In pseudocode...

IF (message is a recognizable bounce || message is from <>)...

AND (we can guess the domain being sent to (can't trust the "to" header, but maybe the X-Envelope-To or some MTA token?))

AND the domain being sent TO supports SPF and/or DKIM...(i.e. implying a misdirected bounce)

Score a compound rule hit.

My logic here is that I would eventually like to compile an rfc-ignorant list of the senders of such bounces, and aid them in not SENDING such bounce messages, or at the very least, set up a ruleset in the future to block bounces from them, based on a low signal/noise ratio.

I am not trying at all to claim that this should be something SCORABLE, immediately: I don't think SA's detection of legitimate bounce messages versus illegitimate bounce messages is good enough (please feel free to tell me differently).

-Dan Mahoney

--

"GO HOME AND COOK!!!"

Donielle Cocossa, Taco Bell, 2:30 AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

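The compound condition from the pseudocode above, as an added Python sketch that is not part of the original post and is not SpamAssassin code. It checks SPF only, because a DKIM key cannot be found from the domain alone without knowing a selector. The function names, the `SAMPLE_TXT` table that stands in for DNS, and the sample message are assumptions constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed TXT records standing in for live DNS answers (assumption).
SAMPLE_TXT = {
    "spf-user.example": ["site-verification=constructed", "v=spf1 mx -all"],
    "no-spf.example": ["unrelated text record"],
}

# Constructed sample: a bounce delivered to a domain that never sent the mail.
BOUNCE = """\
Return-Path: <>
X-Envelope-To: forged-sender@spf-user.example
From: MAILER-DAEMON@relay.example
To: someone-else@elsewhere.example
Subject: Undelivered Mail Returned to Sender

Your message could not be delivered.
"""

def lookup_txt(domain):
    """Hypothetical resolver hook; replace with a real DNS TXT query."""
    return SAMPLE_TXT.get(domain.lower(), [])

def is_bounce(msg):
    """Null return path, a DSN content type, or a MAILER-DAEMON sender."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status"):
        return True
    return parseaddr(msg.get("From", ""))[1].lower().startswith("mailer-daemon@")

def envelope_domain(msg, headers=("X-Envelope-To",)):
    """Recipient domain from an MTA-added header, never from To:."""
    for name in headers:
        addr = parseaddr(msg.get(name, ""))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None

def publishes_spf(domain, resolver=lookup_txt):
    """True when any TXT record for the domain is an SPF version 1 record."""
    return any(t.lower().split(" ")[0] == "v=spf1" for t in resolver(domain))

def misdirected_bounce(raw, resolver=lookup_txt):
    """Compound condition: bounce AND known recipient domain AND SPF published."""
    msg = email.message_from_string(raw)
    domain = envelope_domain(msg)
    return bool(is_bounce(msg) and domain and publishes_spf(domain, resolver))
```

A hit means only that the recipient domain publishes SPF, so the bounce sender could have rejected the forgery at SMTP time; it does not prove the bounce itself is illegitimate.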