# Header Check - Postfix Hits on Date of Forwarded Message



## Ruler2112 (Mar 4, 2010)

I've been developing a series of filters to block spam from being accepted by my mail server.  One of them is as follows in the file referenced by the header_checks parameter in my Postfix main.cf:


```
/^Date: .* 19[0-9][0-9]/ REJECT Please update your computer clock and try again.  SHC01
/^Date: .* 200[0-9]/     REJECT Please update your computer clock and try again.  SHC02
```


It basically looks at the date the system sending the message has set in the message.  If it's before this year, the message is blocked and the person told to update his computer clock, then a rule number for my own use.  This works great at blocking the spam messages that are sent with a date far in the past to make it appear at the top of your inbox.  However, I have run into a problem.

One of my users called me and said he couldn't send a message.  I looked at what he was doing and he was trying to forward a message that he received in mid-2009 to somebody else as an attachment.  The mail server responded with the above message because the _attached_ message has a date set before this year.

Any ideas of how I could prevent a situation like this from happening again?  I just removed the second line (2000-2009) from my header check file as a temporary workaround for the problem, but would very much like to find something permanent that will allow me to block what I want while ignoring the date- & time-stamps on forwarded messages.


----------



## ohauer (Mar 5, 2010)

you can solve this by changing the sequence of the header checks.

postfix defaults

```
postconf -d | grep header_check
 header_checks =
 ...
 nested_header_checks = $header_checks
```

divide you check into two separate files

```
[FILE]# file main.cf[/FILE]
header_checks           = pcre:${config_directory}/header_checks.pcre
                          $nested_header_checks
nested_header_checks    = pcre:${config_directory}/nested_header_checks.pcre
```


```
[FILE]# file header_checks.pcre[/FILE]
/^Date: .* 19[0-9][0-9]/ REJECT Please update your computer clock and try again.  SHC01
/^Date: .* 200[0-9]/     REJECT Please update your computer clock and try again.  SHC02
```


```
[FILE]# file nested_header_checks.pcre[/FILE]
...
/^Return-Path:.*bulk.yahoo.com/     REJECT Yahoo list spam (h20090820)
...
```

This way you don't check the date in the attached mail (nested_header_check).
However If the mail is forwarded with all headers it is possible it contains a date from 200?.
Hint: I increment the date for the check mostly in the second quarter of the year to avoid a hit for the date check.


----------



## Ruler2112 (Mar 8, 2010)

Dude, that is awesome!  That accomplishes the exact thing I was hoping to.  I never knew there was a separate check available for messages nested inside another before...  

From the last line of your message, it sounds like you've done this before.  Would you mind sharing some of your checks?  (I can give you my e-mail address if you'd rather not publicly show spammers how to get around your checks.)  I've just started building sets of regex's to block this crap.


----------

