I've had a rule like this from way back. Works great!

header MY_IP Received =~ /\b(from xxx\.xxx\.xxx\.xxx)\b/i
describe MY_IP Why would I get email from myself?
score MY_IP 1.0

Where xxx is your server IP address. I highly recommend people use this rule. 81 hits in December. It used to be a LOT more.

--Chris

> -----Original Message-----
> From: Pierre Thomson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 14, 2004 2:52 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] a goof-proof (?) test for evil mailers
>
>
> I have noticed that some spam engines (zombies?) use the
> receiving relay's IP address as the HELO name, presumably
> trying to look like a trusted source. I made a simple test
> for this, and it triggers for nearly 10% of inbound spam.
>
> # substitute your relay's numeric IP address for AAA BBB CCC DDD below
>
> header PT_SPOOFME Received =~ /from AAA\.BBB\.CCC\.DDD/
> describe PT_SPOOFME pretending to be from ourselves!
> score PT_SPOOFME 3.0
>
> I can't imagine a configuration where a relay would receive
> mail from itself; that's the definition of a mail loop. (And
> if it did, it would use the loopback interface...) Therefore
> I gave this test a pretty high score. I have been using it
> for at least a month with no FPs.
>
> Does anyone want to run a mass check against a large corpus?
> Has anyone seen a valid sending MTA that behaves this way?
> Improvements?
>
> [BTW, it was neat to see my crude "WORDWORD" test taken to
> pieces. Someone streamlined the regexp, several more tweaked
> it, it got a new name and a second-level test, and now we
> have another weapon against Bayes poison. Keep up the good work!]
>
> Pierre Thomson
> BIC
>
>
>
> # a sample spam header fragment as seen by SA on a box with
> address 64.72.85.5 :
>
> Received: from 64.72.85.5 ([219.248.110.109])
>     by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJC2Z07868
>     for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:12:02 -0500
> Received: from [219.248.110.109] by 3001hosting.comIP with HTTP;
>     Thu, 15 Jan 2004 00:09:43 +0500
>
>
> # and another spam from a different X-mailer:
>
> Received: from 64.72.85.5 (c-24-2-238-98.client.comcast.net
>     [24.2.238.98])
>     by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJM4Z09102
>     for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:22:06 -0500
> Received: from [46.12.70.8] by 64.72.85.5 with SMTP; Wed, 14
>     Jan 2004 05:11:32 -0200
>
>
> # and a valid mail from a known ISP:
>
> Received: from imo-r08.mx.aol.com (imo-r08.mx.aol.com
>     [152.163.225.104])
>     by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJhYZ12005
>     for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:43:34 -0500
> Received: from [EMAIL PROTECTED]
>     by imo-r08.mx.aol.com (mail_out_v36_r4.12.) id
>     r.1e1.1761647e (18555);
>     Wed, 14 Jan 2004 14:41:05 -0500 (EST)
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
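The check Pierre describes, as an added Python example that is not part of this thread: it unfolds the Received: headers and flags a message only when the hop written by our own relay (assumed here to be mail1.rifton.com at 64.72.85.5, the values from the samples above) carries our IP as the HELO name. Comparing the parsed HELO field exactly avoids the unanchored rule's substring match on a neighbouring address such as 64.72.85.50, and restricting the test to our relay's own hop keeps later internal hops, where our address may legitimately follow "from", from firing it; the sample headers are constructed after the fragments quoted in the thread.

```python
import re

# Assumed relay identity, taken from the sample headers quoted in the thread.
OUR_IP = "64.72.85.5"
OUR_RELAY = "mail1.rifton.com"

# The unanchored rule as posted, kept only to show its substring weakness.
NAIVE_RE = re.compile(r"from 64\.72\.85\.5")

# One hop of a Received: header: "from <helo> [(comment)] by <host> ..."
HOP_RE = re.compile(
    r"^from\s+\[?(?P<helo>[^\s\]()]+)\]?(?:\s*\([^)]*\))?\s+by\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE,
)

# Constructed samples, modelled on the fragments quoted in the thread.
SPAM = (
    "Received: from 64.72.85.5 ([219.248.110.109])\n"
    "\tby mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJC2Z07868\n"
    "\tfor <user@example.com>; Wed, 14 Jan 2004 14:12:02 -0500\n"
    "Received: from [219.248.110.109] by 3001hosting.comIP with HTTP;\n"
    "\tThu, 15 Jan 2004 00:09:43 +0500\n"
)
HAM = (
    "Received: from imo-r08.mx.aol.com (imo-r08.mx.aol.com [152.163.225.104])\n"
    "\tby mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJhYZ12005\n"
    "\tfor <user@example.com>; Wed, 14 Jan 2004 14:43:34 -0500\n"
)
NEAR_MISS = (  # a different host whose address merely begins with ours
    "Received: from 64.72.85.50 (mta.example.net [198.51.100.7])\n"
    "\tby mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJzzZ00001\n"
    "\tfor <user@example.com>; Wed, 14 Jan 2004 15:00:00 -0500\n"
)


def received_headers(raw_headers):
    """Unfold continuation lines (RFC 5322) and return every Received: value, top hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [m.group(1).strip()
            for m in re.finditer(r"^Received:[ \t]*(.*)$", unfolded, re.I | re.M)]


def helo_claims_to_be_us(raw_headers, our_ip=OUR_IP, our_relay=OUR_RELAY):
    """Return the hop our relay recorded whose HELO name is our own address, else None."""
    for value in received_headers(raw_headers):
        hop = HOP_RE.match(value)
        # Only the hop our own relay wrote is trustworthy; later internal hops
        # may legitimately show our address after "from".
        if hop and hop.group("by").lower() == our_relay and hop.group("helo") == our_ip:
            return value
    return None
```

The naive pattern fires on NEAR_MISS while the parsed comparison does not, which is the effect of the `\b` anchoring in the MY_IP variant above.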