTP id z1oE2BXbOpmz for <bronto-dom.ain@...>;
                                  > Wed, 1 Jul 2009 10:10:49 -0700 (PDT)
                                  > Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net
                                  > (52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])
                                  > by mail.dom.ain (Postfix) with ESMTP id 39BCB42208
                                  > for <bronto@...>; Wed, 1 Jul 2009 10:10:43 -0700 (PDT)
                                  > Received: from localhost (nr.ru [127.0.0.1])
                                  > by nr.ru (8.14.2/8.14.2) with SMTP id ywaeec63;
                                  > Wed, 1 Jul 2009 18:10:21 +0100
                                  > (envelope-from lyqin@...)
                                  > To: Bronto <bronto@...>
                                  > Subject: ***SPAM*** =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=
                                  > X-PHP-Script: nr.ru/index.php
                                  > From: íÁÒË ûÁÒÏ× <lyqin@...>
                                  > Auto-Submitted: auto-generated
                                  > Message-ID: <4694156114.20090701181021@...>
                                  > MIME-Version: 1.0
                                  > Content-Type: text/html; charset="koi8-r"
                                  > Content-Transfer-Encoding: 8bit
                                  > X-Priority: 3
                                  > X-Mailer: IPB PHP
                                  >
                                  >


                                  --
                                  CNY Support, LLC
                                  Web. Database. Business
                                  http://www.cnysupport.com
                                • Rob Brandt
                                  Message 16 of 20 , Jul 1, 2009
                                    Brian Evans - Postfix List wrote, On 7/1/2009 10:40 AM:

                                    >
                                    > Do you have anything like:
                                    > "receive_override_options=no_header_body_checks" in master.cf for the
                                    > content_filter reinjection?
                                    > This will not match if so.


                                    Bingo:

                                    -o
                                    receive_override_options=no_header_body_checks,no_unknown_recipient_checks

                                    Any negative consequences for eliminating this line, or changing it to:

                                    -o receive_override_options=no_unknown_recipient_checks

                                    Rob
                                  • Jan P. Kessler
                                    Message 17 of 20 , Jul 1, 2009
                                      > Bingo:
                                      >
                                      > -o
                                      > receive_override_options=no_header_body_checks,no_unknown_recipient_checks
                                      >
                                      >
                                      > Any negative consequences for eliminating this line, or changing it to:
                                      >
                                      > -o receive_override_options=no_unknown_recipient_checks

                                      header_checks will be executed twice
                                    • Rob Brandt
                                      Message 18 of 20 , Jul 1, 2009
                                        Jan P. Kessler wrote, On 7/1/2009 12:34 PM:
                                        >> Bingo:
                                        >>
                                        >> -o
                                        >> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
                                        >>
                                        >>
                                        >> Any negative consequences for eliminating this line, or changing it to:
                                        >>
                                        >> -o receive_override_options=no_unknown_recipient_checks
                                        >
                                        > header_checks will be executed twice
                                        >
                                        >

                                        That doesn't sound right or good. What's the right way to do this?

                                        Rob
                                      • Victor Duchovni
                                        Message 19 of 20 , Jul 1, 2009
                                          On Wed, Jul 01, 2009 at 01:50:02PM -0700, Rob Brandt wrote:

                                          >
                                          >
                                          > Jan P. Kessler wrote, On 7/1/2009 12:34 PM:
                                          >>> Bingo:
                                          >>>
                                          >>> -o
                                          >>> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
                                          >>>
                                          >>>
                                          >>> Any negative consequences for eliminating this line, or changing it to:
                                          >>>
                                          >>> -o receive_override_options=no_unknown_recipient_checks
                                          >> header_checks will be executed twice
                                          >
                                          > That doesn't sound right or good. What's the right way to do this?

                                          Nothing wrong with that, especially if your header_checks file is
                                          reasonably short and simple (as it should be).

                                          If you are using 2.6, you could try a multi-instance config, with
                                          separate header checks before and after the filter.

                                          http://www.postfix.org/MULTI_INSTANCE_README.html

                                          --
                                          Viktor.

                                          Disclaimer: off-list followups get on-list replies or get ignored.
                                          Please do not ignore the "Reply-To" header.

                                          To unsubscribe from the postfix-users list, visit
                                          http://www.postfix.org/lists.html or click the link below:
                                          <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                                          If my response solves your problem, the best way to thank me is to not
                                          send an "it worked, thanks" follow-up. If you must respond, please put
                                          "It worked, thanks" in the "Subject" so I can delete these quickly.
                                        • Sahil Tandon
                                          Message 20 of 20 , Jul 1, 2009
                                            On Wed, 01 Jul 2009, Magnus Bäck wrote:

                                            > > Sahil Tandon wrote:
                                            > >
                                            > > > I prefer pcre:, but the following patterns should work with regexp:
                                            > > > as well.
                                            >
                                            > No, {n} isn't supported by regexp.

                                            It is. As noted in regexp_table(5), each pattern is a POSIX regular
                                            expression, whose syntax is documented in re_format(7). For posterity (and
                                            the interested reader), a relevant excerpt from the man page:

                                            A bound is `{' followed by an unsigned decimal integer, possibly followed
                                            by `,' possibly followed by another unsigned decimal integer, always
                                            followed by `}'. The integers must lie between 0 and RE_DUP_MAX (255)
                                            inclusive, and if there are two of them, the first may not exceed the
                                            second. An atom followed by a bound containing one integer i and no
                                            comma matches a sequence of exactly i matches of the atom. An atom
                                            followed by a bound containing one integer i and a comma matches a
                                            sequence of i or more matches of the atom. An atom followed by a bound
                                            containing two integers i and j matches a sequence of i through j
                                            (inclusive) matches of the atom.

                                            Also see the EXAMPLE BODY FILTER MAP in regexp_table(5) for another example
                                            of how to use bounds with regexp.

                                            --
                                            Sahil Tandon <sahil@...>
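An added example (not code from the thread or from Postfix) covering the patterns Terry and Sahil discuss and the reinjection-listener point Brian raised: it dry-runs a regexp: header_checks table with grep -E (the POSIX ERE dialect regexp_table(5) specifies) and shows that with no_header_body_checks on the content_filter reinjection listener the X-Spam-Flag rule never sees the flag, while without it the second pass discards. The table, headers and option lists are constructed, and the table parser is simplified (no "/ " inside a pattern).

```shell
#!/bin/sh
# Added example, not from the thread: dry-run a Postfix header_checks regexp:
# table with grep -E and replay the two header_checks passes a content_filter
# setup makes (smtpd before the filter, reinjection listener after it).
# Assumptions: patterns contain no "/ ", each header is one logical line, and
# the regexp_table(5) default case-insensitive flag applies (hence grep -i).

# Constructed table in header_checks format; first matching rule wins.
HEADER_CHECKS='
# Flag added by SpamAssassin via amavisd-new
/^X-Spam-Flag: YES/ DISCARD X-Spam-Flag
# Five or more stars, written with a POSIX {n,} bound instead of \*\*\*\*\*
/^X-Spam-Level: \*{5,}/ HOLD X-Spam-Level
'

# lookup_header HEADER -> action of the first rule matching HEADER, else DUNNO
lookup_header() {
    hdr=$1
    result=$(printf '%s\n' "$HEADER_CHECKS" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        pat=${line%/ *}; pat=${pat#/}              # text between the slashes
        action=${line##*/ }                        # text after the closing slash
        if printf '%s\n' "$hdr" | grep -E -i -q -- "$pat"; then
            printf '%s\n' "$action"; break
        fi
    done)
    printf '%s\n' "${result:-DUNNO}"
}

# check_headers HEADERS -> first non-DUNNO action over a newline-separated
# header block, else DUNNO (Postfix applies header_checks header by header)
check_headers() {
    result=$(printf '%s\n' "$1" | while IFS= read -r h; do
        [ -n "$h" ] || continue
        a=$(lookup_header "$h")
        [ "$a" = DUNNO ] || { printf '%s\n' "$a"; break; }
    done)
    printf '%s\n' "${result:-DUNNO}"
}

# Constructed headers: what smtpd sees before the filter, and the lines
# amavisd-new prepends before handing the message back to Postfix.
ORIGINAL_HEADERS='From: sender@example.invalid
To: bronto@example.invalid
Subject: cheap offer'
AMAVIS_HEADERS='X-Spam-Flag: YES
X-Spam-Level: ***************************'

# simulate_delivery OVERRIDE_OPTS -> final action for a message that passes
# smtpd (pass 1), the filter, and a reinjection listener whose
# receive_override_options is OVERRIDE_OPTS (pass 2, skipped when that list
# contains no_header_body_checks). DUNNO means no rule fired: delivered.
simulate_delivery() {
    a=$(check_headers "$ORIGINAL_HEADERS")          # pass 1: no spam headers yet
    [ "$a" = DUNNO ] || { printf '%s\n' "$a"; return; }
    case ",$1," in
        *,no_header_body_checks,*) echo DUNNO ;;     # pass 2 suppressed
        *) check_headers "$(printf '%s\n%s' "$AMAVIS_HEADERS" "$ORIGINAL_HEADERS")" ;;
    esac
}

printf 'with no_header_body_checks:    %s\n' \
    "$(simulate_delivery no_header_body_checks,no_unknown_recipient_checks)"
printf 'without no_header_body_checks: %s\n' \
    "$(simulate_delivery no_unknown_recipient_checks)"
```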