Posted to users@spamassassin.apache.org by Nick Gilbert <ni...@x-rm.com> on 2006/10/27 11:51:10 UTC
Rules to reject bounce messages for mail not sent by me
Hi,
I've been trying to write some SA rules to reject bounce messages which
I did not send.
I've made a good start, but some bounce messages still get through but I
don't understand why.
The theory is that viruses and spammers don't seem to use my full e-mail
address nick@mydomain.com but change the username part of it and send
from an address uxntf@mydomain.com. I would like to reject all bounce
messages which have arisen from mail sent from *@mydomain.com but NOT
nick@mydomain.com.
This works for about 50% of mail, but I think one serious problem is
that the line:
header __NICK_BOUNCE_REAL To =~ /nick\@mydomain\.com/i
...matches on the header:
X-MDaemon-Deliver-To: nick@mydomain.com
Which I'm pretty sure it shouldn't! Why does it think that header is the
same as a normal To header? Surely it's not scanning for headers simply
ending in "To"?
My rules are below for comment/improvement but please let me know if
there's a better way to do this or an existing set of working rules
somewhere.
Nick...
# ---------- BOUNCE DETECTION (stolen from bogus_virus_warnings.cf) ---------
# General rule to indicate bounce or otherwise - used for some other
# rules
header __BOUNCE_HEADER X-Is-A-Bounce =~ /.+/
# This won't match for scanning done at SMTP time, at least with Exim
header __BOUNCE_RP1 Return-Path =~ /^<>$/
# NL says this is added by amavisd-new before passing to SA
header __BOUNCE_RP2 X-Return-Path =~ /^<>$/
# Mark Martinec says the above is incorrect, and it's X-Envelope-From
header __BOUNCE_RP3 X-Envelope-From =~ /^<>$/
meta __NULL_SENDER __BOUNCE_HEADER || __BOUNCE_RP1 || __BOUNCE_RP2 || __BOUNCE_RP3
# Thanks to AF
header __CT_DEL_STATUS Content-Type =~ /report-type=delivery-status/
meta __NICK_IS_A_BOUNCE __NULL_SENDER || __CT_DEL_STATUS
header __NICK_BOUNCE_REAL To =~ /nick\@mydomain\.com/i
header __NICK_TO_NOT_ME To =~ /.*\@mydomain\.com/i
meta NICK_SPOOF_BOUNCE (( __NICK_IS_A_BOUNCE && __NICK_TO_NOT_ME) && (!__NICK_BOUNCE_REAL))
score NICK_SPOOF_BOUNCE 10
describe NICK_SPOOF_BOUNCE "Attached bounce contains my address but I never sent this!"
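
An offline harness for the rule logic in the post above, added here as an example; it is not part of the original message and not SpamAssassin code. It evaluates the same bounce and recipient conditions on constructed messages with Python's email module, and goes one step further than the posted rules by comparing parsed addresses instead of substring matches. All function and variable names are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

MY_ADDRESS = "nick@mydomain.com"  # the only real mailbox (from the post)
MY_DOMAIN = "mydomain.com"
PAGE_REGEX = re.compile(r"nick\@mydomain\.com", re.I)  # pattern used by __NICK_BOUNCE_REAL

def is_bounce(msg):
    """Null sender in any of the post's headers, or a delivery-status report."""
    null_sender = bool((msg.get("X-Is-A-Bounce") or "").strip()) or any(
        (msg.get(h) or "").strip() == "<>"
        for h in ("Return-Path", "X-Return-Path", "X-Envelope-From"))
    dsn = str(msg.get_param("report-type") or "").lower() == "delivery-status"
    return null_sender or dsn

def to_addresses(msg):
    # get_all("To") selects by exact header name, so a header such as
    # X-MDaemon-Deliver-To is never consulted by this check.
    return [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]

def spoof_bounce(raw):
    """True for a bounce addressed to the domain but not to the real mailbox."""
    msg = message_from_string(raw)
    rcpts = to_addresses(msg)
    to_domain = any(a.endswith("@" + MY_DOMAIN) for a in rcpts)
    return is_bounce(msg) and to_domain and MY_ADDRESS not in rcpts

def build(to, sender="<>", extra=""):
    # Constructed sample message, not taken from real traffic.
    return (f"Return-Path: {sender}\nTo: {to}\n{extra}"
            "Content-Type: multipart/report; report-type=delivery-status;\n"
            " boundary=\"b\"\n\n--b--\n")

FORGED = build("uxntf@mydomain.com", extra="X-MDaemon-Deliver-To: nick@mydomain.com\n")
GENUINE = build("Nick <nick@mydomain.com>")
LOOKALIKE = build("annick@mydomain.com")  # substring-matches the posted regex

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("genuine", GENUINE), ("lookalike", LOOKALIKE)]:
        print(name, spoof_bounce(raw))
```

Running the same three messages through `spamassassin -t` with the posted rules loaded lets the two sets of verdicts be compared.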