LinuxQuestions.org


rajesh.bahl 04-20-2009 07:51 AM

Legitimate Mail getting discarded on Header
 
Dear All,

Need help to resolve the issue.

Our CentOS 4.7 server is running Postfix properly. Since there was a lot of spam, I started using "Header_checks".

With this a lot of junk is getting filtered based on various "headers". At the same time some of the legitimate mail is also getting discarded.
On further analysis, I found that even if the subject line contains the words "the" or "heat", the mail still gets discarded.

The details of my main.cf are :

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
default_privs = nobody
myhostname = xxxx.net
mydomain = yy.net
myorigin = $mydomain
mynetworks = 127.0.0.0/8
relayhost = aa.bb.cc.dd
net_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes
maps_rbl_domains = bl.spamcop.net
smtpd_recipient_restrictions = check_sender_access,
hash:/etc/postfix/sender_access,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
check_helo_access
pcre:/etc/postfix/helo_checks,
reject_unauth_pipelining,
reject_maps_rbl,
# reject_rbl_client statements have been added on 28-06-2008
reject_rbl_client sbl-xbl.spamhaus.org,
rejct_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client dnsbl.njabl.org,
permit
smtpd_soft_error_limit = 3
smtpd_hard_errors_limit = 6
append_at_myorigin = yes
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = $mydomain
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
header_checks = pcre:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/mbl-body-deny
mime_header_checks = pcre:/etc/postfix/mime_header_checks
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.10/samples
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
alias_database = hash:/etc/postfix/aliases
mailbox_size_limit = 1000000000
content_filter = smtp-amavis:[127.0.0.1]:10024
unknown_local_recipient_reject_code = 450
html_directory = no
broken_sasl_auth_clients = yes



The header_checks file is as under:-

/^Subject:.*Make Money Fast !!!/ DISCARD
/^Subject:.*Join Your Friends at Christian Mingle/ DISCARD
/^Subject:.*Pharma*/ DISCARD
/^From:.*Doctor*/ DISCARD
/^Subject:.*Ultimate Online Pharmaceutical/ DISCARD
/^Subject:.*Buy OEM Software/ DISCARD
/^To:.*<? Undisclosed Recipients?>$/ DISCARD
/^Subject:.*Large Gains Expected/ DISCARD
/^Subject:.*Your 10-day sample pack is ready/ DISCARD
/^Subject:.*Software*/ DISCARD
/^Subject:.*Online Pharmacy*/ DISCARD
/^Subject:.*Mortg* / DISCARD
/^Subject:.*wife*/ DISCARD
/^Subject:.*pleasure*/ DISCARD
/^Subject:.*atch*/ DISCARD
/^Subject:.*her*/ DISCARD
/^Subject:.*EM Software*/ DISCARD
/^Subject:.*singles*/ DISCARD
/^Subject:.*Diamond*/ DISCARD
/^Subject:.*Gaming*/ DISCARD
/^Subject:.*Need Cash*/ DISCARD
/^Subject:.*Lo*se weight*/ DISCARD
/^Subject:.*@indbs.com/ DISCARD
/^Subject:.*Best of*/ DISCARD
/^Subject:.*Degree*/ DISCARD
/^Subject:.*degree*/ DISCARD
/^Subject:.*Diploma*/ DISCARD
/^Subject:.*diploma*/ DISCARD
/^Subject:.*SALARY*/ DISCARD
/^Subject:.*Cheap*/ DISCARD
/^Subject:.*LOTTERY*/ DISCARD
/^Subject:.*lottery*/ DISCARD
/^Subject:.*MBA*/ DISCARD
/^Subject:.*Ph.D.*/ DISCARD
/^Subject:.*is it you*/ DISCARD
/^Subject: GOOD THOUGHT/ DISCARD
/^Subject: *STORY OF THE WEEK/ DISCARD
/^Subject: *INDIA IN MY POCKET/ DISCARD
/^Subject:.*manhood* / DISCARD
/^Subject:.*Credit Management* / DISCARD
/^Subject:.*Final Notice:*/ DISCARD
/^Subject:.*YOUR E-MAIL HAS WON*/ DISCARD
/^Subject: *prolonged erections*/ DISCARD
/^Subject:.*part time*/ DISCARD
/^Subject:.*attention*/ DISCARD
/^Subject: *Google Earth*/ DISCARD
/^Subject:.*seduce women*/ DISCARD
/^Subject:.*Girl*/ DISCARD
/^Subject:.*girl*/ DISCARD
/^Subject:.*night*/ DISCARD
/^Subject:.*No test, No class*/ DISCARD
/^Subject:.*Viagra*/ DISCARD
/^Subject:.*viagra*/ DISCARD
/^Subject:.*V?agra*/ DISCARD
/^Subject:.*Via?ra*/ DISCARD
/^Subject:.*pill*/ DISCARD
/^Subject:.*health*/ DISCARD
/^From:.*@email.de/ DISCARD
/^From:.*@optician.com / DISCARD
/^From:.*@ancestry.com / DISCARD
/^From:.*@humour.com / DISCARD
/^From:.*@email.cz / DISCARD
/^From:.*@torchmail.com / DISCARD
/^From:.*@plaza-cco.com.br / DISCARD
/^From:.*@about.com / DISCARD
/^From:.*@startribune.com / DISCARD
/^From:.*@acmecity.com / DISCARD
/^From:.*@cyberinbox.com / DISCARD
/^From:.*@uymail.com / DISCARD
/^From:.*@terra.cl / DISCARD
/^From:.*@mailops.com / DISCARD
/^From:.*@asianavenue.com / DISCARD
/^From:.*@.online.no / DISCARD
/^From:.*@liquidinformation.net / DISCARD
/^From:.*@nmonline.com.cn / DISCARD
/^From:.*@dreamer.com / DISCARD
/^From:.*@la.com / DISCARD
/^From:.*@myself.com / DISCARD
/^From:.*@sonicnet.com / DISCARD
/^From:.*@mypcera.com / DISCARD
/^From:.*@ukr.net / DISCARD
/^From:.*@apexmail.com / DISCARD
/^From:.*@kasparovch.com / DISCARD
/^From:.*@mediomail.com / DISCARD
/^From:.*@maktoob.com / DISCARD
/^From:.*@compuserve.com / DISCARD
/^From:.*@uolcat.com / DISCARD
/^From:.*@overcmail.de / DISCARD
/^From:.*@ningbo.net / DISCARD
/^From:.*@tls-spedition.de / DISCARD
/^From:.*@berkeleyheightspolice.com / DISCARD
/^From:.*@roadtripfever.com / DISCARD
/^From:.*@RX3Best.org / DISCARD
/^From:.*@dieter-roehm.de / DISCARD
/^From:.*@aymeric-ruiz.com / DISCARD
/^From:.*@lamarette.com / DISCARD
/^From:.*@eckman-danovitz.com / DISCARD
/^From:.*@ivers.com / DISCARD
/^From:.*@chello.fr / DISCARD
/^From:.*@stanleyjordan.com / DISCARD
/^From:.*@conspiracyboards.com / DISCARD
/^From:.*@hmjagtiani.com / DISCARD
/^From:.*@europills.com / DISCARD
/^From:.*@ubmindia.com / DISCARD
/^From:.*@artel.com / DISCARD
/^From:.*@webforall.dk / DISCARD
/^From:.*@ponchatoulachamber.com / DISCARD
/^From:.*@skicanadamag.com / DISCARD
/^From:.*@downsizeme.tv / DISCARD
/^From:.*@varitjournal.com / DISCARD
/^From:.*@mixmail.com / DISCARD
/^From:.*@dojotoolkit.org / DISCARD
/^From:.*@time-blog.com / DISCARD
/^From:.*@switchzoo.com / DISCARD
/^From:.*@specialevents.com / DISCARD
/^From:.*@choosereport.org / DISCARD
/^From:.*@techtree.com / DISCARD
/^From:.*@wrigley.com / DISCARD
/^From:.*@zapakannounce.com / DISCARD
/^From:.*@foxnews.com / DISCARD
/^From:.*@newsday.com / DISCARD
/^From:.*@marinecorpstimes.com / DISCARD
/^From:.*@team2000.us / DISCARD
/^From:.*@lists.cybermedia.in / DISCARD
/^From:.*@asturianus.com / DISCARD
/^From:.*@flickr.com / DISCARD
/^From:.*@psychcentral.com / DISCARD
/^From:.*@mediamatters.org / DISCARD
/^From:.*@icann.org / DISCARD
/^From:.*@myprofilepimp.com / DISCARD
/^From: .*@landsncash.com/ DISCARD
/^From: .*@amada.com.sg/ DISCARD
/^From: .*@googlegroups.com/ DISCARD
/^From:.*@yahoo.fr/ DISCARD
/^From:.*@yahoo.co.jp/ DISCARD
/^From:.*@serjicalstrike.com / DISCARD
/^From:.*@houses.com / DISCARD
/^From:.*@cp.com / DISCARD
/^From:.*@qx.com / DISCARD
/^From:.*@cifns.org / DISCARD
/^From:.*@123greetings.biz/ DISCARD
/^From:.*@convergingworld.com / DISCARD
/^From:.*@pantaiwan.com.tw / DISCARD
/^From:.*@oembrowser.com / DISCARD
/^From:.*@cyberia.net.lb / DISCARD
/^From:.*@barbf.com / DISCARD
/^From:.*@boston.com / DISCARD
/^From:.*@aperfectgiftonline.com / DISCARD
/^From:.*@maya123.com / DISCARD
/^From:.*@aktyw.pl / DISCARD
/^From:.*@nh.com / DISCARD
/^From:.*@embryo-films.com / DISCARD
/^From:.*@qef.com / DISCARD
/^From:.*@bmglabtech.com / DISCARD
/^From:.*@zenitel.biz / DISCARD
/^From:.*@channelworld.in / DISCARD
/^From:.*@surfeador.com / DISCARD
/^From:.*@washingtonpost.com / DISCARD
/^From:.*@workingaussieosource.com / DISCARD
/^From:.*@age-of-bronze.com / DISCARD
/^From:.*@buyselltix.com / DISCARD
/^From:.*@mine-engineer.com/ DISCARD
/^From:.*@consumerinfoline.com/ DISCARD
/^From:.*@channeltimes.com/ DISCARD
/^From:.*@channeltimes.in/ DISCARD
/^From:.*@crn.in/ DISCARD
/^From:.*@enterpriser.in/ DISCARD
/^From:.*@infofriend.com/ DISCARD
/^From:.*@in.constantcontact.com/ DISCARD
/^From:.*@flixter.com/ DISCARD
/^From: fusion.india@amd.com/ DISCARD
/^From:.*@googlegroups.com/ DISCARD
/^From:.*@verizon.net/ DISCARD
/^From:.*@manyzone.com/ DISCARD
/^From:.*@mercator.co.uk/ DISCARD
/^From:.*@nics.co.jp/ DISCARD
/^From:.*@wag-shop.de/ DISCARD
/^From:.*@supersolidaria.gov.co/ DISCARD
/^From:.*@indiatimes.com/ DISCARD


Can someone suggest how to rectify the situation?


rajesh.bahl

billymayday 04-21-2009 12:55 AM

But what's in /etc/postfix/mime_header_checks?

rajesh.bahl 04-22-2009 12:33 AM

Here are the contents of mime_header_checks:

/name=\"(.*)\.(bat|bin|chm|cmd|com|do|exe|hta|jse|lnk|msi|ole)\"$/ DISCARD
/name=\"(.*)\.(pif|reg|rm|scr|shb|shm|shs|sys|vbe|vbs|vxd|xl|xsl)\"$/ DISCARD

If you go through the logs, i.e. /var/log/maillog, there is a clear indication that the rejection has been done because of "Header".



rajesh.bahl

billymayday 04-22-2009 01:04 AM

Could you post applicable log entries please.

Edit - btw - you could catch a lot with *atch* and *her*
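
Added example, not part of the thread and not the posters' code: a small checker that shows which header_checks rule discards a given header and flags rules that end in a glob-style `*`. It assumes Postfix pcre tables match case-insensitively by default and that the first matching rule wins; Python's `re` stands in for PCRE, the rules are a constructed sample copied from the file above, and the function names are hypothetical.

```python
import re

# Constructed sample: five rules copied from the header_checks file in the post.
RULES = r"""
/^Subject:.*Pharma*/ DISCARD
/^Subject:.*atch*/ DISCARD
/^Subject:.*her*/ DISCARD
/^Subject:.*Mortg* / DISCARD
/^Subject:.*Buy OEM Software/ DISCARD
"""

# /pattern/flags ACTION ; flags are ignored here (the sample uses none).
RULE_RE = re.compile(r"^/(.*)/[A-Za-z]*\s+(\S+)")

def parse_rules(text):
    """Return [(pattern, action)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules

def first_match(header, rules):
    """Mimic the table lookup: the first rule that matches decides the action."""
    for pat, action in rules:
        if re.search(pat, header, re.IGNORECASE):
            return pat, action
    return None

def glob_suspects(rules):
    """Rules whose pattern ends in <letter>*: in a regex that makes the letter optional."""
    return [pat for pat, _ in rules if re.search(r"[A-Za-z0-9]\*\s*$", pat)]

def minimal_form(pat):
    """The pattern with the optional last letter dropped: what must really be present."""
    return re.sub(r"[A-Za-z0-9]\*(\s*)$", r"\1", pat)

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Constructed legitimate subjects.
    for hdr in ("Subject: the heat is on", "Subject: SATCOM link test",
                "Subject: Quarterly report"):
        print(hdr, "->", first_match(hdr, rules))
    for pat in glob_suspects(rules):
        print("glob-style:", pat, "behaves like", minimal_form(pat))
```

On the server itself, `postmap -q "Subject: the heat" pcre:/etc/postfix/header_checks` performs the same lookup against the live table.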

