Built-in content inspection introduction

Postfix supports a built-in filter mechanism that examines message header and message body content, one line at a time, before it is stored in the Postfix queue. The filter is usually implemented with POSIX or PCRE regular expressions, as described in the header_checks(5) manual page.

The original purpose of the built-in filter is to stop an outbreak of specific email worms or viruses, and it does this job well. The filter has also helped to block bounced junk email, bounced email from worms or viruses, and notifications from virus detection systems.

Because the built-in filter is optimized for stopping specific worms and virus outbreaks, it has limitations that make it NOT suitable for general junk email and virus detection. For that, you should use one of the external content inspection methods.

Simple method to block email messages by specific headers

In main.cf

header_checks = regexp:/etc/postfix/header_checks

Example file: ‘/etc/postfix/header_checks’

/^From:.*Casino/ REJECT Casino spam detected in headers. Your message was marked as spam. #Rule 1
/^Subject:.*naked/ REJECT Explicit content detected in headers. Your message was marked as spam. #Rule 2

Simple method to block email messages by content (body)

In main.cf:

regexp:/etc/postfix/body_checks

Example file: ‘/etc/postfix/body_checks’

/mdaemon/ REJECT Your email client is used for spam. #Rule 1
/cialis/ REJECT Email messages with drugs are not allowed. #Rule 2
/casino/ REJECT Email messages regarding casino are not allowed. #Rule 3
/search engine registration/ REJECT Nigga. I dont need your fake services. #Rule 4
/thecreativelogos.com/ REJECT Invaders must die #Rule 5

After file creation, you must run ‘postmap filename’ and reload postfix.

Examples:

postmap /etc/postfix/body_checks
postmap /etc/postfix/header_checks

References:
– http://www.postfix.org/BUILTIN_FILTER_README.html
– http://www.postfix.org/BACKSCATTER_README.html
– https://en.wikipedia.org/wiki/Regular_expression