HELO test rule-writing questions

[Clifton Royston <cl...@lava.net>]

Hi all,

  I'm trying to write some SA rules for additional tests on the
connecting mailserver's SMTP HELO string, and I have some questions
about how to do it.  Should I send them to this list or to the
dev list?

  Assuming it's this list, one of the things I'm trying to do is assign
a modest score to helo strings containing a bracketed IP address. 
(This is technically valid in SMTP.)

  I've read through some of the tests in 20_fake_helo_tests.cf, and it
appears they rely on SA's parsing code creating a kind of magic
pseudo-header X-Spam-Relays-Untrusted containing a string with the
"helo" and other data?

  I'm not sure I get the point of the recurring [^\]]+ bits in the
examples I looked at.

  So would a test for a bracketed IP address look like this?

# [60.222.35.88]
header HELO_BRACKETED_IP  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\[\d+\.\d+\.\d+\.\d+\][^\]]+ auth= /i

  I want to distinguish this case from a bare IP address (invalid!)
which I also want to look at and score:

# [60.222.35.88]
header HELO_BARE_IP  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+[^\]]+ auth= /i

  -- Clifton

-- 
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services