Recently, one of the idiot tags by some ratware has been using the X-Originating-IP: header in the style of [somdhost.comIP] or similar. Which got me to writing the following:

header __HAS_XOIP exists:X-Originating-IP
describe __HAS_XOIP Header contains X-Originating-IP:

header __INVALID_XOIP X-Originating-IP !~ /\[((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\]/
describe __INVALID_XOIP XOIP header does not have an IP

meta MALFORMED_XOIP __HAS_XOIP && __INVALID_XOIP
describe MALFORMED_XOIP X-Originating-IP: malformed viz ham samples
score MALFORMED_XOIP 2.0

This is based on the fact that a) X-Originating-IP does appear in ham; it seems to be a header tacked on by real hotmail accounts (at least, from my ham). This seems to be an effective test to detect forged "hotmail" headers, and b) I tried to have a regex for a "legitimate" IP.

Is there a way that we can create that as a variable and (re)use it in rules, like (I don't know Perl well) @IPADDRESS or similar? Is this useful, or is there a better way?

Comments welcome and appreciated.

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
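
The rule logic above, replayed over sample messages as an added example (not part of the original post, and written in Python rather than as SpamAssassin configuration). The octet pattern is copied from the posted rule and defined once for reuse; `evaluate`, `make_message`, `hits` and all sample header values are constructed for illustration.

```python
import re
from email import message_from_string

# Octet fragment copied from the post's rule; defined once and reused.
OCTET = r"(?:1?\d\d?|2[0-4]\d|25[0-4])"
BRACKETED_IP = re.compile(r"\[(?:" + OCTET + r"\.){3}" + OCTET + r"\]")

def evaluate(raw_message):
    """Mirror __HAS_XOIP, __INVALID_XOIP and the MALFORMED_XOIP meta rule."""
    values = message_from_string(raw_message).get_all("X-Originating-IP") or []
    has_xoip = bool(values)
    # Invalid means no bracketed dotted quad is found anywhere in the header.
    invalid = not any(BRACKETED_IP.search(v) for v in values)
    # The AND keeps mail without the header from hitting the scored rule.
    return {"__HAS_XOIP": has_xoip, "__INVALID_XOIP": invalid,
            "MALFORMED_XOIP": has_xoip and invalid}

def make_message(xoip=None):
    """Build a constructed test message, optionally with the header."""
    headers = ["From: sender@example.com", "Subject: constructed sample"]
    if xoip is not None:
        headers.append("X-Originating-IP: " + xoip)
    return "\n".join(headers) + "\n\nbody\n"

# Constructed samples: header value (None = header absent).
SAMPLES = {
    "webmail_style": "[192.0.2.44]",
    "hostname_in_brackets": "[somehost.example IP]",
    "no_header": None,
    "octet_out_of_range": "[999.0.2.1]",
    "octet_255": "[192.0.2.255]",   # 25[0-4] stops at 254, so this hits too
    "no_brackets": "192.0.2.44",
}

def hits():
    """Names of the samples on which MALFORMED_XOIP fires."""
    return sorted(n for n, v in SAMPLES.items()
                  if evaluate(make_message(v))["MALFORMED_XOIP"])

if __name__ == "__main__":
    for name in hits():
        print("MALFORMED_XOIP:", name)
```

The `octet_255` and `no_brackets` samples show two behaviours of the posted pattern worth checking against a ham corpus before scoring at 2.0: an octet of 255 is treated as invalid, and an address without square brackets is treated as malformed.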