Re: First Received Header only

2006-10-09 Thread Justin Mason
John Rudd writes: > Justin Mason wrote: > > As Clifton said, this is very similar to what the HELO_DYNAMIC_* ruleset > > does. I strongly recommend taking a look at those and getting your > > head around them to ensure you don't duplicate them... and if you find > > new ones with good hitrates, p

Re: First Received Header only

2006-10-09 Thread John Rudd
Justin Mason wrote: As Clifton said, this is very similar to what the HELO_DYNAMIC_* ruleset does. I strongly recommend taking a look at those and getting your head around them to ensure you don't duplicate them... and if you find new ones with good hitrates, please drop us a line with the rul

Re: First Received Header only

2006-10-09 Thread Justin Mason
[btw the duplication should be fixed since Mon, 09 Oct 2006 05:45:35 - (06:45 IST).] Loren Wilton writes: > > Here's an odd perl question: can you reference $1 and its siblings within > > the regex itself? such as: > > > > /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*($1|$2|$3|$4)\S){2,4}\

Re: First Received Header only

2006-10-08 Thread John Rudd
John D. Hardin wrote: On Sun, 8 Oct 2006, Clifton Royston wrote: This is closely related to the question I was asking a few days ago, and Justin Mason pointed me to the answer: I've now gotten five copies of this message. Is anybody els

Re: First Received Header only

2006-10-08 Thread John D. Hardin
On Sun, 8 Oct 2006, Clifton Royston wrote: > This is closely related to the question I was asking a few days > ago, and Justin Mason pointed me to the answer: > > I've now gotten five copies of this message. Is anybody else getting dupes to

Re: First Received Header only

2006-10-08 Thread John Rudd
Loren Wilton wrote: Here's an odd perl question: can you reference $1 and its siblings within the regex itself? such as: /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*($1|$2|$3|$4)\S){2,4}\S* [^\]]* auth= / You can do it, but it slows down the whole regex system as soon as you have a captu

Re: First Received Header only

2006-10-08 Thread Loren Wilton
Here's an odd perl question: can you reference $1 and its siblings within the regex itself? such as: /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*($1|$2|$3|$4)\S){2,4}\S* [^\]]* auth= / You can do it, but it slows down the whole regex system as soon as you have a capturing regex. Or so I'

Re: First Received Header only

2006-10-08 Thread Clifton Royston
On Sun, Oct 08, 2006 at 02:53:47PM -0700, John Rudd wrote: > Clifton Royston wrote: > > Also, IIRC there's already a set of rules closely related to what > >you're asking, so you can base it off those. Try looking for the > >definition of HELO_DYNAMIC_IPADDR and related rules. > > Yeah, HELO_DYN

Re: First Received Header only

2006-10-08 Thread John D. Hardin
On Sun, 8 Oct 2006, John Rudd wrote: > Right, but if it came from a machine in my network, I don't want > the dynamic IP addr checks to increase the score. Thus, I need to > look at both. If there's anyone in the Trusted pseudo-header, > then don't bother with the checks, basically. Set up a lo

Re: First Received Header only

2006-10-08 Thread John Rudd
Clifton Royston wrote: On Sun, Oct 08, 2006 at 02:53:47PM -0700, John Rudd wrote: Clifton Royston wrote: Also, IIRC there's already a set of rules closely related to what you're asking, so you can base it off those. Try looking for the definition of HELO_DYNAMIC_IPADDR and related rules. Yeah

Re: First Received Header only

2006-10-08 Thread John Rudd
Clifton Royston wrote: On Sun, Oct 08, 2006 at 02:13:19AM -0700, John Rudd wrote: Is there a way to have SpamAssassin look at the first received header only? I want to check certain characteristics of the first received header (for the current relay), like whether or not it looks like a

Re: First Received Header only

2006-10-08 Thread John D. Hardin
On Sun, 8 Oct 2006, John Rudd wrote: > > I assume you have a clear idea of what you mean by "first"? The > > Received header that *your* MTA is adding? The Received header that > > the outermost MTA you trust is adding? > > I mean the topmost header that my MTA is adding. That's the simplest cas

Re: First Received Header only

2006-10-08 Thread Clifton Royston
On Sun, Oct 08, 2006 at 02:13:19AM -0700, John Rudd wrote: > > Is there a way to have SpamAssassin look at the first received header only? > > I want to check certain characteristics of the first received header > (for the current relay), like whether or not it looks like a dyna

Re: First Received Header only

2006-10-08 Thread John Rudd
John D. Hardin wrote: On Sun, 8 Oct 2006, John Rudd wrote: Is there a way to have SpamAssassin look at the first received header only? I assume you have a clear idea of what you mean by "first"? The Received header that *your* MTA is adding? The Received header that the outermo

Re: First Received Header only

2006-10-08 Thread John D. Hardin
On Sun, 8 Oct 2006, John Rudd wrote: > Is there a way to have SpamAssassin look at the first received > header only? I assume you have a clear idea of what you mean by "first"? The Received header that *your* MTA is adding? The Received header that the outermost MTA you trust

First Received Header only

2006-10-08 Thread John Rudd
Is there a way to have SpamAssassin look at the first received header only? I want to check certain characteristics of the first received header (for the current relay), like whether or not it looks like a dynamic hostname, etc., and boost the score based on that. Can I do that with