Posted to users@spamassassin.apache.org by RW <rw...@googlemail.com> on 2009/10/31 14:58:25 UTC

Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

On Sat, 31 Oct 2009 07:59:24 +0000
"richard@buzzhost.co.uk" <ri...@buzzhost.co.uk> wrote:
> A couple of observations:
> 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> possible to extend the network tests to look for fairly constant
> custom headers with the originating IP?


Why would that be a sign of spam?

Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Sat, 2009-10-31 at 18:49 +0200, Henrik K wrote:
> On Sat, Oct 31, 2009 at 03:33:59PM +0000, richard@buzzhost.co.uk wrote:
> > > 
> > > Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> > > PBL isn't going to hit it, since it's a lastexternal rule.
> > 
> > That has totally escaped me Henrik and I'm not sure I fully understand
> > it.
> 
> There is lots of undocumented black magic in SA.
> 
> DNSEval.pm defines at least these headers to be added to the end of the
> "Received chain".
> 
> X-Yahoo-Post-IP
> X-Originating-IP
> X-Apparently-From
> X-SenderIP
> 
> So they will be looked up in RBLs as necessary. If you don't get the
> lastexternal part:
> 
> http://wiki.apache.org/spamassassin/TrustedRelays
> 
> Also:
> 
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
> 
> Selecting just the last external IP
> By using '-lastexternal' at the end of the set name, you can select only the
> external host that connected to your internal network, or at least the last
> external host with a public IP.
> 

Ah, yes. I understand. Thanks. My understanding would be that it's not a
good idea to use the PBL further up the list of hops from the last
external source, for the very reason you may well pick up the initial
client to sending relay connection - which would most likely be in the
PBL {dynamic DSL customer connecting in to his/her ISP mail server}.

Thank you for taking the time to give me the pointers Henrik.
Appreciated. And John, thanks too. Scores adjusted to suit my instance.




Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

Posted by Henrik K <he...@hege.li>.
On Sat, Oct 31, 2009 at 03:33:59PM +0000, richard@buzzhost.co.uk wrote:
> > 
> > Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> > PBL isn't going to hit it, since it's a lastexternal rule.
> 
> That has totally escaped me Henrik and I'm not sure I fully understand
> it.

There is lots of undocumented black magic in SA.

DNSEval.pm defines at least these headers to be added to the end of the
"Received chain".

X-Yahoo-Post-IP
X-Originating-IP
X-Apparently-From
X-SenderIP

So they will be looked up in RBLs as necessary. If you don't get the
lastexternal part:

http://wiki.apache.org/spamassassin/TrustedRelays

Also:

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

Selecting just the last external IP
By using '-lastexternal' at the end of the set name, you can select only the
external host that connected to your internal network, or at least the last
external host with a public IP.


Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Sat, 2009-10-31 at 16:30 +0200, Henrik K wrote:
> On Sat, Oct 31, 2009 at 02:13:45PM +0000, richard@buzzhost.co.uk wrote:
> > On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> > > On Sat, 31 Oct 2009 07:59:24 +0000
> > > "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk> wrote:
> > > > A couple of observations:
> > > > 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> > > > possible to extend the network tests to look for fairly constant
> > > > custom headers with the originating IP?
> > > 
> > > 
> > > Why would that be a sign of spam?
> > It's not, necessarily - when I think about it. All clients that hook up
> > to Hotmail are most likely going to be in the PBL being probably
> > dynamic. So the plan is flawed!
> > 
> > That said, if I could press the 'I would like' button, it would be nice
> > to geo-lookup this IP and be able to score it higher if it's from China,
> > Brazil, Argentina, Colombia etc... That, of course, is in an ideal
> > world.
> 
> Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> PBL isn't going to hit it, since it's a lastexternal rule.

That has totally escaped me Henrik and I'm not sure I fully understand
it.

> 
> Likewise the RelayCountry plugin does what you want:
> http://wiki.apache.org/spamassassin/RelayCountryPlugin
> 
> header FROM_XX_ATLEAST_2_HOPS_AWAY X-Relay-Countries =~ /.. .. (?:CN|BR)$/
> 
OK, I've added the dependencies IP::Country::Fast (which in turn wanted
Geography::Countries), applied the small header patch, enabled the
module and I'll sit back and wait in anticipation.

Thanks for the advice and help. Appreciated.


Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

Posted by Michael Scheidell <sc...@secnap.net>.
Henrik K wrote:
> Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> PBL isn't going to hit it, since it's a lastexternal rule.
>
> Likewise the RelayCountry plugin does what you want:
> http://wiki.apache.org/spamassassin/RelayCountryPlugin
>
> header FROM_XX_ATLEAST_2_HOPS_AWAY X-Relay-Countries =~ /.. .. (?:CN|BR)$/
>
>   
and, of course, Bayes can keep track of those 'tokens', I think






Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

Posted by Henrik K <he...@hege.li>.
On Sat, Oct 31, 2009 at 02:13:45PM +0000, richard@buzzhost.co.uk wrote:
> On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> > On Sat, 31 Oct 2009 07:59:24 +0000
> > "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk> wrote:
> > > A couple of observations:
> > > 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> > > possible to extend the network tests to look for fairly constant
> > > custom headers with the originating IP?
> > 
> > 
> > Why would that be a sign of spam?
> It's not, necessarily - when I think about it. All clients that hook up
> to Hotmail are most likely going to be in the PBL being probably
> dynamic. So the plan is flawed!
> 
> That said, if I could press the 'I would like' button, it would be nice
> to geo-lookup this IP and be able to score it higher if it's from China,
> Brazil, Argentina, Colombia etc... That, of course, is in an ideal
> world.

Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
PBL isn't going to hit it, since it's a lastexternal rule.

Likewise the RelayCountry plugin does what you want:
http://wiki.apache.org/spamassassin/RelayCountryPlugin

header FROM_XX_ATLEAST_2_HOPS_AWAY X-Relay-Countries =~ /.. .. (?:CN|BR)$/
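The relay handling Henrik describes in this message and in his fuller reply above (an X-Originating-IP-style header appended to the end of the Received chain, a lastexternal rule that touches only the host which connected to us, and the RelayCountry-style X-Relay-Countries string his FROM_XX_ATLEAST_2_HOPS_AWAY rule matches), worked through as an added Python example. This is not code from the thread or from SpamAssassin; it models SpamAssassin's behaviour in simplified form. The sample headers, the trusted network, the country table (a stand-in for IP::Country::Fast) and the PBL stand-in are all constructed for the example; 123.160.198.207 is the only address taken from the thread, and the country assignments are illustrative.

```python
import ipaddress
import re

# Constructed sample (not from the thread): a webmail-style message that our MX
# (192.0.2.25, RFC 5737 range) accepted from the provider's outbound relay; only
# 123.160.198.207 is the X-Originating-IP quoted in the thread.
SAMPLE_HEADERS = """\
Received: from mx.example.net ([192.0.2.25]) by mailstore.example.net
Received: from mta-out.webmail.example (mta-out.webmail.example [203.0.113.10])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1
Received: from WEB-FE-12 ([198.51.100.53]) by mta-out.webmail.example
\twith HTTP; Sat, 31 Oct 2009 07:00:00 +0000
X-Originating-IP: [123.160.198.207]
From: someone@webmail.example
Subject: constructed sample
"""
TRUSTED_NETWORKS = ["192.0.2.0/24"]  # stand-in for SA's trusted_networks
# Headers DNSEval.pm appends to the end of the Received chain (per the thread).
ORIGINATING_HEADERS = {"x-yahoo-post-ip", "x-originating-ip", "x-apparently-from", "x-senderip"}
# Constructed country table standing in for IP::Country::Fast ("XX" = unknown).
COUNTRY_TABLE = {"203.0.113.0/24": "US", "198.51.100.0/24": "US", "123.160.198.0/24": "CN"}
# Constructed stand-in for a dynamic-address list such as the PBL (hypothetical data).
PBL_STAND_IN = ["123.160.198.0/24"]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Henrik's rule: oldest untrusted hop is CN/BR and at least two hops precede it.
FROM_XX_ATLEAST_2_HOPS_AWAY = re.compile(r".. .. (?:CN|BR)$")

def parse_headers(raw):
    """Unfold RFC 5322 header lines into (name, value) pairs, keeping order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # end of the header block
        if line[0] in " \t" and fields:  # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def relay_chain(raw):
    """Relay IPs newest-first (top Received header first); an X-Originating-IP
    style header is appended as the oldest hop, which is what DNSEval.pm does."""
    received, appended = [], []
    for name, value in parse_headers(raw):
        match = IPV4_IN_BRACKETS.search(value)
        if match and name.lower() == "received":
            received.append(match.group(1))
        elif match and name.lower() in ORIGINATING_HEADERS:
            appended.append(match.group(1))
    return received + appended

def split_trusted(chain, trusted):
    """Leading hops inside trusted networks are trusted; the first hop outside
    them and every older hop is untrusted (a simplified form of SA's logic)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    trusted_hops, untrusted_hops = [], []
    for ip in chain:
        if not untrusted_hops and any(ipaddress.ip_address(ip) in n for n in nets):
            trusted_hops.append(ip)
        else:
            untrusted_hops.append(ip)
    return trusted_hops, untrusted_hops

def last_external(chain, trusted):
    """The '-lastexternal' hop: the first untrusted relay, i.e. the host that
    connected to our network ('' if every hop is trusted)."""
    untrusted_hops = split_trusted(chain, trusted)[1]
    return untrusted_hops[0] if untrusted_hops else ""

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in COUNTRY_TABLE.items()
                 if addr in ipaddress.ip_network(net)), "XX")

def relay_countries(chain, trusted):
    """X-Relay-Countries value: one code per untrusted hop, newest first."""
    return " ".join(country_of(ip) for ip in split_trusted(chain, trusted)[1])

def rule_hits(x_relay_countries):
    return bool(FROM_XX_ATLEAST_2_HOPS_AWAY.search(x_relay_countries))

def pbl_hits(chain, trusted, lastexternal_only=True):
    """Hops found in the PBL stand-in. A lastexternal rule queries only the
    connecting host; querying every untrusted hop would also catch the client."""
    hops = [last_external(chain, trusted)] if lastexternal_only else split_trusted(chain, trusted)[1]
    nets = [ipaddress.ip_network(n) for n in PBL_STAND_IN]
    return [ip for ip in hops if ip and any(ipaddress.ip_address(ip) in n for n in nets)]

if __name__ == "__main__":
    chain = relay_chain(SAMPLE_HEADERS)
    xrc = relay_countries(chain, TRUSTED_NETWORKS)
    print("relays:", chain, "lastexternal:", last_external(chain, TRUSTED_NETWORKS))
    print("X-Relay-Countries:", xrc, "-> FROM_XX_ATLEAST_2_HOPS_AWAY:", rule_hits(xrc))
    print("PBL, lastexternal only:", pbl_hits(chain, TRUSTED_NETWORKS))
    print("PBL, every untrusted hop:", pbl_hits(chain, TRUSTED_NETWORKS, lastexternal_only=False))
```

Running it gives an X-Relay-Countries value of "US US CN", so the two-hops-away rule fires on the originating client even though both provider relays are elsewhere, while the PBL stand-in is hit only when every untrusted hop is queried rather than the lastexternal one alone, which is the point the thread turns on. One caveat the code makes visible: an X-Originating-IP header is only as trustworthy as the relay that added it, so a rule keyed on it should be scored like any other data from an untrusted relay rather than treated as a verified source address.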


Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> On Sat, 31 Oct 2009 07:59:24 +0000
> "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk> wrote:
> > A couple of observations:
> > 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> > possible to extend the network tests to look for fairly constant
> > custom headers with the originating IP?
> 
> 
> Why would that be a sign of spam?
It's not, necessarily - when I think about it. All clients that hook up
to Hotmail are most likely going to be in the PBL being probably
dynamic. So the plan is flawed!

That said, if I could press the 'I would like' button, it would be nice
to geo-lookup this IP and be able to score it higher if it's from China,
Brazil, Argentina, Colombia etc... That, of course, is in an ideal
world.