Posted to users@spamassassin.apache.org by ".rp" <pr...@afts.com> on 2008/05/07 23:58:34 UTC

possible idea for backscatter problem

One of the users (actually the boss) had the email address harvested and we got clobbered 
by backscatter. Looking at the emails of the various 'unable to deliver' type messages, I saw 
what these could be filtered on, but don't know how to write up and implement the rule 
outside of procmail. I don't want to use procmail for this since I think it would be an 
expensive routine for procmail to run.

In the body of the 'unable to deliver' message, the original message is quoted. One of the 
lines quoted is the Message-ID: header from the original. The format of this line is always 
wrong as it does not contain the FQDN that our server appends to the end of the hash 
number, following the '@' symbol.

So, I need a rule that would parse the "Message-ID:" in the body (or attachment), not the 
header, and look for the @FQDN.
Is this rule already out in the wild?
-p


Re: possible idea for backscatter problem

Posted by Matt Kettler <mk...@verizon.net>.
.rp wrote:
> One of the users (actually the boss) had the email address harvested and we got clobbered 
> by backscatter. Looking at the emails of the various 'unable to deliver' type messages, I saw 
> what these could be filtered on, but don't know how to write up and implement the rule 
> outside of procmail. I don't want to use procmail for this since I think it would be an 
> expensive routine for procmail to run.
>
> In the body of the 'unable to deliver' message, the original message is quoted. One of the 
> lines quoted is the Message-ID: header from the original. The format of this line is always 
> wrong as it does not contain the FQDN that our server appends to the end of the hash 
> number, following the '@' symbol.
>
> So, I need a rule that would parse the "Message-ID:" in the body (or attachment), not the 
> header, and look for the @FQDN.
> Is this rule already out in the wild?
>   
(note: your To: was the bogofilter list, but this appeared on 
spamassassin-users as well.. It looks like you bcc'ed the SA list.  
Anyway, I'm answering on the SA list because that's where I picked up 
the message from)

Not that I know of, but it would be fairly quick as a spamassassin rule.

You'd likely need a meta of some sort.

Theoretically, something like this should work. I'm leveraging some of 
the stock ruleset here, by reusing BOUNCE_MESSAGE to detect if the 
message really is a bounce, make sure it is in your ruleset.

----------

# Sub-rules (the leading __ means they carry no score of their own): does the
# body quote a Message-ID header at all, and if so, does it carry our domain?
body __BOUNCE_HASMSGID /Message-ID:/
body __BOUNCE_MINE   /Message-ID:.{1,40}.\@example\.com/

# Fire only on a real bounce (stock BOUNCE_MESSAGE) that quotes a Message-ID
# lacking our domain. A describe line must stay on a single line.
meta BOUNCE_NOTMINE (BOUNCE_MESSAGE && __BOUNCE_HASMSGID && !__BOUNCE_MINE)
score BOUNCE_NOTMINE 0.1
describe BOUNCE_NOTMINE  Appears to be a bounce with a message without a valid message ID.

----------

Modify the example.com part to suit your needs.

Be sure to run spamassassin --lint after adding it.

Note: I've intentionally set the score to 0.1, as this rule isn't tested. 
It theoretically should do its job, but make sure it works properly 
before you increase the score.
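The following is an added Python model of how the three sub-rules combine into BOUNCE_NOTMINE; it is not code from the post and not SpamAssassin itself. The two body regexes are copied from the rule above (case-sensitive, as posted), the local domain `example.com` is an assumption, and the stock BOUNCE_MESSAGE rule, which is really a bundle of sub-rules, is approximated by a few common DSN phrases. The message bodies are constructed samples, not real mail.

```python
import re

# Assumed local domain: the FQDN our MTA appends after the '@' in Message-IDs.
OUR_DOMAIN = "example.com"

# The two body sub-rules from the post, written as Python regexes. They are
# case-sensitive, exactly as posted.
HAS_MSGID = re.compile(r"Message-ID:")
MINE = re.compile(r"Message-ID:.{1,40}.\@" + re.escape(OUR_DOMAIN))

# Stand-in for the stock BOUNCE_MESSAGE rule (assumption: the real rule is a
# bundle of sub-rules; a few common DSN phrases are enough for this model).
BOUNCE_MARKERS = re.compile(
    r"could not be delivered|undeliverable|delivery status notification"
    r"|failure notice",
    re.I,
)


def evaluate(body: str) -> dict:
    """Return which rules hit for one rendered message body."""
    hits = {
        "BOUNCE_MESSAGE": bool(BOUNCE_MARKERS.search(body)),
        "__BOUNCE_HASMSGID": bool(HAS_MSGID.search(body)),
        "__BOUNCE_MINE": bool(MINE.search(body)),
    }
    # The meta rule: a bounce, quoting a Message-ID, that is not ours.
    hits["BOUNCE_NOTMINE"] = (
        hits["BOUNCE_MESSAGE"]
        and hits["__BOUNCE_HASMSGID"]
        and not hits["__BOUNCE_MINE"]
    )
    return hits


# Constructed sample bodies (not real mail); the quoted headers are made up.
BACKSCATTER = """\
Delivery Status Notification (Failure)

Your message could not be delivered to one or more recipients.

----- Original message -----
From: boss@example.com
To: nobody@victim.invalid
Message-ID: <2008050712345.abc123@mail.spammer.invalid>
Subject: Cheap watches
"""

GENUINE_BOUNCE = """\
Your message could not be delivered to one or more recipients.

----- Original message -----
From: boss@example.com
Message-ID: <20080507235834.DEADBEEF@example.com>
Subject: Q2 figures
"""

NOT_A_BOUNCE = """\
Hi, forwarding the thread below for your records.

Message-ID: <5551212.xyz@partner.invalid>
Subject: Re: meeting
"""

# A forged bounce whose MTA rendered the header as "Message-Id:"; the posted
# rules are case-sensitive, so neither sub-rule sees it.
BACKSCATTER_LOWERCASE = """\
Undeliverable: Cheap watches

----- Original message -----
Message-Id: <987654321.qwe@mail.spammer.invalid>
"""


if __name__ == "__main__":
    for name, body in [
        ("backscatter", BACKSCATTER),
        ("genuine bounce", GENUINE_BOUNCE),
        ("not a bounce", NOT_A_BOUNCE),
        ("backscatter, Message-Id:", BACKSCATTER_LOWERCASE),
    ]:
        print(f"{name:26s} -> {evaluate(body)}")
```

The first sample fires, the genuine bounce and the forwarded mail do not. The last sample shows the gap a low score is buying time to find: a bounce that renders the header as "Message-Id:" matches neither body rule and slips through, which is why one would test against real bounces from several MTAs (and consider the Perl `/i` flag on both body rules) before raising the score.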