what-objects to block subject-content

Jul 17, 2022
We have defined What objects to block subject content. The Match Field for subject is .*Affäre.*.
This should block all entries that contain "Affäre". Unfortunately, this does not work. Does anyone know why this does not work? Thank you for the information.



Sep 15 13:04:50 mx03 postfix/smtpd[29311]: connect from mail-ed1-f54.google.com[209.85.208.54]
Sep 15 13:04:50 mx03 postfix/smtpd[29311]: Anonymous TLS connection established from mail-ed1-f54.google.com[209.85.208.54]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Sep 15 13:04:51 mx03 postfix/smtpd[29311]: 123F9804BB: client=mail-ed1-f54.google.com[209.85.208.54]
Sep 15 13:04:51 mx03 postfix/cleanup[29313]: 123F9804BB: message-id=<3c678217-b83d-1763-e6d3-66d0cb78d0ed@gmail.com>
Sep 15 13:04:51 mx03 postfix/qmgr[767]: 123F9804BB: from=<hxyzuzz@gmail.com>, size=3515, nrcpt=1 (queue active)
Sep 15 13:04:51 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: new mail message-id=<3c678217-b83d-1763-e6d3-66d0cb78d0ed@gmail.com>#012
Sep 15 13:04:51 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: SA score=1/5 time=0.508 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),GB_FREEMAIL_NUM(1),RCVD_IN_DNSWL_BLOCKED(0.001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Sep 15 13:04:52 mx03 postfix/smtpd[29319]: connect from localhost.localdomain[127.0.0.1]
Sep 15 13:04:52 mx03 postfix/smtpd[29319]: 04DA78225F: client=localhost.localdomain[127.0.0.1], orig_client=mail-ed1-f54.google.com[209.85.208.54]
Sep 15 13:04:52 mx03 postfix/cleanup[29313]: 04DA78225F: message-id=<3c678217-b83d-1763-e6d3-66d0cb78d0ed@gmail.com>
Sep 15 13:04:52 mx03 postfix/qmgr[767]: 04DA78225F: from=<hxyzuzz@gmail.com>, size=4765, nrcpt=1 (queue active)
Sep 15 13:04:52 mx03 postfix/smtpd[29319]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 15 13:04:52 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: accept mail to <xxx@xyz.de> (04DA78225F) (rule: default-accept)
Sep 15 13:04:52 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: processing time: 0.763 seconds (0.508, 0.038, 0)
Sep 15 13:04:52 mx03 postfix/lmtp[29314]: 123F9804BB: to=<xxx@xyz.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.3/0/0.01/0.78, dsn=2.5.0, status=sent (250 2.5.0 OK (C11F1632306D348681))
Sep 15 13:04:52 mx03 postfix/qmgr[767]: 123F9804BB: removed
 
hm - in general I'm quite certain that the match field does work - so here are things that might need to be checked:
* does the rule have a priority at which it actually gets considered (e.g. if all rules with higher priority already accept/block/quarantine the mail, maybe it is just never reached)?
* is the rule configured for the correct direction (inbound, corresponding to mail arriving on port 25 in the default config, or outbound, mail arriving on port 26)?

the output of pmgdb dump (or screenshots of your rules and objects) and the log for a mail in question might help in debugging this further.
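Before walking the rule set, it helps to read the log the way the filter writes it: every pmg-smtp-filter line carries a filter ID, and the decision line names the rule that acted. The Python script below is an added example for this thread, not part of the original post and not PMG's own code. It groups the filter lines by filter ID, records the SpamAssassin score and hits, and ties the filter ID back to the postfix queue ID through the LMTP status line. Only the accept form of the decision line appears in the log above; the script assumes that block and quarantine decisions are logged in the same shape. The name default-accept occurs in the log but in no rule of the pmgdb dump, so a mail that ends there was matched by no configured rule with a final action, which is exactly the priority/direction question from the checklist.

```python
import re

# Sample lines taken from the log posted above (constructed sample for this example,
# shortened to the lines the parser needs).
SAMPLE_LOG = """\
Sep 15 13:04:51 mx03 postfix/smtpd[29311]: 123F9804BB: client=mail-ed1-f54.google.com[209.85.208.54]
Sep 15 13:04:51 mx03 postfix/qmgr[767]: 123F9804BB: from=<hxyzuzz@gmail.com>, size=3515, nrcpt=1 (queue active)
Sep 15 13:04:51 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: new mail message-id=<3c678217-b83d-1763-e6d3-66d0cb78d0ed@gmail.com>#012
Sep 15 13:04:51 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: SA score=1/5 time=0.508 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),FREEMAIL_FROM(0.001),GB_FREEMAIL_NUM(1),SPF_PASS(-0.001)
Sep 15 13:04:52 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: accept mail to <xxx@xyz.de> (04DA78225F) (rule: default-accept)
Sep 15 13:04:52 mx03 pmg-smtp-filter[28007]: C11F1632306D348681: processing time: 0.763 seconds (0.508, 0.038, 0)
Sep 15 13:04:52 mx03 postfix/lmtp[29314]: 123F9804BB: to=<xxx@xyz.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.3/0/0.01/0.78, dsn=2.5.0, status=sent (250 2.5.0 OK (C11F1632306D348681))
"""

FILTER_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<fid>[0-9A-F]+): (?P<rest>.*)$")
NEW_RE = re.compile(r"^new mail message-id=<(?P<mid>[^>]+)>")
SA_RE = re.compile(r"^SA score=(?P<score>-?\d+)/(?P<threshold>\d+) .*hits=(?P<hits>\S*)")
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\(([-0-9.]+)\)")
# The accept line is the form shown in the log; other verbs are assumed to look the same.
DECISION_RE = re.compile(
    r"^(?P<action>\w+) mail to <(?P<rcpt>[^>]+)>(?: \((?P<qid>[0-9A-F]+)\))? \(rule: (?P<rule>[^)]+)\)")
# Postfix hands the mail to the filter over LMTP; the 250 reply carries the filter ID.
LMTP_RE = re.compile(
    r"postfix/lmtp\[\d+\]: (?P<qid>[0-9A-F]+): .*status=sent \(250 [\d.]+ OK \((?P<fid>[0-9A-F]+)\)\)")


def parse_filter_log(text):
    """Group pmg-smtp-filter lines by filter ID and attach the inbound postfix queue ID."""
    mails = {}
    for line in text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            entry = mails.setdefault(m["fid"], {"hits": {}, "decisions": []})
            rest = m["rest"]
            if (n := NEW_RE.match(rest)):
                entry["message_id"] = n["mid"]
            elif (s := SA_RE.match(rest)):
                entry["sa_score"] = int(s["score"])
                entry["sa_threshold"] = int(s["threshold"])
                entry["hits"] = {name: float(val) for name, val in HIT_RE.findall(s["hits"])}
            elif (d := DECISION_RE.match(rest)):
                entry["decisions"].append(
                    {"action": d["action"], "rcpt": d["rcpt"], "queue_id": d["qid"], "rule": d["rule"]})
            continue
        l = LMTP_RE.search(line)
        if l:
            mails.setdefault(l["fid"], {"hits": {}, "decisions": []})["inbound_queue_id"] = l["qid"]
    return mails


def unmatched_mails(mails):
    """Filter IDs whose every decision was default-accept: no configured rule reached a final action."""
    return sorted(fid for fid, e in mails.items()
                  if e["decisions"] and all(d["rule"] == "default-accept" for d in e["decisions"]))


def summarize(mails):
    """One line per filter ID: queue ID, SA score and the rule(s) that decided the mail."""
    lines = []
    for fid, e in mails.items():
        rules = ", ".join(f'{d["action"]} ({d["rule"]})' for d in e["decisions"]) or "no decision logged"
        lines.append(f'{fid} queue={e.get("inbound_queue_id", "?")} '
                     f'score={e.get("sa_score", "?")}/{e.get("sa_threshold", "?")} -> {rules}')
    return lines


if __name__ == "__main__":
    parsed = parse_filter_log(SAMPLE_LOG)
    for line in summarize(parsed):
        print(line)
    print("matched by no rule:", unmatched_mails(parsed))
```

Run it against `journalctl -u pmg-smtp-filter` output or the mail log of the host; any filter ID that shows up in `unmatched_mails` was never caught by a rule, so the next thing to check is the rule's priority, direction and active flag in `pmgdb dump` rather than the regex itself.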
 
I made a mistake with my last statement. I was on the wrong server and wondered why the rule did not apply. Sorry.
However, I still have a question. If I define the following rules in Dangerous Content, the test mails with this content are not blocked. If I define them in Spam, they are blocked.


FOUND WHAT GROUP 8: Dangerous Content
OBJECT 187: From=Kundenservice@.*
OBJECT 188: From=kundenservice@.*
OBJECT 186: subject=.*ADMINISTRATOR.*
OBJECT 105: subject=.*Abnehmen.*
OBJECT 115: subject=.*Achtung.*
OBJECT 190: subject=.*Aff.re
OBJECT 156: subject=.*Aff.re.*
OBJECT 102: subject=.*Bitcoin.*
OBJECT 110: subject=.*Chance.*
OBJECT 114: subject=.*Darlehen.*
OBJECT 118: subject=.*Dates.*
OBJECT 93: subject=.*Dating.*
OBJECT 96: subject=.*EUR.*


FOUND WHAT GROUP 12: Spam (Level 10)
OBJECT 25: Level 10
OBJECT 200: subject=.*ADMINISTRATOR.*
OBJECT 194: subject=.*Abnehmen.*
OBJECT 197: subject=.*Aff.*
OBJECT 198: subject=.*Bitcoin.*
OBJECT 193: subject=.*Chance.*
OBJECT 199: subject=.*Darlehen.*
OBJECT 195: subject=.*Dates.*
OBJECT 196: subject=.*Dating.*
OBJECT 201: subject=.*EURO.*
OBJECT 202: subject=.*Einkaufsgutschein.*
OBJECT 203: subject=.*Erektion.*
OBJECT 204: subject=.*Errektion.*


# pmgdb dump
Found RULE 4 (prio: 98, in, active): Blacklist
FOUND FROM GROUP 2: Blacklist
OBJECT 127: .*24ssd.had.de
OBJECT 58: .*biz
OBJECT 59: .*bo
OBJECT 60: .*br
OBJECT 121: .*buzz
OBJECT 88: .*cam
OBJECT 73: .*cf
OBJECT 46: .*club
OBJECT 57: .*co
OBJECT 122: .*co.kr
OBJECT 123: .*company
OBJECT 124: .*cyou
OBJECT 85: .*ec
OBJECT 47: .*email
OBJECT 78: .*faith
OBJECT 45: .*ga
OBJECT 61: .*gdn
OBJECT 48: .*host
OBJECT 62: .*icu
OBJECT 63: .*id
OBJECT 126: .*in
OBJECT 79: .*jp
OBJECT 64: .*ke
OBJECT 65: .*live
OBJECT 66: .*loan
OBJECT 80: .*me
OBJECT 74: .*ml
OBJECT 87: .*moscow
OBJECT 67: .*mx
OBJECT 129: .*my
OBJECT 75: .*nz
OBJECT 50: .*online
OBJECT 43: .*ovh
OBJECT 89: .*photos
OBJECT 130: .*pk
OBJECT 44: .*pro
OBJECT 68: .*pw
OBJECT 51: .*review
OBJECT 81: .*rs
OBJECT 185: .*ru.com
OBJECT 171: .*shop
OBJECT 52: .*site
OBJECT 56: .*solutions
OBJECT 53: .*space
OBJECT 131: .*store
OBJECT 77: .*tech
OBJECT 76: .*to
OBJECT 54: .*today
OBJECT 55: .*top
OBJECT 69: .*trade
OBJECT 70: .*tw
OBJECT 84: .*tz
OBJECT 83: .*uy
OBJECT 71: .*vn
OBJECT 132: .*vps175053.ovh.net
OBJECT 133: .*vu
OBJECT 72: .*xyz
OBJECT 134: .*za
OBJECT 82: .*zw
OBJECT 135: Kundenservice@enence.com
OBJECT 177: admin@seambee.buzz
OBJECT 175: amartinezv@tlalpan.cdmx.gob.mx
OBJECT 184: info@ciremg.com
OBJECT 41: info@mx2.pkv-finder.online
OBJECT 136: kundenservice@de.loccitane.com
OBJECT 170: kundenservice@dyson.de
OBJECT 174: kundenservice@makita.de
OBJECT 40: mbadasearch@gmail.com
OBJECT 137: mbadsearch@gmail.com
OBJECT 1: nomail@fromthisdomain.com
OBJECT 176: sup@alterne.com
OBJECT 138: 2wheelsparts.com
OBJECT 42: arnetbiz.com.ar
OBJECT 38: co.uk
OBJECT 37: fastbaseinc.com
OBJECT 36: installio.biz.ua
OBJECT 39: rvess.ml
OBJECT 183: shhvip.com
OBJECT 178: tripcul.com
OBJECT 172: visqual.com
FOUND ACTION GROUP 18: Block
OBJECT 31: block message
Found RULE 2 (prio: 96, in, active): Block Viruses
FOUND WHAT GROUP 9: Virus
OBJECT 22: active
FOUND ACTION GROUP 19: Quarantine
OBJECT 32: Move to quarantine.
FOUND ACTION GROUP 20: Notify Admin
OBJECT 33: notify __ADMIN__
Found RULE 3 (prio: 96, out, active): Virus Alert
FOUND WHAT GROUP 9: Virus
OBJECT 22: active
FOUND ACTION GROUP 19: Quarantine
OBJECT 32: Move to quarantine.
FOUND ACTION GROUP 20: Notify Admin
OBJECT 33: notify __ADMIN__
FOUND ACTION GROUP 21: Notify Sender
OBJECT 34: notify __SENDER__
Found RULE 1 (prio: 93, in, active): Block Dangerous Files
FOUND WHAT GROUP 8: Dangerous Content
OBJECT 187: From=Kundenservice@.*
OBJECT 188: From=kundenservice@.*
OBJECT 186: subject=.*ADMINISTRATOR.*
OBJECT 105: subject=.*Abnehmen.*
OBJECT 115: subject=.*Achtung.*
OBJECT 190: subject=.*Aff.re
OBJECT 156: subject=.*Aff.re.*
OBJECT 102: subject=.*Bitcoin.*
OBJECT 110: subject=.*Chance.*
OBJECT 114: subject=.*Darlehen.*
OBJECT 118: subject=.*Dates.*
OBJECT 93: subject=.*Dating.*
OBJECT 96: subject=.*EUR.*
OBJECT 157: subject=.*Einkaufsgutschein.*
OBJECT 92: subject=.*Erektion.*
OBJECT 158: subject=.*Errektion.*
OBJECT 104: subject=.*Fett.*
OBJECT 159: subject=.*Freispiele.*
OBJECT 113: subject=.*Gefahr.*
OBJECT 106: subject=.*Gelenk.*
OBJECT 160: subject=.*Glückwunsch.*
OBJECT 109: subject=.*Gutschein.*
OBJECT 101: subject=.*Konto.*
OBJECT 116: subject=.*Kredit.*
OBJECT 161: subject=.*Löwen.*
OBJECT 111: subject=.*Moment.*
OBJECT 98: subject=.*Online Bankings.*
OBJECT 90: subject=.*Penis.*
OBJECT 94: subject=.*Potenz.*
OBJECT 107: subject=.*Preis.*
OBJECT 189: subject=.*Rekord-Jackpot.*
OBJECT 162: subject=.*Schnarchen.*
OBJECT 91: subject=.*Sex.*
OBJECT 163: subject=.*Super.*
OBJECT 182: subject=.*Traumfigur.*
OBJECT 99: subject=.*Verlosung.*
OBJECT 95: subject=.*Warnung.*
OBJECT 164: subject=.*Zehen.*
OBJECT 165: subject=.*blutjung.*
OBJECT 179: subject=.*brennen.*
OBJECT 166: subject=.*gratis.*
OBJECT 100: subject=.*gratulieren.*
OBJECT 119: subject=.*heiße.*
OBJECT 112: subject=.*hilft.*
OBJECT 181: subject=.*hochdosiert.*
OBJECT 167: subject=.*kostenlos.*
OBJECT 168: subject=.*shoppen.*
OBJECT 117: subject=.*sparen.*
OBJECT 180: subject=.*verbrennen.*
OBJECT 108: subject=.*voegeln.*
OBJECT 97: subject=.*wichtige Mitteilung.*
OBJECT 169: subject=.*wunsch.*
OBJECT 16: content-type=application/javascript
OBJECT 17: content-type=application/x-executable
OBJECT 15: content-type=application/x-java
OBJECT 18: content-type=application/x-ms-dos-executable
OBJECT 14: content-type=application/x-ms-dos-executable
OBJECT 19: content-type=message/partial
OBJECT 20: filename=.*\.(vbs|pif|lnk|shs|shb)
OBJECT 21: filename=.*\.\{.+\}
FOUND ACTION GROUP 15: Remove attachments
OBJECT 28: remove matching attachments
Found RULE 5 (prio: 90, in, active): Modify Header
FOUND ACTION GROUP 13: Modify Spam Level
OBJECT 26: modify field: X-SPAM-LEVEL:__SPAM_INFO__
Found RULE 12 (prio: 87, in+out, inactive): Block Multimedia Files
FOUND WHAT GROUP 6: Multimedia
OBJECT 5: content-type=audio/.*
OBJECT 6: content-type=video/.*
FOUND ACTION GROUP 15: Remove attachments
OBJECT 28: remove matching attachments
FOUND ACTION GROUP 18: Block
OBJECT 31: block message
Found RULE 6 (prio: 85, in, active): Whitelist
FOUND FROM GROUP 3: Whitelist
OBJECT 86: bestellung@echtermann.de
OBJECT 139: info@tumeggy.com
OBJECT 140: jinsong.xiang@shhansi.com
OBJECT 141: jobs@mail.xing.com
OBJECT 142: kontakt@stellenanzeigen.tech
OBJECT 143: lingenthal@theboardroom.de
OBJECT 144: ma.link@freenet.de
OBJECT 2: mail@fromthisdomain.com
OBJECT 145: mailrobot@mail.xing.de
OBJECT 146: natascha.goetz@t-online.de
OBJECT 147: news@mail.xing.com
OBJECT 173: rainerfranz.derks@gmail.com
OBJECT 103: rechnungonline@telekom.de
OBJECT 120: rene-lutz@t-online.de
OBJECT 148: stuetz@berlinale.de
OBJECT 149: thomas.hartenstein@meffert.de
OBJECT 150: viktoria.benning@gmail.com
OBJECT 151: winter@germanwaterpartneship.de
OBJECT 155: bim-berlin.de
OBJECT 152: dzbank.de
OBJECT 154: fbz-kommunikation.de
OBJECT 153: lbbw.de
OBJECT 128: proton.me
FOUND ACTION GROUP 17: Accept
OBJECT 30: accept message
Found RULE 9 (prio: 82, in, active): Block Spam (Level 10)
FOUND WHAT GROUP 12: Spam (Level 10)
OBJECT 25: Level 10
OBJECT 200: subject=.*ADMINISTRATOR.*
OBJECT 194: subject=.*Abnehmen.*
OBJECT 197: subject=.*Aff.*
OBJECT 198: subject=.*Bitcoin.*
OBJECT 193: subject=.*Chance.*
OBJECT 199: subject=.*Darlehen.*
OBJECT 195: subject=.*Dates.*
OBJECT 196: subject=.*Dating.*
OBJECT 201: subject=.*EURO.*
OBJECT 202: subject=.*Einkaufsgutschein.*
OBJECT 203: subject=.*Erektion.*
OBJECT 204: subject=.*Errektion.*
FOUND ACTION GROUP 18: Block
OBJECT 31: block message
Found RULE 8 (prio: 81, in, active): Quarantine/Mark Spam (Level 5)
FOUND WHAT GROUP 11: Spam (Level 5)
OBJECT 24: Level 5
FOUND ACTION GROUP 14: Modify Spam Subject
OBJECT 27: modify field: subject:SPAM: __SUBJECT__
FOUND ACTION GROUP 19: Quarantine
OBJECT 32: Move to quarantine.
Found RULE 7 (prio: 80, in, active): Quarantine/Mark Spam (Level 3)
FOUND WHAT GROUP 10: Spam (Level 3)
OBJECT 23: Level 3
FOUND ACTION GROUP 14: Modify Spam Subject
OBJECT 27: modify field: subject:SPAM: __SUBJECT__
FOUND ACTION GROUP 19: Quarantine
OBJECT 32: Move to quarantine.
Found RULE 10 (prio: 70, out, inactive): Block outgoing Spam
FOUND WHAT GROUP 10: Spam (Level 3)
OBJECT 23: Level 3
FOUND ACTION GROUP 18: Block
OBJECT 31: block message
FOUND ACTION GROUP 20: Notify Admin
OBJECT 33: notify __ADMIN__
FOUND ACTION GROUP 21: Notify Sender
OBJECT 34: notify __SENDER__
Found RULE 11 (prio: 60, out, inactive): Add Disclaimer
FOUND ACTION GROUP 22: Disclaimer
OBJECT 35: disclaimer
 
If I read this correctly (sadly, by not pasting it as code, the indentation that makes this large text at least somewhat readable was lost), this is what the rule does:
Code:
Found RULE 1 (prio: 93, in, active): Block Dangerous Files
  FOUND WHAT GROUP 8: Dangerous Content
    OBJECT 187: From=Kundenservice@.*
    ..... 
 FOUND ACTION GROUP 15: Remove attachments
   OBJECT 28: remove matching attachments
the only action for that rule is to remove the attachments - not to block the mail
(I'd also suggest reconsidering putting subject matches down as 'dangerous content' and using them in the rule called 'block dangerous files'...)

check the reference documentation on the rule system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_mailfilter

I hope this helps!
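The two answers above boil down to three properties of a rule: its priority, its direction, and whether its action is final. The following Python model is an added example for this thread, not PMG's own code. It reduces the rules from the pmgdb dump to the ones that matter here and walks a mail through them. The model assumes what the page and the rule-system documentation imply: rules run in descending priority; inactive rules and rules for the other direction are skipped; objects inside a group are ORed and the FROM and WHAT groups of one rule are ANDed; Accept, Block and Quarantine are final and stop processing; "remove matching attachments" removes only the MIME parts that matched a content-type or filename object and then lets lower-priority rules run. Regexes are applied to the whole field value and case-sensitively, the way the page's own objects (`.*Aff.re.*`) are written; whether PMG ignores case is not stated on the page. The mails, addresses and attachments are constructed.

```python
import re
from dataclasses import dataclass, field, replace

# Simplified model of PMG rule evaluation (added example, not PMG code). The
# assumptions are listed in the lead-in: priority order, direction filter, OR inside a
# group, final vs. non-final actions, whole-field case-sensitive regex matching.

@dataclass
class Mail:
    direction: str        # "in" (port 25 in the default config) or "out" (port 26)
    sender: str
    subject: str
    attachments: list     # [(filename, content_type), ...]
    spam_score: int = 0   # SpamAssassin score, compared against "Level N" objects

@dataclass
class Rule:
    name: str
    priority: int
    direction: str        # "in", "out" or "in+out"
    active: bool
    senders: list = field(default_factory=list)   # FROM objects: regex on the sender address
    what: list = field(default_factory=list)      # WHAT objects: (kind, value)
    actions: list = field(default_factory=list)   # "accept", "block", "quarantine", "remove_matching"

@dataclass
class Verdict:
    final: str = "accept"
    final_rule: str = "default-accept"   # what the log shows when no rule reached a final action
    matched: list = field(default_factory=list)
    removed: list = field(default_factory=list)

FINAL_ACTIONS = {"accept", "block", "quarantine"}

def _hit(pattern, value):
    return re.fullmatch(pattern, value) is not None

def matching_parts(rule, mail):
    """Attachments that match one of the rule's content-type/filename objects."""
    return [fname for fname, ctype in mail.attachments
            if any((kind == "filename" and _hit(val, fname)) or
                   (kind == "content-type" and _hit(val, ctype)) for kind, val in rule.what)]

def rule_matches(rule, mail):
    if not rule.active or mail.direction not in rule.direction.split("+"):
        return False
    if rule.senders and not any(_hit(p, mail.sender) for p in rule.senders):
        return False
    if rule.what:
        header_hit = any((kind == "subject" and _hit(val, mail.subject)) or
                         (kind == "spamlevel" and mail.spam_score >= int(val))
                         for kind, val in rule.what)
        if not header_hit and not matching_parts(rule, mail):
            return False
    return True

def evaluate(rules, mail):
    mail = replace(mail, attachments=list(mail.attachments))   # work on a copy
    verdict = Verdict()
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if not rule_matches(rule, mail):
            continue
        verdict.matched.append(rule.name)
        for action in rule.actions:
            if action == "remove_matching":
                # A subject-only match removes nothing: no part matched a content-type/filename object.
                for fname in matching_parts(rule, mail):
                    mail.attachments = [a for a in mail.attachments if a[0] != fname]
                    verdict.removed.append(fname)
            elif action in FINAL_ACTIONS:
                verdict.final, verdict.final_rule = action, rule.name
                return verdict          # final action: lower-priority rules never run
    return verdict                      # nothing final matched: default-accept

def rules_from_dump():
    """The rules relevant to the thread, reduced from the pmgdb dump above."""
    return [
        Rule("Block Dangerous Files", 93, "in", True,
             what=[("subject", r".*Aff.re.*"), ("content-type", r"application/x-executable"),
                   ("filename", r".*\.(vbs|pif|lnk|shs|shb)")],
             actions=["remove_matching"]),
        Rule("Whitelist", 85, "in", True, senders=[r"mail@fromthisdomain\.com"], actions=["accept"]),
        Rule("Block Spam (Level 10)", 82, "in", True,
             what=[("spamlevel", "10"), ("subject", r".*Aff.*")], actions=["block"]),
        Rule("Block outgoing Spam", 70, "out", False, what=[("spamlevel", "3")], actions=["block"]),
    ]

if __name__ == "__main__":
    rules = rules_from_dump()
    affaere = Mail("in", "hxyzuzz@gmail.com", "Ihre Affäre wartet", [("info.pdf", "application/pdf")])
    print(evaluate(rules, affaere))                                                   # blocked by rule 9
    print(evaluate([r for r in rules if r.name != "Block Spam (Level 10)"], affaere))  # default-accept
    print(evaluate(rules, Mail("in", "a@example.com", "Hello", [("setup.vbs", "application/octet-stream")])))
    print(evaluate(rules, Mail("out", "a@example.com", "Ihre Affäre wartet", [])))     # no inbound rule runs
```

The first run reproduces the thread: "Block Dangerous Files" matches on the subject, strips nothing because no attachment matches a content-type or filename object, and processing continues until "Block Spam (Level 10)" blocks the mail. Without that spam rule the same mail ends at default-accept. The outbound variant shows the direction check from the checklist, and a whitelisted sender at priority 85 is accepted before the block rule at 82 is ever reached.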
 
