Posted to users@spamassassin.apache.org by Matt <ma...@gmail.com> on 2020/12/17 23:05:41 UTC

Scoring Based on IP Address

Is there a way with spamassassin local.conf to add a higher score
based on source ip address or subnet?  Basically the last IP in
"Received:" header.

bad_subnet_add_20_points: 192.168.240.0/24

Raising the score if that IP appeared anywhere in headers or body
might work too.

Re: Scoring Based on IP Address

Posted by John Hardin <jh...@impsec.org>.
On Fri, 18 Dec 2020, @lbutlr wrote:

> On 17 Dec 2020, at 16:19, Dave Wreski <dw...@guardiandigital.com> wrote:
>> On 12/17/20 6:05 PM, Matt wrote:
>>> Is there a way with spamassassin local.conf to add a higher score
>>> based on source ip address or subnet?  Basically the last IP in
>>> "Received:" header.
>>> bad_subnet_add_20_points: 192.168.240.0/24
>>> Raising the score if that IP appeared anywhere in headers or body
>>> might work too.
>
>> Yes, but if you're effectively going to create a "poison pill" rule where any mail from a particular network is quarantined, you might be better off doing this at the firewall or in postfix directly and just rejecting it outright.
>>
>> header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
>> body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
>> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
>> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
>> score MY_BAD_SENDER 20
>> describe MY_BAD_SENDER Contains bad IP
>
> Won't this match for that IP in ANY Received: header?

Yes. That's "deep inspection", and runs the risk of a hit on a legitimate 
"bad" IP in the sender's local network (assuming their MTA records the 
initial submission).

It would be better to check the last external IP in X-Spam-Relays-External:

   header __EXT_MTA_IP_BAD  X-Spam-Relays-External =~ /^\[ ip=192\.168\.240\.\d+ /


And, as Dave said, if you're going to poison pill based on the external 
MTA's IP address, then do it with an MTA IP rule or at the firewall, it's 
a lot easier (and lighter-weight) than all this SA stuff.

For example, in /etc/mail/access (for sendmail):

   93.159.212.159	550 5.7.1 Spammed a mailing list - go away.
   65.49.16.2		550 5.7.1 Open relay - go away.
   202.65.168.39		550 5.7.1 Seven 419 spams in one hour - go away.
   213.171.44.75		550 5.7.1 Open relay - email worms - go away.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
   does quite what I want. I wish Christopher Robin was here."
                                            -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
  7 days until Christmas
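
A worked illustration of the difference John describes above, as an added example that is not part of the thread: constructed Received: headers are walked top-down, hops inside an assumed trusted_networks range are skipped, and both Dave's any-Received: match and John's X-Spam-Relays-External match are applied. The sample hosts, addresses, trusted range and function names are all assumptions; the X-Spam-Relays-External rendering is simplified to the ip= field.

```python
import ipaddress
import re

# Constructed sample Received: headers, most recent hop first. The top hop is our
# own MX (trusted); the middle hop is the sending MTA; the bottom hop is the
# sender's internal workstation, which happens to sit in the "bad" subnet.
LEGIT_RECEIVED = [
    "from mx.example.net (mx.example.net [198.51.100.10]) by mail.example.com",
    "from smtp.sender.example ([203.0.113.7]) by mx.example.net",
    "from workstation.lan ([192.168.240.55]) by smtp.sender.example",
]
# Constructed: here the bad subnet is the external MTA that handed us the mail.
BAD_RELAY_RECEIVED = [
    "from mx.example.net (mx.example.net [198.51.100.10]) by mail.example.com",
    "from spam.example ([192.168.240.9]) by mx.example.net",
]

TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed trusted_networks
BAD_SUBNET = ipaddress.ip_network("192.168.240.0/24")          # subnet from the question
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# John's __EXT_MTA_IP_BAD pattern, as a Python regex.
EXT_RULE = re.compile(r"^\[ ip=192\.168\.240\.\d+ ")

def relay_ips(received):
    """Relay IP of each Received: header, top (most recent) first."""
    return [ipaddress.ip_address(m.group(1))
            for m in (IP_RE.search(h) for h in received) if m]

def relays_external(received, trusted=TRUSTED_NETWORKS):
    """Relays outside trusted_networks, in the order SpamAssassin lists them
    in X-Spam-Relays-External (last external hop first)."""
    return [ip for ip in relay_ips(received)
            if not any(ip in net for net in trusted)]

def relays_external_header(received):
    """Simplified rendering of the X-Spam-Relays-External pseudo-header: one
    '[ ip=... ]' block per external relay (SA itself adds rdns=, helo=, ... fields)."""
    return "".join(f"[ ip={ip} ] " for ip in relays_external(received))

def deep_inspection_hit(received, bad=BAD_SUBNET):
    """Dave's __BAD_IP_RCVD: fires if ANY Received: hop is in the bad subnet."""
    return any(ip in bad for ip in relay_ips(received))

def external_relay_hit(received):
    """John's __EXT_MTA_IP_BAD: fires only if the last external relay is bad."""
    return EXT_RULE.search(relays_external_header(received)) is not None
```

Run against LEGIT_RECEIVED, the any-Received: rule fires on the sender's internal hop while the X-Spam-Relays-External rule stays quiet; against BAD_RELAY_RECEIVED both fire.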

Re: Scoring Based on IP Address

Posted by "@lbutlr" <kr...@kreme.com>.
On 17 Dec 2020, at 16:19, Dave Wreski <dw...@guardiandigital.com> wrote:
> On 12/17/20 6:05 PM, Matt wrote:
>> Is there a way with spamassassin local.conf to add a higher score
>> based on source ip address or subnet?  Basically the last IP in
>> "Received:" header.
>> bad_subnet_add_20_points: 192.168.240.0/24
>> Raising the score if that IP appeared anywhere in headers or body
>> might work too.

> Yes, but if you're effectively going to create a "poison pill" rule where any mail from a particular network is quarantined, you might be better off doing this at the firewall or in postfix directly and just rejecting it outright.
> 
> header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
> body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
> score MY_BAD_SENDER 20
> describe MY_BAD_SENDER Contains bad IP

Won't this match for that IP in ANY Received: header?

-- 
"How good bad music and bad reasons sound when we march against an
	enemy." -  Friedrich Nietzsche


Re: Scoring Based on IP Address

Posted by Dave Wreski <dw...@guardiandigital.com>.
Hi,

On 12/17/20 6:05 PM, Matt wrote:
> Is there a way with spamassassin local.conf to add a higher score
> based on source ip address or subnet?  Basically the last IP in
> "Received:" header.
> 
> bad_subnet_add_20_points: 192.168.240.0/24
> 
> Raising the score if that IP appeared anywhere in headers or body
> might work too.

Yes, but if you're effectively going to create a "poison pill" rule 
where any mail from a particular network is quarantined, you might be 
better off doing this at the firewall or in postfix directly and just 
rejecting it outright.

header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
score MY_BAD_SENDER 20
describe MY_BAD_SENDER Contains bad IP

Regards,
Dave