Rerouting spam or viruses with postfix and SpamAssassin

Go to /etc/mail/spamassassin/local.cf
Add or change this line. You can change THIS_IS_SPAM to any constant, just remember to use the same one in the Postfix header check as well. Spelling counts, so double check it. It will be prepended to the Subject of anything that SA flags as spam.

# Change the subject of suspected spam
rewrite_header subject THIS_IS_SPAM

Go to /etc/postfix/main.cf
Add the following. Postfix uses this table to check or alter the headers of every message passing through the server, so don’t use it for trivial activities.

# Spam
header_checks = regexp:/etc/postfix/header_checks

Go to /etc/postfix/header_checks
Put this at the end. It routes all spam to a catch-all email account.

/^Subject: THIS_IS_SPAM/ REDIRECT spam@yourdomain.tld

Under ideal circumstances, you really don’t want to do this. You want to reject as much spam as possible BEFORE your email server processes it: an invalid HELO, a client impersonating the server (by IP or hostname), clients that are not RFC 2821 compliant, etc. Blacklists are… problematic at times, but shouldn’t be ignored.

This is, however, handy if a) your users don’t have or use email programs with built-in filters (like a Blackberry not tied to a BES) or b) your users are on low-bandwidth lines when they fetch their email.

Additionally, you can add more filtering to header_checks, such as attachment filtering. Lots of folks block .EXE and .VBS. To do so, add the following to /etc/postfix/header_checks (pattern and action on one line; the dot before the extension must be escaped, otherwise it matches any character and rejects mail it shouldn’t):

/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/ REJECT Bad attachment file name extension: $2
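Both rules above live in a Postfix regexp table, and the easiest way to get one wrong is to not know what a pattern actually matches before it goes live. The following is an added example, not part of the original post and not Postfix code: a small Python emulation of how header_checks is applied (pattern and action on one line, case-insensitive matching by default, first match wins per logical header, `$N` expanded from capture groups, folded continuation lines joined). The table text, the mailbox spam@example.invalid, the sample messages and the function names are all constructed for the example; the emulator ignores per-pattern flags and joins folded lines with a single space, which is a simplification of Postfix’s behaviour. It also keeps the unescaped-dot version of the attachment rule only to show that it rejects a harmless PDF named myexec.pdf.

```python
import re

# Constructed header_checks table (not the page's file). Postfix wants the
# pattern and its action on the same line; patterns are searched, not anchored.
HEADER_CHECKS = r"""
# route SpamAssassin-tagged mail to a catch-all mailbox
/^Subject: THIS_IS_SPAM/ REDIRECT spam@example.invalid
# reject executable attachments: the dot is escaped, and the extension must be
# followed by a quote, a separator, whitespace or the end of the header
/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)("|;|[[:space:]]|$)/ REJECT Bad attachment file name extension: $2
"""

# The unescaped-dot variant, kept only to demonstrate the false rejection it causes.
BUGGY_RULE = r"/^content-(type|disposition):.*name[[:space:]]*=.*.(exe|vbs)/ REJECT Bad attachment file name extension: $2"

# /pattern/flags action  (flags are parsed but ignored here; assumption noted in lead-in)
RULE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([imx]*)\s+(\S.*)$")


def parse_table(text):
    """Turn regexp-table text into a list of (compiled_regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        pattern, _flags, action = m.groups()
        # Python's re has no POSIX classes; translate the one these rules use.
        pattern = pattern.replace("[:space:]", r"\s")
        # Postfix regexp tables match case-insensitively unless told otherwise.
        rules.append((re.compile(pattern, re.IGNORECASE), action))
    return rules


def unfold_headers(raw_message):
    """Return the logical header lines, joining folded continuation lines."""
    head = raw_message.split("\n\n", 1)[0]
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()  # simplification: join with one space
        else:
            headers.append(line)
    return headers


def expand(action, match):
    """Substitute $1..$9 in the action text with the rule's capture groups."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", action)


def check_message(raw_message, rules):
    """Apply the table header by header; return the first action that fires, else None."""
    for header in unfold_headers(raw_message):
        for regex, action in rules:
            m = regex.search(header)
            if m:
                return expand(action, m)
    return None


# Constructed sample messages (not real mail).
SPAM = "From: a@example.invalid\nSubject: THIS_IS_SPAM cheap pills\n\nbody\n"
EXE = ("From: a@example.invalid\nSubject: invoice\n"
       "Content-Type: application/octet-stream;\n\tname=\"invoice.exe\"\n\nbody\n")
BENIGN = 'Content-Type: application/pdf; name="myexec.pdf"\n\nbody\n'
DOUBLE = 'Content-Disposition: attachment; filename="notes.exercise.pdf"\n\nbody\n'

if __name__ == "__main__":
    rules = parse_table(HEADER_CHECKS)
    for name, msg in [("spam", SPAM), ("exe", EXE), ("benign", BENIGN), ("double", DOUBLE)]:
        print(f"{name:7s} fixed table -> {check_message(msg, rules)}")
    print(f"benign  buggy rule  -> {check_message(BENIGN, parse_table(BUGGY_RULE))}")
```

On a real server the equivalent check is `postmap -q "Subject: THIS_IS_SPAM" regexp:/etc/postfix/header_checks`, which prints the action Postfix would take for that header line; run it for a few headers you expect to match and a few you expect to pass before enabling the table.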

Some folks use a plain Linux box running postfix as solely a cheap virus/spam/etc filter for their Exchange environment. It’s not a bad idea, especially if you load balance between two or three very thin Linux boxes. Theoretically, you could also use it for cheap mail retention for DR purposes.

If you are not using virtual users/domains, you probably want to use procmail and an individual template .procmailrc (per user).
