Matt Kettler wrote:
> Clunk Werclick wrote:
>
>> Howdie;
>>
>> I'm starting to see plenty of these and they are new to us:
>>
>> zgrep "address not listed" /var/log/mail.info
>> Sep 3 05:26:59 ....: warning: 222.252.239.56: address not listed for
>> hostname localhost
>> dig -x 222.252.239.56
>>
>> ...
>> ;; QUESTION SECTION:
>> ;56.239.252.222.in-addr.arpa. IN PTR
>>
>> ;; ANSWER SECTION:
>> 56.239.252.222.in-addr.arpa. 83651 IN PTR localhost.
>> ...
>>
>> Taking to one side the various RBL's which are catching these, and not
>> going the whole 'PTR must match' route - would it be practical to craft
>> a 10 point rule based on PTR = localhost? Is it even possible to build a
>> rule based upon DNS returns?
>>
>> Forgive the stupidity of the question, but I'm not sure how to, or even
>> if it can be implemented?
>>
> Not without writing a plugin. Although if your MTA inserts a "may be
> forged" note into the Received: headers, SA will pick up on this.
>
Correction, SA dropped this rule a LONG time ago in the 2.5x series due to wild false positives.

The legacy rule from 2.4x:

header MAY_BE_FORGED Received =~ /\(may be forged\)/i
describe MAY_BE_FORGED 'Received:' has 'may be forged' warning
score MAY_BE_FORGED 0.038

OVERALL% SPAM% NONSPAM% S/O RANK SCORE NAME
2.530 3.757 2.290 0.62 0.34 0.04 MAY_BE_FORGED

0.62 S/O is not so good (ie: 62% of the email matched was spam, but 38% was nonspam)