On 26/11/11 01:21, Karsten Bräckelmann wrote:
> On Fri, 2011-11-25 at 20:27 +0000, Ned Slider wrote:
>> # sub-rule: Yahoo webmail (via HTTP) submission from a client IP in 86.120.0.0-86.199.255.255
>> header __L_BT_YAHOO_WEBMAIL01 Received =~ /from \[86\.1[2-9][0-9]\.\d{1,3}\.\d{1,3}\] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP/i
>>
>> but it would be far easier if I could somehow do an rDNS lookup on the
>> IP, see if it matches btcentralplus.com and score those that don't.
>
> No, it would not be easier. It would require writing a plugin, rather
> than the IP-range catching Received header rule. ;)


Alas, that's where I was hoping you would say there was a plugin that would do this type of thing that I wasn't aware of. Or maybe some geoip-type plugin to establish if the country of origin was the UK or not (assuming that most hacked attempts probably originate outside of the UK).

> Since you mentioned rDNS, you probably had the RDNS_NONE and friends
> rules in mind. SA does not do these rDNS lookups, but depends on the MTA
> to do them and note it in the Received headers.
>
> There *might* be one alternative. The ASN plugin. I once had a similar
> problem with a really spammy ASN [1], continuing to send out specific
> German junk that for some reason managed to fly low and definitely under
> the radar of Bayes. Alas, the ASN metadata was not available for rules.
>
> IIRC there are some changes in trunk that might fix this, and actually
> make the ASN metadata also available for rules (and Bayes).
>
> Without this option, I ended up writing a few X-Spam-Relays-External
> rules with RE-encoded IP-ranges.


Looks like I'll be doing similar here. I just need to collect the BT ranges.

Thanks for the ideas though - much appreciated.
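Karsten's fallback (header rules built from RE-encoded IP ranges) and Ned's plan to collect the BT ranges both come down to the same chore: turning a list of CIDR prefixes into a regex that a Perl header rule can use, without off-by-one gaps or a `\d{1,3}` that also matches 86.1200.x. The script below is an added example written for this page, not code from the thread or from SpamAssassin. It generates an exact dotted-quad regex for a list of prefixes, emits a rule in the form Ned posted plus a meta rule (an assumed structure, with assumed names `__L_YAHOO_WEBMAIL` and `L_YAHOO_WEBMAIL_NOT_BT`) that scores Yahoo webmail submissions from outside those ranges, and checks the pattern against constructed Received lines. The prefixes in `EXAMPLE_PREFIXES` are placeholders, not a verified list of BT address space.

```python
"""Generate an exact IP-range regex for a SpamAssassin header rule.

Added example for this thread, not code from the list or from SpamAssassin.
EXAMPLE_PREFIXES are constructed placeholders, not verified BT ranges.
"""
import ipaddress
import re

# Constructed placeholders (assumption): replace with prefixes taken from the RIR data.
EXAMPLE_PREFIXES = ["86.128.0.0/10", "81.128.0.0/12"]


def _digits(a, b):
    """Regex for one decimal digit in a..b."""
    return str(a) if a == b else f"[{a}-{b}]"


def _grp(s):
    """Wrap an alternation so it can safely be concatenated with other atoms."""
    return f"(?:{s})" if "|" in s else s


def _same_len(lo, hi):
    """Regex matching the integers lo..hi, which must have the same digit count."""
    if lo == hi:
        return str(lo)
    if hi < 10:
        return _digits(lo, hi)
    lp, ld = divmod(lo, 10)  # leading digits and last digit of lo
    hp, hd = divmod(hi, 10)
    if lp == hp:
        return f"{lp}{_digits(ld, hd)}"
    alts = []
    if ld != 0:  # partial leading decade, e.g. 128..129
        alts.append(f"{lp}{_digits(ld, 9)}")
        lp += 1
    tail = None
    if hd != 9:  # partial trailing decade, e.g. 190..191
        tail = f"{hp}{_digits(0, hd)}"
        hp -= 1
    if lp <= hp:  # whole decades in between: recurse on the leading digits
        alts.append(_grp(_same_len(lp, hp)) + r"\d")
    if tail is not None:
        alts.append(tail)
    return "|".join(alts)


def octet_regex(lo, hi):
    """Regex matching exactly the decimal octets lo..hi (0 <= lo <= hi <= 255)."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range out of bounds")
    alts = []
    for a, b in ((0, 9), (10, 99), (100, 255)):  # split by digit count
        s, e = max(lo, a), min(hi, b)
        if s <= e:
            alts.append(_same_len(s, e))
    return _grp("|".join(alts))


def octet_regex_exact(lo, hi):
    """Self-check: True if octet_regex(lo, hi) matches exactly lo..hi over 0..255."""
    pat = re.compile(octet_regex(lo, hi))
    return all((pat.fullmatch(str(n)) is not None) == (lo <= n <= hi) for n in range(256))


def cidr_regex(cidr):
    """Regex matching exactly the dotted quads inside one IPv4 prefix.

    A prefix is mask-aligned, so the per-octet ranges between its network
    and broadcast address are independent and their product is the block."""
    net = ipaddress.ip_network(cidr, strict=False)
    lo = net.network_address.packed
    hi = net.broadcast_address.packed
    return r"\.".join(octet_regex(a, b) for a, b in zip(lo, hi))


def prefixes_regex(cidrs):
    """Alternation over several prefixes, grouped for embedding in a rule."""
    return _grp("|".join(cidr_regex(c) for c in cidrs))


# Tail of the Received line from Ned's rule; the other rule names are assumed.
_YAHOO_TAIL = r"\] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP"


def sa_rules(cidrs, name="__L_BT_YAHOO_WEBMAIL01"):
    """Emit the Received rule with the generated IP regex, plus a meta rule
    (assumed structure) scoring Yahoo webmail submissions from outside it."""
    ip_re = prefixes_regex(cidrs)
    return "\n".join([
        "header __L_YAHOO_WEBMAIL Received =~ /from \\[\\d{1,3}(?:\\.\\d{1,3}){3}" + _YAHOO_TAIL + "/i",
        "header " + name + " Received =~ /from \\[" + ip_re + _YAHOO_TAIL + "/i",
        "meta L_YAHOO_WEBMAIL_NOT_BT (__L_YAHOO_WEBMAIL && !" + name + ")",
        "describe L_YAHOO_WEBMAIL_NOT_BT Yahoo webmail submission from outside the expected ISP ranges",
        "score L_YAHOO_WEBMAIL_NOT_BT 1.0",
    ]) + "\n"


def in_ranges(cidrs, received):
    """True when a Received header value matches the generated pattern."""
    pat = re.compile(r"from \[" + prefixes_regex(cidrs) + _YAHOO_TAIL, re.I)
    return pat.search(received) is not None


# Constructed Received lines for demonstration; not taken from real mail.
SAMPLE_IN = "from [86.130.1.2] by web12345.mail.ird.yahoo.com via HTTP; Fri, 25 Nov 2011 20:00:00 GMT"
SAMPLE_OUT = "from [86.200.1.2] by web12345.mail.ird.yahoo.com via HTTP; Fri, 25 Nov 2011 20:00:00 GMT"

if __name__ == "__main__":
    print(sa_rules(EXAMPLE_PREFIXES))
    print(in_ranges(EXAMPLE_PREFIXES, SAMPLE_IN), in_ranges(EXAMPLE_PREFIXES, SAMPLE_OUT))
```

The generated alternation uses only `\d`, character classes and non-capturing groups, so it compiles the same under Perl and Python's `re`; `octet_regex_exact` is the check worth running after any change to the generator. Keep the `\[` and `\]` delimiters around the address so a partial-octet match cannot slip through, and regenerate the rule whenever the prefix list changes rather than hand-editing the regex.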
