On Aug 29, 2014, at 6:45 AM, Kevin A. McGrail <kmcgr...@pccc.com> wrote:
> On 8/29/2014 5:48 AM, emailitis.com wrote: >> I have a lot of Spam getting into our mail servers where the common thread >> is cloudapp >> >> /root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl: >> qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 >> 6225 comp...@franking-expert.co.uk user@domain.comSaving_by_Switching >> <3442703078ef969a9f97133682d9e...@expert.cloudapp.net> >> 1409137091.12021-1.plesk3.hostname.co.uk:3019 >> 1409137091.12021-0.plesk3.emailitis.co.uk:1263 >> orig-plesk3.hostname.co.uk140913709079712013:6225 >> >> And the hyperlinks in the emails are http://expert.cloudapp.net/..... >> >> Please could you advise on how I can block by the information on the maillog >> on that, or using a rule which checks the URL to include the above thread? >> >> Many thanks in advance for any help, >> >> Christoph >> > Christoph, > > There is a new feature in trunk that I believe will help you easily called > URILocalBL.pm > > See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060 > > Philip, your thoughts? > > Regards, > KAM That should do it. There’s a configuration example in the bug, and POD documentation in the plugin, but in this particular case you’d do something like: uri_block_cidr L_BLOCK_CLOUDAPP 191.237.208.246 body L_BLOCK_CLOUDAPP eval:check_uri_local_bl() describe L_BLOCK_CLOUDAPP Block URI’s pointing to expert.cloudapp.net score L_BLOCK_CLOUDAPP 5.0 You should be able to drop in the patch fairly easily. -Philip
