Body_checks: How to filter base64 encoded content

emailhtmllinuxpostfixspam-filter

The idiomatic answer is probably "don't – use a filter that decodes the message first", but as can be seen in the second answer to that question, it should also be possible with body_checks which is also what the BUILTIN_FILTER_README @ postfix.org says – and that's what I'd like to do.

Here's one that's been bugging me for quite some time:

--===============6489786132958404869==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

SmFnIGhhciByZWRhbiBza3Jpdml0IHRpbGwgZGlnLCBtZW4gZHUgc3ZhcmFyIG1pZyBpbnRlLiBM
w6V0IG1pZyB2ZXRhLCBqYWcgaGFyIG7DpWdyYSBzYWtlciBhdHQgYmVyw6R0dGEuIEtvbnRha3Rh
IG1pZyBpIG1pbiBwcml2YXRhIGUtcG9zdDogaXJlbmUub3NiZXJnNzNAZ21haWwuY29tCg==

--===============6489786132958404869==--

For this, I've added the body_checks rule:

/SmFnIGhhciByZWRhbiBza3Jpdml0IHRpbGwgZGlnLCBtZW4gZHUgc3ZhcmFyIG1pZyBpbnRl/ REJECT Spam

but it just won't catch it when it's in such a block. It caught one attempted delivery when the same string was embedded in an html body:
<div dir="ltr"><pre class="gmail-moz-quote-pre"><pre>SmFnIHZpbGwgcHJhdGEgbWVkIGRpZywgbWVuIGRldCBmaW5ucyBmw7ZyIG3DpW5nYSBtZWRkZWxh</pre> but that's the only time the rule has successfully caught this. I have added quite a few of these base64 encoded rules but none of them catch anything when embedded like above.

The base64 encoding in this particular case is always exactly the same, so I don't have to make a base64 tripple to catch variants, which I've done for other cases:

/aHR0cHM6Ly9jbGNrLnJ1|dHRwczovL2NsY2sucnUv|dHBzOi8vY2xjay5y/ REJECT Please remove the link to clck.ru

The above doesn't catch anything when embedded in a block like above either.

I've tried adding the postfix main.cf setting

disable_mime_input_processing = yes

which seems to have improved things. It catches some of them now, but not all those than I can manually verify should catch messages that slips though the cracks.

Any idea why this doesn't work and what I can do about it? I'm using postfix 3.6.4-1.fc35.

Best Answer

There is a builtin feature for diagnosing postfix map lookups, specifically for body_checks as well. Pass the same map configuration you configured for your smtpd cleanup service to the postmap utility and add one or more -v for detailed output:

# postconf body_checks
body_checks=pcre:/etc/postfix/body.pcre
# cat known_bad.eml | postmap -v -b -q - pcre:/etc/postfix/body.pcre
...
postmap: dict_pcre_lookup: body.pcre: test line 1
postmap: dict_pcre_lookup: body.pcre: test line 2
postmap: dict_pcre_lookup: body.pcre: test line 3
test line 3 DUNNO

This will tell you, for each body line, which (if any) entry in your map matched against your line.

One possible reason your map might not behave the way you expect it to would be a too-broad match with DUNNO result preceding your intended REJECT spam result, instructing the cleanup server to proceed with the next line instead of trying further expressions.

Related Solutions

Linux – How to sort du -h output by size

As of GNU coreutils 7.5 released in August 2009, sort allows a -h parameter, which allows numeric suffixes of the kind produced by du -h:

du -hs * | sort -h

If you are using a sort that does not support -h, you can install GNU Coreutils. E.g. on an older Mac OS X:

brew install coreutils
du -hs * | gsort -h

From sort manual:

-h, --human-numeric-sort compare human readable numbers (e.g., 2K 1G)

Linux – Postfix: content-filter vs. milter

The main difference is that Milter happens pre-queue, i.e. before Postfix accepts the mail. Content filtering happens post-queue.

It depends on the circumstances and the resources you have available. In general, post-queue content filtering in my experience is less resource intensive. Postfix handles the SMTP transactions, queue's the mail and this can happen relatively quickly and painlessly. Postfix is very efficient in this regard and then the content filter can appear (in your case amavis) and take over scanning the email.

The downside to the post-queue approach is that Postfix cannot reject the mail in real-time. It is preferable to reject as much email as possible within the SMTP transaction itself, to avoid bouncing mail. Why? Because lots of spam, viruses and other emails you want to block/reject are sent from non-existent or bogus email addresses. When this occurs, you have a double-bounce effect and these mails tend to fill your queue. Another alternative is that your mailserver is bouncing email to an unintended recipient (i.e. an email that exists that was used for spamming.)

I would always suggest using lightweight stuff via the milter or SMTPD proxy readme and leave the heavy processing until the content-filter stage. So it would depend what amavis is using and what resources you have available to you. It is preferable to be able to run amavis as a milter during the SMTP transaction phase, but it may not be practical.

My advice would be to try this if you are unsure and to benchmark the before and after. Noone is really going to be able to advise you definitively on your situation, as your mail volume, profile and hardware will differ from most people.

Best Answer

Related Solutions

Linux – How to sort du -h output by size

Linux – Postfix: content-filter vs. milter

Related Topic