#110: Simple content-based filtering for Postfix

Solved!
I am looking for a simple regex or text-matching based method to filter emails on my Postfix server. For the most part, my server does not get any spam, so there is no need for a heavy-duty antispam solution. On the other hand, there is just one very persistent malware spammer who keeps sending one particular type of trojan to my main email account. This has gotten out of hand.

Regex-based Postfix filtering

1
Postfix has content-based filtering capability. In fact, it has multiple ways to attach filters. However, its documentation is rather baroque, and the top Google hits tend to be how to integrate a separate filtering server into the mail process.

The simplest solution that I found involves the use of capabilities called mime_header_checks and body_checks, which are filtering behaviors that can be configured through Postfix's main.cf file.

There are also several ways to configure body_checks. I used pcre-based regex matching. On Ubuntu, this involved apt-get'ing the postfix-pcre package first.

Once the capability is installed, add a line to main.cf like so:
mime_header_checks=pcre:/etc/postfix/header_checks

where pcre: specifies a regex based filter and /etc/postfix/header_checks is a file containing regex filtering expressions, one filter per line.

The /etc/postfix/header_checks file looks something like:
/^(.*)name=\"(DHL_document).(zip|cmd)\"$/ REJECT
/^(.*)name=\"(DHL_notification).(zip|cmd)\"$/ REJECT

Remember that mime_header_checks is used for attachment filtering, and body_checks is for message text filtering. The reference to this problem used the wrong filter, and it simply won't work.

Reload Postfix's configs and the next message that matches the regex will be rejected for content issues.
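To see what the table above actually matches against, here is an added example (not code from the original post or from Postfix) that emulates how Postfix applies a pcre: table to MIME part headers versus body lines. The table contents, the parser and the two sample messages are all constructed for illustration; the rule escapes the dot before the extension so that it matches only a literal ".", which the patterns in the post do not do. Only a subset of pcre_table(5) syntax is handled (no negation, no IF/ENDIF).

```python
import re

# Constructed contents of a hypothetical /etc/postfix/header_checks. The dot
# before the extension is escaped, so only a literal '.' matches, and the rule
# keys on the Content-Type / Content-Disposition headers of the MIME part.
HEADER_CHECKS = r'''
# Block the DHL-themed trojan attachments (zip or cmd); first match wins.
/^Content-(Type|Disposition):.*name="?DHL_(document|notification)\.(zip|cmd)"?(;|$)/ REJECT Attachment blocked by policy
'''


def parse_pcre_table(text):
    """Parse a subset of Postfix pcre_table(5): '/pattern/flags ACTION' lines.

    Blank lines and '#' comments are skipped. Postfix matches case-insensitively
    by default and the 'i' flag toggles that. Returns [(compiled_regex, action)].
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:\\.|[^/\\])+)/([A-Za-z]*)\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"unparseable table line: {raw!r}")
        pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def apply_checks(rules, lines):
    """Run lines through the table the way Postfix does: for each line the first
    matching rule wins, and the first line that yields an action decides.
    Returns 'DUNNO' (Postfix's 'no opinion') when nothing matched."""
    for line in lines:
        for regex, action in rules:
            if regex.search(line):
                return action
    return "DUNNO"


def mime_header_checks(rules, message):
    """mime_header_checks sees only the headers of the MIME body parts."""
    part_headers = [h for part in message["parts"] for h in part["headers"]]
    return apply_checks(rules, part_headers)


def body_checks(rules, message):
    """body_checks sees the text lines of each part (for a base64 attachment,
    the encoded text), not the part headers, so a rule keyed on 'name=' in a
    Content-Type header never fires here."""
    body_lines = [l for part in message["parts"] for l in part["body"]]
    return apply_checks(rules, body_lines)


# Constructed sample messages (not real captures). Each header is already
# unfolded onto one line, which is how Postfix presents multi-line headers.
MALWARE_MSG = {
    "headers": ["Subject: DHL delivery notification"],
    "parts": [
        {"headers": ["Content-Type: text/plain; charset=utf-8"],
         "body": ["Please open the attached DHL_document.zip"]},
        {"headers": ['Content-Type: application/zip; name="DHL_document.zip"',
                     "Content-Transfer-Encoding: base64",
                     'Content-Disposition: attachment; filename="DHL_document.zip"'],
         "body": ["UEsDBBQAAAAIAA=="]},
    ],
}
CLEAN_MSG = {
    "headers": ["Subject: DHL delivery notification"],
    "parts": [
        {"headers": ["Content-Type: text/plain; charset=utf-8"],
         "body": ["Last week's DHL_document.zip was a fake; see the attached PDF."]},
        {"headers": ['Content-Type: application/pdf; name="dhl_advice.pdf"',
                     'Content-Disposition: attachment; filename="dhl_advice.pdf"'],
         "body": ["JVBERi0xLjQK"]},
    ],
}

RULES = parse_pcre_table(HEADER_CHECKS)

if __name__ == "__main__":
    for name, msg in (("malware", MALWARE_MSG), ("clean", CLEAN_MSG)):
        print(f"{name}: mime_header_checks={mime_header_checks(RULES, msg)!r}"
              f" body_checks={body_checks(RULES, msg)!r}")
```

On a real Postfix host the equivalent check, using the real PCRE engine, is `postmap -q 'Content-Type: application/zip; name="DHL_document.zip"' pcre:/etc/postfix/header_checks`, which prints the action for that one header line; run it after editing the table and before `postfix reload`.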

Comments

  1. I find this kind of filter basically useless. All you have to do is rename your file and the attachment will go through. Change .exe to .ex1 and now you can send executable programs. Granted, you probably can't just double-click them on the other side, but still.

    Nathan on April 19, 2011, 11:11 PM UTC
  2. @Nathan Sure, but general spam is not the problem I want to solve. If you read the problem statement up there, I described my problem: blocking one specific set of emails exhibiting a specific set of known properties. I solve information retrieval problems for a living, but pulling out a support vector machine classifier is more than overkill for this issue.

    yliu on April 19, 2011, 11:58 PM UTC