Re: method to discard email with body containing gmail address

2021-11-14 Thread Vincent Lefevre
On 2021-11-08 09:43:01 +0100, Ansgar Wiechers wrote:
> On 2021-11-06 Wietse Venema wrote:
> > li...@lazygranch.com:
> >> Reply-To: jm84450...@gmail.com
> >
> > Use header_checks (not body_checks) if you want to block that.
> > Still, I would be concerned about rejecting legitimate email.
> 
> It's true that this can reject legitimate e-mail. However, the abuse of
> Gmail Reply-To addresses by spammers/scammers is so rampant (at least in
> my experience) that on my personal mail server I decided to reject
> everything with a Gmail Reply-To except for whitelisted addresses.

FYI, mailing-list software adds "Reply-To:" headers with the
e-mail address of the sender, probably because of the "From:"
header munging due to DMARC. This also happens with mail sent
by Debian's BTS (so that replies are sent to both the sender
and the bug address). Some users also use a "Reply-To:" to
their address because some mailing-lists otherwise set it back
to the list.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Re: method to discard email with body containing gmail address

2021-11-08 Thread Dominic Raferd

On 08/11/2021 08:43, Ansgar Wiechers wrote:
> On 2021-11-06 Wietse Venema wrote:
> > li...@lazygranch.com:
> > > Reply-To: jm84450...@gmail.com
> >
> > Use header_checks (not body_checks) if you want to block that.
> > Still, I would be concerned about rejecting legitimate email.
>
> It's true that this can reject legitimate e-mail. However, the abuse of
> Gmail Reply-To addresses by spammers/scammers is so rampant (at least in
> my experience) that on my personal mail server I decided to reject
> everything with a Gmail Reply-To except for whitelisted addresses.

Thanks for raising this. I tested how it might have worked for us, going
back 9 months. We see this abuse, but all attempts over that period have
been blocked by our existing spam-prevention tools. Whitelisting a
handful of 'From:' addresses could have avoided false positives
(applying hindsight), but - for us at least - the strategy would appear
to add nothing except a risk of future fps. YMMV, of course.


Re: method to discard email with body containing gmail address

2021-11-08 Thread Ansgar Wiechers
On 2021-11-06 Wietse Venema wrote:
> li...@lazygranch.com:
>> Reply-To: jm84450...@gmail.com
>
> Use header_checks (not body_checks) if you want to block that.
> Still, I would be concerned about rejecting legitimate email.

It's true that this can reject legitimate e-mail. However, the abuse of
Gmail Reply-To addresses by spammers/scammers is so rampant (at least in
my experience) that on my personal mail server I decided to reject
everything with a Gmail Reply-To except for whitelisted addresses.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: method to discard email with body containing gmail address

2021-11-07 Thread Jaroslaw Rafa
Dnia  6.11.2021 o godz. 16:56:01 li...@lazygranch.com pisze:
> Note a few of the spammers put their email address in the subject line.
> Maybe that should be my first attempt at discarding. I can't think of a
> non-spammer doing that.

Some MUAs do. I use mutt, and if you forward a message in mutt, it puts the
e-mail address of the original sender (not you) at the beginning of the
subject of the forwarded message.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: method to discard email with body containing gmail address

2021-11-06 Thread Wietse Venema
li...@lazygranch.com:
> Reply-To: jm84450...@gmail.com

Use header_checks (not body_checks) if you want to block that.
Still, I would be concerned about rejecting legitimate email.

Wietse


Re: method to discard email with body containing gmail address

2021-11-06 Thread li...@lazygranch.com
Your comments on the regex are useful since I didn't consider email
addresses with delimiters though none of the spam does at the moment.
Note a few of the spammers put their email address in the subject line.
Maybe that should be my first attempt at discarding. I can't think of a
non-spammer doing that.

I read your tips and the postscreen page. Since postscreen doesn't read
the content of the email, I'm not sure what good it will do. I have
blocking lists set up in postfix itself. (Less is more. No additional
program in the chain.) I suppose I could use postscreen just to inspect
the email server (postscreen without blocking mail?) which I think you
mean it will still block funky email servers, but the gmail spam comes
from gmail. It is perfectly legit email other than sometimes the Reply-To
and From don't match. That itself is legit but just odd.

Here is a sanitized and shortened header. I am baffled why these
spammers include a gmail address in their email since the reply to
field is gmail anyway, but most do. Why google tolerates this crap is
another story. I gave up on emailing their abuse contact since nothing
changed by doing so. 


Return-Path: 
X-Original-To: m...@mydomain.com
Delivered-To: m...@mydomain.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
client-ip=209.85.222.46; helo=mail-ua1-f46.google.com; 
envelope-from=infoa0...@gmail.com; receiver=m...@mydomain.com
DMARC-Filter: OpenDMARC Filter v1.4.1 www.mydomain.com 8E2BF69A7B
Authentication-Results: mydomain.com; dmarc=pass (p=none dis=none) 
header.from=gmail.com
Authentication-Results: mydomain.com; spf=pass smtp.mailfrom=gmail.com
DKIM-Filter: OpenDKIM Filter v2.11.0 www.mydomain.com 8E2BF69A7B
Authentication-Results: www.mydomain.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com 
header.b="Mb0Z+9VO"
Received: from mail-ua1-f46.google.com (mail-ua1-f46.google.com [209.85.222.46])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
  key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by www.mydomain.com (Postfix) with ESMTPS id 8E2BF69A7B
 for ; Fri,  5 Nov 2021 12:09:13 + (UTC)
Received: by mail-ua1-f46.google.com with SMTP id az37so16607241uab.13
for ; Fri, 05 Nov 2021 05:09:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=mime-version:reply-to:from:date:message-id:subject:to;

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:reply-to:from:date:message-id
 :subject:to;

X-Received: by 2002:ab0:5a93:: with SMTP id w19mr63371846uae.58.1636114152575;
 Fri, 05 Nov 2021 05:09:12 -0700 (PDT)
MIME-Version: 1.0
Reply-To: jm84450...@gmail.com
From: Abdulla Shahid 
Date: Fri, 5 Nov 2021 05:08:57 -0700
Message-ID: 


On Sat, 06 Nov 2021 10:54:48 -0500
Rob McGee  wrote:

> On 2021-11-06 06:15, li...@lazygranch.com wrote:
> > Most of my spam contains a gmail address to reply to the spammer. I
> > would like to discard email whose body contains a gmail address.
> > Since discarding mail could get ugly, I would hope someone on the
> > list can eyeball my plan.
> 
> Indeed it is ugly.  You just as well could have asked for a method
> to throw out the baby with the bathwater!
> 
> > I added
> > body_checks = pcre:/etc/postfix/body_checks
> > to main.cf. I made a null body_checks file and ran postmap on it,
> > then
> 
> postmap "compiles" hash: and other indexed map types.  It's not
> needed for a pcre_table(5) map.
> 
> > did a reload & restart. Postfix wouldn't send email if the file was
> > missing.
> > 
> > postconf -d mail_version
> > mail_version = 3.6.2
> > 
> > Trawling the internet I found this regex to match gmail addresses:
> > ^[\w.+\-]+@gmail\.com$
> > 
> > So if body_checks contained
> > /^[\w.+\-]+@gmail\.com$/ DISCARD
> > work.
> 
> Change DISCARD to WARN first, to see what it matches.
> 
> Also, you anchored the expression on both ends, ^ and $, so you're
> only going to match mail with ONLY the gmail address on one line.
> This line with zeixsgw9gufv2isophpdyisr0bgz0...@gmail.com will not
> match.  Neither will this, with the <> enclosing brackets:
> 
> 
> I think once you get the bugs worked out you will give up on this.
> 
> See my postscreen howto for a much more effective means of dealing
> with spam.



Re: method to discard email with body containing gmail address

2021-11-06 Thread Rob McGee

On 2021-11-06 06:15, li...@lazygranch.com wrote:
> Most of my spam contains a gmail address to reply to the spammer. I
> would like to discard email whose body contains a gmail address. Since
> discarding mail could get ugly, I would hope someone on the list can
> eyeball my plan.

Indeed it is ugly.  You just as well could have asked for a method
to throw out the baby with the bathwater!

> I added
> body_checks = pcre:/etc/postfix/body_checks
> to main.cf. I made a null body_checks file and ran postmap on it, then

postmap "compiles" hash: and other indexed map types.  It's not
needed for a pcre_table(5) map.

> did a reload & restart. Postfix wouldn't send email if the file was
> missing.
>
> postconf -d mail_version
> mail_version = 3.6.2
>
> Trawling the internet I found this regex to match gmail addresses:
> ^[\w.+\-]+@gmail\.com$
>
> So if body_checks contained
> /^[\w.+\-]+@gmail\.com$/ DISCARD
> work.

Change DISCARD to WARN first, to see what it matches.

Also, you anchored the expression on both ends, ^ and $, so you're
only going to match mail with ONLY the gmail address on one line.
This line with zeixsgw9gufv2isophpdyisr0bgz0...@gmail.com will not
match.  Neither will this, with the <> enclosing brackets:


I think once you get the bugs worked out you will give up on this.

See my postscreen howto for a much more effective means of dealing
with spam.
--
  http://rob0.nodns4.us/
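A small Python simulation of the two points raised in this thread (Wietse's and Ansgar's header_checks approach with a whitelist entry, and Rob's warning about the ^...$ anchors), added here as an example that is not part of the original thread or of Postfix. The table entries, addresses and message body are constructed, and the evaluator imitates only pcre_table(5) first-match, case-insensitive semantics, not Postfix itself.

```python
import re

# Constructed header_checks-style table in the spirit of pcre_table(5):
# patterns are tried in order and the first match wins, so the whitelist
# entry (DUNNO) must come before the catch-all.  Postfix pcre tables match
# case-insensitively by default, which re.IGNORECASE reproduces.
HEADER_CHECKS = [
    (r"^Reply-To:.*\bfriend\.example@gmail\.com\b", "DUNNO"),  # whitelisted (made-up) address
    (r"^Reply-To:.*@gmail\.com", "WARN"),                      # WARN first, as Rob advises
]

# Rob's point: anchoring with ^ and $ only matches a line that consists of
# nothing but the address.  The unanchored form matches it anywhere on the line.
ANCHORED = r"^[\w.+\-]+@gmail\.com$"
UNANCHORED = r"[\w.+\-]+@gmail\.com"

# Constructed message body to run the body_checks-style patterns over.
SAMPLE_BODY = """Hello,
write to zeix9gufv2isophpdyisr0bgz0.example@gmail.com for details
<someone.example@gmail.com>
someone.example@gmail.com
"""


def header_action(table, header_line):
    """Return the action of the first table entry matching one logical header,
    or None when nothing matches (Postfix then moves on to the next header)."""
    for pattern, action in table:
        if re.search(pattern, header_line, re.IGNORECASE):
            return action
    return None


def body_hits(pattern, body):
    """Apply a body_checks-style pattern line by line, as Postfix does, and
    return the lines that would trigger the action."""
    return [line for line in body.splitlines()
            if re.search(pattern, line, re.IGNORECASE)]


if __name__ == "__main__":
    for hdr in ("Reply-To: friend.example@gmail.com",
                "Reply-To: Some Body <reply.example@gmail.com>",
                "From: reply.example@gmail.com"):
        print(f"{hdr!r:50} -> {header_action(HEADER_CHECKS, hdr)}")
    print("anchored  :", body_hits(ANCHORED, SAMPLE_BODY))    # only the bare-address line
    print("unanchored:", body_hits(UNANCHORED, SAMPLE_BODY))  # all three address lines
```

Because header_checks examines each header on its own, a whitelist keyed on a different header (for example List-Id for the mailing-list traffic Vincent describes) cannot be expressed in such a table, which is part of why the thread warns about false positives.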