Re: header checks not working

  • Rob Brandt
    Message 1 of 20 , Jul 1, 2009
      Rob Brandt wrote, On 7/1/2009 9:09 AM:

      >
      > Excellent, I now get a match using postmap. If the spam doesn't cease,
      > I'll be back. Thanks everyone!
      >
      > Rob
      >

      Nuts. I am still getting spam. Is there any reason header_checks might
      not be enabled? Is header_checks being run before SA processes it?

      Here's my header_checks file:
      *********************************************
      # X-Spam-Flag
      /^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag

      Here's my current main.cf:
      *********************************************
      # See /usr/share/postfix/main.cf.dist for a commented, more complete version


      # Debian specific: Specifying a file name will cause the first
      # line of that file to be used as the name. The Debian default
      # is /etc/mailname.
      #myorigin = /etc/mailname

      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      biff = no

      # appending .domain is the MUA's job.
      append_dot_mydomain = no

      # Uncomment the next line to generate "delayed mail" warnings
      #delay_warning_time = 4h

      readme_directory = no

      # TLS parameters
      smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
      smtpd_tls_key_file = /etc/ssl/private/smtpd.key
      smtpd_use_tls=yes
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

      # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
      # information on enabling SSL in the smtp client.

      myhostname = mail.dom.ain
      alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
      alias_database = hash:/etc/aliases
      myorigin = /etc/mailname
      mydestination = amd64.dom.ain, localhost.dom.ain,localhost
      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
      mailbox_size_limit = 0
      recipient_delimiter = +
      virtual_alias_maps =
      hash:/etc/postfix/virtual,hash:/usr/local/mailman/data/virtual-mailman
      home_mailbox = Maildir/
      content_filter = smtp-amavis:[127.0.0.1]:10024
      debug_peer_list = amd64.dom.ain

      unknown_local_recipient_reject_code = 550
      transport_maps = hash:/etc/postfix/transport
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth-client
      smtpd_sasl_local_domain =
      smtpd_sasl_security_options = noanonymous
      broken_sasl_auth_clients = yes
      smtpd_sasl_auth_enable = yes
      smtpd_recipient_restrictions =
      permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
      inet_interfaces = all
      smtpd_tls_auth_only = no
      smtpd_use_tls = yes
      smtp_use_tls = yes
      smtp_tls_note_starttls_offer = yes
      smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom
      header_checks = regexp:/etc/postfix/header_checks

      Here's the headers from a very spammy email I just received:
      *************************************************************
      Return-Path: <alenka@...-88-5-123.dynamicIP.rima-tde.net>
      X-Original-To: bronto-dom.ain@...
      Delivered-To: bronto-dom.ain@...
      Received: from localhost (localhost [127.0.0.1])
      by mail.dom.ain (Postfix) with ESMTP id A24B1422C5
      for <bronto-dom.ain@...>; Wed, 1 Jul 2009 10:10:54 -0700 (PDT)
      X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain
      X-Spam-Flag: YES
      X-Spam-Score: 27.191
      X-Spam-Level: ***************************
      X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31
      tests=[BAYES_99=3.5, DIGEST_MULTIPLE=0.001, FH_HELO_ALMOST_IP=3.565,
      FH_HOST_EQ_DYNAMICIP=4.058, HELO_DYNAMIC_SPLIT_IP=3.493,
      HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
      PYZOR_CHECK=3.7, RAZOR2_CF_RANGE_51_100=0.5,
      RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
      RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1]
      X-Spam-Report:
      * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
      * [score: 1.0000]
      * 4.1 FH_HOST_EQ_DYNAMICIP Host is dynamicip
      * 3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
      * IP)
      * 3.6 FH_HELO_ALMOST_IP Helo is almost an IP addr.
      * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
      * [88.5.123.52 listed in zen.spamhaus.org]
      * 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
      * 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
      * [88.5.123.52 listed in dnsbl.sorbs.net]
      * 0.0 HTML_MESSAGE BODY: HTML included in message
      * 0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large
      * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
      * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
      * above 50%
      * [cf: 100]
      * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
      * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
      * [cf: 100]
      * 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
      * 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
      * 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
      * dynamic-looking rDNS
      Received: from mail.dom.ain ([127.0.0.1])
      by localhost (amd64.dom.ain [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id z1oE2BXbOpmz for <bronto-dom.ain@...>;
      Wed, 1 Jul 2009 10:10:49 -0700 (PDT)
      Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net
      (52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])
      by mail.dom.ain (Postfix) with ESMTP id 39BCB42208
      for <bronto@...>; Wed, 1 Jul 2009 10:10:43 -0700 (PDT)
      Received: from localhost (nr.ru [127.0.0.1])
      by nr.ru (8.14.2/8.14.2) with SMTP id ywaeec63;
      Wed, 1 Jul 2009 18:10:21 +0100
      (envelope-from lyqin@...)
      To: Bronto <bronto@...>
      Subject: ***SPAM*** =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=
      X-PHP-Script: nr.ru/index.php
      From: =?koi8-r?B?7cHSyyD7wdLP1w==?= <lyqin@...>
      Auto-Submitted: auto-generated
      Message-ID: <4694156114.20090701181021@...>
      MIME-Version: 1.0
      Content-Type: text/html; charset="koi8-r"
      Content-Transfer-Encoding: 8bit
      X-Priority: 3
      X-Mailer: IPB PHP
    • Brian Evans - Postfix List
      Message 2 of 20 , Jul 1, 2009
        Rob Brandt wrote:
        >
        >
        > Rob Brandt wrote, On 7/1/2009 9:09 AM:
        >
        >>
        >> Excellent, I now get a match using postmap. If the spam doesn't
        >> cease, I'll be back. Thanks everyone!
        >>
        >> Rob
        >>
        >
        > Nuts. I am still getting spam. Is there any reason header_checks
        > might not be enabled? Is header_checks being run before SA processes it?
        >
        > Here's my header_checks file:
        > *********************************************
        > # X-Spam-Flag
        > /^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag
        >
        > Here's my current main.cf:
        > *********************************************
        > content_filter = smtp-amavis:[127.0.0.1]:10024

        'postconf -n' is preferred here over pasting main.cf. Your eyes may
        play tricks on you.

        Do you have anything like:
        "receive_override_options=no_header_body_checks" in master.cf for the
        content_filter reinjection?
        This will not match if so.
      • Terry Carmen
        Message 3 of 20 , Jul 1, 2009
          > Rob Brandt wrote, On 7/1/2009 9:09 AM:
          >
          >>
          >> Excellent, I now get a match using postmap. If the spam doesn't cease,
          >> I'll be back. Thanks everyone!
          >>
          >> Rob
          >>
          >
          > Nuts. I am still getting spam. Is there any reason header_checks might
          > not be enabled? Is header_checks being run before SA processes it?

          You'll pretty much always get spam. The question is how spammy does
          spamassassin think it is, is it being flagged with the spam header, and is
          your header check matching it?

          >
          > Here's my header_checks file:
          > *********************************************
          > # X-Spam-Flag
          > /^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag
          >
          > Here's my current main.cf:
          > *********************************************

          Without trying to be a "Master of the Obvious", are you actually getting the
          X-Spam-Flag header in your messages? If you're using amavis, it may eat the
          spam headers depending on configuration.

          Also, you don't need the "$" at the end of the string.

          FWIW, you might want to use X-Spam-Level instead of X-Spam-Flag, since it
          gives you more control over how spammy something is before you take action:

          /^X-Spam-Level.*\*\*\*\*\*/ HOLD

          works nicely, for example.

          When you fire up postfix are there any error messages in the log?

          Terry


          > # See /usr/share/postfix/main.cf.dist for a commented, more complete version
          >
          >
          > # Debian specific: Specifying a file name will cause the first
          > # line of that file to be used as the name. The Debian default
          > # is /etc/mailname.
          > #myorigin = /etc/mailname
          >
          > smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
          > biff = no
          >
          > # appending .domain is the MUA's job.
          > append_dot_mydomain = no
          >
          > # Uncomment the next line to generate "delayed mail" warnings
          > #delay_warning_time = 4h
          >
          > readme_directory = no
          >
          > # TLS parameters
          > smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
          > smtpd_tls_key_file = /etc/ssl/private/smtpd.key
          > smtpd_use_tls=yes
          > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
          > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
          >
          > # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
          > # information on enabling SSL in the smtp client.
          >
          > myhostname = mail.dom.ain
          > alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
          > alias_database = hash:/etc/aliases
          > myorigin = /etc/mailname
          > mydestination = amd64.dom.ain, localhost.dom.ain,localhost
          > mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
          > mailbox_size_limit = 0
          > recipient_delimiter = +
          > virtual_alias_maps =
          > hash:/etc/postfix/virtual,hash:/usr/local/mailman/data/virtual-mailman
          > home_mailbox = Maildir/
          > content_filter = smtp-amavis:[127.0.0.1]:10024
          > debug_peer_list = amd64.dom.ain
          >
          > unknown_local_recipient_reject_code = 550
          > transport_maps = hash:/etc/postfix/transport
          > smtpd_sasl_type = dovecot
          > smtpd_sasl_path = private/auth-client
          > smtpd_sasl_local_domain =
          > smtpd_sasl_security_options = noanonymous
          > broken_sasl_auth_clients = yes
          > smtpd_sasl_auth_enable = yes
          > smtpd_recipient_restrictions =
          > permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
          > inet_interfaces = all
          > smtpd_tls_auth_only = no
          > smtpd_use_tls = yes
          > smtp_use_tls = yes
          > smtp_tls_note_starttls_offer = yes
          > smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
          > smtpd_tls_loglevel = 1
          > smtpd_tls_received_header = yes
          > smtpd_tls_session_cache_timeout = 3600s
          > tls_random_source = dev:/dev/urandom
          > header_checks = regexp:/etc/postfix/header_checks
          >
          > Here's the headers from a very spammy email I just received:
          > *************************************************************
          > Return-Path: <alenka@...-88-5-123.dynamicIP.rima-tde.net>
          > X-Original-To: bronto-dom.ain@...
          > Delivered-To: bronto-dom.ain@...
          > Received: from localhost (localhost [127.0.0.1])
          > by mail.dom.ain (Postfix) with ESMTP id A24B1422C5
          > for <bronto-dom.ain@...>; Wed, 1 Jul 2009 10:10:54 -0700 (PDT)
          > X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain
          > X-Spam-Flag: YES
          > X-Spam-Score: 27.191
          > X-Spam-Level: ***************************
          > X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31
          > tests=[BAYES_99=3.5, DIGEST_MULTIPLE=0.001, FH_HELO_ALMOST_IP=3.565,
          > FH_HOST_EQ_DYNAMICIP=4.058, HELO_DYNAMIC_SPLIT_IP=3.493,
          > HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
          > PYZOR_CHECK=3.7, RAZOR2_CF_RANGE_51_100=0.5,
          > RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
          > RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1]
          > X-Spam-Report:
          > * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
          > * [score: 1.0000]
          > * 4.1 FH_HOST_EQ_DYNAMICIP Host is dynamicip
          > * 3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
          > * IP)
          > * 3.6 FH_HELO_ALMOST_IP Helo is almost an IP addr.
          > * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
          > * [88.5.123.52 listed in zen.spamhaus.org]
          > * 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
          > * 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
          > * [88.5.123.52 listed in dnsbl.sorbs.net]
          > * 0.0 HTML_MESSAGE BODY: HTML included in message
          > * 0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large
          > * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
          > * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
          > * above 50%
          > * [cf: 100]
          > * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
          > * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
          > * [cf: 100]
          > * 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
          > * 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
          > * 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
          > * dynamic-looking rDNS
          > Received: from mail.dom.ain ([127.0.0.1])
          > by localhost (amd64.dom.ain [127.0.0.1]) (amavisd-new, port 10024)
          > with ESMTP id z1oE2BXbOpmz for <bronto-dom.ain@...>;
          > Wed, 1 Jul 2009 10:10:49 -0700 (PDT)
          > Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net
          > (52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])
          > by mail.dom.ain (Postfix) with ESMTP id 39BCB42208
          > for <bronto@...>; Wed, 1 Jul 2009 10:10:43 -0700 (PDT)
          > Received: from localhost (nr.ru [127.0.0.1])
          > by nr.ru (8.14.2/8.14.2) with SMTP id ywaeec63;
          > Wed, 1 Jul 2009 18:10:21 +0100
          > (envelope-from lyqin@...)
          > To: Bronto <bronto@...>
          > Subject: ***SPAM*** =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=
          > X-PHP-Script: nr.ru/index.php
          > From: =?koi8-r?B?7cHSyyD7wdLP1w==?= <lyqin@...>
          > Auto-Submitted: auto-generated
          > Message-ID: <4694156114.20090701181021@...>
          > MIME-Version: 1.0
          > Content-Type: text/html; charset="koi8-r"
          > Content-Transfer-Encoding: 8bit
          > X-Priority: 3
          > X-Mailer: IPB PHP
          >
          >


          --
          CNY Support, LLC
          Web. Database. Business
          http://www.cnysupport.com
        • Rob Brandt
          Message 4 of 20 , Jul 1, 2009
            Brian Evans - Postfix List wrote, On 7/1/2009 10:40 AM:

            >
            > Do you have anything like:
            > "receive_override_options=no_header_body_checks" in master.cf for the
            > content_filter reinjection?
            > This will not match if so.


            Bingo:

            -o
            receive_override_options=no_header_body_checks,no_unknown_recipient_checks

            Any negative consequences for eliminating this line, or changing it to:

            -o receive_override_options=no_unknown_recipient_checks

            Rob
          • Jan P. Kessler
            Message 5 of 20 , Jul 1, 2009
              > Bingo:
              >
              > -o
              > receive_override_options=no_header_body_checks,no_unknown_recipient_checks
              >
              >
              > Any negative consequences for eliminating this line, or changing it to:
              >
              > -o receive_override_options=no_unknown_recipient_checks

              header_checks will be executed twice
            • Rob Brandt
              Message 6 of 20 , Jul 1, 2009
                Jan P. Kessler wrote, On 7/1/2009 12:34 PM:
                >> Bingo:
                >>
                >> -o
                >> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
                >>
                >>
                >> Any negative consequences for eliminating this line, or changing it to:
                >>
                >> -o receive_override_options=no_unknown_recipient_checks
                >
                > header_checks will be executed twice
                >
                >

                That doesn't sound right or good. What's the right way to do this?

                Rob
              • Victor Duchovni
                Message 7 of 20 , Jul 1, 2009
                  On Wed, Jul 01, 2009 at 01:50:02PM -0700, Rob Brandt wrote:

                  >
                  >
                  > Jan P. Kessler wrote, On 7/1/2009 12:34 PM:
                  >>> Bingo:
                  >>>
                  >>> -o
                  >>> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
                  >>>
                  >>>
                  >>> Any negative consequences for eliminating this line, or changing it to:
                  >>>
                  >>> -o receive_override_options=no_unknown_recipient_checks
                  >> header_checks will be executed twice
                  >
                  > That doesn't sound right or good. What's the right way to do this?

                  Nothing wrong with that, especially if your header_checks file is
                  reasonably short and simple (as it should be).

                  If you are using 2.6, you could try a multi-instance config, with
                  separate header checks before and after the filter.

                  http://www.postfix.org/MULTI_INSTANCE_README.html

                  --
                  Viktor.

                  Disclaimer: off-list followups get on-list replies or get ignored.
                  Please do not ignore the "Reply-To" header.

                  To unsubscribe from the postfix-users list, visit
                  http://www.postfix.org/lists.html or click the link below:
                  <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                  If my response solves your problem, the best way to thank me is to not
                  send an "it worked, thanks" follow-up. If you must respond, please put
                  "It worked, thanks" in the "Subject" so I can delete these quickly.
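The situation Brian asks about and Rob confirms (the amavis reinjection listener in master.cf carrying receive_override_options=no_header_body_checks), as an added example that is not code from the thread or from Postfix: a small Python simulation of the two cleanup passes. It parses a constructed master.cf fragment (the service names, ports and -o lines are assumptions), applies the thread's X-Spam-Flag rule on each pass, and shows that the rule can only match on the second pass, once amavis has added the header. Removing the override lets the rule fire, at the cost of header_checks being evaluated on both passes, which is Jan's point. Python's re module stands in for Postfix's POSIX regexp tables here.

```python
import re

# Constructed sample: the header_checks rule from the thread, as a (pattern, action) table.
HEADER_CHECKS = [(r"^X-Spam-Flag: YES$", "DISCARD")]

# Constructed master.cf fragment modelled on the reinjection listener Rob found.
# Service names, ports and the -o lines are assumptions for this example.
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
smtp-amavis unix -      -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""


def parse_master_overrides(text):
    """Map each master.cf service to its '-o name=value' overrides (the indented
    lines that follow the service line). Comments and blank lines are skipped."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":              # unindented: a new service entry
            current = raw.split()[0]
            services[current] = {}
        elif current and raw.strip().startswith("-o"):
            name, _, value = raw.strip()[2:].strip().partition("=")
            services[current][name] = value
    return services


def apply_header_checks(headers, table=HEADER_CHECKS):
    """Check each header line against the table; first matching pattern wins,
    as in cleanup(8). regexp: tables are case-insensitive by default."""
    for line in headers:
        for pattern, action in table:
            if re.search(pattern, line, re.IGNORECASE):
                return action
    return None


def deliver(headers, reinjection_overrides, filter_headers):
    """Simulate smtpd:25 -> cleanup -> content_filter -> smtpd:10025 -> cleanup.
    Returns (final action, trace of (stage, header_checks result))."""
    trace = []
    action = apply_header_checks(headers)          # pass 1: headers as received
    trace.append(("smtpd:25", action))
    if action == "DISCARD":
        return "DISCARD", trace
    tagged = filter_headers + headers              # amavis prepends its headers
    opts = reinjection_overrides.get("receive_override_options", "").split(",")
    if "no_header_body_checks" in opts:            # pass 2 skipped by the override
        trace.append(("smtpd:10025", "skipped"))
        return "DELIVER", trace
    action = apply_header_checks(tagged)           # pass 2: tagged headers
    trace.append(("smtpd:10025", action))
    return ("DISCARD" if action == "DISCARD" else "DELIVER"), trace


# Constructed spam headers as the port-25 smtpd sees them: no X-Spam-* yet.
ORIGINAL = ["From: someone@example.invalid", "Subject: hello",
            "To: bronto@example.invalid"]
# Constructed headers amavis/SpamAssassin add before reinjection.
FILTER_ADDED = ["X-Virus-Scanned: amavisd-new", "X-Spam-Flag: YES",
                "X-Spam-Level: ***************************"]


def run():
    """Outcome with the listener as found, and with no_header_body_checks removed."""
    listener = parse_master_overrides(MASTER_CF)["127.0.0.1:10025"]
    as_found = deliver(ORIGINAL, listener, FILTER_ADDED)
    fixed = dict(listener, receive_override_options="no_unknown_recipient_checks")
    return as_found, deliver(ORIGINAL, fixed, FILTER_ADDED)


if __name__ == "__main__":
    for label, (action, trace) in zip(("as found", "override removed"), run()):
        print(f"{label}: {action} {trace}")
```

The trace for the corrected listener shows header_checks evaluated at both stages; that is the double execution Jan mentions, and it is harmless as long as the table is short and has no rule that misbehaves when it sees the message a second time (a pre-filter rule that rewrote or rejected on headers amavis adds would be the thing to watch).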
                • Sahil Tandon
                  Message 8 of 20 , Jul 1, 2009
                    On Wed, 01 Jul 2009, Magnus Bäck wrote:

                    > > Sahil Tandon wrote:
                    > >
                    > > > I prefer pcre:, but the following patterns should work with regexp:
                    > > > as well.
                    >
                    > No, {n} isn't supported by regexp.

                    It is. As noted in regexp_table(5), each pattern is a POSIX regular
                    expression, whose syntax is documented in re_format(7). For posterity (and
                    the interested reader), a relevant excerpt from the man page:

                    A bound is `{' followed by an unsigned decimal integer, possibly followed
                    by `,' possibly followed by another unsigned decimal integer, always
                    followed by `}'. The integers must lie between 0 and RE_DUP_MAX (255)
                    inclusive, and if there are two of them, the first may not exceed the
                    second. An atom followed by a bound containing one integer i and no
                    comma matches a sequence of exactly i matches of the atom. An atom
                    followed by a bound containing one integer i and a comma matches a sequence
                    of i or more matches of the atom. An atom followed by a bound containing
                    two integers i and j matches a sequence of i through j (inclusive)
                    matches of the atom.

                    Also see the EXAMPLE BODY FILTER MAP in regexp_table(5) for another example
                    of how to use bounds with regexp.

                    --
                    Sahil Tandon <sahil@...>
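As an added illustration of Sahil's point that regexp: tables accept POSIX bounds, and of Terry's suggestion to act on X-Spam-Level rather than X-Spam-Flag (this is not code from the thread or from Postfix): Python's re module stands in for the regexp engine, checking that `\*{5}` matches the same X-Spam-Level lines as Terry's literal five-star pattern, and applying a graded table. The actions and thresholds are assumptions. The caveat a practitioner wants is ordering: a header_checks table is first-match-wins, so the higher threshold has to come first or it is never reached.

```python
import re

# Terry's pattern, verbatim from the thread.
TERRY_PATTERN = r"^X-Spam-Level.*\*\*\*\*\*"

# Constructed graded table using POSIX bounds. Highest threshold first, because
# cleanup(8) stops at the first matching pattern. Actions are assumptions.
LEVEL_RULES = [
    (r"^X-Spam-Level: \*{15}", "DISCARD"),   # 15 or more stars
    (r"^X-Spam-Level: \*{5}", "HOLD"),       # 5 or more stars
]

# Same rules in the wrong order: the \*{5} rule shadows the \*{15} rule.
MISORDERED = list(reversed(LEVEL_RULES))


def level_action(header_line, rules=LEVEL_RULES):
    """First matching rule wins; regexp: tables are case-insensitive by default."""
    for pattern, action in rules:
        if re.match(pattern, header_line, re.IGNORECASE):
            return action
    return None


def same_as_literal(header_line):
    """Does the bound form agree with Terry's literal five-star form on this line?"""
    bound = re.search(r"^X-Spam-Level: \*{5}", header_line) is not None
    literal = re.search(TERRY_PATTERN, header_line) is not None
    return bound == literal


def stars(n):
    """Constructed X-Spam-Level header with n stars (SpamAssassin uses one per point)."""
    return "X-Spam-Level: " + "*" * n


if __name__ == "__main__":
    for n in (3, 7, 27):
        print(stars(n), "->", level_action(stars(n)),
              "(misordered:", level_action(stars(n), MISORDERED), ")")
```

On a real system the equivalent check is `postmap -q "X-Spam-Level: *******" regexp:/etc/postfix/header_checks`, the same query Rob used to confirm his X-Spam-Flag rule; it prints the action of the first rule that matches, so it also exposes the ordering problem shown here.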