Hi, I'm getting spam messages with an empty subject line. I would like to have Postfix refuse these, so I need to have a line in my header-checks list. I'm new to this (I copied a list from http://www.securitysage.com/files/header_checks.short) and I'm unsure how to write such a line. Would '/^Subject:!.+/ REJECT ...' do the job? I think it means 'Subject:' followed by 'not (more than zero characters)'. B.T.W. is it possible to modify the header checks 'on-the-fly', i.e. without restarting Postfix? Maybe with MySQL? Another thought: should Amavis/Spamassassin do this? TIA. -- Met vriendelijke groeten, Koenraad Lelong R&D Manager ACE electronics n.v.
Wed, 23 Jun 2004, by k.lelong@ace-electronics.be:
Hi, I'm getting spam messages with an empty subject line. I would like to have Postfix refuse these, so I need to have a line in my header-checks list. I'm new to this (I copied a list from http://www.securitysage.com/files/header_checks.short) and I'm unsure how to write such a line. Would '/^Subject:!.+/ REJECT ...' do the job?
I think it means 'Subject:' followed by 'not (more than zero characters)'.
There is a very nice tool for that called 'pcretest':

$ pcretest
PCRE version 4.4 21-August-2003
$ rpm -qf /usr/bin/pcretest
pcre-4.4-109

Your example means 'Subject:!' followed by at least 1 character.

  re> /^Subject:!.+/
data> Subject:!a
 0: Subject:!a
data> Subject:!
No match
data>

What you want is:

  re> /^Subject:[[:blank:]]*$/
data> Subject: a
No match
data> Subject:
 0: Subject:
B.T.W. is it possible to modify the header checks 'on-the-fly', i.e. without restarting Postfix? Maybe with MySQL?
Postfix does re-check these files by itself, so yes, but this could take a while depending on the workload.
Another thought: should Amavis/Spamassassin do this?
No imho. Using body/headercheck is only a very crude way to fight UCE, with a high possibility of false positives and negatives. Only use it for some well-defined cases (like the well known win32 executable strings, SoBig Subjects etc.) E.g. Subjects without content can better be dealt with by SA, with a local rule and a + score of a few points.

Theo
--
Theo v. Werkhoven        Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 27N, 4 29 45E.   ICQ: 277217131
SUSE 9.1                    Jabber: gurp@nedlinux.nl
Kernel k_athlon-2.6.4       MSN: twe-msn@ferrets4me.xs4all.nl
See headers for PGP/GPG info.
Theo v. Werkhoven wrote:
Wed, 23 Jun 2004, by k.lelong@ace-electronics.be:
....
There is a very nice tool for that called 'pcretest':

$ pcretest
PCRE version 4.4 21-August-2003
I'm going to look into this, but does pcre have the same syntax as regexp? As far as I could understand by reading the regexp man pages, the ! means 'not', inversion of the following rule. Maybe I forgot some brackets.
Another thought: should Amavis/Spamassassin do this?
No imho. Using body/headercheck is only a very crude way to fight UCE, with a high possibility of false positives and negatives. Only use it for some well-defined cases (like the well known win32 executable strings, SoBig Subjects etc.)
Noted.
E.g. Subjects without content can better be dealt with by SA, with a local rule and a + score of a few points.
I was looking for some docs about setting up Spamassassin, but maybe I'm not looking hard enough. That's why I wanted to try it with Postfix's header checks. -- Met vriendelijke groeten, Koenraad Lelong R&D Manager ACE electronics n.v.
Mon, 28 Jun 2004, by k.lelong@ace-electronics.be:
Theo v. Werkhoven wrote:
Wed, 23 Jun 2004, by k.lelong@ace-electronics.be:
....
There is a very nice tool for that called 'pcretest':

$ pcretest
PCRE version 4.4 21-August-2003
I'm going to look into this, but does pcre have the same syntax as regexp? As far as I could understand by reading the regexp man pages, the ! means 'not', inversion of the following rule. Maybe I forgot some brackets.
Pcre (Perl Compatible Regular Expression) is an extension of the normal regexp library, comparable to Extended regexp. It knows expressions like \d for 'decimal number', \w for word, \s for 'whitespace' etc. From what I see in re_syntax(n), '!' to negate is only used in constraint matches:

    A constraint matches an empty string when specific conditions are met.
    A constraint may not be followed by a quantifier. The simple
    constraints are as follows; some more constraints are described later,
    under ESCAPES.

    (?!re)  negative lookahead (AREs only), matches at any point where no
            substring matching re begins

I couldn't find this function in the pcre explanation in /usr/share/doc/packages/pcre/html/pcrepattern.html btw. In bracket expressions a '^' is used to negate a search:

    BRACKET EXPRESSIONS
    A bracket expression is a list of characters enclosed in `[]'. It
    normally matches any single character from the list (but see below).
    If the list begins with `^', it matches any single character (but see
    below) not from the rest of the list.

Theo
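To make the difference between the two patterns concrete, here is an added example (not code from this thread or from Postfix) that walks a small header_checks-style table the way Postfix does: first matching rule wins, case-insensitive by default. It assumes Python's `re`, which lacks the POSIX `[[:blank:]]` class, so that class is written `[ \t]`; the negative-lookahead variant from the re_syntax(n) excerpt above is included for comparison.

```python
import re

# Added example, not from the thread: emulate how Postfix walks a pcre/regexp
# header_checks table. Rules are tried in order, the first match wins, and
# matching is case-insensitive unless a rule turns it off. Python's re has no
# POSIX [[:blank:]] class, so it is spelled [ \t] here; the meaning is the same.

# The first poster's attempt: '!' is a literal character in a regex, so this
# only fires on a Subject whose text starts with an exclamation mark.
NAIVE_RULE = (r"^Subject:!.+", "REJECT literal bang")

# Theo's pcretest version: header name, optional blanks, then end of line.
EMPTY_SUBJECT_RULE = (r"^Subject:[ \t]*$", "REJECT empty subject")

# The same test written with the negative lookahead from re_syntax(n):
# 'Subject:' after which no non-blank character follows.
LOOKAHEAD_RULE = (r"^Subject:(?![ \t]*\S)", "REJECT empty subject (lookahead)")


def header_check(header_line, rules):
    """Return the action of the first rule matching header_line, else None."""
    for pattern, action in rules:
        if re.search(pattern, header_line, re.IGNORECASE):
            return action
    return None


# Constructed header lines, one per call, the way Postfix feeds header_checks.
SAMPLE_HEADERS = [
    "Subject:",            # truly empty
    "Subject: \t",         # only whitespace after the colon
    "subject:",            # lower-case header name, still caught
    "Subject: Hello",      # normal subject, must pass
    "Subject:!a",          # the only thing the naive rule actually catches
    "X-Subject:",          # different header; the ^ anchor keeps it out
]


def run_table(rules, headers=SAMPLE_HEADERS):
    """Map each header line to the action a table of rules would take."""
    return {h: header_check(h, rules) for h in headers}


if __name__ == "__main__":
    for name, rule in (("naive", NAIVE_RULE), ("blank", EMPTY_SUBJECT_RULE),
                       ("lookahead", LOOKAHEAD_RULE)):
        print(name)
        for header, action in run_table([rule]).items():
            print(f"  {header!r:18} -> {action}")
```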