I don't understand the use of an invalid IP address. Additionally, my version of the "ip" command requires syntactically correct dotted decimal ip numbers (Well, who'd a thunk it - it DOES accept the .256 octet. Of course, it goes in as .0)
Dan

# ip address add 20.43.15.256/24 brd + dev eth0 label eth0:mx2
# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:4c:90:05:8d brd ff:ff:ff:ff:ff:ff
    inet 74.254.46.138/27 brd 74.254.46.159 scope global eth0
    inet 20.43.15.0/24 brd 20.43.15.255 scope global eth0:mx2th1
# ip addr del 20.43.15.0 dev eth0
#

-----Original Message-----
From: Raul Dias [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 10:04 PM
To: users@spamassassin.apache.org
Subject: Poor man's high MX spam Trap

Hi,

This is what I did to flag spam that goes to the Highest MX server without having a secondary MX.

First you need a different valid IP address for your SMTP, let's say 20.43.15.256. ;)

Add this ip as an alias to your network interface.

# /sbin/ip address add 20.43.15.256/24 brd + dev eth0 label eth0:mx2

Give the IP address a valid hostname and register it as MX.

....
@ IN MX 10000 mx2.domain.
mx2 IN A 20.43.15.256
...

Not forgetting the reverse:

---
256 IN PTR mx2.domain.
---

And pumping the serials.

Now add a custom header in the SMTP to find which ip address was used. In the case of sendmail this will do in a mc file:

-----------
dnl Custom Headers
LOCAL_CONFIG
HX-Name-Your-Header-Here: ${if_addr}
--------

At this point you will have a fake high MX and the messages will be flagged by the ip used on the connection.

Now write your rule:

-----
header MX_TRAP X-Name-Your-Header-Here =~ /20\.43\.15\.256/
describe MX_TRAP Message sent to the MX trap
score MX_TRAP 4
-----

Of course, adjust the score accordingly. After much testing, I never got a HAM in the high MX.

In case you want to monitor what is being flagged, if you use procmail, you can try:

------------
# High MX trap
:0 c
* ^X-Name-Your-Header-Here: 20\.43\.15\.256
/path/to/somewhere/mx2.mbox
-----------

This will create a copy of every hit in the high MX even if not using SA to catch it yet. So you may decide on how to proceed after checking it out with some MUA, like mutt.

This is not the most elegant solution. As this accomplished what I needed I stopped here. A better solution would be to write a plugin that could check the high mx ip via Net::DNS for example (something like WrongMX does). However, after taking all non-SA steps, the hand-made rule is faster.

-Raul Dias
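
Added example, not part of the original thread or of SpamAssassin: a Python sketch of the monitoring step that reads the custom interface header and compares it as a parsed IP address, next to an unanchored pattern match, to show where the two disagree. The 192.0.2.x addresses (documentation range) stand in for the post's placeholder trap address, and the sample messages and function names are constructed for illustration.

```python
import email
import ipaddress
import re

TRAP_HEADER = "X-Name-Your-Header-Here"          # header name used in the post
TRAP_ADDR = ipaddress.ip_address("192.0.2.25")   # constructed stand-in for the trap MX address
UNANCHORED = re.compile(r"192\.0\.2\.25")        # pattern match with no anchors

# Constructed sample messages: the header records the interface that accepted the mail.
SAMPLES = [
    "From: a@example.org\nX-Name-Your-Header-Here: 192.0.2.10\nSubject: primary MX\n\nbody\n",
    "From: b@example.net\nX-Name-Your-Header-Here: 192.0.2.25\nSubject: trap MX\n\nbody\n",
    "From: c@example.com\nX-Name-Your-Header-Here: 192.0.2.250\nSubject: other alias\n\nbody\n",
    "From: d@example.org\nSubject: header missing\n\nbody\n",
]

def interface_addr(raw_message):
    """Return the address recorded in the trap header, or None if absent or unparsable."""
    value = email.message_from_string(raw_message).get(TRAP_HEADER)
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def hit_trap(raw_message):
    """Exact comparison: true only when the mail arrived on the trap address itself."""
    return interface_addr(raw_message) == TRAP_ADDR

def pattern_hit(raw_message):
    """Unanchored pattern match on the raw header value, for comparison."""
    value = email.message_from_string(raw_message).get(TRAP_HEADER, "")
    return bool(UNANCHORED.search(value))

def summarize(messages):
    """List the From addresses flagged by each method."""
    sender = lambda raw: email.message_from_string(raw)["From"]
    return {
        "exact": [sender(m) for m in messages if hit_trap(m)],
        "pattern": [sender(m) for m in messages if pattern_hit(m)],
    }

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

The pattern match also flags the message received on 192.0.2.250, because the trap address is a prefix of that string; the parsed comparison flags only the trap interface.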