Robert,
I think what you might find more useful is to look at the "First
Received Header Only" thread on this list from Oct 8th and 9th.
If you write the rule the way you plan to, you'll be checking _every_
received header. That's not good. For example, some end client does an
SMTP-AUTH to their ISP's mail server, mail server sends to you. That's
a good situation, you don't want to flag that. If that same end client
connects to you, THEN you can smack 'em down.
I was thinking about doing this in a plugin, because I have some extra
DNS checks I want to do on that information (be sure the PTR record
points to an A record, be sure that the A record resolves back to the
relaying IP address). Then look to see if the hostname in question
looks like a dynamic hostname.
In particular, you might want to look at variations of this pattern, to
match against the X-Spam-Relays-Untrusted pseudoheader:
/^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*(\1|\2|\3|\4)\S?){2,4}\S* [^\]]* auth= /
/^\[ [^\]]* rdns=\S*(dynamic|dsl|dial-?up|ppp|cable|dhcp|ddns|catv)/
/^\[ [^\]]* rdns=\s/
#1 looks for IP address within the hostname
#2 looks for words that seem like dynamic host names
#3 looks for no PTR record at all
In all 3 cases, the [^\]]* makes sure you don't look past the first
element of the list (so the data obtained from the first received header).
I'd probably assign a score of 4.5 to #1 and #2, and 6 to #3 (but that's
because I want to be sure to flag them as spam, but not exceed a score
of 10 if #1 and #2 are both true ... because I reject at a score >= 10;
if you aren't worried about exceeding 10, then I might assign a score of
5 or 6 to all 3 rules ... keeping in mind that #3 won't happen in
combination with #1 and #2, but #1 and #2 might happen together).
Right now, I don't use SA for this. I use mimedefang. And it rejects
the message outright for this... but some people suggested I might look
into merely quarantining these messages for those few legitimate
businesses who are stuck on a bad ISP, and are too thick headed to use
their ISP's mail server.
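A worked version of the rules above, added here as an example and not part of the original post or of SpamAssassin: it parses only the first element of the X-Spam-Relays-Untrusted pseudoheader, applies the three checks (IP embedded in the rDNS name, dynamic-looking name, no PTR at all) with the 4.5/4.5/6 scores from the post, and adds the PTR-to-A round-trip check the post mentions doing in a plugin. The sample pseudoheader values, the stub DNS tables, the rule names, the auth exemption applied to all three rules and the evaluate() return shape are my own constructions and assumptions; a real plugin would query the resolver instead of the stub tables.

```python
import re

# Constructed sample X-Spam-Relays-Untrusted values (made-up hosts, addresses, ids).
# Each "[ ... ]" element is one relay; the first is the host that connected to us.
SAMPLES = {
    "ip_in_name": "[ ip=192.0.2.77 rdns=host-192-0-2-77.example.net helo=pc by=mx.example.org ident= envfrom= intl=0 id=A1 auth= ]",
    "dynamic":    "[ ip=198.51.100.9 rdns=cable-modem-9.example.net helo=laptop by=mx.example.org ident= envfrom= intl=0 id=A2 auth= ]",
    "no_ptr":     "[ ip=203.0.113.5 rdns= helo=[203.0.113.5] by=mx.example.org ident= envfrom= intl=0 id=A3 auth= ]",
    "clean":      "[ ip=192.0.2.10 rdns=smtp.example.com helo=smtp.example.com by=mx.example.org ident= envfrom= intl=0 id=A4 auth= ]",
    # Client did SMTP-AUTH to its ISP's server, which relayed to us: only the
    # ISP server (first element) is examined, so this must not score.
    "via_isp":    "[ ip=192.0.2.10 rdns=smtp.example.com helo=smtp.example.com by=mx.example.org ident= envfrom= intl=0 id=A5 auth= ] "
                  "[ ip=192.0.2.77 rdns=host-192-0-2-77.example.net helo=pc by=smtp.example.com ident= envfrom= intl=0 id=A6 auth=LOGIN ]",
}

# Constructed stub DNS data for the forward-confirmed rDNS check (assumption:
# a real plugin queries the resolver).  cable-modem-9 deliberately points elsewhere.
STUB_PTR = {"192.0.2.10": ["smtp.example.com"],
            "192.0.2.77": ["host-192-0-2-77.example.net"],
            "198.51.100.9": ["cable-modem-9.example.net"]}
STUB_A = {"smtp.example.com": ["192.0.2.10"],
          "host-192-0-2-77.example.net": ["192.0.2.77"],
          "cable-modem-9.example.net": ["203.0.113.99"]}

# Scores from the post: 4.5 for rules 1 and 2, 6 for rule 3.  Rule names are mine.
SCORES = {"IP_IN_RDNS": 4.5, "DYNAMIC_RDNS": 4.5, "NO_PTR": 6.0}

# Non-greedy up to " ]" (space, bracket) rather than [^\]]*, because a HELO
# literal such as helo=[203.0.113.5] carries a bracket of its own.
FIRST_ELEMENT = re.compile(r"^\[ (.*?) \]")
FIELD = re.compile(r"(\w+)=(\S*)")
DYNAMIC = re.compile(r"dynamic|dsl|dial-?up|ppp|cable|dhcp|ddns|catv", re.I)


def first_relay(pseudoheader):
    """Return the first relay element as a dict of field -> value, or None."""
    m = FIRST_ELEMENT.match(pseudoheader.strip())
    return dict(FIELD.findall(m.group(1))) if m else None


def ip_in_hostname(ip, rdns):
    """Rule 1: at least two octets of the IP occur as digit runs in the name
    (leading zeros ignored, as the 0* in the posted regex allows)."""
    octets = {o.lstrip("0") or "0" for o in ip.split(".")}
    runs = [r.lstrip("0") or "0" for r in re.findall(r"\d+", rdns)]
    return sum(1 for r in runs if r in octets) >= 2


def looks_dynamic(rdns):
    """Rule 2: the rDNS name contains a dynamic/consumer-pool keyword."""
    return DYNAMIC.search(rdns) is not None


def no_ptr(rdns):
    """Rule 3: SpamAssassin found no PTR record (empty rdns= field)."""
    return rdns == ""


def fcrdns_ok(ip, rdns, ptr=STUB_PTR, a=STUB_A):
    """PTR must name the host and that host's A record must contain the IP."""
    return rdns in ptr.get(ip, []) and ip in a.get(rdns, [])


def evaluate(pseudoheader):
    """Apply the three rules to the first relay only and total the score.
    An authenticated first relay (non-empty auth=) is exempt from all three,
    generalising the 'auth= ' tail of the posted rule 1 (my assumption)."""
    relay = first_relay(pseudoheader)
    if relay is None:
        return {"hits": [], "score": 0.0, "fcrdns": None}
    ip, rdns = relay.get("ip", ""), relay.get("rdns", "")
    hits = []
    if not relay.get("auth"):
        if ip_in_hostname(ip, rdns):
            hits.append("IP_IN_RDNS")
        if looks_dynamic(rdns):
            hits.append("DYNAMIC_RDNS")
        if no_ptr(rdns):
            hits.append("NO_PTR")
    return {"hits": hits,
            "score": sum(SCORES[h] for h in hits),
            "fcrdns": fcrdns_ok(ip, rdns)}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10s} {evaluate(value)}")
```

Running it shows the via_isp sample scoring zero even though its second element is the same dynamic-looking client that scores 4.5 on its own, which is the point of looking at the first element only. The FCrDNS result is reported separately rather than scored, since the post gives no score for it.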