Posted to users@spamassassin.apache.org by David Touzeau <da...@touzeau.eu> on 2011/04/06 21:01:19 UTC
Create a rule to block MAX recipients
Dear All
I would like to create a rule in order to block messages that contain
more than X recipients in SpamAssassin from these fields
To:
CC:
Bcc:
This without any MTA help
How can I do this?
Best regards
Re: Create a rule to block MAX recipients
Posted by David Touzeau <da...@touzeau.eu>.
On Wednesday 06 April 2011 at 16:05 -0300, Eduardo Casarero wrote:
>
>
> 2011/4/6 David Touzeau <da...@touzeau.eu>
> Dear All
>
> I would like to create a rule in order to block messages that
> contain
> more than X recipients in SpamAssassin from these fields
>
> To:
> CC:
> Bcc:
>
> This without any MTA help
>
> How can I do this?
>
> Best regards
>
> In 2009 I wrote this email to the MailScanner list answering something
> like your issue; maybe it is a good approach, or maybe not. I didn't test
> this rule on production servers.
>
>
> -----------------------------------
>
>
> Some time ago I wrote this rule for SpamAssassin. I didn't test it a
> lot, so test it with caution. It was for someone with the same
> problem as you.
>
> The logic of the rule is that if the email has more than
> 10 recipients, at least 1 rule will hit; with the combinations it is
> probable that more than one hits. You can also generate a new meta rule
> to have only 1 hit with an OR.
>
> header __TEST_TO_1 To =~ /(.*?(@).*?){1,}/i
> header __TEST_TO_2 To =~ /(.*?(@).*?){2,}/i
> header __TEST_TO_3 To =~ /(.*?(@).*?){3,}/i
> header __TEST_TO_4 To =~ /(.*?(@).*?){4,}/i
> header __TEST_TO_5 To =~ /(.*?(@).*?){5,}/i
> header __TEST_TO_6 To =~ /(.*?(@).*?){6,}/i
> header __TEST_TO_7 To =~ /(.*?(@).*?){7,}/i
> header __TEST_TO_8 To =~ /(.*?(@).*?){8,}/i
> header __TEST_TO_9 To =~ /(.*?(@).*?){9,}/i
> header __TEST_TO_10 To =~ /(.*?(@).*?){10,}/i
>
> header __TEST_CC_1 Cc =~ /(.*?(@).*?){1,}/i
> header __TEST_CC_2 Cc =~ /(.*?(@).*?){2,}/i
> header __TEST_CC_3 Cc =~ /(.*?(@).*?){3,}/i
> header __TEST_CC_4 Cc =~ /(.*?(@).*?){4,}/i
> header __TEST_CC_5 Cc =~ /(.*?(@).*?){5,}/i
> header __TEST_CC_6 Cc =~ /(.*?(@).*?){6,}/i
> header __TEST_CC_7 Cc =~ /(.*?(@).*?){7,}/i
> header __TEST_CC_8 Cc =~ /(.*?(@).*?){8,}/i
> header __TEST_CC_9 Cc =~ /(.*?(@).*?){9,}/i
> header __TEST_CC_10 Cc =~ /(.*?(@).*?){10,}/i
>
> #just for testing purposes
> #meta TEST_TO_1_CC_1 (__TEST_TO_1 && __TEST_CC_1)
> #
>
> meta TEST_TO_1_CC_9 (__TEST_TO_1 && __TEST_CC_9)
> meta TEST_TO_2_CC_8 (__TEST_TO_2 && __TEST_CC_8)
> meta TEST_TO_3_CC_7 (__TEST_TO_3 && __TEST_CC_7)
> meta TEST_TO_4_CC_6 (__TEST_TO_4 && __TEST_CC_6)
> meta TEST_TO_5_CC_5 (__TEST_TO_5 && __TEST_CC_5)
> meta TEST_TO_6_CC_4 (__TEST_TO_6 && __TEST_CC_4)
> meta TEST_TO_7_CC_3 (__TEST_TO_7 && __TEST_CC_3)
> meta TEST_TO_8_CC_2 (__TEST_TO_8 && __TEST_CC_2)
> meta TEST_TO_9_CC_1 (__TEST_TO_9 && __TEST_CC_1)
> meta TEST_TO_10_CC_0 (__TEST_TO_10)
> meta TEST_TO_0_CC_10 (__TEST_CC_10)
>
> score TEST_TO_1_CC_1 0.01
> score TEST_TO_1_CC_9 0.01
> score TEST_TO_2_CC_8 0.01
> score TEST_TO_3_CC_7 0.01
> score TEST_TO_4_CC_6 0.01
> score TEST_TO_5_CC_5 0.01
> score TEST_TO_6_CC_4 0.01
> score TEST_TO_7_CC_3 0.01
> score TEST_TO_8_CC_2 0.01
> score TEST_TO_9_CC_1 0.01
> score TEST_TO_10_CC_0 0.01
> score TEST_TO_0_CC_10 0.01
>
> hope it helps!
>
>
Many thanks all !!!
I love
the Spamassassin community !
Re: Create a rule to block MAX recipients
Posted by Eduardo Casarero <ec...@gmail.com>.
2011/4/6 David Touzeau <da...@touzeau.eu>
> Dear All
>
> I would like to create a rule in order to block messages that contain
> more than X recipients in SpamAssassin from these fields
>
> To:
> CC:
> Bcc:
>
> This without any MTA help
>
> How can I do this?
>
> Best regards
>
In 2009 I wrote this email to the MailScanner list answering something like
your issue; maybe it is a good approach, or maybe not. I didn't test this rule
on production servers.
-----------------------------------
Some time ago I wrote this rule for SpamAssassin. I didn't test it a lot, so
test it with caution. It was for someone with the same problem as you.
The logic of the rule is that if the email has more than 10 recipients, at
least 1 rule will hit; with the combinations it is probable that more than one hits.
You can also generate a new meta rule to have only 1 hit with an OR.
header __TEST_TO_1 To =~ /(.*?(@).*?){1,}/i
header __TEST_TO_2 To =~ /(.*?(@).*?){2,}/i
header __TEST_TO_3 To =~ /(.*?(@).*?){3,}/i
header __TEST_TO_4 To =~ /(.*?(@).*?){4,}/i
header __TEST_TO_5 To =~ /(.*?(@).*?){5,}/i
header __TEST_TO_6 To =~ /(.*?(@).*?){6,}/i
header __TEST_TO_7 To =~ /(.*?(@).*?){7,}/i
header __TEST_TO_8 To =~ /(.*?(@).*?){8,}/i
header __TEST_TO_9 To =~ /(.*?(@).*?){9,}/i
header __TEST_TO_10 To =~ /(.*?(@).*?){10,}/i
header __TEST_CC_1 Cc =~ /(.*?(@).*?){1,}/i
header __TEST_CC_2 Cc =~ /(.*?(@).*?){2,}/i
header __TEST_CC_3 Cc =~ /(.*?(@).*?){3,}/i
header __TEST_CC_4 Cc =~ /(.*?(@).*?){4,}/i
header __TEST_CC_5 Cc =~ /(.*?(@).*?){5,}/i
header __TEST_CC_6 Cc =~ /(.*?(@).*?){6,}/i
header __TEST_CC_7 Cc =~ /(.*?(@).*?){7,}/i
header __TEST_CC_8 Cc =~ /(.*?(@).*?){8,}/i
header __TEST_CC_9 Cc =~ /(.*?(@).*?){9,}/i
header __TEST_CC_10 Cc =~ /(.*?(@).*?){10,}/i
#just for testing purposes
#meta TEST_TO_1_CC_1 (__TEST_TO_1 && __TEST_CC_1)
#
meta TEST_TO_1_CC_9 (__TEST_TO_1 && __TEST_CC_9)
meta TEST_TO_2_CC_8 (__TEST_TO_2 && __TEST_CC_8)
meta TEST_TO_3_CC_7 (__TEST_TO_3 && __TEST_CC_7)
meta TEST_TO_4_CC_6 (__TEST_TO_4 && __TEST_CC_6)
meta TEST_TO_5_CC_5 (__TEST_TO_5 && __TEST_CC_5)
meta TEST_TO_6_CC_4 (__TEST_TO_6 && __TEST_CC_4)
meta TEST_TO_7_CC_3 (__TEST_TO_7 && __TEST_CC_3)
meta TEST_TO_8_CC_2 (__TEST_TO_8 && __TEST_CC_2)
meta TEST_TO_9_CC_1 (__TEST_TO_9 && __TEST_CC_1)
meta TEST_TO_10_CC_0 (__TEST_TO_10)
meta TEST_TO_0_CC_10 (__TEST_CC_10)
score TEST_TO_1_CC_1 0.01
score TEST_TO_1_CC_9 0.01
score TEST_TO_2_CC_8 0.01
score TEST_TO_3_CC_7 0.01
score TEST_TO_4_CC_6 0.01
score TEST_TO_5_CC_5 0.01
score TEST_TO_6_CC_4 0.01
score TEST_TO_7_CC_3 0.01
score TEST_TO_8_CC_2 0.01
score TEST_TO_9_CC_1 0.01
score TEST_TO_10_CC_0 0.01
score TEST_TO_0_CC_10 0.01
hope it helps!
Re: Create a rule to block MAX recipients
Posted by Adam Katz <an...@khopis.com>.
On 04/06/2011 01:00 PM, John Hardin wrote:
> Dang, I thought these were already in my sandbox:
>
> describe TO_TOO_MANY To: too many recipients
> header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
>
> describe TO_WAY_TOO_MANY To: too many recipients
> header TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,80}){50}/
>
> describe CC_TOO_MANY Cc: too many recipients
> header CC_TOO_MANY Cc =~ /(?:,[^,]{1,80}){30}/
It's been in mine for ages:
header KHOP_BIG_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,25},){10}/
describe KHOP_BIG_TO_CC Sent to 10+ recipients instead of Bcc or a list
I'm pretty sure I've had several other iterations of it as well, but
they've all been wiped because they perform miserably. This is a good
mark of a nontechnical user rather than spam. Most of its hits are ham.
http://ruleqa.spamassassin.org/20110319/%2FKHOP_BIG_TO_CC
MSECS   SPAM%    HAM%     S/O    RANK   SCORE  NAME
    0  0.5786  0.6643   0.466    0.42    0.01  T_KHOP_BIG_TO_CC
Looking at the score map, most spam this hit is already easily marked as
such.
My recollection of earlier incarnations of these rules is that they were
reliably under the 0.400 S/O mark.
This is best implemented at the MTA. Reject too many recipients and
make sure that the sender knows what was wrong.
Re: Create a rule to block MAX recipients
Posted by John Hardin <jh...@impsec.org>.
On Wed, 6 Apr 2011, Eduardo Casarero wrote:
> 2011/4/6 John Hardin <jh...@impsec.org>
>
>> On Wed, 6 Apr 2011, David Touzeau wrote:
>>
>>> I would like to create a rule in order to block messages that contain
>>> more than X recipients in SpamAssassin from these fields
>>>
>>> To:
>>> CC:
>>> Bcc:
>>
>> Can you post an example of a populated BCC: header?
>
> BCC is useless because the sender MTA generates the copies, in the inbound
> MTA you will see 1 bcc at least.
That's the point I was gently trying to make... :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
7 days until Thomas Jefferson's 268th Birthday
Re: Create a rule to block MAX recipients
Posted by Eduardo Casarero <ec...@gmail.com>.
2011/4/6 John Hardin <jh...@impsec.org>
> On Wed, 6 Apr 2011, David Touzeau wrote:
>
>> I would like to create a rule in order to block messages that contain
>> more than X recipients in SpamAssassin from these fields
>>
>> To:
>> CC:
>> Bcc:
>>
>> This without any MTA help
>>
>> How can I do this?
>>
>
> Dang, I thought these were already in my sandbox:
>
>
> describe TO_TOO_MANY To: too many recipients
> header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
>
> describe TO_WAY_TOO_MANY To: too many recipients
> header TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,80}){50}/
>
> describe CC_TOO_MANY Cc: too many recipients
> header CC_TOO_MANY Cc =~ /(?:,[^,]{1,80}){30}/
>
>
> Can you post an example of a populated BCC: header?
>
>
BCC is useless because the sender MTA generates the copies, in the inbound
MTA you will see 1 bcc at least.
Re: Create a rule to block MAX recipients
Posted by John Hardin <jh...@impsec.org>.
On Wed, 6 Apr 2011, David Touzeau wrote:
> I would like to create a rule in order to block messages that contain
> more than X recipients in SpamAssassin from these fields
>
> To:
> CC:
> Bcc:
>
> This without any MTA help
>
> How can I do this?
Dang, I thought these were already in my sandbox:
describe TO_TOO_MANY To: too many recipients
header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
describe TO_WAY_TOO_MANY To: too many recipients
header TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,80}){50}/
describe CC_TOO_MANY Cc: too many recipients
header CC_TOO_MANY Cc =~ /(?:,[^,]{1,80}){30}/
Can you post an example of a populated BCC: header?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control laws aren't enacted to control guns, they are enacted
to control people: catholics (1500s), japanese peasants (1600s),
blacks (1860s), italian immigrants (1911), the irish (1920s),
jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
7 days until Thomas Jefferson's 268th Birthday
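
Added example (not code from any poster in this thread): the comma-count regex and the KHOP_BIG_TO_CC regex quoted above, run in Python against constructed headers and compared with a real address parse, showing how quoted display names that contain commas skew both rules and why a Bcc'd copy carries nothing to count. The `to_cc` join is an assumption that approximates SpamAssassin's ToCc pseudo-header; all sample addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Regexes copied from the rules quoted in the thread.
COMMA_COUNT_30 = re.compile(r"(?:,[^,]{1,80}){30}")                # TO_TOO_MANY style
KHOP_BIG_TO_CC = re.compile(r"(?:[^,\@]{1,60}\@[^,]{4,25},){10}")  # KHOP_BIG_TO_CC

def to_cc(msg):
    """Assumption: approximate the ToCc pseudo-header as To and Cc joined by a comma."""
    return ", ".join(msg.get_all("To", []) + msg.get_all("Cc", []))

def analyze(raw):
    """Return (parsed recipient count, comma rule hit, KHOP rule hit) for one message."""
    msg = message_from_string(raw)
    combined = to_cc(msg)
    # RFC 5322-aware parse: commas inside quoted display names are not separators.
    parsed = {addr.lower() for _, addr in getaddresses([combined]) if "@" in addr}
    return (len(parsed),
            bool(COMMA_COUNT_30.search(combined)),
            bool(KHOP_BIG_TO_CC.search(combined)))

def build(to, cc=""):
    """Build a constructed test message from header values."""
    headers = [f"To: {to}"] + ([f"Cc: {cc}"] if cc else [])
    return "\n".join(headers + ["Subject: test", "", "body"])

# Constructed samples (example.com addresses, not real traffic).
# 12 bare addresses split across To and Cc.
PLAIN_12 = build(", ".join(f"u{i}@example.com" for i in range(6)),
                 ", ".join(f"u{i}@example.com" for i in range(6, 12)))
# 16 recipients written as "Last, First" <addr>: 31 commas in total.
QUOTED_16 = build(", ".join(f'"Doe{i}, John" <john{i}@example.com>' for i in range(16)))
# What the receiving side sees for a Bcc'd copy: no Bcc header, one visible address.
BCC_COPY = build("list-owner@example.com")

if __name__ == "__main__":
    for name, raw in [("plain x12", PLAIN_12), ("quoted x16", QUOTED_16),
                      ("bcc copy", BCC_COPY)]:
        print(name, analyze(raw))
```

With 16 quoted-name recipients the 31-item comma rule fires while the 10-recipient rule does not, so neither regex tracks the parsed count once display names contain commas.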