Re: IP country plugin - can we look for two countries?

Mon, 30 Jun 2008 15:18:10 -0700 

On Mon, 2008-06-30 at 22:04 +0200, mouss wrote:
> McDonald, Dan wrote:
> > On Sat, 2008-06-28 at 01:40 +0200, mouss wrote:
> >   
> >> mouss wrote:
> >>     
> >>>> Is there some way to grab the metadata from IPCountry to count the
> >>>> number of countries that were involved in sending a mail, and set a
> >>>> score based on that?
> >>>>         
> >>> you mean catching the "Junkman traveller"?
> >>>
> >>> you can try
> >>>
> >>> header THREE_COUNTRIES X-Relay-Countries =~ /\s[a-z]{2}\s/
> >>> score THREE_COUNTRIES 0.01
> >>>
> >>> header FOUR_COUNTRIES X-Relay-Countries =~ /\s[a-z]{2}\s[a-z]{2}\s/
> >>> score FOUR_COUNTRIES 0.01
> >>>
> >>>       
> >> argh. This is wrong as it will hit things like "US US FR FR"...
> >>     
> >>> and so on...
> >>>       
> >
> > Correct.  And Spamassassin rules developers generally frown on using
> > back-tracking, as it slows down the whole ruleset even if only used for
> > one rule....

> it would be good to have two other meta-headers (in addition to 
> X-Relay-Countries):
> X-Relay-Country-Count: the total number of different countries
> X-Relay-Country-Cross: the numbre of country "switches"
> 
> so "FR US FR US" would yield 2 countries but 3 switches, which should be 
> less "normal" than "FR FR US US".

Ok, how about this very messy patch to RelayCountry.pm?

--- /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Plugin/RelayCountry.pm  
2008-01-05 15:10:50.000000000 -0600
+++ RelayCountry.pm     2008-06-30 17:11:35.000000000 -0500
@@ -76,15 +76,30 @@
   my $msg = $opts->{msg};
 
   my $countries = '';
+  my $crosscountries=0;
+  my $lcc = '';
+  my %countriesvisited;
   foreach my $relay (@{$msg->{metadata}->{relays_untrusted}}) {
     my $ip = $relay->{ip};
     my $cc = $reg->inet_atocc($ip) || "XX";
+    $crosscountries +=1 if (($lcc ne '') and ($lcc ne $cc) and ($cc ne 'XX'));
+    $countriesvisited{$cc}++ if $cc ne 'XX';
     $countries .= $cc." ";
+    $lcc = $cc if $cc ne "XX";
   }
-
+  my @visited = keys %countriesvisited;
+  my $visits = $#visited;
   chop $countries;
   $msg->put_metadata("X-Relay-Countries", $countries);
   dbg("metadata: X-Relay-Countries: $countries");
+  if ($visits++ > -1) {
+         $msg->put_metadata("X-Relay-Country-Count", $visits);
+         dbg("metadata: X-Relay-Country-Count: $visits");
+  }
+  if ($crosscountries >0) {
+         $msg->put_metadata("X-Relay-Country-Cross", $crosscountries);
+         dbg("metadata: X-Relay-Country-Cross: $crosscountries");
+  }
 
   return 1;
 }

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to