Using body_checks.


Using body_checks.

Miguel Da Silva - Centro de Matemática-3
I wrote down the following regular expression, would it work properly?!

if /^[> ]*From:(.*)(cmat\.edu\.uy)/
if /^[> ]*Message-ID/
!/^[> ]*Message-ID:(.*)(cmat\.edu\.uy)/
     REJECT Message-ID and From incorrect
endif
endif

My idea is to reject mail whose From header seems to have an e-mail from my
domain, but according to the Message-ID header this message could not be
sent from my server.

I'm using body_checks because these "headers" come as part of bounce
messages we're receiving (backscatter).

Thank you.
--
Miguel Da Silva
Administrador Junior de Sistemas Unix
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy

Re: Using body_checks.

Wietse Venema
Miguel Da Silva - Centro de Matemática:
> I wrote down the following regular expression, would it work properly?!
>
> if /^[> ]*From:(.*)(cmat\.edu\.uy)/
> if /^[> ]*Message-ID/
> !/^[> ]*Message-ID:(.*)(cmat\.edu\.uy)/
>      REJECT Message-ID and From incorrect
> endif
> endif

AS DOCUMENTED, the above regexps MUST match the same string.

        Wietse

Re: Using body_checks.

Miguel Da Silva - Centro de Matemática-3
In reply to this post by Miguel Da Silva - Centro de Matemática-3
Miguel Da Silva - Centro de Matemática wrote:

> I wrote down the following regular expression, would it work properly?!
>
> if /^[> ]*From:(.*)(cmat\.edu\.uy)/
> if /^[> ]*Message-ID/
> !/^[> ]*Message-ID:(.*)(cmat\.edu\.uy)/
>     REJECT Message-ID and From incorrect
> endif
> endif
>
> My idea is to reject mail whose From header seems to have an e-mail from my
> domain, but according to the Message-ID header this message could not be
> sent from my server.
>
> I'm using body_checks because these "headers" come as part of bounce
> messages we're receiving (backscatter).
>
> Thank you.

Answering myself...

if /pattern/flags
endif   Match the input string against the patterns between
        if and endif, if and only if the same input  string
        also matches /pattern/. The if..endif can nest.

Taken from header_checks(5) manual page. So, I will not find an input
string with From and Message-ID header at the same time. :(

Greetings.
--
Miguel Da Silva
Administrador Junior de Sistemas Unix
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy

Re: Using body_checks.

mouss-2
In reply to this post by Miguel Da Silva - Centro de Matemática-3
Miguel Da Silva - Centro de Matemática wrote:

> I wrote down the following regular expression, would it work properly?!
>
> if /^[> ]*From:(.*)(cmat\.edu\.uy)/
> if /^[> ]*Message-ID/
> !/^[> ]*Message-ID:(.*)(cmat\.edu\.uy)/
>     REJECT Message-ID and From incorrect
> endif
> endif
>
> My idea is to reject mail whose From header seems to have an e-mail from my
> domain, but according to the Message-ID header this message could not be
> sent from my server.

No. If you need to take decisions based on the contents of multiple
lines, use a content filter.

This is explained in body_checks(5), which you can read on your system
(man body_checks) or on the web:
        http://www.postfix.org/header_checks.5.html

In particular, read the part that says:
<cite>
...
        Many people overlook the main limitations  of  header  and
        body_checks rules.

        o      These  rules  operate on one logical message header
               or one body line at a time. A decision made for one
               line is not carried over to the next line.

        o      If  text  in the message body is encoded (RFC 2045)
               then the rules need to be specified for the encoded
               form.

        o      Likewise,  when  message  headers  are encoded (RFC
               2047) then the rules need to be specified  for  the
               encoded form.
...
</cite>



>
> I'm using body_checks because these "headers" come as part of bounce
> messages we're receiving (backscatter).
>
> Thank you.


Re: Using body_checks.

Noel Jones-2
mouss wrote:

> Miguel Da Silva - Centro de Matemática wrote:
>> I wrote down the following regular expression, would it work properly?!
>>
>> if /^[> ]*From:(.*)(cmat\.edu\.uy)/
>> if /^[> ]*Message-ID/
>> !/^[> ]*Message-ID:(.*)(cmat\.edu\.uy)/
>>     REJECT Message-ID and From incorrect
>> endif
>> endif
>>
>> My idea is to reject mail whose From header seems to have an e-mail from
>> my domain, but according to the Message-ID header this message could
>> not be sent from my server.
>
> No. If you need to take decisions based on the contents of multiple
> lines, use a content filter.
>
> This is explained in body_checks(5), which you can read on your system
> (man body_checks) or on the web:
>     http://www.postfix.org/header_checks.5.html
>
> In particular, read the part that says:
> <cite>
> ...
>        Many people overlook the main limitations  of  header  and
>        body_checks rules.
>
>        o      These  rules  operate on one logical message header
>               or one body line at a time. A decision made for one
>               line is not carried over to the next line.
>
>        o      If  text  in the message body is encoded (RFC 2045)
>               then the rules need to be specified for the encoded
>               form.
>
>        o      Likewise,  when  message  headers  are encoded (RFC
>               2047) then the rules need to be specified  for  the
>               encoded form.
> ...
> </cite>
>
>

Some suggestions on how to stop most backscatter using postfix
are found in
http://www.postfix.org/BACKSCATTER_README.html

For more in-depth checks, one must use a content_filter.
Spamassassin's vbounce ruleset does a pretty good job of
catching these.

--
Noel Jones
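
[Added example, not part of the original thread and not Postfix code.] The following Python sketch models the "one body line at a time" limitation quoted above: the posted nested rule is applied per line, as body_checks does, and then the same three patterns are applied with state kept across lines, as a content filter can. The sample bounce bodies and the function names are constructed for illustration.

```python
import re

# Patterns copied from the rule posted in the thread. Postfix regexp tables
# are case-insensitive by default, hence re.IGNORECASE.
FROM_LOCAL = re.compile(r"^[> ]*From:(.*)(cmat\.edu\.uy)", re.I)
MSGID_ANY = re.compile(r"^[> ]*Message-ID", re.I)
MSGID_LOCAL = re.compile(r"^[> ]*Message-ID:(.*)(cmat\.edu\.uy)", re.I)

# Constructed sample bounce bodies (not real traffic).
FORGED_BOUNCE = """\
Your message could not be delivered. Original headers follow.

> From: "Some User" <user@cmat.edu.uy>
> Message-ID: <20080101.1234@unrelated.example.org>
> Subject: hello
"""
GENUINE_BOUNCE = FORGED_BOUNCE.replace("unrelated.example.org", "mail.cmat.edu.uy")


def nested_rule(line):
    """The posted if/if/!pattern rule: all three tests see the SAME line."""
    if FROM_LOCAL.search(line) and MSGID_ANY.search(line):
        if not MSGID_LOCAL.search(line):
            return "REJECT Message-ID and From incorrect"
    return None


def body_checks_verdicts(body):
    """body_checks semantics: one line at a time, nothing carried over."""
    return [nested_rule(line) for line in body.splitlines()]


def multiline_verdict(body):
    """Content-filter style: keep state across the lines of the quoted headers."""
    from_local = msgid_seen = msgid_local = False
    for line in body.splitlines():
        from_local = from_local or bool(FROM_LOCAL.search(line))
        if MSGID_ANY.search(line):
            msgid_seen = True
            msgid_local = msgid_local or bool(MSGID_LOCAL.search(line))
    if from_local and msgid_seen and not msgid_local:
        return "REJECT Message-ID and From incorrect"
    return None


if __name__ == "__main__":
    print(body_checks_verdicts(FORGED_BOUNCE))  # the nested rule never fires
    print(multiline_verdict(FORGED_BOUNCE))
    print(multiline_verdict(GENUINE_BOUNCE))
```

Because both the From and the Message-ID patterns are anchored at the start of the line, no single line can satisfy the outer and inner conditions, so the per-line rule returns no verdict for any input.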


Re: Using body_checks.

Miguel Da Silva - Centro de Matemática-3
Noel Jones wrote:

> mouss wrote:
>> Miguel Da Silva - Centro de Matemática wrote:
>>> I wrote down the following regular expression, would it work properly?!
>>>
>>> if /^[> ]*From:(.*)(cmat\.edu\.uy)/
>>> if /^[> ]*Message-ID/
>>> !/^[> ]*Message-ID:(.*)(cmat\.edu\.uy)/
>>>     REJECT Message-ID and From incorrect
>>> endif
>>> endif
>>>
>>> My idea is to reject mail whose From header seems to have an e-mail from
>>> my domain, but according to the Message-ID header this message could
>>> not be sent from my server.
>>
>> No. If you need to take decisions based on the contents of multiple
>> lines, use a content filter.
>>
>> This is explained in body_checks(5), which you can read on your system
>> (man body_checks) or on the web:
>>     http://www.postfix.org/header_checks.5.html
>>
>> In particular, read the part that says:
>> <cite>
>> ...
>>        Many people overlook the main limitations  of  header  and
>>        body_checks rules.
>>
>>        o      These  rules  operate on one logical message header
>>               or one body line at a time. A decision made for one
>>               line is not carried over to the next line.
>>
>>        o      If  text  in the message body is encoded (RFC 2045)
>>               then the rules need to be specified for the encoded
>>               form.
>>
>>        o      Likewise,  when  message  headers  are encoded (RFC
>>               2047) then the rules need to be specified  for  the
>>               encoded form.
>> ...
>> </cite>
>>
>>
>
> Some suggestions on how to stop most backscatter using postfix are found in
> http://www.postfix.org/BACKSCATTER_README.html
>
> For more in-depth checks, one must use a content_filter. Spamassassin's
> vbounce ruleset does a pretty good job of catching these.
>

I'm using this ruleset. I could feel some improvements after setting up
this ruleset and also enabling header_checks, but some backscatter
messages are still being delivered to local users. The ratio is about 10
msgs/hour.

Greetings.
--
Miguel Da Silva
Administrador Junior de Sistemas Unix
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy

Re: Using body_checks.

Ralf Hildebrandt
In reply to this post by Miguel Da Silva - Centro de Matemática-3
* Miguel Da Silva - Centro de Matemática <[hidden email]>:
> I wrote down the following regular expression, would it work properly?!

Didn't I just tell you in my other mail that you need a content_filter?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
Windows NT crashed.
I am the Blue Screen of Death.
No one hears your screams.

Re: Using body_checks.

Miguel Da Silva - Centro de Matemática-3
Ralf Hildebrandt wrote:
> * Miguel Da Silva - Centro de Matemática <[hidden email]>:
>> I wrote down the following regular expression, would it work properly?!
>
> Didn't I just tell you in my other mail that you need a content_filter?
>

You're sure... but just now I could read your other mail. :)

So, forgive me for making so much noise. :)

Greetings.
--
Miguel Da Silva
Administrador Junior de Sistemas Unix
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy