header_checks
# vi /etc/postfix/header_checks for Postfix
--
In main.cf:
header_checks = regexp:/etc/postfix/header_checks
header_checks = pcre:/etc/postfix/header_checks
header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
body_checks = pcre:/etc/postfix/body_checks
vi /etc/postfix/header_checks
/^Subject:/ WARN
/^User-Agent:/ IGNORE
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT
/^Received: from 127.0.0.1/ IGNORE
/^Received:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^x-cr-[a-z]*:/ IGNORE
/^Thread-Index:/ IGNORE
/^Subject:/ WARN
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^Received:.*with ESMTPSA/ IGNORE
# Sample For Dropping Headers:
/^X-Sanitizer:/ IGNORE
# do not show Spam tag
/^X-Spam-Status:/ IGNORE
/^X-Spam-Level:/ IGNORE
/^Received:/ IGNORE
/^Message-ID:/ IGNORE
/^X-MimeOLE:/ IGNORE
/^X-MSMail-Priority:/ IGNORE
---------------------------------------------------------------------------------------------
Redirect specific e-mail address sent to a user, to another user
Sent from: user@isp.com
Addressed to: user@ourcompany.com
Result: redirect e-mail to: user2@ourcompany.com.
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
# vi sender_access
sender@otherdomain.com REDIRECT you@yourdomain.com
sender@otherdomain.com REDIRECT you@yourdomain.com | your2@secondomain.com
-----------------------
#cat main.cf
..
header_checks = pcre:/etc/postfix/header_checks
..
#cat /etc/postfix/header_checks
/From:.*@extdomain1.ltd/ REDIRECT specialuser@domain.ltd
------------------------------------
# Sample For Dropping Headers:
#/^Header: IfContains/ IGNORE
/^Received: from 127.0.0.1/ IGNORE
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
# Sample For Dropping Headers:
#/^Header: IfContains/ IGNORE
/^X-Sanitizer:/ IGNORE
/^X-Spam-Status:/ IGNORE
/^X-Spam-Level:/ IGNORE
# Sample For Dropping Headers:
#/^Header: IfContains/ IGNORE
/^Received:/ IGNORE
/^Message-ID:/ IGNORE
/^X-MimeOLE:/ IGNORE
/^X-MSMail-Priority:/ IGNORE
/^Received:.*with ESMTPSA/ IGNORE
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT
/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ IGNORE
/^Subject: .*f[ _\.\*\-]+r[ _\.\*\-]+e[ _\.\*\-]+e/ REJECT Hidden Word 1
# To hide server IP address from headers:
/^Received:\s+.*/ IGNORE
/E-mail Storage Limit Exhausted/ REJECT
/Your email account was recently logged into from another computer/ REJECT
/Update Mail From Admin Server/ REJECT
/Urgent Mail From Server/ REJECT
/mailbox will be terminated after 24 hours/ REJECT
/hot g!rl want you!/ REJECT
/Hi!/ REJECT
/Your E-mail Account storage capacity is low/ REJECT
/The part-time employment/ REJECT
/Rapid-Acting Supplement For Outstanding Results/ REJECT
/Mail From Admin Server/ REJECT
/Urgent Mail From Server/ REJECT
/Your E-mail De-activation/ REJECT
#/invoice/ REJECT -----file attachment types not allowed [invoice]
#/scan/ REJECT -----file attachment types not allowed [scan]
# 550 5.7.1 "file attachment types not allowed" . Please zip and resend.
/my new photo/ REJECT
/Your mailbox is almost full/ REJECT
/account has been Blocked due to system error/ REJECT
/mailbox will be terminated after 24 hours/ REJECT
/Mailbox Will Be Suspended!/ REJECT
/Your Account Will Be Blocked!/ REJECT
/WILL LOSE YOUR EMAIL ADDRESS/ REJECT
/add more MB to your mailbox/ REJECT
/Account will be Suspended soon/ REJECT
/UPGRADE IS FREE OFF CHARGE/ REJECT
/Validate Your Webmail Account/ REJECT
/incoming important 'Message' blocked/ REJECT
/Your account has been renewed/ REJECT
/Minimum Top-up Deposit Now/ REJECT
/account has been Blocked due to system error/ REJECT
/mailbox will be terminated after 24 hours/ REJECT
/Your account has been renewed/ DISCARD
/Your account has been hacked/ REDIRECT junkmail@abc.com
/You need to unlock/ REDIRECT junkmail@abc.com
/almost reached their disk quota/ REDIRECT junkmail@abc.com
/Shutdown email account on/ REDIRECT junkmail@abc.com
/Upgrade Email Quota/ REDIRECT junkmail@abc.com
and in /etc/postfix/header_checks you write:
Postfix: log message from, to and subject
Append the below line in ‘/etc/postfix/header_checks’
/^Subject:/ WARN
/^From:(.*)user005@badspammerdomain.com/ DISCARD #spam Known spammer address
/^From:(.*)Tarot Reading/ DISCARD #spam rule No Tarot reading
# spam rule: redirect all messages from this address
/^From:(.*)someaccount@yahoo.com/ REDIRECT ceo@domainexample.com
/^From:(.*)<(.*)@yahoo.com>(.*)/ REDIRECT monitor@domainexample.com
/^To:(.*)<(.*)@yahoo.com>(.*)/ REDIRECT monitor@domainexample.com
--------------------------------------------
/^From:(.*@)+(.*@)/ HOLD it looks like you are spam
D6CAE2811C34: hold: header From: "imanudin@imanudin.net" <spam@spam.xyz> from unknown[120.xxx.xxx.xx]; from=<spam@spam.xyz> to=<cilox@imanudin.com> proto=ESMTP helo=: it looks like you are spam
Nov 1 23:45:45 myzimbra postfix/cleanup[17284]: D6CAE2811C34: message-id=<c8432028-4616-fcea-2280-699b7e22058e@spam.xyz>
Step:3 Restart the postfix server
#service postfix restart
#postmap /etc/postfix/header_checks
# /^subject: *$/ REJECT Please add subject Line to your mail.
For global configuration /etc/spamassassin/local.cf and for user configuration ~/.spamassassin/user_prefs add:
score MISSING_SUBJECT 30
will block XXX word separated by spaces
/^Subject:.*\b(XXX)\b/ DISCARD
/^Subject:.*viagra/ DISCARD
If an email is sent to bob on my server, forward it to bob’s real email address
/^To: bob@here.com/ REDIRECT bob@there.com
Mime Header Checks : main.cf
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
/name=[^>]*\.(bat|com|exe|dll)/ REJECT file attachment types not allowed
# These were once common in junk mail.
/^Subject: make money fast/ REJECT
/^To: friend@public\.com/ REJECT
Body Filter Map
# First skip over base 64 encoded text to save CPU cycles.
~^[[:alnum:]+/]{60,}$~ OK
# Put your own body patterns here.
-----------------------------------------------------------------------------------------------------------------
/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/header_checks.pcre
/etc/postfix/header_checks.pcre:
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
    ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
    hlp|ht[at]|
    inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
    \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
    ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
    vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
    REJECT Attachment name "$2" may not end with ".$4"
Some very basic anti spam stuff
/^From: "spammer/ REJECT
/^From: "ipupiice@aderispharm.com/ REJECT
/^Subject:.*viagra/ DISCARD
/^Subject: .*Make Money Fast!/ REJECT
#attachments
/^(.*)name=\"(.*)\.(exe|lnk|dll|shs|vbe|hta|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|shm|pif|chm)\"$/ DISCARD
/^(.*)name=(.*)\.(exe|lnk|dll|eml|shs|vbe|hta|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|shm|pif|chm)$/ DISCARD
#cs some more good ones
/^Subject: \{Virus\?\}/ REJECT Bogus antivirus warning (1)
/^Subject: Virus Detected by Network Associates, Inc\. Webshield/ REJECT Bogus antivirus warning (2)
/^Subject: ---- Virus Detected ----$/ REJECT Bogus antivirus warning (3)
/^Subject: Virus detected$/ REJECT Bogus antivirus warning (4)
/^Subject: Virus Alert$/ REJECT Bogus antivirus warning (5)
/^(To|From|Cc|Reply-To):.*@optonline/ REJECT Sorry, your message is probably spam
/^Subject: =\?big5\?/ REJECT Chinese encoding not accepted by this server
/^Subject: =\?EUC-KR\?/ REJECT Korean encoding not allowed by this server
/^Subject: ADV:/ REJECT Advertisements not accepted by this server
/^Subject: =\?Windows-1251\?/ REJECT Russian encoding not allowed by this server
/^Subject: =\?KOI8-R\?/ REJECT Russian encoding not allowed by this server
/^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?/ REJECT Language not accepted by this server as it is probably spam
/[^[:print:]]{8}/ REJECT Sorry, ascii characters only permitted by this server
/^From:.*\@.*\.cn/ REJECT Sorry, Chinese mail not allowed here
http://www.t29.dk/antiantivirus.txt
Then you issue a "postfix reload".
Check and amend message size limit
postconf -n | grep message_size_limit
postconf -d would show the default
Set to 20MB
postconf -e 'message_size_limit = 20971520'
/etc/init.d/postfix restart
Remove error messages from the mailq
mailq | grep MAILER-DAEMON | awk '{print $1}' | tr -d '*!' | postsuper -d -
Remove mail from a sender eg. double-bounces@example.com
mailq | grep double | cut -d" " -f1 | uniq > doubles
cat doubles
cat doubles | wc -l
postsuper -d - < doubles
Check the size of the mail queue:
mailq | tail -15
Display a message in a queue use
postcat <ID> | head -50
Remove all messages containing STRING
for MESSAGE in `grep -R STRING *|awk '{ print substr($3,1,12) }'`; do postsuper -d $MESSAGE; done
Remove all messages containing STRING (When there are subdirectories)
cd /var/spool/postfix/deferred/
for MESSAGE in `grep -R STRING *|awk '{ print substr($3,3,12) }'`; do postsuper -d $MESSAGE; done
Flush queue
postfix flush
or postqueue -f
Re-queue all messages (ie requeue messages in all queues)
postsuper -r ALL
Remove all messages in deferred folder (/var/spool/postfix/deferred)
postsuper -d ALL deferred
Catching errors while changing postfix
Chances are that configuration errors during implementation cause Postfix to bounce legitimate messages. Setting the soft_bounce parameter during integration and reloading the Postfix configuration afterwards prevents Postfix from bouncing legitimate mail during that time:
postconf -e "soft_bounce = yes"
postfix reload
As soon as soft_bounce has been activated Postfix will treat all delivery errors as temporary errors - any client that wants to send messages to Postfix will keep mail in the mailqueue and it will suspend delivery until the soft_bounce parameter has been removed or set to no. Once the integration of amavisd-new into the Postfix delivery process has been completed successfully soft_bounce must be removed or Postfix will not generate bounce messages for legitimate mail.
## Putting messages on hold and releasing ##
Put messages on hold that meet search criteria
mailq |grep "user@domain" |awk '{print $1}'|sed 's/\!//' > t
for MESSAGE in `cat t`; do postsuper -h $MESSAGE; done
Put all messages over 2Mb on hold:
cd /var/spool/postfix/active
for MESSAGE in `find ./ -type f -size +2000k|awk '{ print substr($1,3,12) }'`; do postsuper -h $MESSAGE; done
Release messages on hold that match a criteria
mailq |grep "user@domain" |grep "\!" |awk '{print $1}'|sed 's/\!//' > t
for MESSAGE in `cat t`; do postsuper -H $MESSAGE; done
Check the sizes of the queues:
du -sh /var/spool/postfix/*
Check the amount of inbound messages ie by sending domain in the active queue:
qshape -s active
(leave out -s when you want to check by recipient)
Some tuning options (turning off scanning with amavis):
# Amavis support
# content_filter=amavisfeed:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
data_directory = /var/lib/postfix
# cs Performance tuning
smtpd_error_sleep_time = 0
default_process_limit = 200
maximal_backoff_time = 6000
queue_run_delay = 900
minimal_backoff_time = 600
#disable_dns_lookups = yes
Extract messages from the log file for a user:
cat maillog |grep "Mar 4" |grep -v "127.0.0.1" |grep -i "to="|awk '{print $6}'|tee - |egrep -f - maillog|grep -v "127.0.0.1" |grep -v "removed"
Convert maildir to mbox format
#!/bin/bash
for file in `find /home/user/{current.mdir,new.mbox}/ -type f`
do
cat $file | formail >> mbox
done
This will grab the mdir directory at /home/user/ and convert it to an mbox file at /home/user/new.mbox
Squirrelmail Preferences
http://www.squirrelmail.org/docs/admin/admin-5.html
/^Subject: .*Make Money Fast!/
Header Filter: Searches for the string Make Money Fast! in the Subject line.
/name=[^>]*\.(bat|com|exe|dll)/
MIME-Header Filter: This will match all messages that have attachments whose files end in .bat, .com, .exe or .dll.
/^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
Body Filter: Body pattern to stop a specific HTML browser vulnerability exploit.
/^From: joe@example.com/
Header Filter: Matches all messages sent by joe@example.com.
/^From: .*@example.com/
Header Filter: Matches all messages sent from the example.com domain.
---
# header_checks = pcre:/etc/postfix/header_checks.pcre
# Noel Jones
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/ REJECT ".com" file attachment types not allowed
/^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT
/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|copy|Invoice|scan|document|screensaver|movie)\.zip/ REJECT
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|ace|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed
# *Any* zip file: just log a warning...
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN
---------------------------------------------------------------------
/name=[^>]*\.(bat|com|exe)/ REJECT
/^Subject: .*f[ _\.\*\-]+r[ _\.\*\-]+e[ _\.\*\-]+e/ REJECT Hidden Word 1
/^Subject:.*(fuck|viagra)/ REJECT Dont Bother Sending Rubbish Emails
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/ REJECT ".com" file attachment types not allowed
/^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT
/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|EU|bill|copy|Invoice|scan|screensaver|movie)\.zip/ REJECT
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|app|as[dpx]|ace|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed
# *Any* zip file: just log a warning...
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN
---------------X------------------
/service@gtnexus\.com/ FILTER smtp:[127.0.0.1]:10025
---------------XXXXXXXXXXXXX____________________________________________________________________________________
https://jimsun.linxnet.com/misc/header_checks.txt
Install
# yum -y install pcre-devel pcre
Download
--------------------
# header_checks = pcre:/etc/postfix/header_checks.pcre
# NAME
# header_checks - Postfix built-in content inspection
#
# SYNOPSIS
# header_checks = pcre:/etc/postfix/header_checks
# mime_header_checks = pcre:/etc/postfix/mime_header_checks
# nested_header_checks = pcre:/etc/postfix/nested_header_checks
# body_checks = pcre:/etc/postfix/body_checks
#
# postmap -q "string" pcre:/etc/postfix/filename
# postmap -q - pcre:/etc/postfix/filename <inputfile
#
#
# /etc/postfix/main.cf:
# header_checks = pcre:/etc/postfix/header_checks.pcre
#
# /etc/postfix/header_checks.pcre:
# /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
# hlp|ht[at]|
# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
# \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
# vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
# REJECT Attachment name "$2" may not end with ".$4"
#
# Body pattern to stop a specific HTML browser vulnerability
# exploit.
#
# /etc/postfix/main.cf:
# body_checks = regexp:/etc/postfix/body_checks
#
# /etc/postfix/body_checks:
# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
# REJECT IFRAME vulnerability exploit
#
# SEE ALSO
#
# Generic M$ email-borne worm/trojan/virus protection
#
# M$-Windoze vulnerable to all these as email-borne viruses/worms/trojans
# Added .ade, .adp, .bas, .cpl, .crt, .hlp, .inf, .ins, .isp, .lnk, .mdb,
# .mde, .msc, .msi, .msp, .mst, .pcd, .reg, .sct, .shs, .url, .vb, and .wsc
# due to:
# http://support.microsoft.com/support/kb/articles/q262/6/31.asp?LN=EN-US&SD=gn&FR=0
# (As of 2003-08-24, this URL appears dead. Thank you, M$)
# Noel Jones supplied the following two informative URLS:
# http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# http://www.cknow.com/vtutor/vtextensions.htm
# For .shs vulnerability, see: http://www.pc-help.org/security/scrap.htm
# v2 list: (bat|chm|cmd|com|exe|hta|jse?|pif|scr|sh[bs]|vb[esx]|ws[fh])
# v3 list: Added .asd, .dll, .ocx, .vxd as per Perry E. Metzger
# <perry-at-piermont-dot-com>
# v4 list: Added .386, .asp, .asx, .bin, .cab, .cgi, .cil, .cpe, .cvp, .eml,
# .ex_, .inp, .jar, .keyreg, .mda, .mdw, .mp3, .nte, .nws, .pl, .pm, .pot,
# .pps, .slb, .swf, .swt, .sys, .vir, .vmx, .wmd, .wms, .wmz, .xlw, .xms
# as per Tim Boyer (tim@denmantire.com)
# v5 list: As per "manatworkyes moderator" <devekboy@hotmail.com>
# in firewall-wizards mailing list on Wed Jan 29 10:31:32 2003,
# added: .htr
# v6 list: Missed the following in the M$ bulletin: .app, .csh, .fxp, .ksh,
# .mdt, .ops, .prg. If .ksh and .csh belong, so does .sh - added.
# v7 list: added .dot, extension for M$ Office templates could possibly
# contain harmful macros.
# v8 list: added .adt, .btm, .cbt, .cla(ss)?, .cs[cs], .drv, .email, .fon,
# .ini, .lib, .mht(m|ml)?, .mso, .obj, .ov., .pgm, .smm. Expanded .xlw to
# .xl. (Ref: http://www.cknow.com/vtutor/vtextensions.htm)
# (.doc, .html?, .ppt, .prc, .rtf not added, but probably should be.)
# ("Source" [.asm, .c, .cpp., .pas, .for] seem unlikely to me)
# v9 list: added CLSIDs (e.g.: "name.{FBF23B40-E3F0-101B-8488-00AA003E56F8}")
# (Complements of Victor Duchovni and Noel Jones)
# v10 list: added .cbl
#
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed
# ".com" handled differently as above lines would catch attachments like
# "user@example.com PGP Keys.txt"
# "(\.\S{2,4})?(\?=)?"?(;|$)" terminator idea (modified) compliments of
# Noel Jones
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/ REJECT ".com" file attachment types not allowed
# Disallow message fragmentation, as it will bypass the other tests
# Ref: http://www.securiteam.com/securitynews/5YP0A0K8CM.html
/^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT
# Specific virus/worm/trojan attachments that we cannot block by file
# type/extension (yet?)
#
# Sobig.E: your_details|application|document|screensaver|movie
#
/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/ REJECT
# *Any* zip file: just log a warning...
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN
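The five Content-Disposition/Content-Type rules from the header_checks.pcre listing further up (".com", message/partial, named zip, extension list, any zip) can be exercised offline before they go live. This is an added example, not part of the original notes or of the cited rule file: Python's re module stands in for PCRE, check_header is a hypothetical helper name, and the sample headers are constructed.

```python
import re

# pcre_table defaults: case-insensitive, and "." also matches the newline
# inside a folded (multi-line) header.
FLAGS = re.IGNORECASE | re.DOTALL

CT = r'^Content-(Disposition|Type):\s+'
EXT = (r'386|ad[ept]|ace|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|'
       r'cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|'
       r'fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|'
       r'mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|'
       r'pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|'
       r'vmx|vxd|wm[dsz]|ws[cfh]|xms|'
       r'\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\}')

# (pattern, action, text) in file order; Postfix stops at the first match.
RULES = [
    (CT + r'.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)',
     'REJECT', '".com" file attachment types not allowed'),
    (CT + r'.*?message\/partial\b', 'REJECT', ''),
    (CT + r'.*?(file)?name="?.*?(your_details|application|copy|Invoice|scan|'
          r'document|screensaver|movie)\.zip', 'REJECT', ''),
    (CT + r'.+?(?:file)?name="?.+?\.(' + EXT + r')\b',
     'REJECT', '".$2" file attachment types not allowed'),
    (CT + r'.+?(file)?name="?.+?\.zip\b', 'WARN', ''),
]
COMPILED = [(re.compile(p, FLAGS), a, t) for p, a, t in RULES]


def check_header(header):
    """Return (action, text) of the first matching rule, or None."""
    for rx, action, text in COMPILED:
        m = rx.search(header)
        if m:
            # Substitute $1..$9 with the captured groups, as Postfix does.
            text = re.sub(r'\$(\d)',
                          lambda g: m.group(int(g.group(1))) or '', text)
            return action, text
    return None


# Constructed sample headers (one logical header per entry).
SAMPLES = [
    'Content-Type: application/octet-stream; name="report.exe"',
    'Content-Disposition: attachment;\n\tfilename="invoice.pdf.exe"',
    'Content-Disposition: attachment; filename="user@example.com PGP Keys.txt"',
    'Content-Disposition: attachment; filename="setup.com"',
    'Content-Type: message/partial; id="a1"; number=1; total=3',
    'Content-Type: application/zip; name="passport_scan.zip"',
    'Content-Type: application/zip; name="holiday-photos.zip"',
    'Content-Type: text/plain; charset="utf-8"',
]

if __name__ == '__main__':
    for h in SAMPLES:
        print(repr(h), '->', check_header(h))
```

The "passport_scan.zip" sample is rejected because the named-zip rule is a substring match, which is worth knowing before enabling it. On a live server the same kind of check can be made with the postmap -q form shown in the synopsis above.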