Created: April 15th 2017
Last updated: May 1st 2020
Categories: IT Support,  Linux
Author: Marcus Fleuti

[solved] Postfix Server - Filtering Viagra Spam Junk E-Mails with REGEX

Tags:  Antispam,  Debian,  E-Mail,  email,  Junk,  Linux,  Postfix,  regex,  Spam,  Ubuntu,  Viagra

How to filter out viagra e-mails on your mail server using regex

The word "viagra" can be written in many ways, which makes it difficult to build a filter that catches all variations of spam e-mails containing it. We've written a regex that manages to filter out many different kinds of viagra e-mails.

Here's a list of possible kinds of "viagra" terms:

[code]

VIagra
V.i.a.gra
Viiaaagr4
Vi@gra
V i a g r a
V1AGR@
V1agra
VI.A.G.R.A
VIAGR@
Viagra
Viagra
viagr@
VlAGR@
V.l.A.G.R.A
V_iagra
vi.a.g.r.a
Vi-agra
V I A G R A
V1AGRA
VViagra
V.iagra
Viagr a
V.I.A.G.R.A
Via-gra
Vviagra
Viagara
VlAGRA
Vi@gr@
V-i-@-g-r-a
V.IAGRA
V1@GRA
Viagraa
Via.gra
Viagrra
viagra
VIAGRA
Viagr@
Viagra
V%iagra
V|agr@
V,I,A,G,R,A
V.I,A.G,R.A
V iagra
Viagr*a
Vi^agra
V'1'a'g'r'a
Viagraaaaa
Via.graa
V-i-a-g-r-a
Vi.agra
v-i-a-g''r''a
V'l'a'g'r'a
Viagr.a
vit&agra

[/code]

The regex code to detect all these terms

[code]

[v|4]{1,2}(.){0,1}[li1j\!\|]{1,2}(.){0,1}[a4@]{1,2}(.){0,1}[g]{1,2}(.){0,1}[r]{1,2}(.){0,1}[a4@]{1,2}

[/code]

How can this be implemented in Postfix?

That is fairly easy.

  1. Edit your main.cf configuration file (usually found in /etc/postfix/main.cf)
  2. Add the following line (if not yet existing):
    [code]header_checks = pcre:/etc/postfix/header_checks.pcre[/code]
  3. Now create a new file using your favorite editor - in this example we use nano:
    [code]nano /etc/postfix/header_checks.pcre[/code]
  4. Add the following lines to that file:
    [code]/^From:.*\b([v|4]{1,2}(.){0,1}[li1j\!\|]{1,2}(.){0,1}[a4@]{1,2}(.){0,1}[g]{1,2}(.){0,1}[r]{1,2}(.){0,1}[a4@]{1,2})\b.*/                         REJECT          [HEADCHK] Sorry. We do not accept mail from you because of internal spamming policies [Viagra]
    /^Subject:.*(?=.*\b([v|4]{1,2}(.){0,1}[li1j\!\|]{1,2}(.){0,1}[a4@]{1,2}(.){0,1}[g]{1,2}(.){0,1}[r]{1,2}(.){0,1}[a4@]{1,2})\b)(?=.*(urgent|immediate|fast|cheap|sofort|g(.){0,2}nstig(e|es)?|preis|generica)).*/                   REJECT          [HEADCHK] Sorry. We do not accept mail from you because of internal spamming policies [Viagra][/code]
  5. These two lines tell Postfix to reject every e-mail that has any variant of the word "Viagra" in the sender name (the From header), OR that has the word "Viagra" in the subject combined with a trigger word such as immediate, cheap or urgent.
  6. You can extend this rule however you like by adding new trigger words to it.
  7. Exit the file and initialize the database with the following command:
    [code]postmap /etc/postfix/header_checks.pcre[/code]
  8. Restart Postfix. Usually this is not needed after issuing the postmap command, because Postfix automatically re-reads the content of the PCRE database when it is recreated. The restart command depends on the operating system you're using. On Debian/Ubuntu it works like this:
    [code]/etc/init.d/postfix restart[/code]

Let us know if you have any questions or further input regarding this matter.
Enjoy! 🙂

How to test my Regex?

If you want to test if the regex is working properly you can go here: http://regexr.com/
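
An offline way to run the same check, added here as an example and not part of the original post: the script below rebuilds the two rules from step 4 with Python's re module and applies them to constructed header lines. The sample headers, the function names and the use of re.IGNORECASE in place of Postfix's default case handling are assumptions of this example.

```python
import re

# Core pattern and trigger words copied verbatim from the page.
CORE = (r"[v|4]{1,2}(.){0,1}[li1j\!\|]{1,2}(.){0,1}[a4@]{1,2}(.){0,1}"
        r"[g]{1,2}(.){0,1}[r]{1,2}(.){0,1}[a4@]{1,2}")
TRIGGERS = r"(urgent|immediate|fast|cheap|sofort|g(.){0,2}nstig(e|es)?|preis|generica)"

# The two header_checks rules from step 4. re.IGNORECASE stands in for the
# case-insensitive matching Postfix applies to pcre: tables by default.
RULES = [
    re.compile(r"^From:.*\b(" + CORE + r")\b.*", re.IGNORECASE),
    re.compile(r"^Subject:.*(?=.*\b(" + CORE + r")\b)(?=.*" + TRIGGERS + r").*",
               re.IGNORECASE),
]

def verdict(header):
    """Return 'REJECT' if either rule matches the header line, else 'PASS'."""
    return "REJECT" if any(rule.search(header) for rule in RULES) else "PASS"

def core_misses(terms):
    """Return the terms in which the bare pattern finds no match."""
    bare = re.compile(CORE, re.IGNORECASE)
    return [t for t in terms if not bare.search(t)]

# Constructed header lines (not taken from real mail).
SAMPLES = [
    "From: V.i.a.g.r.a Shop <sales@example.com>",   # variant in sender name
    "From: Alice Example <alice@example.com>",      # ordinary sender
    "Subject: Cheap V1agra, fast delivery",         # variant plus trigger word
    "Subject: Viagra study published in journal",   # variant, no trigger word
    "Subject: cheap Vi@gr@ here",                   # variant ends in '@': \b fails
]

# A few spellings taken from the page's list of variants.
TERMS = ["V.i.a.gra", "V1AGR@", "V I A G R A", "V|agr@",
         "Viagraaaaa", "v-i-a-g''r''a", "vit&agra"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(line):6}  {line}")
    print("bare pattern misses:", core_misses(TERMS))
```

On a host with Postfix installed, `postmap -q "Subject: Cheap V1agra, fast delivery" pcre:/etc/postfix/header_checks.pcre` queries the live table with the same input and prints the action of the first matching rule.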

Additional information

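The above rules are matched case-insensitively, as if the ignore-case (/i) flag were set. They are explicitly written to rely on this, because Postfix ignores case in its PCRE config files by default. Note that in a Postfix PCRE table an explicit i flag toggles this default, so appending /i to these rules would make them case-sensitive.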