Clifton Royston wrote:
> On Sun, Oct 08, 2006 at 02:13:19AM -0700, John Rudd wrote:
>> Is there a way to have SpamAssassin look at the first received header only?
>> I want to check certain characteristics of the first received header
>> (for the current relay), like whether or not it looks like a dynamic
>> hostname, etc., and boost the score based on that. Can I do that with
>> regular rules, or do I need to do that with a plug-in, or what? (or,
>> has someone else already done that?)
>
> This is closely related to the question I was asking a few days ago,
> and Justin Mason pointed me to the answer:
> <http://wiki.apache.org/spamassassin/TrustedRelays>
>
> To check the first received header, you need to make sure that you
> have TrustedNetworks correctly configured, and write your regex to only
> look at the first entry within the 'X-Spam-Relays-Untrusted'
> pseudoheader.
>
> Also, IIRC there's already a set of rules closely related to what
> you're asking, so you can base it off those. Try looking for the
> definition of HELO_DYNAMIC_IPADDR and related rules.

Yeah, HELO_DYNAMIC_IPADDR is interesting. It shows me how to start
looking at what I want to look for. I want to look at the rdns part,
not the helo part (I don't care at all about the helo string) ... but I
can write something from that for the rdns= part of the pseudo-header.
Excellent information, thanks :-)

I'm guessing I need to look at the first segment of
X-Spam-Relays-Untrusted, but ONLY if there's nothing in
X-Spam-Relays-Trusted ... Guess I have to learn how to do meta rules, too.

Here's an odd perl question: can you reference $1 and its siblings
within the regex itself? Such as:

/^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*($1|$2|$3|$4)\S){2,4}\S*
[^\]]* auth= /

If that works, that handles looking for the IP addr in the host name in
_decimal_, but not in hex. If not, then I probably need to go with a
plugin. And I probably need to go with a plugin if I'm going to look
for the hex IP address.

Anyone know how to reference the pseudo-headers from within a plugin? :-}

Right now I do all of this within mimedefang ... but I think I might
want to have it feed the SA score instead. The things I check now are:

1) no rdns (can do with a pseudo-header rule)
2) rdns name is a CNAME not an A record (I'm sure that needs a plugin)
3) rdns name leads to an A record, A record doesn't lead to IP (plugin)
4) rdns name contains any of these strings: catv, cable, dsl, dhcp,
ddns, dial-up, dialup, dynamic, ppp (easy with the pseudo-header rule)
5) rdns name contains 2 or more of the IP address segments (in decimal
or hex format), optionally separated by any single character, with or
without leading zeros. (see above)

Right now, these all lead to SMTP rejections. I'm thinking that, with
SA, though, I'd set the scores as: 4 + (# of those checks that didn't
pass) (so, each rule scores 1, and a meta rule adds 4 if any of them was
triggered). So a total score in the range 5-9. Or maybe just a flat 6.
I haven't decided.

(and I have mimedefang set to SMTP reject anything with a score >= 10;
so these rules themselves wouldn't trigger a rejection, but the more
spammy the message itself is, the more likely the combination would; and
as long as the rest of the SA score isn't negative, these rules alone
would cause it to get put into my quarantine)

BTW: the purpose of this is to catch spambots on dynamic IP addresses,
or in people's homes, etc. So, I make allowances for my own network's
dynamic hosts, and for people who authenticate ... everyone else should
go through their ISP's mail server. The reason I'm moving away from
automatic rejection, though, is that while I absolutely consider this to
be a requirement, some legitimate businesses are stubborn about not
sending their email through their ISP even though their ISP won't give
them a custom PTR record. I'm fine with automatically rejecting those
sites at home, but my users may not be comfortable with me automatically
rejecting them at work. But, at home, it has been _amazingly_ successful.
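As an added example (not from the thread, nor SpamAssassin's own code), here is a stand-alone Perl script that covers check 5 above and the $1 question: it runs the decimal-only pattern with proper backreferences and a hex-aware helper over constructed X-Spam-Relays-Untrusted entries. The relay field layout and all hostnames and addresses are constructed sample data.

```perl
#!/usr/bin/perl
# Added example: does the rdns name embed the connecting IP (check 5)?
use strict;
use warnings;

# Answer to the Perl question: inside a pattern, $1..$4 are interpolated
# from the *previous* successful match, so they cannot name groups of the
# pattern being matched.  Backreferences \1..\4 (or \g{1}..\g{4}) do.
# This is the thread's decimal-only pattern with that one change.
my $decimal_re = qr/^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(?:0*(?:\1|\2|\3|\4)\S){2,4}\S* [^\]]* auth= /;

# Hex needs the octets converted first, which a regex alone cannot do.
# Returns (number of distinct decimal octets found, 1 if the address
# appears as 8 hex digits).  Decimal octets may carry leading zeros but
# must not be part of a longer number ("45" is not found inside "145").
sub ip_in_rdns {
    my ($ip, $rdns) = @_;
    my @o = split /\./, $ip;
    my %seen;
    for my $octet (@o) {
        $seen{$octet}++ if $rdns =~ /(?<!\d)0*\Q$octet\E(?!\d)/;
    }
    my $hex = sprintf '%02x%02x%02x%02x', @o;   # 203.0.113.45 -> cb00712d
    my $hex_hit = $rdns =~ /(?<![0-9a-f])$hex(?![0-9a-f])/i ? 1 : 0;
    return (scalar keys %seen, $hex_hit);
}

# Constructed sample entries (hostnames and address are made up).
my @relays = (
    '[ ip=203.0.113.45 rdns=cpe-203-0-113-45.example.net helo=example.net by=mx.example.com ident= envfrom= intl=0 id=abc auth= msa=0 ]',
    '[ ip=203.0.113.45 rdns=h-cb00712d.example.net helo=example.net by=mx.example.com ident= envfrom= intl=0 id=abc auth= msa=0 ]',
    '[ ip=203.0.113.45 rdns=mail.example.org helo=example.org by=mx.example.com ident= envfrom= intl=0 id=abc auth= msa=0 ]',
);

for my $relay (@relays) {
    my ($ip, $rdns) = $relay =~ /ip=(\S+) rdns=(\S*)/;
    my $dec = $relay =~ $decimal_re ? 'match' : 'no match';
    my ($octets, $hex) = ip_in_rdns($ip, $rdns);
    printf "%-32s decimal regex: %-9s decimal octets: %d  hex form: %d\n",
        $rdns, $dec, $octets, $hex;
}
```

The first entry matches both ways, the second only through the hex helper, and the third not at all, which is why the hex case needs a plugin rather than a plain header rule.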