I found this type of rule to be very helpful in catching 'zombie spam relay' emails from specific 'problem' networks.
The problem I faced with an all-inclusive ban on these networks was that our customers connect to our SMTP servers from all around the world. Banning dynamic, DSL, cable, or dialup connections at the SMTP level was not an option, because that would prevent our customers from establishing a valid SMTP connection to us. Luckily, our SpamAssassin configuration is set up to bypass SpamAssassin processing when a customer has authenticated themselves for the SMTP connection. So 'local to local' and 'local to remote' deliveries are not scanned, and are not affected by these rules. I can safely assume any mail running through SpamAssassin is from a remote sender intended for a local customer.

When SpamAssassin receives an email (at least under my setup), the first line of that email is always the Received line added by our SMTP server. With this in mind, I created a number of rules like this, which are based on the dynamic / cable / dialup / DSL host names of large ISPs:

  describe SKM_SPAM_HOST_3 Received via Insecure Networks - *.user.veloxzone.com.br
  full SKM_SPAM_HOST_3 /^[^\n]+\.user\.veloxzone\.com\.br\b/i
  score SKM_SPAM_HOST_3 0.1

  describe SKM_SPAM_HOST_25 Received via Insecure Networks - *.pool*.interbusiness.it
  full SKM_SPAM_HOST_25 /^[^\n]+\.pool\d+\.interbusiness\.it\b/i
  score SKM_SPAM_HOST_25 0.1

This rule will match hosts like 123-123-123-123.pool54321.interbusiness.it in the first line of the email (which is our SMTP Received line). In my logic, there is no valid reason that a remote sender would connect directly to our SMTP server from their dynamic/DSL/cable IP to send our customers an email ... I think? Valid 'remote to local' emails being sent from these DSL/cable/dialup IPs would normally be relayed via their own network's SMTP server, which would then be delivered to us by a host that didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone who set up an SMTP server on a dynamic IP (which just isn't what valid businesses do ...)? So far I have had 100% spam, 0% ham marked by these rules. Does anyone see any error in this logic? I would like to begin automatically deleting emails that match these rules, but I am curious if there are obscure cases where a non-authenticated SMTP connection (remote to local), delivering a valid email, would be connecting from these dynamic/DSL/cable IPs?

Thanks in advance,
Shane

P.S. If there isn't some sort of error in this logic, I will be happy to post the full set of rules which match the 20-30 major 'zombie relay' networks that we receive spam from.
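To show what the two rules above actually match, here is an added Python re-implementation of their evaluation (not from the post or from SpamAssassin itself). It assumes SpamAssassin's 'full' rules run against the raw message with '^' anchored only at the start, so only the first physical line can match, and uses constructed messages: one from a pool host connecting directly, and one where the same host sent through its ISP's outbound relay.

```python
import re

# Patterns copied from the two SKM rules in the post; no /m flag, so '^' only
# matches at the very start of the raw message (the first Received line).
SKM_RULES = {
    "SKM_SPAM_HOST_3": re.compile(r"^[^\n]+\.user\.veloxzone\.com\.br\b", re.I),
    "SKM_SPAM_HOST_25": re.compile(r"^[^\n]+\.pool\d+\.interbusiness\.it\b", re.I),
}
RULE_SCORE = 0.1  # score given to each SKM rule in the post


def matching_rules(raw_message):
    """Return the names of the SKM rules whose pattern hits the raw message."""
    return [name for name, pat in SKM_RULES.items() if pat.search(raw_message)]


def skm_score(raw_message):
    """Total score contributed by the SKM rules for this message."""
    return RULE_SCORE * len(matching_rules(raw_message))


# Constructed sample: the pool host connects straight to our MX, so our own
# Received line (line 1) names it. Hostnames/IPs are made up (192.0.2.0/24).
DIRECT = (
    "Received: from 123-123-123-123.pool54321.interbusiness.it "
    "(123-123-123-123.pool54321.interbusiness.it [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with SMTP id ABC123\n"
    "\tfor <customer@example.net>; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "From: someone@example.org\n\nbody\n"
)

# Constructed sample: same pool host, but relayed through the ISP's outbound
# server. Line 1 now names the relay; the pool host only appears on a later
# Received line, which the '^' anchor never reaches.
RELAYED = (
    "Received: from smtp-out.interbusiness.it "
    "(smtp-out.interbusiness.it [192.0.2.20])\n"
    "\tby mx.example.net (Postfix) with ESMTP id DEF456\n"
    "\tfor <customer@example.net>; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "Received: from 123-123-123-123.pool54321.interbusiness.it [192.0.2.10]\n"
    "\tby smtp-out.interbusiness.it with ESMTP\n"
    "From: someone@example.org\n\nbody\n"
)

if __name__ == "__main__":
    for label, msg in (("direct", DIRECT), ("relayed", RELAYED)):
        print(label, matching_rules(msg), skm_score(msg))
```

Running it prints the rule name and 0.1 for the direct connection and an empty list with 0.0 for the relayed one, which is the distinction the rules depend on.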