Re: Creating header/body_checks rules for UCE

From: Adam D (emlistsgmail.com)
Date: Fri Oct 20 2006 - 18:11:15 CDT


[snip] from other thread to combine 2 threads into one

mouss wrote:
> Adam D wrote:
>> mouss wrote:
>>
>>> Adam D wrote:
>>>
>>>> That is a bummer with that example. But I hope I may pick up something
>>>> else that will at least help if not put me in a different direction.
>>>>
>>> regex is good to learn. but don't try too much header/body checks. if you
>>> think regex will help, use spamassassin and write rules for that.
>>> postfix header and body checks are limited and should not be abused.
>>>
>>>
>>
>> Good point. There are some definite header/body checks that are
>> keeping some mail that are SPAM such as anything to do with certain
>> drugs in the headers. This does have to be careful because thinking
>> of blocking one word for SPAM and not recognizing that it can belong
>> inside another legit word can cause trouble. Another desire is to not
>> accept any mail attachment that has to do with images such as:
>> gif,ps,tif,jpeg etc. from Debian mailing lists that I subscribe.
>> Going back to 2002 when I started to use Debian I have not seen any
>> reason to even accept a message with an image attachment from the
>> lists. I would rather stop those mail at the door and not have to
>> deal with processing time telling me it is SPAM as it is most certain
>> to be 99.99%.
>>
>
> true, but postfix doesn't decode MIME when doing header/body checks. so
> you need to have additional rules for base64 for instance.
> also, you need to reject those foo.txt.exe ...
>
>
>> As for rules in spamassassin, can one write a rule after knowing it is
>> SPAM (again some meds) and automatically delete them before they are
>> sent back into the delivery queue?
>>
>>
>
> spamassassin is too expensive to use at SMTP time (as a proxy filter).
> but you can write a perl script and use it with proxsmtp if you insist
> on rejecting at smtp time but don't care running a perl script. Up so
> far, I just quarantine those to a Junk folder. I am working on doing
> better but this not a priority for me.

[snip] from other thread to combine 2 threads into one

Charles Gregory wrote:
> On Wed, 18 Oct 2006, Adam D wrote:
>>>> if address=xyzgmail.com and attachment=*.gif then DISCARD
>
> Even though this can't be done in postfix, it occurred to me that
> you could place individual tests for these in your header_checks, and
> set them to just log a WARNING. Then you could run a small script to
> tail -f the maillog and check for pairs of warnings, then use the IP
> address info to update an IP blacklist.....
>
> Of course, to avoid false positives, you might want to have another
> mechanism to 'age' and remove the listings after a day or two....
>
> - Charles

All your input has made me rethink this. At the time I was receiving a high volume of spam from all the Debian mailing lists I subscribe to, and there was a large abundance of stock spam with .gif attachments. I was hoping to curtail the spam from entering the server and wasting spamassassin cycles, with postfix delivery, cyrus IMAP, and sieve all having their hands on the same piece of spam. Now that I have noticed the .gif attachment mail from Debian (murphy) has slowed or even stopped (I have not seen any in a while), it makes me rethink and go back to my original plan: create a sieve script to look for headers from debian (murphy) and content-type *.gif, and deliver it to a mailbox of tagged/untagged spam.

I was thinking it would be nice to curtail all this at the SMTP level; however, I can just go back to the original plan of using sieve.

I do appreciate all the help and suggestions on the different parts of the thread. The regular expressions idea was invaluable, and I would never have thought of reading up on regex.

Thanks again,

-Adam
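Charles's suggestion above (header_checks rules that only WARN, plus a log watcher that looks for pairs of warnings per message and ages listings out) as an added example; this is not code from the thread or from Postfix. The log layout matched by the regex, the rule labels SUSPECT_SENDER and IMAGE_ATTACHMENT, and the sample log lines are all constructed assumptions; a real deployment would tail the live maillog instead of a list.

```python
import re
from datetime import datetime, timedelta

# Assumed layout of a header_checks WARN line written by cleanup(8): timestamp,
# queue id, the header that matched, the client host[ip], and the rule's text.
WARN_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/cleanup\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): warning: header [^:]+: .* from '
    r'\S+\[(?P<ip>[\d.]+)\];.*: (?P<tag>\S+)$')
# Labels assumed to be the free text of the two header_checks WARN rules.
PAIR = {"SUSPECT_SENDER", "IMAGE_ATTACHMENT"}
# Constructed log lines: queue id 4F1A2B trips both rules, 7C9D3E only one.
SAMPLE_LOG = [
    'Oct 20 18:11:15 mx postfix/cleanup[2231]: 4F1A2B: warning: header From: '
    'xyz@example.com from mail.example.net[192.0.2.10]; from=<xyz@example.com> '
    'to=<me@example.org> proto=ESMTP helo=<mail.example.net>: SUSPECT_SENDER',
    'Oct 20 18:11:15 mx postfix/cleanup[2231]: 4F1A2B: warning: header '
    'Content-Type: image/gif; name="stock.gif" from mail.example.net[192.0.2.10]; '
    'from=<xyz@example.com> to=<me@example.org> proto=ESMTP '
    'helo=<mail.example.net>: IMAGE_ATTACHMENT',
    'Oct 20 18:12:01 mx postfix/cleanup[2231]: 7C9D3E: warning: header '
    'Content-Type: image/gif; name="pic.gif" from lists.example.org[198.51.100.5]; '
    'from=<friend@example.org> to=<me@example.org> proto=ESMTP '
    'helo=<lists.example.org>: IMAGE_ATTACHMENT',
]

def parse_warning(line, year):
    """Return the fields of one WARN line, or None for any other log line."""
    m = WARN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "qid": m["qid"], "ip": m["ip"], "tag": m["tag"]}

def correlate(lines, year=2006):
    """Map client IP -> last time one message tripped every rule in PAIR."""
    seen = {}  # queue id -> (ip, first timestamp, tags hit so far)
    for line in lines:
        w = parse_warning(line, year)
        if w:
            seen.setdefault(w["qid"], (w["ip"], w["ts"], set()))[2].add(w["tag"])
    listed = {}
    for ip, ts, tags in seen.values():
        if PAIR <= tags:  # both warnings for the same queue id: a "pair"
            listed[ip] = max(listed.get(ip, ts), ts)
    return listed

def active(lines, now_iso, max_age=timedelta(days=2), year=2006):
    """IPs still listed at now_iso; older entries age out as Charles suggested."""
    now = datetime.fromisoformat(now_iso)
    return sorted(ip for ip, ts in correlate(lines, year).items()
                  if now - ts <= max_age)
```

The single-rule hit from lists.example.org never reaches the list, which is the point of requiring the pair rather than acting on either warning alone.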