Postfix header_checks using tcp_table and checkdbl.pl script

Postfix implements the header_checks as built-in content inspection classes while receiving mail. Usually the best performance is obtained with pcre (Perl Compatible Regular Expression) tables or slower regexp (POSIX regular expressions). Googling on the net, i’ve found tiny perl script that can queries to dbl.spamhaus.org, multi.surbl.org, black.uribl.com. ( Sahil Tandon wrote it, based on  João Gouveia perl script, i think..)

first download the script

# cd /etc/postfix
# wget http://people.freebsd.org/~sahil/scripts/checkdbl.pl.txt

Rename and make it executable

# mv checkdbl.pl.txt checkdbl.pl
# chmod 755 checkdbl.pl

Edit master.cf add this two lines

127.0.0.1:2526 inet  n       n       n       -       0      spawn
user=nobody argv=/etc/postfix/checkdbl.pl

Make preliminary test, to ensure checkdb.pl sih really spawned and answering our queries

# postfix reload
# telnet 127.0.0.1 2526

Let’s try with Message-ID header (it is real spam in my inbox hehehe)

Trying 127.0.0.1...
Connected to mx.example.com (127.0.0.1).
Escape character is '^]'.
get Message-ID: <243589555829862551ca6a14e9bf5c6b@vldu204.eusensyv.info>
200 REJECT

Reply-To header

Trying 127.0.0.1...
Connected to mx.example.com (127.0.0.1).
Escape character is '^]'.
get reply-to: <software_innovations5@buyinhe.com>
200 REJECT

From header

Trying 127.0.0.1...
Connected to mx.example.com (127.0.0.1).
Escape character is '^]'.
get from: <software_innovations5@buyinhe.com>
200 REJECT

Or we can query by using postmap tool

# postmap -q "from: <software_innovations5@buyinhe.com>" tcp:127.0.0.1:2526
REJECT buyinhe.com, which appears in the 'from' header, is listed on black.uribl.com

We’ve seen that checkdbl.pl realy work as expected, now it’s time to make it realy working in real life.
put this two lines in main.cf

127.0.0.1:2526_time_limit = 3600s
header_checks = tcp:[127.0.0.1]:2526

Reload postfix

# postfix reload

And these are real rejected spam logs made by postfix and checkdbl.pl

Month date 15:15:35 mx.example.com postfix/smtpd[24907]: 152CB30012A: client=unknown[69.162.108.69]
Month date 15:15:35 mx.example.com postfix/cleanup[28392]: 152CB30012A: reject: header Message-ID: <4507031@creditreports.tampocopica.com> from unknown[69.162.108.69]; from=<Nancy@tampocopica.com> to=<example-user@example.com> proto=ESMTP helo=<creditreports.tampocopica.com>: 5.7.1 creditreports.tampocopica.com, which appears in the 'Message-ID' header, is listed on dbl.spamhaus.org
Month date 15:15:35 mx.example.com postfix/cleanup[28392]: 152CB30012A: message-id=<4507031@creditreports.tampocopica.com>
Month date 15:50:04 mx.example.com postfix/smtpd[29412]: 7837130012F: client=unknown[66.90.109.40]
Month date 15:50:05 mx.example.com postfix/cleanup[31734]: 7837130012F: reject: header From: "Personalized-Christmas-Ornaments" <Alicia@diaseven.info> from unknown[66.90.109.40]; from=<Alicia@diaseven.info> to=<example-user@example.com> proto=ESMTP helo=<iyio40.diaseven.info>: 5.7.1 diaseven.info, which appears in the 'From' header, is listed on dbl.spamhaus.org

Month date 14:15:28 mx.example.com checkdbl[22069]: Hit: vldu204.eusensyv.info on dbl.spamhaus.org
Month date 14:17:53 mx.example.com checkdbl[22360]: Hit: buyinhe.com on black.uribl.com

Yes, they are real spammer and rejected. sweet…

You may also want to read these posts:

• Postfix Randomizing Outgoing IP Using TCP_TABLE And Perl
• postfix, integrating memcache as a lookup table using tcp_table
• Postfix, Dynamic OverQuota User Map Script Using Bash And Inotifywait
• Postfix Rotating Outgoing IP Using TCP_TABLE And Perl
• Postfix GeoIP Based Rejections
• Postfix Changing Outgoing IP By Time Interval Using TCP_TABLE And Perl
• Postfix, Omar Kilani’s Memcache Patch Try-Out
• postfix-2.9.20110323 SRC RPM
• postfix-2.8.0-RC3, postfix-2.9.20110118 rpm source
• Postfix Smtp Auth using pam_mysql On Fedora 12