Re: about some questions in PCRE used in body_checks
From: Noel Jones (njones megan.vbhcs.org)
Date: Wed Nov 08 2006 - 11:12:29 CST
At 09:41 AM 11/8/2006, Bruce Cheng wrote:
>Dear all,
>
>I have some doubts about using PCRE in body_checks. I am not sure
>where I am wrong so that it sometimes can reject the SPAMs, but
>sometimes can't.
>The following is my configuration, please help me, it has
>confused me for a long time and I did a lot of changes, but still
>can't figure out what happened.
>
># grep body_checks /etc/postfix/main.cf
>body_checks_size_limit = 204800
>body_checks = pcre:/etc/postfix/conf/my_body_checks
>
># more /etc/postfix/conf/my_body_checks
>...
>/61\.67\.214\.22\// REJECT
>/\/natallwa\.info/ REJECT
>/\/[0-9]\.xps\.to/ REJECT
># http://www.twgirl-vcd03.com/ http://www.twgirl-dvd03.com/
>/\.twgirl\-(vcd|dvd)\d\d\.com\// REJECT
>/\.avmai\d\d\d\d\.com/ REJECT
>/\.quick\-sys\-to\-rich\.com/ REJECT
>/\/*sexangel\.com\// REJECT
>
>I read some perl articles and read Ralf & Patrick's postfix (the great
>book), it seems to be used "\d" "\s" and so on, need to protect - . *
>/ and so on. But it is very strange that sometimes can work but not
>forever.
>
>I thought it was due to "body_checks_size_limit" so that I changed it
>from default value 51200 to 204800. Some messages are not rejected at
>smtp session but blocked in Spamassassin and the sizes are less than
>51K.
>
>Would you please advise me how to do it ?
>
>How should I set the rules to reject like the following link?
>These (the same link) happen more than 20 times per day, I don't
>want to receive them and pass to Spamassassin, I hope I can reject
>them right away. And are there any tools to decode this CGI link?
>
>http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b%2e%63%6f%2e%6a%70/%72%65%64%69%72%65%63%74?%72%64=%
>68%74%74%70%3a%2f%2f%77%77%77%2e%64%76%64%31%30%30%6e%74%2e%63%6f%6d%2f%69%6e%64%65%78%2e%70%68%70%3f%6d%69%64%3d%6d%6
>1%69%6c%65%72%38%38%38
>
>And from my test, postfix seems to parse this to be normal
>strings, doesn't it ?
>
>Please advise me and thank you in advance.

postfix body_checks and header_checks parse the literal
content of the message, not the decoded part shown by your
mail reader.

To reject an encoded link, you must use an exact match in
your body_checks expression. Also note that an encoded
link may span several physical lines; postfix body_checks
can only match one line.

# body_checks
~http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b~
  REJECT unwanted link.

There is a URL deobfuscator on dnsstuff.com that will
decode the link.
--
Noel Jones
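
Added example, not part of the original messages and not Postfix code: a Python sketch that decodes the encoded prefix from the reply, builds a literal rule for it, and tests patterns one physical line at a time, the way the reply says body_checks does. The sample body lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Encoded prefix copied from the message above.
ENCODED = "http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b"

# Constructed body lines: the link on one physical line, then wrapped mid-link.
ONE_LINE = ["Visit " + ENCODED + "/ today"]
WRAPPED = ["Visit " + ENCODED[:40], ENCODED[40:] + "/ today"]


def decode_link(raw):
    """Percent-decode a link so a person can read where it points."""
    return unquote(raw)


def literal_pattern(fragment):
    """Regex that matches the raw, still-encoded fragment exactly."""
    return re.escape(fragment)


def body_checks_rule(fragment, text="unwanted link"):
    """Format a pcre table entry using ~ as delimiter, as in the reply."""
    if "~" in fragment:
        raise ValueError("fragment contains the ~ delimiter")
    return "~%s~ REJECT %s" % (literal_pattern(fragment), text)


def first_match(pattern, lines):
    """Index of the first physical line the pattern matches, else None.

    Each line is tested on its own, as body_checks does; IGNORECASE
    mirrors the case-insensitive default of Postfix pcre tables.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    for i, line in enumerate(lines):
        if rx.search(line):
            return i
    return None


if __name__ == "__main__":
    print(decode_link(ENCODED))
    print(body_checks_rule(ENCODED))
    print(first_match(r"search\.www\.infoseek", ONE_LINE))  # decoded text
    print(first_match(literal_pattern(ENCODED), ONE_LINE))
    print(first_match(literal_pattern(ENCODED), WRAPPED))
    print(first_match(literal_pattern(ENCODED[:40]), WRAPPED))
```

A pattern written against the decoded hostname never matches the raw line, and the full encoded prefix stops matching once the link wraps; only a fragment short enough to sit on one physical line still hits.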