On Wed, 13 Jan 2010, David B Funk wrote:

> On Wed, 13 Jan 2010, John Hardin wrote:
>
> > header AUTH_SMTP Received =~ /\(authenticated bits=\d+\) by mail\.impsec\.org /
>
> One risk to this rule, a savvy spammer could forge a "Received" header
> to mimic that information to gain your white-list score (now that it's
> been publicized on this list they know ;).

That's why I included the MTA name in the rule. Including that forces the
spammer to forge site-specific Received: headers to get a hit.

> To prevent forgeries from getting that free ride, test against the
> special Received pseudo-headers, either "X-Spam-Relays-Internal" or
> "X-Spam-Relays-Trusted". You might want to experiment to see what works
> best.

That's probably a much better solution.

On Thu, 14 Jan 2010, Daryl C. W. O'Shea wrote:

> meta AUTHD_RELAY !__LAST_UNTRUSTED_RELAY_NO_AUTH
> describe AUTHD_RELAY Message submission was via an authenticated user
> score AUTHD_RELAY -10

And that's better still.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
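The difference between matching any Received header and matching only the ones your own hosts stamped, as an added example that is not part of the thread and not SpamAssassin's code. It is a simplified model of the trust walk behind the trusted pseudo-headers; the host name mail.example.org, the trusted network, the function names and both sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Same shape as the rule in the thread; mail.example.org is a placeholder MTA name.
AUTH_RE = re.compile(r"\(authenticated bits=\d+\) by mail\.example\.org ")
CLIENT_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: our own relays

def received_headers(raw):
    """Received headers, newest first, with folding whitespace collapsed."""
    msg = email.message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def trusted_part(headers):
    """Headers stamped by our own hosts: the top one, then each following
    one only while the client that handed the message over is ours too."""
    kept = []
    for h in headers:
        kept.append(h)
        m = CLIENT_IP_RE.search(h)
        ip = ipaddress.ip_address(m.group(1)) if m else None
        if ip is None or not any(ip in net for net in TRUSTED_NETS):
            break  # outside client: everything below is sender-supplied
    return kept

def naive_hit(raw):
    return any(AUTH_RE.search(h) for h in received_headers(raw))

def trusted_hit(raw):
    return any(AUTH_RE.search(h) for h in trusted_part(received_headers(raw)))

# Constructed samples: a real authenticated submission, and an unauthenticated
# delivery that carries a sender-supplied copy of the "authenticated" header.
GENUINE = (
    "Received: from laptop.example.net (laptop.example.net [198.51.100.9])"
    " (authenticated bits=128) by mail.example.org (8.14.3/8.14.3) with ESMTP"
    " id o0DK0001; Wed, 13 Jan 2010 12:00:00 -0800\nSubject: hi\n\nbody\n")
FORGED = (
    "Received: from bulk.example.com (bulk.example.com [203.0.113.50])"
    " by mail.example.org (8.14.3/8.14.3) with ESMTP id o0DK0002;"
    " Wed, 13 Jan 2010 12:05:00 -0800\n"
    "Received: from pc.example.com (pc.example.com [203.0.113.51])"
    " (authenticated bits=128) by mail.example.org (8.14.3/8.14.3) with ESMTP"
    " id o0DK0003; Wed, 13 Jan 2010 12:04:00 -0800\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, "naive:", naive_hit(raw), "trusted:", trusted_hit(raw))
```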