'mx' appearing in the host portion of the return address

[Arlyle Consulting <co...@arlyle.com>]

Hi,

I have a question, and possible feature request.

I just installed SpamAssassin on my mail server a couple of days ago.   
I've been closely studying the messages that get by SA and are spam,  
and I've noticed something.

Many of the messages that are spam that SA misses has return addresses  
that have 'mx' in the host part of the address.  Here are examples:

colon23@mx5.bagofpretzels.com
credit360@mx8.abacan.net
sattelitetv@mx15.staticisbad.com

I've had an email account on the Internet for 14 years, and I have  
NEVER had to put anything like "mx5" in an email address.  The only  
thing I can think of that remotely resembles this is the old days of  
Netcom when the addresses were all "ix.netcom.com".  I suspect they  
are including these "mx" subzone names because they are all valid  
hosts in those domains (I checked with "dig", and they all return a  
valid IP address).

What is needed is a rule that checks these return addresses and, if it  
finds 'mx' as a subdomain, it gives it points.  Regular expressions  
are not my strong suit, but I think it would look something like this:

/\@mx[0-9].*\..*\..*/

Hopefully everyone gets the jist.

It doesn't appear there's a rule like this currently.  I'm wondering  
if there is a way to add this type of rule?

Thanks,

Robert Case...
Arlyle Consulting

Re: 'mx' appearing in the host portion of the return address

[Matt Kettler <mk...@verizon.net>]

Arlyle Consulting wrote:
> Hi,
>
> I have a question, and possible feature request.
>
> I just installed SpamAssassin on my mail server a couple of days ago.  
> I've been closely studying the messages that get by SA and are spam, 
> and I've noticed something.
>
> Many of the messages that are spam that SA misses has return addresses 
> that have 'mx' in the host part of the address.  Here are examples:
>
> colon23@mx5.bagofpretzels.com
> credit360@mx8.abacan.net
> sattelitetv@mx15.staticisbad.com
>
> I've had an email account on the Internet for 14 years, and I have 
> NEVER had to put anything like "mx5" in an email address.  The only 
> thing I can think of that remotely resembles this is the old days of 
> Netcom when the addresses were all "ix.netcom.com".  I suspect they 
> are including these "mx" subzone names because they are all valid 
> hosts in those domains (I checked with "dig", and they all return a 
> valid IP address).
>
> What is needed is a rule that checks these return addresses and, if it 
> finds 'mx' as a subdomain, it gives it points.  Regular expressions 
> are not my strong suit, but I think it would look something like this:
>
> /\@mx[0-9].*\..*\..*/
>
> Hopefully everyone gets the jist.
>
> It doesn't appear there's a rule like this currently.  I'm wondering 
> if there is a way to add this type of rule? 

You could easily add your own....

header MY_FROM_MX  From =~ /\@mx[0-9].*\..*\./
score MY_FROM_MX 0.01

note: I removed the trailing .*, becuase it's redundant to end a regex 
in a wildcard. They match substrings, so there's no value in adding them 
on the end like that.

My only caution to you is this rule may match a lot of legitimate 
commercial newsletters. If they're not important to you, that's not much 
of a concern, but you might want to keep an eye out for it if you care 
about them.