body_checks

body_checks = pcre:/etc/postfix/body_checks

# Requires PCRE version 3.

~^[[:alnum:]+/]{60,}$~          OK

Body pattern to stop a specific HTML browser vulnerability exploit (the example from the Postfix header_checks(5) manual). The optional "3D" after each "=" is the quoted-printable encoding of "=", so the rule also fires when the HTML part is QP-encoded; note that this example uses a regexp: table while the files further down need pcre:.

/etc/postfix/main.cf:
    body_checks = regexp:/etc/postfix/body_checks

/etc/postfix/body_checks:
    /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
        REJECT IFRAME vulnerability exploit
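Added example (mine, not code from the page or from the Postfix manual): it runs the iframe rule above against the same tag in its raw form and after quoted-printable encoding, to show what the "(3D)?" groups buy and where a line-at-a-time body check stops working. The HTML snippets and the Content-IDs are constructed; Python's quopri module stands in for the sender's MIME encoder.

```python
"""Why the iframe rule spells '=' as '(3D)?', and the limit of line-by-line
body_checks.  Added example; the HTML below is constructed, not captured."""
import quopri
import re

# The rule from the page.  Postfix regexp/pcre tables match case-insensitively
# by default, so re.IGNORECASE models the default behaviour.
IFRAME_RULE = re.compile(
    r"^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$", re.IGNORECASE)


def qp_lines(html):
    """Quoted-printable encode html as a MIME encoder would and return the body
    lines Postfix sees: '=' becomes '=3D', and anything longer than 76 characters
    is folded with a soft line break (a trailing '=')."""
    return quopri.encodestring(html.encode("ascii")).decode("ascii").splitlines()


def body_matches(lines):
    """True if any single line trips the rule; body_checks never joins lines."""
    return any(IFRAME_RULE.search(line) for line in lines)


# Short tag: stays on one QP line, and the optional 3D groups keep the match.
SHORT = "<iframe src=cid:part1@example.com height=0 width=0>"
# Same tag with a long Content-ID: the encoder folds it over two lines and
# neither fragment satisfies the anchored rule on its own.
LONG = "<iframe src=cid:" + "x" * 60 + "@example.com height=0 width=0>"

if __name__ == "__main__":
    for label, html in (("short", SHORT), ("long", LONG)):
        lines = qp_lines(html)
        print(f"{label}: raw match={body_matches([html])} "
              f"qp match={body_matches(lines)} qp lines={lines}")
```

The second case is the general caveat for every pattern on this page: body_checks inspects one line at a time, so any encoding that splits the signature across lines (QP soft breaks, base64 line boundaries, uuencode rows) defeats an anchored rule, which is why the Postfix documentation positions these checks as a cheap first filter rather than a replacement for a MIME-aware content filter.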

# vi /etc/postfix/body_checks

/^TV[nopqr]....[AB]..A.A/i  REJECT Email with EXE files attached denied

/^M35[GHIJK].`..`..*````/i  REJECT Email with EXE files attached denied

/^[A-Za-z0-9+\/=]{4,76}$/ OK

# Skip pflogsumm report lines

/^ {6,11}\d{1,6}[ km] / OK

/^ {4}blocked using / OK

/^begin\s+\d+\s+.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|com|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$1" filetype not allowed

/<\s*(object\s+data)\s*=/                 REJECT Email with "$1" tags not allowed

/<\s*(script\s+language\s*="vbs")/             REJECT Email with "$1" tags not allowed

/<\s*(script\s+language\s*="VBScript\.Encode")/     REJECT Email with "$1" tags not allowed

# Keyword rules. Postfix matches case-insensitively by default and these are
# unanchored substrings, so /sex/ also rejects Essex, Sussex and sextant and
# /pron/ rejects "prone" and "pronounce". Anchor with \b, or prefer a scoring
# content filter over an outright REJECT, if false positives matter to you.

/Viagra/ REJECT

/pron/ REJECT

/sex/ REJECT

/free money/ REJECT

# "=20" is the quoted-printable encoding of a space. Normal encoders leave
# interior spaces literal, so four of them between lowercase words on one line
# points at a sender encoding every space to slip past keyword filters.

/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT

----------------

https://jimsun.linxnet.com/misc/body_checks.txt

body_checks = pcre:/etc/postfix/body_checks.pcre

# vi body_checks.pcre

# First skip over base 64 encoded text to save CPU cycles.

# Requires PCRE version 3.

~^[[:alnum:]+/]{60,}$~          OK

# Put your own body patterns here.

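Added example (mine, not code from the page, from body_checks.pcre or from the jimsun file): a small model of how Postfix walks a pcre: body_checks table, fed with constructed base64 and uuencoded lines that carry the first bytes of a Windows executable. It covers the EXE rules `^TV[nopqr]....[AB]..A.A` and `^M35[GHIJK].`..`..*```` ` that appear on this page and the two base64 skip rules, and shows why their order matters: the skip rule `~^[[:alnum:]+/]{60,}$~ OK` that body_checks.pcre puts first marks a 64- or 76-character base64 line OK before a rule added under "Put your own body patterns here" ever sees it. The Postfix semantics assumed are those documented in pcre_table(5): first match wins, OK ends the checks for that line, matching is case-insensitive by default and a trailing `/i` toggles that flag, so the `/i` on the EXE rules makes them case-sensitive (base64 is case-sensitive). `[[:alnum:]]` is spelled `[A-Za-z0-9]` because Python's re has no POSIX classes; the DOS header bytes are constructed, not taken from a real binary.

```python
"""Model of a Postfix pcre: body_checks table and the base64/uuencode forms of
an MZ header.  Added example; nothing here is from the original page."""
import base64
import binascii
import re
import struct

# (pattern, flags, action): the rules from this page, escaped for Python's re.
SKIP_B64_60 = (r"^[A-Za-z0-9+/]{60,}$", "", "OK")        # ~^[[:alnum:]+/]{60,}$~ OK
SKIP_B64_76 = (r"^[A-Za-z0-9+/=]{4,76}$", "", "OK")      # /^[A-Za-z0-9+\/=]{4,76}$/ OK
EXE_B64 = (r"^TV[nopqr]....[AB]..A.A", "i", "REJECT Email with EXE files attached denied")
EXE_UU = (r"^M35[GHIJK].`..`..*````", "i", "REJECT Email with EXE files attached denied")

# Order used by the jimsun file: EXE rules first, then skip the rest of the base64.
RULES_EXE_FIRST = [EXE_B64, EXE_UU, SKIP_B64_76]
# Order you get by appending the EXE rules under "Put your own body patterns here"
# in body_checks.pcre, i.e. after the 60+ character base64 skip.
RULES_SKIP_FIRST = [SKIP_B64_60, EXE_B64, EXE_UU]


def compile_rules(rules):
    compiled = []
    for pattern, flags, action in rules:
        # Postfix default is case-insensitive; a /i flag toggles it off again.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        compiled.append((re.compile(pattern, re_flags), action))
    return compiled


def check_line(compiled, line):
    """Action of the first matching rule, or None when nothing matched."""
    for regex, action in compiled:
        if regex.search(line):
            return action
    return None


def check_body(compiled, lines):
    """First REJECT action found over the body lines, or 'accept' if none fired."""
    for line in lines:
        action = check_line(compiled, line)
        if action is not None and action.startswith("REJECT"):
            return action
    return "accept"


def dos_header(e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0):
    """Constructed first 48 bytes of an IMAGE_DOS_HEADER: 'MZ' plus the fields the
    patterns depend on, zero-padded.  Varying e_cblp/e_cp mimics real variants."""
    fields = struct.pack("<HHHHH", e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc)
    return b"MZ" + fields + bytes(48 - 2 - len(fields))


def as_base64_line(data):
    return base64.b64encode(data).decode("ascii")


def as_uuencode_line(data):
    # uuencode emits 45 input bytes per line ('M' length prefix); backtick=True
    # writes zero as '`', the convention the M35 rule on this page expects.
    return binascii.b2a_uu(data[:45], backtick=True).decode("ascii").rstrip("\n")


if __name__ == "__main__":
    exe_first = compile_rules(RULES_EXE_FIRST)
    skip_first = compile_rules(RULES_SKIP_FIRST)
    samples = {
        "base64 MZ, e_cblp=0x90 e_cp=3": as_base64_line(dos_header()),
        "base64 MZ, e_cblp=0x50 e_cp=2": as_base64_line(dos_header(0x50, 2)),
        "uuencode MZ": as_uuencode_line(dos_header()),
        "base64 plain text": as_base64_line(b"Quarterly report attached. Regards, Alice"),
    }
    for name, line in samples.items():
        print(f"{name:32} {line[:16]}...")
        print(f"  EXE rules first : {check_body(exe_first, [line])}")
        print(f"  skip rule first : {check_body(skip_first, [line])}")
```

With the EXE rules first, every MZ line is rejected and the plain-text line is accepted; with the 60-character skip first, the base64 MZ line is accepted because the OK rule claims it, while the uuencoded one is still caught (backticks are not in the skip rule's character class). On a real system the same single-line check is `postmap -q "TVqQAAMAAAAEAAAA..." pcre:/etc/postfix/body_checks`, which prints the action of the first matching rule. Two further limits apply in production: Postfix inspects only the first body_checks_size_limit bytes of the body (default 51200), so an executable after a large benign attachment is not seen, and the patterns look at one line of one encoding at a time, so they complement rather than replace a MIME-aware content filter.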

# vim /etc/postfix/header_checks
# Privacy rules: drop the headers that expose the submitting client's IP address
# and mail software. The table is activated with "header_checks = pcre:/etc/postfix/header_checks"
# in main.cf; IGNORE deletes the header silently (try WARN first to see what would go).
# Caveats: "with ESMTPSA" only matches SASL-authenticated sessions over TLS, an
# authenticated session without TLS is recorded as "with ESMTPA" and keeps its
# Received: line; and the rule also strips matching Received: headers that other
# servers added to relayed mail. header_checks is a cleanup(8) parameter, so to
# limit it to your own submissions give the submission service its own cleanup
# service in master.cf.

/^Received:.*with ESMTPSA/  IGNORE

/^X-Originating-IP:/        IGNORE

/^X-Mailer:/                IGNORE

/^User-Agent:/              IGNORE

# Faruque Ahmed

# WARNING: Use at your own risk! No warranty of suitability or fitness for

# any particular use is expressed or implied.

#

# NOTE: These are PCRE (map type "pcre:") expressions.  Your copy of Postfix

# must have been built with PCRE support for these.

#

# Information on body checks, and other Postfix anti-UCE measures, can

# be found at http://jimsun.LinxNet.com/misc/postfix-anti-UCE.txt.  Also,

# at the bottom of that URL, are references to additional Postfix anti-UCE

# resources.

#

# As per Tom Betz <tbetz-at-pobox-dot-com> in NANAE:

#  I just block everything that is a base-64 starting with this:

#  TVqQAAMAAAAEAAAA

#  It blocks all Windows executables.

# As per *Hobbit* <hobbit-at-avian-dot-orb> in the postfix-users mailing list:

#  These two body_checks regexes detect several real-life observed VARIANTS

#  of winbloze PE headers and are THE most reliable way I've found to nail

#  this stuff:

#     /^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/i  REJECT EXE files denied

#     /^M35[GHIJK].`..`..*````/i           REJECT EXE files denied

# I'll compromise on the first one--making it a cross between Tom's and

# *Hobbit*'s

/^TV[nopqr]....[AB]..A.A/i  REJECT Email with EXE files attached denied

/^M35[GHIJK].`..`..*````/i  REJECT Email with EXE files attached denied

# Skip further analysis of base64-encoded lines

# See: http://www.fourmilab.ch/webtools/base64/rfc1341.html

/^[A-Za-z0-9+\/=]{4,76}$/    OK

# Skip pflogsumm report lines

/^ {6,11}\d{1,6}[ km] /    OK

/^ {4}blocked using /    OK

#

# Generic M$ email-borne worm/trojan/virus protection

#

# Note that this catches uuencoded executables in the email body, *not*

# MIME attachments.

#

# M$-Windoze vulnerable to all these as email-borne viruses/worms/trojans

# Added .ade, .adp, .bas, .cpl, .crt, .hlp, .inf, .ins, .isp, .lnk, .mdb,

# .mde, .msc, .msi, .msp, .mst, .pcd, .reg, .sct, .shs, .url, .vb, and .wsc

# due to:

# http://support.microsoft.com/support/kb/articles/q262/6/31.asp?LN=EN-US&SD=gn&FR=0

# (As of 2003-08-24, this URL appears dead.  Thank you, M$)

# Noel Jones supplied the following two informative URLS:

#  http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631

#  http://www.cknow.com/vtutor/vtextensions.htm

# For .shs vulnerability, see: http://www.pc-help.org/security/scrap.htm

# v2 list: (bat|chm|cmd|com|exe|hta|jse?|pif|scr|sh[bs]|vb[esx]|ws[fh])

# v3 list: Added .asd, .dll, .ocx, .vxd as per Perry E. Metzger

# <perry-at-piermont-dot-com>

# v4 list: Added .386, .asp, .asx, .bin, .cab, .cgi, .cil, .cpe, .cvp, .eml,

# .ex_, .inp, .jar, .keyreg, .mda, .mdw, .mp3, .nte, .nws, .pl, .pm, .pot,

# .pps, .slb, .swf, .swt, .sys, .vir, .vmx, .wmd, .wms, .wmz, .xlw, .xms

# as per Tim Boyer (tim@denmantire.com)

# v5 list: As per "manatworkyes moderator" <devekboy@hotmail.com>

# in firewall-wizards mailing list on Wed Jan 29 10:31:32 2003,

# added: .htr

# v6 list: Missed the following in the M$ bulletin: .app, .csh, .fxp, .ksh,

# .mdt, .ops, .prg.  If .ksh and .csh belong, so does .sh - added.

# v7 list: added .dot, extension for M$ Office templates could possibly

# contain harmful macros.

# v8 list: added .adt, .btm, .cbt, .cla(ss)?, .cs[cs], .drv, .email, .fon,

# .ini, .lib, .mht(m|ml)?, .mso, .obj, .ov., .pgm, .smm.  Expanded .xlw to

# .xl.  (Ref: http://www.cknow.com/vtutor/vtextensions.htm)

# (.doc, .html?, .ppt, .prc, .rtf not added, but probably should be.)

# ("Source" [.asm, .c, .cpp., .pas, .for] seem unlikely to me)

# v8.1 list: Put missing .com in!

# v9 list: added CLSIDs (e.g.: "name.{FBF23B40-E3F0-101B-8488-00AA003E56F8}")

# (Complements of Victor Duchovni and Noel Jones)

# v10 list: added .cbl

#

/^begin\s+\d+\s+.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|com|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/    REJECT ".$1" filetype not allowed

#

# Possibly script embedded in email that attempts to write a .exe that'll

# install a proxy on victim's 'doze PeeCee

# (ref: Message-ID: <40adf117$0$17764$cc9e4d1f@news.dial.pipex.com> in

# news.admin.net-abuse.email)

#

/<\s*(object\s+data)\s*=/            REJECT Email with "$1" tags not allowed

/<\s*(script\s+language\s*="vbs")/        REJECT Email with "$1" tags not allowed

/<\s*(script\s+language\s*="VBScript\.Encode")/    REJECT Email with "$1" tags not allowed

#----------------