Posted to users@spamassassin.apache.org by Jaysen Johnson <ja...@gmail.com> on 2006/12/03 22:16:40 UTC

Custom Rules

Hello,

I have been asked by my boss to set up SpamAssassin on the corporate email server with the following rules. A single header should record the cumulative scores for the following:

SPF record not available or not accurate for the sending server - 2 points
Date in the mail header more than 10 minutes out of sync     -  1 point
Date in the mail header more than 30 minutes out of sync    -  2 points
From address contains only email address   - 1 point
for example flag these xxx@domain.com or <xx...@domain.com> not "X X" <xx...@domain.com>

Since I am new to SpamAssassin, I am not sure where to begin or if this is even possible. If someone could assist me in setting up these rules I would be grateful.



Regards,



Jaysen B. Johnson

Re: Custom Rules

Posted by Jonas Eckerman <jo...@frukt.org>.
Jaysen Johnson wrote:
> Date in the mail header more than 10 minutes out of sync     -  1 point
> Date in the mail header more than 30 minutes out of sync    -  2 points

Out of sync with what?

There's nothing meaningful to compare the dates to that can show you that they are 10 or 30 minutes out of sync with whatever.

The actual "Date:" header should be created when the user saves the mail to the mail client's outgoing queue.
If the user has a dial-up connection, it might well be hours (sometimes days) before (s)he decides to send the outgoing mails to a server, so you can expect a long delay between the "Date:" field and the first "Received:" field.

In each server the mail passes it might be delayed. Servers usually try to send mail as fast as possible, but more than 10 minutes delay is perfectly normal, and more than 30 minutes isn't that uncommon.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
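
An added example, not part of the posts above: it measures the gap between "Date:" and the receiving server's "Received:" stamp and applies the 10/30-minute scoring proposed in the question. Both messages, the hosts and the function names are constructed for illustration, and treating the topmost "Received:" as the reference clock is an assumption.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: written offline, handed to a server about 48 minutes later.
QUEUED_ON_LAPTOP = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.com with ESMTP id ABC123;
\tSun, 03 Dec 2006 14:05:00 -0800
Received: from laptop.example.net (unknown [198.51.100.7])
\tby mail.example.net with ESMTP; Sun, 03 Dec 2006 22:04:30 +0000
Date: Sun, 03 Dec 2006 22:16:40 +0100
From: "X X" <xx@example.net>
Subject: written offline, sent later

body
"""

# Constructed sample: sent and delivered within seconds.
PROMPT = """\
Received: from mail.example.org (mail.example.org [192.0.2.20])
\tby mx.example.com with ESMTP id DEF456;
\tSun, 03 Dec 2006 13:16:55 -0800
Date: Sun, 03 Dec 2006 13:16:40 -0800
From: "Y Y" <yy@example.org>
Subject: sent immediately

body
"""

def date_skew_minutes(raw):
    """Minutes between Date: and the topmost Received: timestamp."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    # The topmost Received: is written by the receiving server itself;
    # its timestamp is the text after the final ';'.
    stamp = msg.get_all("Received")[0].rsplit(";", 1)[1].strip()
    arrived = parsedate_to_datetime(stamp)
    # Both datetimes carry their UTC offset, so time zones cancel out.
    return (arrived - sent).total_seconds() / 60.0

def proposed_points(skew_minutes):
    """Scoring from the question: >30 min = 2 points, >10 min = 1 point."""
    skew = abs(skew_minutes)
    return 2 if skew > 30 else 1 if skew > 10 else 0

if __name__ == "__main__":
    for name, raw in (("queued", QUEUED_ON_LAPTOP), ("prompt", PROMPT)):
        skew = date_skew_minutes(raw)
        print(f"{name}: {skew:.1f} min -> {proposed_points(skew)} point(s)")
```
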


Re: Custom Rules

Posted by Jo Rhett <jr...@netconsonance.com>.
Jaysen Johnson wrote:
> Hello,
>  
> I have been asked by my boss to set up SpamAssassin on the corporate 
> email server with the following rules. A single header should record the 
> cumulative scores for the following:
>  
> SPF record not available or not accurate for the sending server- 2 points 

No.  The current module just returns false if it can't find SPF results.
You could submit a patch for /Mail/SpamAssassin/Plugin/SPF.pm to fix that.
(I just might, since I agree with your logic but it's not as high on my
list as other things)

> Date in the mail header more than 10 minutes out of sync     -  1 point
> Date in the mail header more than 30 minutes out of sync    -  2 points

No.  The rules which deal with dates are:

describe DATE_IN_PAST_03_06    Date: is 3 to 6 hours before Received: date
describe DATE_IN_PAST_06_12    Date: is 6 to 12 hours before Received: date
describe DATE_IN_PAST_12_24    Date: is 12 to 24 hours before Received: date
...etc

And I doubt that a 10-minute variance will catch a lot of spam, really.
It will absolutely catch a lot of ham, especially messages which are
queued and sent later (person working disconnected on a laptop)

> From address contains only email address   - 1 point
> for example flag these xxx@domain.com or <xxx@domain.com> not "X X"
> <xx@domain.com>

score NO_REAL_NAME  1

There is no matching for From header mapping, but you can add your own

header FROM_ADDRESS_EQ_REAL   From =~ /^\s*"([^"@]+\@[^"@]+)"\s+<\1>\s*$/i
describe FROM_ADDRESS_EQ_REAL From: repeats address as real name
score FROM_ADDRESS_EQ_REAL  1

-- 
Jo Rhett
Network/Software Engineer
Net Consonance
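
An added example, not part of the post above: the FROM_ADDRESS_EQ_REAL pattern ported to Python and run against constructed From: values, to show which forms it hits before the rule goes live. ADDRESS_ONLY is a hypothetical stand-in for the "address only" case, not the stock NO_REAL_NAME definition, and every sample address is made up.

```python
import re

# The thread's FROM_ADDRESS_EQ_REAL pattern, ported to Python's re syntax.
FROM_ADDRESS_EQ_REAL = re.compile(r'^\s*"([^"@]+@[^"@]+)"\s+<\1>\s*$', re.I)

# Hypothetical stand-in for the "address only" request in the question:
# a bare address, or one in angle brackets, with no display name.
ADDR = r'[^\s<>"@]+@[^\s<>"@]+'
ADDRESS_ONLY = re.compile(rf'^\s*(?:{ADDR}|<{ADDR}>)\s*$')

def classify_from(value):
    """Return the name of the rule a From: value would hit, or 'none'."""
    if FROM_ADDRESS_EQ_REAL.match(value):
        return "FROM_ADDRESS_EQ_REAL"
    if ADDRESS_ONLY.match(value):
        return "ADDRESS_ONLY"
    return "none"

# Constructed From: values covering the forms discussed in the thread,
# plus two edge cases: mixed case and an unquoted repeated address.
SAMPLES = [
    'xxx@example.com',
    '<xxx@example.com>',
    '"X X" <xx@example.com>',
    '"xx@example.com" <xx@example.com>',
    '"XX@Example.com" <xx@example.com>',
    'xx@example.com <xx@example.com>',
]

def report(samples):
    """Pair each sample with the rule it hits and the 1 point the thread assigns."""
    rows = []
    for value in samples:
        rule = classify_from(value)
        rows.append((value, rule, 0 if rule == "none" else 1))
    return rows

if __name__ == "__main__":
    for value, rule, points in report(SAMPLES):
        print(f"{points}  {rule:<22} {value}")
```

The last sample hits neither pattern: the posted regex requires the repeated address to be in double quotes, so an unquoted repeat passes unscored.
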

Re: Custom Rules

Posted by Theo Van Dinter <fe...@apache.org>.
On Sun, Dec 03, 2006 at 01:16:40PM -0800, Jaysen Johnson wrote:
> SPF record not available or not accurate for the sending server- 2 points  

Check out the current SPF rules.  Not available may need some plugin changes.

> Date in the mail header more than 10 minutes out of sync     -  1 point
> Date in the mail header more than 30 minutes out of sync    -  2 points

What does this mean?  That the Date header, after timezone standardization,
says the message is > X minutes old?  If so, that's going to be a bad rule
since a mail can be delayed at any point during its travels to the
destination.

-- 
Randomly Selected Tagline:
"It's a chicken finger device."            - Theo, looking at entree

Re: Custom Rules

Posted by "John D. Hardin" <jh...@impsec.org>.
On Sun, 3 Dec 2006, Jaysen Johnson wrote:

> I have been asked by my boss to set up SpamAssassin on the
> corporate email server with the following rules.

> Date in the mail header more than 10 minutes out of sync - 1 point
> Date in the mail header more than 30 minutes out of sync - 2 points

You need to gently adjust your boss' expectations for the promptness
of email delivery.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Men by their constitutions are naturally divided in to two parties:
  1. Those who fear and distrust the people and wish to draw all
  powers from them into the hands of the higher classes. 2. Those who
  identify themselves with the people, have confidence in them,
  cherish and consider them as the most honest and safe, although not
  the most wise, depository of the public interests.
					          -- Thomas Jefferson
-----------------------------------------------------------------------
 12 days until Bill of Rights day