McDonald, Dan wrote:
> I have been using the IPcountry plugin for a while, giving a slight
> boost to the scores of some countries that we get more spam from and do
> less work with. I have noticed, recently, that a fair amount of really
> obnoxious spam is relayed between two countries before being delivered.
> Is there some way to grab the metadata from IPCountry to count the
> number of countries that were involved in sending a mail, and set a
> score based on that?
> For example, the last phish I received originated in the Netherlands and
> was forwarded through Hong Kong, before delivery in the US.
> Any thoughts?

You mean catching the "Junkman traveller"?
You can try:
header THREE_COUNTRIES X-Relay-Countries =~ /\s[a-z]{2}\s/i
score THREE_COUNTRIES 0.01
header FOUR_COUNTRIES X-Relay-Countries =~ /\s[a-z]{2}\s[a-z]{2}\s/i
score FOUR_COUNTRIES 0.01
and so on...
But you need to exclude mailing lists and resent mail, so a meta (to
detect Resent-*, List-*, ...) is better.
But even then, I am not sure this is safe. Worth a test...
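
An offline check of the idea discussed in this thread, as an added example that is not part of the original messages: it compares the posted three-country pattern with a count of distinct countries that skips mail carrying List-* or Resent-* headers. It assumes the relay-country list has been copied into an X-Relay-Countries header on stored messages and that XX marks an unresolved relay; the function names and sample messages are constructed.

```python
import re
from email import message_from_string

# Assumption: the relay-country metadata has been copied into a header named
# X-Relay-Countries on each stored message, and "XX" marks an unresolved relay.
HEADER = "X-Relay-Countries"
# The thread's THREE_COUNTRIES pattern, matched case-insensitively here.
NAIVE_THREE = re.compile(r"\s[a-z]{2}\s", re.I)

def distinct_countries(msg):
    """Set of resolved country codes, so a repeated country counts once."""
    codes = (c.upper() for c in (msg.get(HEADER) or "").split())
    return {c for c in codes if re.fullmatch(r"[A-Z]{2}", c) and c != "XX"}

def is_list_or_resent(msg):
    """True when any List-* or Resent-* header is present."""
    return any(n.lower().startswith(("list-", "resent-")) for n in msg.keys())

def naive_hit(msg):
    """What the bare header pattern would report."""
    return bool(NAIVE_THREE.search(msg.get(HEADER) or ""))

def strict_hit(msg, threshold=3):
    """Distinct-country count, excluding list traffic and resent mail."""
    return not is_list_or_resent(msg) and len(distinct_countries(msg)) >= threshold

def evaluate(corpus):
    """Return {name: (naive_hit, strict_hit)} for labelled raw messages."""
    out = {}
    for name, raw in corpus.items():
        msg = message_from_string(raw)
        out[name] = (naive_hit(msg), strict_hit(msg))
    return out

# Constructed sample messages (not real mail).
CORPUS = {
    "phish":    "X-Relay-Countries: NL HK US\nSubject: verify\n\nbody\n",
    "list":     "X-Relay-Countries: DE FR US\nList-Id: <users.example.org>\n\nbody\n",
    "resent":   "X-Relay-Countries: GB CA US\nResent-From: a@example.com\n\nbody\n",
    "internal": "X-Relay-Countries: US US US\nSubject: hi\n\nbody\n",
    "unknown":  "X-Relay-Countries: NL XX US\nSubject: hi\n\nbody\n",
}

if __name__ == "__main__":
    for name, (naive, strict) in evaluate(CORPUS).items():
        print(f"{name:9} naive={naive!s:5} strict={strict}")
```

Run over real ham and spam folders, the gap between the two columns shows how many hits come only from repeated countries, unresolved relays, list traffic or resent mail.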