Matt Kettler writes:
> .rp wrote:
> > One of the users (actually the boss) had the email address harvested and we
> > got clobbered by backscatter. Looking at the emails of the various 'unable
> > to deliver' type messages, I saw what these could be filtered on, but don't
> > know how to write up and implement the rule outside of procmail. I don't
> > want to use procmail for this since I think it would be an expensive
> > routine for procmail to run.
> >
> > In the body of the 'unable to deliver' message, the original message is
> > quoted. One of the lines quoted is the Message-ID: header from the
> > original. The format of this line is always wrong as it does not contain
> > the FQDN that our server appends to the end of the hash number, following
> > the '@' symbol.
> >
> > So, need a rule that would parse the "Message-ID:" in the body (or
> > attachment) and not header, and look for the @FQDN
> > Is this rule already out in the wild?
>
> (note: your To: was the bogofilter list, but this appeared on
> spamassassin-users as well.. It looks like you bcc'ed the SA list.
> Anyway, I'm answering on the SA list because that's where I picked up
> the message from)
>
> Not that I know of, but it would be fairly quick as a spamassassin rule.
>
> You'd likely need a meta of some sort.
>
> Theoretically, something like this should work. I'm leveraging some of
> the stock ruleset here, by reusing BOUNCE_MESSAGE to detect if the
> message really is a bounce, make sure it is in your ruleset.

Actually, that's overkill -- BOUNCE_MESSAGE _already_ does this. The VBounce plugin is intended to catch backscatter -- bounces in response to mail you didn't send -- so it'll ignore bounces in response to mail you _did_ send, by parsing the bounced message's Received: headers and looking for the mailserver's name in there. See the FAQ for more info...

--j.
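
The two checks discussed in this thread, as an added Python example that is not part of either post and is not SpamAssassin's own code: rp's test on the domain of the quoted Message-ID, and the Received:-header test the reply attributes to VBounce. The hostname `mail.example.org`, the function names and both sample bounces are constructed for illustration.

```python
import re

# Assumption: hostname of our own outbound mail server (placeholder value).
# SpamAssassin's VBounce plugin takes the equivalent from whitelist_bounce_relays.
LOCAL_RELAYS = {"mail.example.org"}

MSGID_RE = re.compile(r"^[ \t>]*Message-ID:\s*<[^@>\s]+(?:@([^>\s]+))?>", re.I | re.M)
# A Received: header plus its folded continuation lines.
RECEIVED_RE = re.compile(r"^[ \t>]*Received:[^\n]*(?:\n[ \t]+[^\n]*)*", re.I | re.M)

def bounce_body(raw):
    """Drop the bounce's own headers; the quoted original lives in the body."""
    return raw.replace("\r\n", "\n").partition("\n\n")[2]

def msgid_is_ours(raw):
    """rp's check: the quoted Message-ID must end in @<our FQDN>."""
    m = MSGID_RE.search(bounce_body(raw))
    return bool(m and m.group(1) and m.group(1).lower() in LOCAL_RELAYS)

def relayed_by_us(raw):
    """Check described in the reply: a quoted Received: header names our server."""
    for rcvd in RECEIVED_RE.findall(bounce_body(raw)):
        hosts = re.findall(r"\b(?:from|by)\s+([\w.-]+)", rcvd, re.I)
        if any(h.lower() in LOCAL_RELAYS for h in hosts):
            return True
    return False

# Constructed sample bounces (not real traffic).
GENUINE = """\
From: MAILER-DAEMON@remote.example.net
Subject: Undelivered Mail Returned to Sender

The following message could not be delivered:

Received: from desktop.example.org (desktop.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id 4F2A1; Mon, 1 Jan 2007 10:00:00 +0000
Message-ID: <45A1B2C3.1040@mail.example.org>
"""

BACKSCATTER = """\
From: MAILER-DAEMON@remote.example.net
Subject: Delivery failure

Original message headers:

Received: from unknown (HELO pc17) (198.51.100.7)
\tby mx.remote.example.net with SMTP; Mon, 1 Jan 2007 10:05:00 +0000
Message-ID: <000d01c72d$5f3a>
"""
```
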