Re: Using '/' in a regex rule just as a reg character
From: /dev/rob0 (rob0 gmx.co.uk)
Date: Thu Oct 26 2006 - 22:27:48 CDT
On Thursday 26 October 2006 21:29, Adam D wrote:
> I am trying to stop the spam of the drug 'an trim' (disguised because
> the actual word is blocked and now even that will be blocked soon)
> and they keep changing the way it is spelled and I wrote a nice rule
> that rejects it but for some odd reason for the newest spelling of
> ana/trim, I can't stop it at the SMTP door.

I haven't seen it, which leads me to believe I must be blocking it.
Effective steps against viral spew include:

+ HELO checks:
  - reject_non_fqdn_helo_hostname
  - reject_invalid_helo_hostname
  - check_helo_access lookup to reject your domain name[s]
+ RBL's:
  - xbl.spamhaus.org (I query as part of sbl-xbl.spamhaus.org)
  - list.dsbl.org
  - combined.njabl.org (WARNING: blocks dynamic IP ranges)
+ Greylisting
  - Perhaps targeted at no reverse DNS clients and ones with
    dynamic-looking client names
  - Might inconvenience some of your users some of the time!
+ Other: http://www.postfix.org/addon.html#policy
  - http://www.policyd-weight.org/
  - http://policyd.sourceforge.net/ (does greylisting too)

All the above have the benefit of blocking before DATA, so it reduces
the load on your server and its Internet connection.

If you're willing to be more aggressive, there is much more you can do.

+ Client checks:
  - reject_unknown_client_hostname
+ HELO checks:
  - reject_unknown_helo_hostname

These will block a few misconfigured MTA's, but will take out a lot of
spam with them. Also:

+ RBL's:
  - dul.dnsbl.sorbs.net (WARNING: blocks dynamic IP ranges)
  - bl.spamcop.net (WARNING: often blocks freemail providers)

> I am a bit nervous giving out the actual rule because I just don't
> want the creeps to inundate me with more.. lol
You can't win this race against the creeps. There are more of them than
there is of you. Check the list archives and you'll see the general
consensus: header/body_checks are a weak tool against spam.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
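
One way the checks listed in this message could be wired into Postfix, as an added example that is not part of the original post. The map path, example.com and the policy daemon address are assumptions, and warn_if_reject is used so the more aggressive checks only log until they have been reviewed.

```cfg
# /etc/postfix/main.cf fragment (added example; paths, example.com and the
# policy daemon address are assumptions, not values from the message).

# A client that skips HELO would bypass every HELO check below.
smtpd_helo_required = yes

# With the default smtpd_delay_reject = yes these are evaluated at RCPT TO,
# which is still before DATA.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_helo_access hash:/etc/postfix/helo_access,
    warn_if_reject reject_unknown_helo_hostname

smtpd_client_restrictions =
    permit_mynetworks,
    warn_if_reject reject_unknown_client_hostname

# reject_unauth_destination stays ahead of the blocklist lookups so relay
# attempts are refused without a DNS query.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client combined.njabl.org,
    warn_if_reject reject_rbl_client dul.dnsbl.sorbs.net,
    warn_if_reject reject_rbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:12525

# /etc/postfix/helo_access (run "postmap /etc/postfix/helo_access" after
# editing). No outside client should introduce itself with your own name:
#   example.com         REJECT You are not example.com
#   mail.example.com    REJECT You are not mail.example.com
```

Checks prefixed with warn_if_reject are logged as reject_warning instead of rejecting, which shows what each one would have blocked before it is enforced.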