
I'm trying to block some spammer by filtering some fields in the mail header, but it isn't working. The spammer is adding random domains in the headers, but the "user" is always the same, like this: www-data@domain1.com, www-data@domain2 and so on. I don't expect to have anyone sending legitimate mails with the sender name "www-data", so I'm OK if all of them are discarded.

The regex I'm trying to use, which isn't working, is:

/^(From|Return-Path|Reply-To):.*www-data@.*/ DISCARD known spam sender in $1: header: $2

I have other rules also filtering other aspects, like forging my own domain, which is working:

/^(From|Return-Path|Reply-To):.*\b(@mydomain\.com)\b/ DISCARD forged sender address in $1: header: $2

What could I be doing wrong? Thanks!

Daichi42
  • "*I don't expect to have anyone sending legitimate mails with the sender name "www-data"*" unfortunately, they are. Then these scripts/applications get hacked and send spam :) – sebix Aug 18 '17 at 20:27

1 Answer


www-data is the name of a web server user, frequently used for transactional email, for example Wikipedia notifications, so you should consider that you may be blocking legitimate mail as well as mail sent from compromised servers. In any case, you don't usually see it in the From header. More likely it is in the envelope sender and that could be why your regex isn't working - it's looking in the wrong place.

To block envelope senders, add a check_sender_access table in smtpd_sender_restrictions and specify a localpart@ to reject. You don't need to use a regex, although you can if necessary using the pcre: table type.

In regexes, you should escape the @, like \@. Also note that in your first example, there is no pattern $2, because you have only one set of parentheses. For more information, see man 5 postconf, or look at SMTPD_ACCESS_README.

Cedric Knight
  • I really don't expect to receive legitimate mail with that sender name. Our automatic systems use other names, so it's ok to discard those. You were right, I was looking in the wrong place and your hint is what I needed. Thanks a lot! – Daichi42 Aug 22 '17 at 12:50
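
Added illustration of the answer above (not code from the post or from Postfix): a simplified Python model of the access(5) lookup on an envelope sender, showing a "www-data@" table entry matching while the question's header pattern finds nothing in the visible headers. The table path, the sample message and the function names are assumptions made for the example, and the model leaves out parent-domain and address-extension lookups.

```python
import re

# main.cf wiring suggested in the answer (file path is an assumption):
#   smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
# After editing the table, rebuild it with "postmap" on the same file.
SENDER_ACCESS = """\
# pattern      action
www-data@      DISCARD unwanted www-data sender
"""

# The header_checks pattern from the question, kept as posted for comparison.
HEADER_RULE = re.compile(r"^(From|Return-Path|Reply-To):.*www-data@.*")

def load_table(text):
    """Parse 'pattern action' lines, skipping blank lines and comments."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            pattern, action = line.split(None, 1)
            table[pattern.lower()] = action.strip()
    return table

def sender_action(table, sender):
    """Simplified lookup order: full address, then domain, then 'localpart@'."""
    local, _, domain = sender.lower().rpartition("@")
    for key in (f"{local}@{domain}", domain, f"{local}@"):
        if key in table:
            return table[key]
    return "DUNNO"  # no match: the next restriction decides

def header_hits(headers):
    """Return the header lines the question's regex would act on."""
    return [h for h in headers if HEADER_RULE.match(h)]

# Constructed sample: the envelope sender (SMTP MAIL FROM) uses www-data,
# while the headers inside the message show a different address.
ENVELOPE_SENDER = "www-data@domain1.example"
HEADERS = [
    "From: Newsletter <news@domain1.example>",
    "Reply-To: news@domain1.example",
    "Subject: hello",
]

if __name__ == "__main__":
    print("header matches:", header_hits(HEADERS))
    print("envelope action:", sender_action(load_table(SENDER_ACCESS), ENVELOPE_SENDER))
```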