existing set: http://wiki.apache.org/spamassassin/VBounceRuleset ;)
--j.

Nick Gilbert writes:
> Hi,
>
> I've been trying to write some SA rules to reject bounce messages which
> I did not send.
>
> I've made a good start, but some bounce messages still get through but I
> don't understand why.
>
> The theory is that viruses and spammers don't seem to use my full e-mail
> address [EMAIL PROTECTED] but change the username part of it and send
> from an address [EMAIL PROTECTED] I would like to reject all bounce
> messages which have arisen from mail sent from [EMAIL PROTECTED] but NOT
> [EMAIL PROTECTED]
>
> This works for about 50% of mail, but I think one serious problem is
> that the line:
>
> header __NICK_BOUNCE_REAL To =~ /[EMAIL PROTECTED]/i
>
> ...matches on the header:
>
> X-MDaemon-Deliver-To: [EMAIL PROTECTED]
>
> Which I'm pretty sure it shouldn't! Why does it think that header is the
> same as a normal To header? Surely it's not scanning for headers simply
> ending in "To"?
>
> My rules are below for comment/improvement but please let me know if
> there's a better way to do this or an existing set of working rules
> somewhere.
>
> Nick...
>
>
> # ---------- BOUNCE DETECTION (stolen from
> # bogus_virus_warnings.cf)---------
> # General rule to indicate bounce or otherwise - used for some other
> # rules
> header __BOUNCE_HEADER X-Is-A-Bounce =~ /.+/
>
> # This won't match for scanning done at SMTP time, at least with Exim
> header __BOUNCE_RP1 Return-Path =~ /^<>$/
>
> # NL says this is added by amavisd-new before passing to SA
> header __BOUNCE_RP2 X-Return-Path =~ /^<>$/
>
> # Mark Martinec says the above is incorrect, and it's X-Envelope-From
> header __BOUNCE_RP3 X-Envelope-From =~ /^<>$/
>
> meta __NULL_SENDER __BOUNCE_HEADER || __BOUNCE_RP1 ||
> __BOUNCE_RP2 || __BOUNCE_RP3
>
> # Thanks to AF
> header __CT_DEL_STATUS Content-Type =~
> /report-type=delivery-status/
>
> meta __NICK_IS_A_BOUNCE __NULL_SENDER || __CT_DEL_STATUS
>
> header __NICK_BOUNCE_REAL To =~ /[EMAIL PROTECTED]/i
> header __NICK_TO_NOT_ME To =~ /[EMAIL PROTECTED]/i
>
> meta NICK_SPOOF_BOUNCE (( __NICK_IS_A_BOUNCE && __NICK_TO_NOT_ME) &&
> (!__NICK_BOUNCE_REAL))
> score NICK_SPOOF_BOUNCE 10
> describe NICK_SPOOF_BOUNCE "Attached bounce contains my address but I
> never sent this!"
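
The rule logic quoted above, modeled in Python as an added example (not part of the original thread and not SpamAssassin's own code): it evaluates the same sub-rules against constructed messages using exact header-name lookup, so an `X-MDaemon-Deliver-To` header cannot satisfy a `To` test. The addresses `nick@example.org` and `@example.org` are assumed placeholders for the redacted ones.

```python
import re
from email.parser import HeaderParser

# Placeholders (assumed): the thread redacts the real addresses.
REAL_ADDR = re.compile(r"\bnick@example\.org", re.I)  # __NICK_BOUNCE_REAL
MY_DOMAIN = re.compile(r"@example\.org", re.I)        # __NICK_TO_NOT_ME
NULL_PATH = re.compile(r"^<>$")
DSN_TYPE = re.compile(r"report-type=delivery-status")

def header_matches(msg, name, pattern):
    """True if a header named exactly `name` (case-insensitive) matches."""
    return any(pattern.search(v) for v in msg.get_all(name, []))

def is_bounce(msg):
    """__NICK_IS_A_BOUNCE: null sender or delivery-status report."""
    null_sender = header_matches(msg, "X-Is-A-Bounce", re.compile(r".+")) or any(
        header_matches(msg, h, NULL_PATH)
        for h in ("Return-Path", "X-Return-Path", "X-Envelope-From"))
    return null_sender or header_matches(msg, "Content-Type", DSN_TYPE)

def spoof_bounce(raw):
    """NICK_SPOOF_BOUNCE: bounce to my domain but not to my real address."""
    msg = HeaderParser().parsestr(raw)
    return (is_bounce(msg) and header_matches(msg, "To", MY_DOMAIN)
            and not header_matches(msg, "To", REAL_ADDR))

# Constructed sample messages (headers only).
SPOOFED = ("Return-Path: <>\n"
           "To: sales@example.org\n"
           "X-MDaemon-Deliver-To: nick@example.org\n"
           "Subject: Undeliverable mail\n\n")
GENUINE = ("Return-Path: <>\n"
           "To: nick@example.org\n"
           "Content-Type: multipart/report; report-type=delivery-status\n\n")
NOT_BOUNCE = ("Return-Path: <someone@example.net>\n"
              "To: sales@example.org\n\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("not a bounce", NOT_BOUNCE)):
        print(f"{name}: NICK_SPOOF_BOUNCE={spoof_bounce(raw)}")
```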