Posted to users@spamassassin.apache.org by Nick Gilbert <ni...@x-rm.com> on 2006/10/27 11:51:10 UTC

Rules to reject bounce messages for mail not sent by me

Hi,

I've been trying to write some SA rules to reject bounce messages which 
I did not send.

I've made a good start, but some bounce messages still get through but I 
don't understand why.

The theory is that viruses and spammers don't seem to use my full e-mail 
address nick@mydomain.com but change the username part of it and send 
from an address uxntf@mydomain.com. I would like to reject all bounce 
messages which have arisen from mail sent from *@mydomain.com but NOT 
nick@mydomain.com.

This works for about 50% of mail, but I think one serious problem is 
that the line:

header  __NICK_BOUNCE_REAL      To =~ /nick\@mydomain\.com/i

...matches on the header:

X-MDaemon-Deliver-To: nick@mydomain.com

Which I'm pretty sure it shouldn't! Why does it think that header is the 
same as a normal To header? Surely it's not scanning for headers simply 
ending in "To"?

My rules are below for comment/improvement but please let me know if 
there's a better way to do this or an existing set of working rules 
somewhere.

Nick...


# ---------- BOUNCE DETECTION (stolen from bogus_virus_warnings.cf) ---------
# General rule to indicate bounce or otherwise - used for some other
# rules
header __BOUNCE_HEADER          X-Is-A-Bounce =~ /.+/

# This won't match for scanning done at SMTP time, at least with Exim
header __BOUNCE_RP1             Return-Path =~  /^<>$/

# NL says this is added by amavisd-new before passing to SA
header __BOUNCE_RP2             X-Return-Path =~ /^<>$/

# Mark Martinec says the above is incorrect, and it's X-Envelope-From
header __BOUNCE_RP3             X-Envelope-From =~ /^<>$/

meta __NULL_SENDER              __BOUNCE_HEADER || __BOUNCE_RP1 || __BOUNCE_RP2 || __BOUNCE_RP3

# Thanks to AF
header __CT_DEL_STATUS          Content-Type =~ /report-type=delivery-status/

meta __NICK_IS_A_BOUNCE         __NULL_SENDER || __CT_DEL_STATUS

# To contains my real address
header  __NICK_BOUNCE_REAL      To =~ /nick\@mydomain\.com/i
# To contains any address at my domain
header  __NICK_TO_NOT_ME        To =~ /.*\@mydomain\.com/i

# Bounce addressed to my domain but not to my real address
meta NICK_SPOOF_BOUNCE (( __NICK_IS_A_BOUNCE && __NICK_TO_NOT_ME) && (!__NICK_BOUNCE_REAL))
score NICK_SPOOF_BOUNCE 10
describe  NICK_SPOOF_BOUNCE "Attached bounce contains my address but I never sent this!"
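
The rule set above, re-expressed as a small Python harness that reports every sub-rule's result, so a missed bounce can be traced to the sub-rule that failed. This is an added example, not part of the original post and not SpamAssassin code; it assumes a header rule consults only headers with exactly the named header name, and the sample messages are constructed.

```python
import re
from email import message_from_string

# Header sub-rules copied from the post: (name, header, pattern, flags).
HEADER_RULES = [
    ("__BOUNCE_HEADER", "X-Is-A-Bounce", r".+", 0),
    ("__BOUNCE_RP1", "Return-Path", r"^<>$", 0),
    ("__BOUNCE_RP2", "X-Return-Path", r"^<>$", 0),
    ("__BOUNCE_RP3", "X-Envelope-From", r"^<>$", 0),
    ("__CT_DEL_STATUS", "Content-Type", r"report-type=delivery-status", 0),
    ("__NICK_BOUNCE_REAL", "To", r"nick\@mydomain\.com", re.I),
    ("__NICK_TO_NOT_ME", "To", r".*\@mydomain\.com", re.I),
]

def evaluate(raw_headers):
    """Return {rule name: bool} for every sub-rule and meta rule in the post."""
    msg = message_from_string(raw_headers)
    hit = {}
    for name, header, pattern, flags in HEADER_RULES:
        # Assumption: only headers named exactly `header` are consulted
        # (case-insensitive), so "To" never sees X-MDaemon-Deliver-To.
        values = msg.get_all(header, [])
        hit[name] = any(re.search(pattern, v.strip(), flags) for v in values)
    hit["__NULL_SENDER"] = (hit["__BOUNCE_HEADER"] or hit["__BOUNCE_RP1"]
                            or hit["__BOUNCE_RP2"] or hit["__BOUNCE_RP3"])
    hit["__NICK_IS_A_BOUNCE"] = hit["__NULL_SENDER"] or hit["__CT_DEL_STATUS"]
    hit["NICK_SPOOF_BOUNCE"] = (hit["__NICK_IS_A_BOUNCE"]
                                and hit["__NICK_TO_NOT_ME"]
                                and not hit["__NICK_BOUNCE_REAL"])
    return hit

# Constructed sample headers (not real mail).
FORGED = ("Return-Path: <>\n"
          "To: uxntf@mydomain.com\n"
          "X-MDaemon-Deliver-To: nick@mydomain.com\n"
          "Content-Type: multipart/report; report-type=delivery-status\n\n")
GENUINE = "Return-Path: <>\nTo: nick@mydomain.com\n\n"
# Same forged bounce seen before any null-sender header has been added.
NO_MARKER = "To: uxntf@mydomain.com\nContent-Type: text/plain\n\n"

if __name__ == "__main__":
    for label, raw in [("forged", FORGED), ("genuine", GENUINE),
                       ("no-marker", NO_MARKER)]:
        result = evaluate(raw)
        print(label, sorted(k for k, v in result.items() if v))
```

The third sample corresponds to the case noted in the rule comments, where Return-Path is not yet present when scanning happens at SMTP time: the To sub-rule matches, but nothing marks the message as a bounce, so the meta rule cannot fire.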