NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> 2006-11

about some questions in PCRE used in body_checks

From: Bruce Cheng (etbrucegmail.com)
Date: Wed Nov 08 2006 - 09:41:03 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear all,

I have some doubts about using PCRE in body_checks. I am not sure
where I am wrong so that it sometimes can reject the SPAMs, but
sometimes can't.
The followings are my conifiguration, please help me, it has been
confused me for a long time and I did a log of changes, but still
can't figure out what happened.

# grep body_checks /etc/postfix/main.cf
body_checks_size_limit = 204800
body_checks = pcre:/etc/postfix/conf/my_body_checks

# more /etc/postfix/conf/my_body_checks
...
/61\.67\.214\.22\// REJECT
/\/natallwa\.info/ REJECT
/\/[0-9]\.xps\.to/ REJECT
# http://www.twgirl-vcd03.com/ http://www.twgirl-dvd03.com/
/\.twgirl\-(vcd|dvd)\d\d\.com\// REJECT
/\.avmai\d\d\d\d\.com/ REJECT
/\.quick\-sys\-to\-rich\.com/ REJECT
/\/*sexangel\.com\// REJECT

I read some perl articles and read Ralf & Patrick's postfix (the great
book) , it seems to be used "\d" "\s" and so on, need to protect - . *
/ and so on. But it is very strange that sometimes can work but not
forever.

I thought it was due to "body_checks_size_limit" so that I changed it
from default value 51200 to 204800. Somes message are not rejected at
smtp session but blocked in Spamassassin and the size are less then
51K.

Would you please advise me how to do it ?

How should I set the rules to reject like the following link?
These(the same link) are happened more than 20 times per day, I don't
want to receive them and pass to Spamassassin, I hope I can reject
them right away. And is there any tools to decode this CGI link ?

http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b%2e%63%6f%2e%6a%70/%72%65%64%69%72%65%63%74?%72%64=%
68%74%74%70%3a%2f%2f%77%77%77%2e%64%76%64%31%30%30%6e%74%2e%63%6f%6d%2f%69%6e%64%65%78%2e%70%68%70%3f%6d%69%64%3d%6d%6
1%69%6c%65%72%38%38%38

And from my test, postfix seems to parse this to be normal strings, doesn't it ?

Please advise me and thank you in advance.

--
Best Regards,
Bruce Cheng

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]