John D. Hardin wrote:
> On Sun, 8 Oct 2006, John Rudd wrote:
>> Is there a way to have SpamAssassin look at the first Received
>> header only?
> I assume you have a clear idea of what you mean by "first"? The
> Received header that *your* MTA is adding? The Received header that
> the outermost MTA you trust is adding?

I mean the topmost header that my MTA is adding. Though, I can see how
the 2nd one might have more generic meaning to a larger SA audience.

>> I want to check certain characteristics of the first Received header
>> (for the current relay), like whether or not it looks like a dynamic
>> hostname, etc., and boost the score based on that. Can I do that with
>> regular rules, or do I need to do that with a plug-in, or what? (or,
>> has someone else already done that?)
> Some of that is already done automatically by SA. That is why you
> define the trust path. But if that's not sufficient:
> There is probably some static information in the desired Received
> header that you can key off, e.g. the "by {hostname}" part:
>
>   header FNORD Received =~ /some_test.*(?:\bby\sfirst\.trusted\.host)/i
>
> ...where you'd vary the some_test part over multiple rules to check
> for different things in the header picked out by the constant
> first.trusted.host hostname part.
> How robust this is will depend on how complex your mail relay chain
> is. If your trusted ISP has lots of exposed mail servers it may be
> difficult to do it this way.

We don't trust any ISP. We trust our internal hosts, and that's it
(and, as soon as I can force the policy change, we won't even trust them;
it will be "do SMTP-AUTH or we treat you like a random host on the
net"). We have 3 scanning hosts that are our MX servers. I suppose the
above might work, as I could have the "first.trusted.host" be
"smtp-prod-mx-?[1-4]\.ucsc\.edu".

Though, some of what I want to do is going to be complex enough that I
may want to do it with a plugin anyway (checking to see if the host's
IP address segments are contained within the hostname). Just looking for
things like "dhcp", "dsl", "dynamic", etc. in the hostname could be done
with the above, though.

'course, now somebody will chime in with a SA facility for doing this
neatly that I'm not aware of, and make me look silly (again)... :)

> Like: is there a pseudo-header available to rules that is the
> outermost Received header in the trust path? If not, then it might be
> a useful addition.

That was my hope (that such a thing existed).
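[Editor's note] The checks discussed above (dynamic-looking tokens in the relay's hostname, the relay's IP octets spelled out in its name) together with the trick of anchoring on the constant "by smtp-prod-mx-..." part, worked through as an added example. It is not part of the thread and not SpamAssassin code: SA would carry this as a Perl plugin or as header rules (its 3.x header rules can also match the parsed relay chain through the X-Spam-Relays-Untrusted pseudo-header), and Python is used here only so the logic can be run and checked in isolation. The MX hostname pattern is the one John Rudd proposes; the Postfix/sendmail "from HELO (rDNS [ip]) by HOST" header shape, the token list, the weights and the sample headers are assumptions constructed for the example.

```python
"""Does the relay named in our own MX's Received header look dynamic?
Added example, not SpamAssassin code; SA would do this as a Perl plugin
or header rules.  Header shape, tokens, weights and samples are assumed."""
import re
from typing import List, NamedTuple, Optional, Tuple

# "by" pattern for our own MX hosts, as proposed in the thread (assumed here).
TRUSTED_BY = re.compile(r"\bby\s+smtp-prod-mx-?[1-4]\.ucsc\.edu\b", re.I)

# Postfix/sendmail-style "from HELO (rDNS [ip]) by HOST" clause, IPv4 only.
# Exim and qmail write other shapes; they are out of scope for this example.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\s*(?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*\)\s+by\s+(?P<by>\S+)",
    re.I,
)

# Tokens named in the thread (dhcp, dsl, dynamic) plus common siblings,
# bounded by non-letters so "dsl" does not fire inside e.g. "dslreports".
DYNAMIC_WORDS = re.compile(
    r"(?<![a-z])(?:dhcp|adsl|dsl|dialup|dynamic|dyn|ppp|pool|cpe|cable)(?![a-z])",
    re.I,
)

# Arbitrary weights chosen for the example.
DYNAMIC_SCORE, IP_IN_NAME_SCORE, NO_RDNS_SCORE = 1.5, 2.0, 1.0


class Relay(NamedTuple):
    helo: str
    rdns: Optional[str]  # None when the MTA wrote "unknown" or omitted it
    ip: str
    by: str


def parse_received(header: str) -> Optional[Relay]:
    """Extract HELO name, reverse-DNS name, IP and receiving host."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    rdns = m.group("rdns")
    if rdns is None or rdns.lower() == "unknown":
        rdns = None
    return Relay(m.group("helo"), rdns, m.group("ip"), m.group("by"))


def ip_in_hostname(ip: str, hostname: str) -> bool:
    """True when the IP, or a run of three of its octets, is spelled out in
    the hostname: decimal (plain or zero-padded, forward or reversed, '.' or
    '-' separated) or as contiguous/dotted hex."""
    octets = ip.split(".")
    host = hostname.lower()
    sep = r"[-.]"
    decimal = []
    for order in (octets, octets[::-1]):
        decimal.append(sep.join(order))                      # 76-182-9-114
        decimal.append(sep.join(o.zfill(3) for o in order))  # 076.182.009.114
        decimal.append(sep.join(order[1:]))                  # 182-9-114
        decimal.append(sep.join(order[:3]))                  # 76-182-9
    if any(re.search(rf"(?<!\d){c}(?!\d)", host) for c in decimal):
        return True
    hexform = r"[-.]?".join(f"{int(o):02x}" for o in octets)  # 4cb60972 / 4c.b6.09.72
    return re.search(rf"(?<![0-9a-f]){hexform}(?![0-9a-f])", host) is not None


def score_relay(relay: Relay) -> Tuple[float, List[str]]:
    """Apply the thread's checks to one parsed relay; return (score, hits).
    Prefer the rDNS name; fall back to the sender-chosen HELO only when the
    MTA recorded no reverse DNS at all."""
    score, hits = 0.0, []
    if relay.rdns is None:
        score += NO_RDNS_SCORE
        hits.append("NO_RDNS")
    name = relay.rdns or relay.helo
    if DYNAMIC_WORDS.search(name):
        score += DYNAMIC_SCORE
        hits.append("DYNAMIC_WORD")
    if ip_in_hostname(relay.ip, name):
        score += IP_IN_NAME_SCORE
        hits.append("IP_IN_NAME")
    return score, hits


def check_message(received_headers: List[str]) -> Optional[Tuple[float, List[str]]]:
    """Score only the topmost Received header written by one of our MX hosts
    (the 'first' header in the thread's sense); lower headers were written by
    relays we do not trust."""
    for header in received_headers:  # message order: topmost first
        if TRUSTED_BY.search(header):
            relay = parse_received(header)
            return score_relay(relay) if relay else None
    return None


# Constructed sample headers (not from a real message), topmost first.
SAMPLE_HEADERS = [
    "from cpe-76-182-9-114.example-isp.net (cpe-76-182-9-114.example-isp.net"
    " [76.182.9.114]) by smtp-prod-mx-2.ucsc.edu (Postfix) with ESMTP id 3A1B2C;"
    " Sun, 8 Oct 2006 12:00:00 -0700",
    "from localhost (localhost [127.0.0.1]) by cpe-76-182-9-114.example-isp.net"
    " (Postfix) with ESMTP id 0001; Sun, 8 Oct 2006 11:59:00 -0700",
]

if __name__ == "__main__":
    print(check_message(SAMPLE_HEADERS))  # (3.5, ['DYNAMIC_WORD', 'IP_IN_NAME'])
```

The point of `check_message` is the one made in the thread: only the header written by a host you operate is trustworthy, so the checks are applied to that header alone and the "by" clause is what selects it. Anything below it, including the second sample header, was written by a machine the sender controls and is ignored.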