
List:       postfix-users
Subject:    Re: Discard subject UTF8
From:       "Bill Cole" <postfixlists-070913 () billmail ! scconsult ! com>
Date:       2019-02-28 22:14:03
Message-ID: A105E8D0-FDCD-4AEA-8791-04172466836B () billmail ! scconsult ! com

On 28 Feb 2019, at 8:43, Emanuel wrote:

> Hello,
>
> due to email accounts compromised by viruses, I have created filters 
> for the subject of these malicious emails
>
> /^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD

Side note: REJECT is a better choice than DISCARD, unless you're doing 
the check on a Postfix instance that doesn't receive mail directly from 
the Internet. Discarding means you appear to be accepting the message 
for delivery as far as the SMTP client can tell, making your system look 
like a promising target. Rejecting instead makes it clear that the spam 
isn't going anywhere and in cases where the source is a compromised 
account, it makes the abuse apparent to the victim and possibly their 
service provider.

> Now, I see that these malicious emails keep coming out but they are 
> not discarded because the subject is encoded in utf8.

And just as importantly: encoded with Base64.

> =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=
>
> How can I discard these emails if they are encoded? yes or if I need 
> to create a regular expression for the ID into the subject

2 possible solutions:

1. Match against the encoded form. "WW91ciBBbWF6b24uY28udWsgb3JkZXIg" is 
'Your Amazon.co.uk order ' encoded with Base64, so you could use this 
header_checks line:

/^Subject: =\?UTF-8\?B\?WW91ciBBbWF6b24uY28udWsgb3JkZXIg/    DISCARD

Note that this is error-prone because the standard for non-ASCII header 
encoding allows breaking a header into distinct words which may be 
encoded independently and even use different encodings. Someone actually 
believed that to be a good idea...

2. Do this in an external content filter (e.g. SpamAssassin) that 
decodes everything for you so that you can just match against the 
decoded header.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
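As an added illustration (my own code, not part of Bill's reply and not Postfix's own matching), the script below shows the two approaches side by side: solution 1 matches the Base64 form directly in the raw `Subject:` line, while solution 2 decodes the RFC 2047 encoded-words first and matches the plain-text subject. The sample header lines are constructed: the first two are the forms quoted in the thread, the next two re-encode the same subject split into two encoded-words (once B+B, once B+Q with a different charset), which is exactly the case the "error-prone" caveat above describes, and the last is a benign subject. Decoding uses the standard library's `email.header.decode_header`, which also drops the whitespace between adjacent encoded-words as the standard requires.

```python
import re
from email.header import decode_header

# Pattern from the original post, applied to the decoded subject *value*
# (everything after "Subject: ").
DECODED_PATTERN = re.compile(r"^Your Amazon\.co\.uk order #[0-9]*$")

# Solution 1 from the reply: match the Base64 form of "Your Amazon.co.uk order "
# directly in the raw, still-encoded header line.
ENCODED_PATTERN = re.compile(r"^Subject: =\?UTF-8\?B\?WW91ciBBbWF6b24uY28udWsgb3JkZXIg")


def subject_value(header_line: str) -> str:
    """Return the part of a 'Subject:' header line after the field name."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "subject":
        raise ValueError("not a Subject header: %r" % header_line)
    return value.strip()


def decode_rfc2047(value: str) -> str:
    """Decode RFC 2047 encoded-words (B or Q, any charset) into one str.

    decode_header() splits the value into (chunk, charset) pairs and removes
    the whitespace between adjacent encoded-words, so a subject broken into
    several independently encoded words comes back as a single string.
    """
    pieces = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                pieces.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:          # unknown charset label: keep the bytes readable
                pieces.append(chunk.decode("latin-1"))
        else:                            # plain header with no encoded-words at all
            pieces.append(chunk)
    return "".join(pieces)


def matches_encoded_form(header_line: str) -> bool:
    """Solution 1: regex against the raw (still encoded) header line."""
    return ENCODED_PATTERN.search(header_line) is not None


def matches_decoded_form(header_line: str) -> bool:
    """Solution 2: decode first, then regex against the plain-text subject."""
    decoded = decode_rfc2047(subject_value(header_line))
    return DECODED_PATTERN.search(decoded) is not None


# Constructed sample header lines (not captured mail). "plain" and
# "single_b64" are the forms quoted in the thread; the two "split_*" lines
# carry the same subject as two separate encoded-words.
SAMPLE_HEADERS = {
    "plain": "Subject: Your Amazon.co.uk order #366850967",
    "single_b64": "Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=",
    "split_b64_b64": "Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsg?= =?UTF-8?B?b3JkZXIgIzM2Njg1MDk2Nw==?=",
    "split_b64_q": "Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsg?= =?ISO-8859-1?Q?order_=23366850967?=",
    "benign": "Subject: Re: your invoice for February",
}


def classify_all(headers=SAMPLE_HEADERS):
    """Map each sample name to (encoded-form hit, decode-then-match hit)."""
    return {name: (matches_encoded_form(line), matches_decoded_form(line))
            for name, line in headers.items()}


if __name__ == "__main__":
    for name, (enc, dec) in classify_all().items():
        print(f"{name:14s} encoded-form regex: {str(enc):5s}  decode-then-match: {dec}")
```

Running it shows the encoded-form regex hitting only the single-encoded-word variant, while decode-then-match catches the plain, single and both split variants and leaves the benign subject alone. That gap between the two columns is why an external filter that decodes headers before matching is the more reliable place for this kind of rule.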