Posted to users@spamassassin.apache.org by Arlyle Consulting <co...@arlyle.com> on 2008/01/26 03:58:23 UTC
'mx' appearing in the host portion of the return address
Hi,
I have a question, and possible feature request.
I just installed SpamAssassin on my mail server a couple of days ago.
I've been closely studying the messages that get by SA and are spam,
and I've noticed something.
Many of the messages that are spam that SA misses have return addresses
that have 'mx' in the host part of the address. Here are examples:
colon23@mx5.bagofpretzels.com
credit360@mx8.abacan.net
sattelitetv@mx15.staticisbad.com
I've had an email account on the Internet for 14 years, and I have
NEVER had to put anything like "mx5" in an email address. The only
thing I can think of that remotely resembles this is the old days of
Netcom when the addresses were all "ix.netcom.com". I suspect they
are including these "mx" subzone names because they are all valid
hosts in those domains (I checked with "dig", and they all return a
valid IP address).
What is needed is a rule that checks these return addresses and, if it
finds 'mx' as a subdomain, it gives it points. Regular expressions
are not my strong suit, but I think it would look something like this:
/\@mx[0-9].*\..*\..*/
Hopefully everyone gets the gist.
It doesn't appear there's a rule like this currently. I'm wondering
if there is a way to add this type of rule?
Thanks,
Robert Case...
Arlyle Consulting
Re: 'mx' appearing in the host portion of the return address
Posted by Matt Kettler <mk...@verizon.net>.
Arlyle Consulting wrote:
> Hi,
>
> I have a question, and possible feature request.
>
> I just installed SpamAssassin on my mail server a couple of days ago.
> I've been closely studying the messages that get by SA and are spam,
> and I've noticed something.
>
> Many of the messages that are spam that SA misses have return addresses
> that have 'mx' in the host part of the address. Here are examples:
>
> colon23@mx5.bagofpretzels.com
> credit360@mx8.abacan.net
> sattelitetv@mx15.staticisbad.com
>
> I've had an email account on the Internet for 14 years, and I have
> NEVER had to put anything like "mx5" in an email address. The only
> thing I can think of that remotely resembles this is the old days of
> Netcom when the addresses were all "ix.netcom.com". I suspect they
> are including these "mx" subzone names because they are all valid
> hosts in those domains (I checked with "dig", and they all return a
> valid IP address).
>
> What is needed is a rule that checks these return addresses and, if it
> finds 'mx' as a subdomain, it gives it points. Regular expressions
> are not my strong suit, but I think it would look something like this:
>
> /\@mx[0-9].*\..*\..*/
>
> Hopefully everyone gets the gist.
>
> It doesn't appear there's a rule like this currently. I'm wondering
> if there is a way to add this type of rule?
You could easily add your own....
header MY_FROM_MX From =~ /\@mx[0-9].*\..*\./
score MY_FROM_MX 0.01
Note: I removed the trailing .*, because it's redundant to end a regex
in a wildcard. They match substrings, so there's no value in adding them
on the end like that.
My only caution to you is this rule may match a lot of legitimate
commercial newsletters. If they're not important to you, that's not much
of a concern, but you might want to keep an eye out for it if you care
about them.
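
Added example, not part of the original thread: a small Python harness that runs the regex from the MY_FROM_MX rule above against constructed From header values, next to a tighter variant. The tighter pattern, the function name and every sample other than the three addresses quoted in the thread are assumptions made for this illustration.

```python
import re

# Regex from the rule in the reply above (header MY_FROM_MX From =~ ...).
# Perl and Python treat this pattern the same way.
RULE_AS_POSTED = re.compile(r"\@mx[0-9].*\..*\.")

# Assumption: a tighter variant written for this example, not from the thread.
# It keeps the match inside one hostname: "@mx<digits>." + label + "." + next label.
RULE_TIGHTER = re.compile(r"@mx[0-9]+\.[a-z0-9-]+\.[a-z]", re.IGNORECASE)

# Constructed From header values. The first three addresses are the examples
# quoted in the thread; the rest are made up for illustration.
SAMPLES = [
    "colon23@mx5.bagofpretzels.com",
    "credit360@mx8.abacan.net",
    "sattelitetv@mx15.staticisbad.com",
    "Weekly News <news@mx2.newsletter.example>",  # legitimate bulk sender shape
    "alice@mx1.example (A. Smith, Ph.D.)",         # extra dots only in the comment
    "bob@mail.example.com",                        # no mx label at all
    "carol@mxtoolbox.example.com",                 # "mx" not followed by a digit
]

def evaluate(samples=SAMPLES):
    """Return {header: (posted_hit, tighter_hit)} for each sample."""
    return {
        s: (bool(RULE_AS_POSTED.search(s)), bool(RULE_TIGHTER.search(s)))
        for s in samples
    }

if __name__ == "__main__":
    for header, (posted, tighter) in evaluate().items():
        print(f"posted={posted!s:5} tighter={tighter!s:5} {header}")
```

Both patterns still hit the newsletter-shaped sender, which is the false-positive case the reply cautions about; the tighter one only stops the unanchored .* from matching on dots outside the hostname.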