Barry Callahan wrote:
> I'm running SpamAssassin 3.1.0 with sendmail, and I think it's great.
> I'm using milter-spamc to interface with SpamAssassin running as a daemon.
>
> It doesn't /quite/ catch everything, and some (very little, actually)
> SPAM gets through untagged.
>
> I spent some time looking at the SPAM and compared it to the
> legitimate email I receive.
>
> On a large percentage of the SPAM that gets through, the only Received:
> header that exists was put there by my mailserver.
>
> The legitimate email, on the other hand, ALL has at least one additional
> Received: header, OR the machine it was received from is allowed to
> relay mail through the mailserver (either via an entry in the access
> database, or because the IP or machine name matches a line in
> /etc/mail/relay_domains).
>
> So, I was wondering if the following set of logic would be possible to
> implement in SpamAssassin, either as a collection of rules, or a plugin:
>
> IF:
>     The number of Received headers == 0
>     AND
>     Client Server's IP is NOT in /etc/mail/relay_domains (or equivalent)
>     AND
>     Client Server does NOT have an entry in access_db allowing it to
>     relay mail
> THEN:
>     Increase the spam score of the email by a significant amount.
> ELSE:
>     Do nothing. (go to the next rule)
First, I assume that you mean "The number of Received headers == 1" instead of "The number of Received headers == 0".

As for an answer. First, you'd need the AccessDB plugin:

http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_AccessDB.html

But you'd need to customize it. Currently it checks only for failure codes, and does not distinguish between OK and RELAY. This shouldn't be a difficult hack, but it does involve a little perl hacking.

Next you'd have to detect there being a relay other than you. I don't know how to detect the count exactly, but this should suffice. Substitute my_server_name below for your own by-clause server name...

    header RCVD_BY_NOT_ME Received =~ /by (?!my_server_name).{3,100}/i

Then you could meta these together.

Seems like a lot of work however. And for me, most of the "single relay" spam winds up matching RCVD_IN_XBL...
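The following is an added example, not code from either message in the thread, that runs the combined logic discussed above over three constructed messages so the pieces can be checked stand-alone: the reply's RCVD_BY_NOT_ME regex (with the server name escaped), the original poster's "is the connecting client one of my permitted relays" test, and the meta rule that joins them. It is written in Python rather than as SpamAssassin config so it can be executed directly; the server name mx.example.org, the allowed-relay networks (standing in for access_db / relay_domains), the score of 5.0 and all three sample messages are constructed values. One design point a practitioner should keep in mind is built in: only the topmost Received: header was written by your own MTA, so the client address is taken from that header alone, and the lower headers are used only to decide whether another relay was involved.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-ins for the poster's own server name and for the hosts that
# are permitted to relay (what access_db RELAY entries / relay_domains would hold).
MY_SERVER = "mx.example.org"
ALLOWED_RELAYS = [ipaddress.ip_network("192.0.2.10/32"),
                  ipaddress.ip_network("198.51.100.0/24")]
SINGLE_RELAY_SCORE = 5.0  # the poster's "significant amount"; arbitrary here


def rcvd_by_not_me_pattern(my_server):
    """The reply's rule, /by (?!my_server_name).{3,100}/i, with the name escaped."""
    return re.compile(r"by (?!%s).{3,100}" % re.escape(my_server), re.IGNORECASE)


def received_headers(raw_message):
    """All Received: values, topmost first (the topmost is the one our MTA added)."""
    return message_from_string(raw_message).get_all("Received", [])


def client_ip(received_value):
    """Bracketed IPv4 address of the connecting client in one Received: header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_value)
    return m.group(1) if m else None


def is_allowed_relay(ip, allowed=ALLOWED_RELAYS):
    """True if the address falls inside one of our permitted relay networks."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def evaluate(raw_message, my_server=MY_SERVER, allowed=ALLOWED_RELAYS):
    rcvd = received_headers(raw_message)
    # Trust only the topmost Received: for the client address; anything below it
    # arrived with the message and was written by someone else.
    top_client = client_ip(rcvd[0]) if rcvd else None
    # SpamAssassin tests header rules against all Received: values joined by
    # newlines, so the regex is run over the same joined text here.
    not_me = bool(rcvd_by_not_me_pattern(my_server).search("\n".join(rcvd)))
    relay_ok = is_allowed_relay(top_client, allowed)
    # The meta rule from the thread: no hop "by" anyone but us, AND the client
    # is not one of our permitted relays -> add the score.
    fires = len(rcvd) >= 1 and not not_me and not relay_ok
    return {
        "received_count": len(rcvd),
        "rcvd_by_not_me": not_me,
        "client_ip": top_client,
        "client_is_relay": relay_ok,
        "single_relay_untrusted": fires,
        "score_delta": SINGLE_RELAY_SCORE if fires else 0.0,
    }


# Constructed sample messages (sendmail-style folded Received: headers).
DIRECT_FROM_UNKNOWN = """Received: from spammer.example.net ([203.0.113.7])
    by mx.example.org (8.13.8/8.13.8) with SMTP id k3MH1Qab012345
    for <user@example.org>; Sat, 22 Apr 2006 12:01:26 -0400
From: someone@example.net
Subject: hello

body
"""

DIRECT_FROM_RELAY = """Received: from relay.example.org (relay.example.org [192.0.2.10])
    by mx.example.org (8.13.8/8.13.8) with ESMTP id k3MH2Rcd012346
    for <user@example.org>; Sat, 22 Apr 2006 12:05:00 -0400
From: colleague@example.org
Subject: report

body
"""

TWO_HOPS = """Received: from mail.example.com (mail.example.com [203.0.113.50])
    by mx.example.org (8.13.8/8.13.8) with ESMTP id k3MH3Sef012347
    for <user@example.org>; Sat, 22 Apr 2006 12:10:00 -0400
Received: from client.example.com (client.example.com [203.0.113.51])
    by mail.example.com (Postfix) with ESMTP id 1A2B3C
    for <user@example.org>; Sat, 22 Apr 2006 12:09:58 -0400
From: friend@example.com
Subject: lunch

body
"""

if __name__ == "__main__":
    for name, raw in [("direct, unknown client", DIRECT_FROM_UNKNOWN),
                      ("direct, permitted relay", DIRECT_FROM_RELAY),
                      ("two hops", TWO_HOPS)]:
        print(name, evaluate(raw))
```

In SpamAssassin terms this is the reply's `header RCVD_BY_NOT_ME ...` rule plus a meta rule along the lines of `meta SINGLE_RELAY_UNTRUSTED (!RCVD_BY_NOT_ME && !MY_RELAY_OK)` with a `score` line for it, where MY_RELAY_OK is a hypothetical name for whatever rule a customized AccessDB plugin would set when the client has a RELAY entry. Only the first message is scored; the second is excused by the relay list and the third by the extra hop.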