A compound bounce/(spf/dk/dkim) rule I'd like to see.

["Dan Mahoney, System Admin" <da...@prime.gushi.org>]

In pseudocode...

IF (message is a recognizable bounce || message is from <>)...

AND (we can guess the domain being sent to (can't trust the "to" header, 
but maybe the X-Envelope-To or some MTA token?)

AND the domain being sent TO supports SPF and/or DKIM...(i.e. implying a 
misdirected bounce)

Score a compound rule hit.

My logic here is that I would eventually like to compile an rfc-ignorant 
list of the senders of such bounces, and aid them in not SENDING such 
bounce messages, or at the very least, set up a ruleset in the future to 
block bounces from them, based on a low signal/noise ratio.

I am not trying at all to claim that this should be something SCORABLE, 
immediately: I don't think SA's detection of legitimate bounce messages 
versus illegitmate bounce messages is good enough (please feel free to 
tell me differently).

-Dan Mahoney

--

"GO HOME AND COOK!!!"

Donielle Cocossa, Taco Bell, 2:30 AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------