On 7/5/19 1:54 AM, Henrik K wrote: > On Fri, Jul 05, 2019 at 09:50:35AM +0300, Henrik K wrote: >> On Fri, Jul 05, 2019 at 02:42:28AM +0000, David Jones wrote: >>> Maybe allow the RelayCountry check to happen on the msa network or the >>> first relay? >>> >>> Or something like trusted_countries that could provide a limit/boundary >>> to the trust of trusted_networks? >>> >>> Compromised accounts often get abused from foreign/unusual countries. I >>> have meta rules and DWL/DBL for emails combined with RelayCountry but >>> these are useless in this situation. >> >> Perhaps adding new datadata X-Relay-Countries-External would be enough, it >> would check all external IPs (vs untrusted for the default >> X-Relay-Countries). I think it could use useful in this and other >> situations when there are lots of additional trusted networks. >> >> Maybe also the X-Relay-Countries-MSA to check client IPs from msa_networks. >> >> Might even make it to 3.4.3 if KAM wants to delay rc4 just a little bit more. >> :-D > > See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731 >
Thank you Henrik! Very nice and quick work. Depending on how this sorts out, I may have to duplicate all of my existing X-Relay-Countries rules and add these to other meta rules with an "or" but that would be fine. For the sake of others, it would be beneficial if the default behavior of X-Relay-Countries changed to the X-Relay-Countries-MSA. That shouldn't be too much of a change to cause adverse effects since it would still be hitting ALL_TRUSTED and no RBL checks happen. If the RelayCountry.pm plugin was not enabled (default?) then this would result in no change for the majority of SA instances and only enhance those that have enabled it. -- David Jones
