On Fri, 2009-05-15 at 23:36 +0200, Karsten Bräckelmann wrote:
> On Fri, 2009-05-15 at 17:17 -0400, Bowie Bailey wrote:
> > Here is a real sample. The only way I can get this message to pass
> > VBounce as legitimate is to add bnifstg2.buc.com to the whitelist.
> > However, this is *not* a mailserver, this is the client.
> > bnofimage1.buc.com is my mailserver, and it is in the whitelist, but
> > VBounce doesn't pick up on it.

Since that option supports wildcards, this might be a viable workaround.
Just a hack, though, which includes the local client machines as per the
one sample, like they were MTAs.

  whitelist_bounce_relays *.buc.com

I just hope they're all set up like that, and that you fully control the
domain. ;)

Hmm, *might* actually exempt blow-backs with forged Received headers, so
could result in fewer backscatter bounces caught. Still might be worth a
try.

> Ah, crap, that one again. It's a multi-line header with the whitelisted
> relay not in the first line. Bug 5912 [1]. The relevant header from your
> legit bounce sample:
>
>   Received: (from bnifstg2.buc.com [172.16.17.14])
>     by bnofimage1.buc.com (SAVSMTP 3.1.0.29) with SMTP [...]
>
>
> [1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5912

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
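
Added example, not part of the original message and not SpamAssassin's code: a small model of the behaviour discussed in this thread, showing why a relay named on a continuation line of a folded Received header is missed by a first-line-only match, and why `*.buc.com` matches anyway. The function names, the regex and the first-line-only mode are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed header block; the Received header is the one quoted in the
# thread, with its elided tail "[...]" left as-is.
SAMPLE_HEADERS = (
    "Received: (from bnifstg2.buc.com [172.16.17.14])\n"
    "\tby bnofimage1.buc.com (SAVSMTP 3.1.0.29) with SMTP [...]\n"
    "Subject: Undeliverable mail\n"
)

# Hostname following a "from" or "by" keyword (simplified, illustrative).
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def unfold(raw):
    """RFC 5322 unfolding: a line starting with space/tab continues the header above."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers


def relay_hosts(header_lines):
    """Collect from/by hostnames found on lines that begin with 'Received:'."""
    hosts = []
    for line in header_lines:
        if line.lower().startswith("received:"):
            hosts += [h.lower() for h in HOST_RE.findall(line)]
    return hosts


def whitelisted(hosts, patterns):
    """True if any host matches any glob pattern, compared case-insensitively."""
    return any(fnmatch.fnmatchcase(h, p.lower()) for h in hosts for p in patterns)


def check(raw, patterns, do_unfold):
    """Match patterns against relays, with or without unfolding the headers first."""
    lines = unfold(raw) if do_unfold else raw.splitlines()
    return whitelisted(relay_hosts(lines), patterns)


if __name__ == "__main__":
    for pats in (["bnofimage1.buc.com"], ["*.buc.com"]):
        for mode in (False, True):
            print(pats, "unfolded" if mode else "first line only", check(SAMPLE_HEADERS, pats, mode))
```

The wildcard passes in first-line-only mode only because it matches the client bnifstg2.buc.com, which is the trade-off described above: every host under the domain is treated as a trusted bounce relay.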