Re: Rejecting emails with invalid/unlikely dates?

2009-01-01 Thread Noel Jones

mouss wrote:

> Darren Pilgrim wrote:
>
> > IBBoard wrote:
> >
> > > I've been looking around but so far haven't been able to find anything
> > > (partly because it's difficult to phrase a search query!). If someone
> > > has a solution/config for this then that'd be great.
> > >
> > > Before anyone points out issues with GMail and lack of control, this
> > > is all being done on a domain on a VPS. I'm just using my Gmail
> > > address for the mailing list :)
> > >
> > > Basically, 99% of the spam I get (which is only a small amount
> > > compared to some people) is either a) purporting to be from me, to me
> > > or b) has a date that Thunderbird reports as 1976 or 2038 (but is
> > > really 3609 or just 38). I've resolved the first part with SPF
> > > records and checking them in Postfix, but I can't work out how to get
> > > Postfix to reject mail that is outside a 14-day window from today (or
> > > silently dispose of it if it's not possible because it has to get too
> > > far into the system to fail it).
> >
> > You need a content filter for this.
>
> And to reject, he needs to run it in pre-queue mode (proxy_filter). Or
> he could use a milter such as milter-regex.
>
> > Header checks can do this; however,
> > they're static, so you have the problem of updating them constantly to
> > keep the validity window moving.
>
> He can use a cron to update the header_checks daily. This is simpler
> than milter/proxy_filter.
>
> > Plus there's the issue of date
> > formats.
>
> This is not a problem here, since he wants to block known spam. So he
> can write expressions for that spam. And if he only wants to block on
> the year, then it's even easier.
>
> > The best way, IMO, is a policy service that can grok a wide
> > variety of date formats and check if the date is within 14 days of the
> > current time.
>
> A policy service doesn't see headers. A milter or a proxy_filter does.
>
> > There are spamassassin rules for future dates in message headers, so you
> > might try that route instead of rolling your own.
>
> This is indeed easier and maybe safer (well, if OP uses spamassassin).


Once upon a time, these pcre header_checks were posted to this 
list:

(beware line wrapping; each of these is a single line)

### Date checks
IF /^Date:/
/Date:.*([3-9].:..:|2[4-9]:..:|:[6-9].:|:..:6[0-9])/   HOLD invalid time in Date header

/ \d\d:\d\d:\d\d [^+-][2-9][5-9][0-9][0-9]\s*$/   HOLD invalid time zone offset in Date header

/^Date: .* 19[0-9][0-9]/   HOLD UBE Header - Past Date #1
/^Date: .* 200[0-6]/   HOLD UBE Header - Past Date #2

/^Date:.*((3[2-9]|[4-9][0-9]) Jan|[3-9][0-9] Feb|(3[2-9]|[4-9][0-9]) Mar|(3[1-9]|[4-9][0-9]) Apr|(3[2-9]|[4-9][0-9]) May|(3[1-9]|[4-9][0-9]) Jun|(3[2-9]|[4-9][0-9]) Jul|(3[2-9]|[4-9][0-9]) Aug|(3[1-9]|[4-9][0-9]) Sep|(3[2-9]|[4-9][0-9]) Oct|(3[1-9]|[4-9][0-9]) Nov|(3[2-9]|[4-9][0-9]) Dec)/   HOLD Invalid date header. Correct your clock and resend please.

/^Date:.*(2[4-9]:[0-9]{2}:[0-9]{2}|[3-9][0-9]:[0-9]{2}:[0-9]{2}|[0-9]{1,2}:[6-9][0-9]:[0-9]{2}|[0-9]{1,2}:[0-9]{2}:(6[2-9]|[7-9][0-9]))/   HOLD Invalid time header. Correct your clock and resend please.
ENDIF
### END DATE CHECKS

I have these set to HOLD since they rarely catch anything 
other than the occasional legit mail with a bad year.  YMMV.


--
Noel Jones
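To see what the posted rules actually catch before putting them in front of real mail, here is an added test harness (mine, not from the list or from Postfix): it transcribes the five HOLD patterns above into Python's re module, which accepts these particular PCRE expressions unchanged, and runs them over a few constructed Date headers. Postfix can do the same lookup natively with `postmap -q - pcre:/etc/postfix/header_checks < samples`, but keeping the expected outcomes in a unit test is handy once the rules start being edited.

```python
import re
from typing import Dict, List, Optional, Tuple

# The five HOLD rules from the header_checks table above, transcribed into
# Python's re module (these particular patterns use nothing PCRE-specific).
# Order matters: like Postfix, the harness stops at the first match.
RULES: List[Tuple[str, str]] = [
    (r"Date:.*([3-9].:..:|2[4-9]:..:|:[6-9].:|:..:6[0-9])",
     "HOLD invalid time in Date header"),
    # Note the [^+-] class: a signed offset such as +2500 can never match it.
    (r" \d\d:\d\d:\d\d [^+-][2-9][5-9][0-9][0-9]\s*$",
     "HOLD invalid time zone offset in Date header"),
    (r"^Date: .* 19[0-9][0-9]", "HOLD UBE Header - Past Date #1"),
    (r"^Date: .* 200[0-6]", "HOLD UBE Header - Past Date #2"),
    (r"^Date:.*((3[2-9]|[4-9][0-9]) Jan|[3-9][0-9] Feb|(3[2-9]|[4-9][0-9]) Mar|"
     r"(3[1-9]|[4-9][0-9]) Apr|(3[2-9]|[4-9][0-9]) May|(3[1-9]|[4-9][0-9]) Jun|"
     r"(3[2-9]|[4-9][0-9]) Jul|(3[2-9]|[4-9][0-9]) Aug|(3[1-9]|[4-9][0-9]) Sep|"
     r"(3[2-9]|[4-9][0-9]) Oct|(3[1-9]|[4-9][0-9]) Nov|(3[2-9]|[4-9][0-9]) Dec)",
     "HOLD Invalid date header. Correct your clock and resend please."),
    (r"^Date:.*(2[4-9]:[0-9]{2}:[0-9]{2}|[3-9][0-9]:[0-9]{2}:[0-9]{2}|"
     r"[0-9]{1,2}:[6-9][0-9]:[0-9]{2}|[0-9]{1,2}:[0-9]{2}:(6[2-9]|[7-9][0-9]))",
     "HOLD Invalid time header. Correct your clock and resend please."),
]
COMPILED = [(re.compile(pattern), action) for pattern, action in RULES]


def check_header(line: str) -> Optional[str]:
    """Emulate the IF /^Date:/ ... ENDIF block: only Date: lines are
    examined, and the action of the first matching rule is returned
    (None means the header passes untouched)."""
    if not line.startswith("Date:"):
        return None
    for pattern, action in COMPILED:
        if pattern.search(line):
            return action
    return None


# Constructed sample headers (not taken from the thread): a normal date, the
# two spam shapes the OP describes (year 3609 and two-digit year 38), an
# impossible hour, the genuine leap second of 2008-12-31, and an
# out-of-range zone offset.
SAMPLES = [
    "Date: Thu, 1 Jan 2009 10:00:00 +0000",
    "Date: 25 Dec 3609 10:00:00 +0000",
    "Date: 19 Jan 38 10:00:00 +0000",
    "Date: Thu, 1 Jan 2009 25:00:00 +0000",
    "Date: Wed, 31 Dec 2008 23:59:60 +0000",
    "Date: Thu, 1 Jan 2009 10:00:00 +2500",
]


def run_samples() -> Dict[str, Optional[str]]:
    """Map each sample header to the action the table would take on it."""
    return {header: check_header(header) for header in SAMPLES}


if __name__ == "__main__":
    for header, action in run_samples().items():
        print(f"{action or 'pass':<60} {header}")
```

Running it shows three things worth knowing before adopting the table: the two spam shapes IBBoard describes (year 3609, two-digit year 38) pass all five rules, which is why they need modifying for his case; the leap second of 2008-12-31 23:59:60, a legitimate header, is held by the first rule; and a signed offset like +2500 slips past the zone-offset rule because of the `[^+-]` in front of the digits.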



Re: Rejecting emails with invalid/unlikely dates?

2009-01-01 Thread IBBoard
There are some very definite patterns in the dates of the spam I'm 
getting (xx/xx/3609 and 19 Jan 38) so a modification of those regexes 
should do the trick for now.


As for SpamAssassin, I don't use it at the moment. I'm running a small 
VPS with 128MB of memory and a handful of email accounts. My recent 
tally of spam has been about half-a-dozen per day at most, and the 
majority of those were cut by checking SPF records to stop emails that 
pretend to be from me.


Presumably there is some way of parsing the various formats of date used 
in email headers, otherwise email clients couldn't display it. If anyone 
knows of or could create a script that could do a more generic job (such 
as the 14 day window I mentioned earlier) then that'd be great.


Thanks,

IBBoard



Rejecting emails with invalid/unlikely dates?

2008-12-31 Thread IBBoard

Hi,

I've been looking around but so far haven't been able to find anything 
(partly because it's difficult to phrase a search query!). If someone 
has a solution/config for this then that'd be great.


Before anyone points out issues with GMail and lack of control, this is 
all being done on a domain on a VPS. I'm just using my Gmail address for 
the mailing list :)


Basically, 99% of the spam I get (which is only a small amount compared 
to some people) is either a) purporting to be from me, to me or b) has a 
date that Thunderbird reports as 1976 or 2038 (but is really 3609 or 
just 38). I've resolved the first part with SPF records and checking 
them in Postfix, but I can't work out how to get Postfix to reject mail 
that is outside a 14-day window from today (or silently dispose of it if 
it's not possible because it has to get too far into the system to fail 
it).


Any suggestions would be great.

Thanks,

IBBoard


Re: Rejecting emails with invalid/unlikely dates?

2008-12-31 Thread Darren Pilgrim

IBBoard wrote:
> I've been looking around but so far haven't been able to find anything 
> (partly because it's difficult to phrase a search query!). If someone 
> has a solution/config for this then that'd be great.
>
> Before anyone points out issues with GMail and lack of control, this is 
> all being done on a domain on a VPS. I'm just using my Gmail address for 
> the mailing list :)
>
> Basically, 99% of the spam I get (which is only a small amount compared 
> to some people) is either a) purporting to be from me, to me or b) has a 
> date that Thunderbird reports as 1976 or 2038 (but is really 3609 or 
> just 38). I've resolved the first part with SPF records and checking 
> them in Postfix, but I can't work out how to get Postfix to reject mail 
> that is outside a 14-day window from today (or silently dispose of it if 
> it's not possible because it has to get too far into the system to fail 
> it).


You need a content filter for this.  Header checks can do this; however, 
they're static, so you have the problem of updating them constantly to 
keep the validity window moving.  Plus there's the issue of date 
formats.  The best way, IMO, is a policy service that can grok a wide 
variety of date formats and check if the date is within 14 days of the 
current time.


There are spamassassin rules for future dates in message headers, so you 
might try that route instead of rolling your own.
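The "parse many date formats, then compare against a window" logic Darren describes, and that IBBoard later asks for, is what an RFC 5322 parser gives you almost for free. The following is an added example (mine, not code from the thread or from any Postfix component): it uses Python's standard `email.utils.parsedate_to_datetime`, returns Postfix-style verdicts, and exercises the edge cases a practitioner would hit, including the two spam shapes from the original post and a real leap-second timestamp. The reference clock, window size and sample headers are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Tuple

WINDOW = timedelta(days=14)
# Fixed "now" so the results are reproducible (the thread's date).
REFERENCE_NOW = datetime(2009, 1, 1, 12, 0, tzinfo=timezone.utc)


def check_date_header(value: str, now: datetime,
                      window: timedelta = WINDOW) -> Tuple[str, str]:
    """Classify a Date: header value against now +/- window.

    Returns (action, reason) using Postfix-style actions: DUNNO lets the
    message continue, HOLD parks it in the hold queue for a human to look at.
    """
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        # Garbage such as "12/25/3609 ..." raises TypeError on older
        # Pythons and ValueError on 3.10+. A leap second (ss=60) also lands
        # here, because datetime refuses second=60: a known false positive.
        return "HOLD", "unparsable Date header"
    if parsed.tzinfo is None:
        # "-0000" means "no zone information" and yields a naive datetime;
        # treat it as UTC so the subtraction below is well defined.
        parsed = parsed.replace(tzinfo=timezone.utc)
    delta = parsed - now
    if delta > window:
        return "HOLD", f"Date header is {delta.days} days in the future"
    if delta < -window:
        return "HOLD", f"Date header is {(-delta).days} days in the past"
    return "DUNNO", "Date header within window"


# Constructed samples: a current date, an in-window date in another zone,
# a "-0000" date, an old date, the OP's two spam shapes, an unparsable
# slash-style date and the genuine leap second of 2008-12-31.
SAMPLES = [
    "Thu, 1 Jan 2009 10:00:00 +0000",
    "Sat, 20 Dec 2008 10:00:00 +0100",
    "Thu, 1 Jan 2009 10:00:00 -0000",
    "Mon, 1 Dec 2008 10:00:00 +0000",
    "19 Jan 38 10:00:00 +0000",
    "25 Dec 3609 10:00:00 +0000",
    "12/25/3609 10:00:00 +0000",
    "Wed, 31 Dec 2008 23:59:60 +0000",
]


def run_samples(now: datetime = REFERENCE_NOW) -> Dict[str, Tuple[str, str]]:
    """Verdict for every sample header relative to `now`."""
    return {value: check_date_header(value, now) for value in SAMPLES}


if __name__ == "__main__":
    for value, (action, reason) in run_samples().items():
        print(f"{action:<6} {reason:<45} {value}")
```

Two points from the output: the two-digit year "38" is expanded to 2038 by the parser, exactly as IBBoard saw Thunderbird do, so a window check rejects it without any special casing; and because this decision needs the header, it has to run where headers are visible, that is in a milter or a pre-queue content filter rather than in a policy service, as mouss points out below.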


Re: Rejecting emails with invalid/unlikely dates?

2008-12-31 Thread mouss
Darren Pilgrim wrote:
> IBBoard wrote:
> > I've been looking around but so far haven't been able to find anything
> > (partly because it's difficult to phrase a search query!). If someone
> > has a solution/config for this then that'd be great.
> >
> > Before anyone points out issues with GMail and lack of control, this
> > is all being done on a domain on a VPS. I'm just using my Gmail
> > address for the mailing list :)
> >
> > Basically, 99% of the spam I get (which is only a small amount
> > compared to some people) is either a) purporting to be from me, to me
> > or b) has a date that Thunderbird reports as 1976 or 2038 (but is
> > really 3609 or just 38). I've resolved the first part with SPF
> > records and checking them in Postfix, but I can't work out how to get
> > Postfix to reject mail that is outside a 14-day window from today (or
> > silently dispose of it if it's not possible because it has to get too
> > far into the system to fail it).
>
> You need a content filter for this.

And to reject, he needs to run it in pre-queue mode (proxy_filter). Or
he could use a milter such as milter-regex.

> Header checks can do this; however,
> they're static, so you have the problem of updating them constantly to
> keep the validity window moving.

He can use a cron to update the header_checks daily. This is simpler
than milter/proxy_filter.

> Plus there's the issue of date
> formats.

This is not a problem here, since he wants to block known spam. So he
can write expressions for that spam. And if he only wants to block on
the year, then it's even easier.

> The best way, IMO, is a policy service that can grok a wide
> variety of date formats and check if the date is within 14 days of the
> current time.

A policy service doesn't see headers. A milter or a proxy_filter does.

> There are spamassassin rules for future dates in message headers, so you
> might try that route instead of rolling your own.

This is indeed easier and maybe safer (well, if OP uses spamassassin).
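mouss's cron suggestion, worked through as an added example (mine, not from the thread or from Postfix): a small generator that writes a pcre header_checks table whose single negated rule HOLDs any Date: header that names no day inside today's 14-day window, so the "static" problem Darren raised disappears if the table is regenerated daily. File paths in the comments and usage note are placeholders, and `date_is_accepted` mirrors the table's decision in Python so a freshly generated table can be sanity-checked before it is installed.

```python
import re
import sys
from datetime import date, timedelta

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Fixed reference day for reproducible checks (the thread's date).
REFERENCE_DAY = date(2009, 1, 1)


def day_token(d: date) -> str:
    """Regex fragment for one calendar day as written in an RFC 5322 Date:
    header. The day-of-month may carry a leading zero, so accept both."""
    day = f"0?{d.day}" if d.day < 10 else str(d.day)
    return f"{day} {MONTHS[d.month - 1]} {d.year}"


def window_pattern(today: date, window_days: int = 14) -> str:
    """Alternation covering every day from today-window to today+window.
    The \\b anchors stop '1 Jan 2009' matching inside '31 Jan 2009'."""
    days = [today + timedelta(days=n)
            for n in range(-window_days, window_days + 1)]
    return r"\b(" + "|".join(day_token(d) for d in days) + r")\b"


def generate_header_checks(today: date, window_days: int = 14) -> str:
    """Emit a Postfix pcre header_checks table. The leading '!' negates the
    pattern, so HOLD fires for a Date: header naming no day in the window."""
    return (
        f"# generated for {today.isoformat()}; regenerated daily from cron\n"
        "if /^Date:/\n"
        f"!/{window_pattern(today, window_days)}/  "
        f"HOLD Date header outside the {window_days}-day acceptance window\n"
        "endif\n"
    )


def date_is_accepted(header: str, today: date, window_days: int = 14) -> bool:
    """True if the generated table would let this header line through."""
    return re.search(window_pattern(today, window_days), header) is not None


if __name__ == "__main__":
    # Example invocation (placeholder path, not from the thread):
    #   gen_date_checks.py > /etc/postfix/header_checks.date
    sys.stdout.write(generate_header_checks(date.today()))
```

Wire it up with `header_checks = pcre:/etc/postfix/header_checks.date` in main.cf (placeholder path) and a crontab entry such as `5 0 * * * /usr/local/sbin/gen_date_checks.py > /etc/postfix/header_checks.date && postfix reload`. Two caveats: this is an allowlist on the header text rather than a parse, so a header that merely contains an in-window date string anywhere passes, and it only recognises the "day Mon year" spelling, which is why the parser-based check is the more general tool; on the other hand, if the cron job misses a run the window merely narrows by a day, and a genuinely malformed or far-off date like the OP's year 3609 is held without any per-pattern rule.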