Posted to users@spamassassin.apache.org by hospice admin <ho...@outlook.com> on 2017/08/11 15:27:52 UTC
I know what I want to do ... BUT ...
Hi Team,
There's a particularly annoying ESP bugging us. Their clients always include a reference to them in their SPF records, which look something like this:
text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
So, if a message is dropped from 1.2.3.4
nslookup 1.2.3.4._spf.xyz.com
returns
Non-authoritative answer:
Name: 1.2.3.4._spf.xyz.com
Address: 1.2.3.4
if the IP is on the ESP's SPF list.
What I'd like to do is turn this into an RBL check, but
eval:check_rbl('Evil-ESP','_spf.xyz.com')
Is going to flip the IP address around.
Is there an easy way of doing this in SA, or is this a job for MimeDefang?
Thanks
Judy
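Why check_rbl cannot be pointed at this zone, as an added example that is not part of the original post or of SpamAssassin: a small expander for the RFC 7208 macros used in an exists: mechanism, next to the reversed-octet name a DNSBL-style lookup builds. It goes slightly beyond the post by also handling the r/digit transformers and IPv6; the sender address, client domain and the helper name dnsbl_name are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 7208 section 7 macro syntax: %{letter digits r delimiters}, plus %% %_ %-
# Only the letters s, l, o, d, i, v are handled; others are left as written.
MACRO = re.compile(r"%\{([slodiv])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")

def spf_i(ip):
    """Value of the SPF "i" macro: dotted quad for IPv4, dotted nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))

def expand(spec, ip, sender, domain):
    """Expand the SPF macros in a domain-spec such as '%{i}._spf.xyz.com'."""
    local, _, sender_dom = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_dom, "d": domain,
              "i": spf_i(ip),
              "v": "in-addr" if ipaddress.ip_address(ip).version == 4 else "ip6"}

    def sub(m):
        if m.group(5):  # escapes: %% -> %, %_ -> space, %- -> %20
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        # Split on the given delimiters (default "."), optionally reverse,
        # keep the rightmost N parts, and always re-join with dots.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO.sub(sub, spec)

def dnsbl_name(ip, zone):
    """Query name a DNSBL-style lookup builds (IPv4 only): octets reversed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.lstrip(".")

if __name__ == "__main__":
    # Constructed sender and domain; the IP and zone are the ones in the post.
    print(expand("%{i}._spf.xyz.com", "1.2.3.4", "news@client.example", "client.example"))
    print(dnsbl_name("1.2.3.4", "_spf.xyz.com"))
```

The two printed names differ in octet order, so a reversed-octet lookup asks the zone about a different address than the SPF exists: test does; only a record written with %{ir} would line up with DNSBL-style queries.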
Re: I know what I want to do ... BUT ...
Posted by John Hardin <jh...@impsec.org>.
On Fri, 11 Aug 2017, Dianne Skoll wrote:
> On Fri, 11 Aug 2017 15:27:52 +0000
> hospice admin <ho...@outlook.com> wrote:
>
>> text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
>> What I'd like to do is turn this into an RBL check, but
>> eval:check_rbl('Evil-ESP','_spf.xyz.com')
>
> I understand what you're trying to do, but have you thought about the
> implications? You are allowing an evil (your word) organization to be
> an RBL for you. They may very well put every possible IPv4 address in
> their exists: SPF record which would not bode well for your spam
> filtering...
Indeed.
If it's an email service provider, then you might be better served
checking for a specific domain name or IP(s) in the Received header chain,
or potentially doing MTA checks to reject them up front if you don't want
their garbage at all.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
4 days until the 72nd anniversary of the end of World War II
Re: I know what I want to do ... BUT ...
Posted by hospice admin <ho...@outlook.com>.
Nice!
I'll take a look at this.
Thanks!
________________________________
From: RW <rw...@googlemail.com>
Sent: 11 August 2017 18:29
To: users@spamassassin.apache.org
Subject: Re: I know what I want to do ... BUT ...
On Fri, 11 Aug 2017 17:25:59 +0100
RW wrote:
> On Fri, 11 Aug 2017 11:49:29 -0400
> Dianne Skoll wrote:
>
> > On Fri, 11 Aug 2017 15:27:52 +0000
> > hospice admin <ho...@outlook.com> wrote:
> >
> > > text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> > > What I'd like to do is turn this into an RBL check, but
> > > eval:check_rbl('Evil-ESP','_spf.xyz.com')
> >
> > I understand what you're trying to do, but have you thought about
> > the implications? You are allowing an evil (your word)
> > organization to be an RBL for you. They may very well put every
> > possible IPv4 address in their exists: SPF record which would not
> > bode well for your spam filtering...
> >
> > If you still want to do it, I suspect it'd have to be done outside
> > of SpamAssassin in the glue code you're using.
>
> It's not quite the question asked, but it is possible to run a regex
> match on the actual text record using AskDNS. See the documentation
> for Mail::SpamAssassin::Plugin::AskDNS.
or if you want to get a hit with domains that don't use that style of
SPF but use the same addresses, you can do the IP lookup using AskDNS
with the _LASTEXTERNALIP_ tag.
Re: I know what I want to do ... BUT ...
Posted by RW <rw...@googlemail.com>.
On Fri, 11 Aug 2017 17:25:59 +0100
RW wrote:
> On Fri, 11 Aug 2017 11:49:29 -0400
> Dianne Skoll wrote:
>
> > On Fri, 11 Aug 2017 15:27:52 +0000
> > hospice admin <ho...@outlook.com> wrote:
> >
> > > text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> > > What I'd like to do is turn this into an RBL check, but
> > > eval:check_rbl('Evil-ESP','_spf.xyz.com')
> >
> > I understand what you're trying to do, but have you thought about
> > the implications? You are allowing an evil (your word)
> > organization to be an RBL for you. They may very well put every
> > possible IPv4 address in their exists: SPF record which would not
> > bode well for your spam filtering...
> >
> > If you still want to do it, I suspect it'd have to be done outside
> > of SpamAssassin in the glue code you're using.
>
> It's not quite the question asked, but it is possible to run a regex
> match on the actual text record using AskDNS. See the documentation
> for Mail::SpamAssassin::Plugin::AskDNS.
or if you want to get a hit with domains that don't use that style of
SPF but use the same addresses, you can do the IP lookup using AskDNS
with the _LASTEXTERNALIP_ tag.
Re: I know what I want to do ... BUT ...
Posted by RW <rw...@googlemail.com>.
On Fri, 11 Aug 2017 11:49:29 -0400
Dianne Skoll wrote:
> On Fri, 11 Aug 2017 15:27:52 +0000
> hospice admin <ho...@outlook.com> wrote:
>
> > text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> > What I'd like to do is turn this into an RBL check, but
> > eval:check_rbl('Evil-ESP','_spf.xyz.com')
>
> I understand what you're trying to do, but have you thought about the
> implications? You are allowing an evil (your word) organization to be
> an RBL for you. They may very well put every possible IPv4 address in
> their exists: SPF record which would not bode well for your spam
> filtering...
>
> If you still want to do it, I suspect it'd have to be done outside of
> SpamAssassin in the glue code you're using.
It's not quite the question asked, but it is possible to run a regex
match on the actual text record using AskDNS. See the documentation for
Mail::SpamAssassin::Plugin::AskDNS.
Re: I know what I want to do ... BUT ...
Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 11 Aug 2017 15:27:52 +0000
hospice admin <ho...@outlook.com> wrote:
> text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> What I'd like to do is turn this into an RBL check, but
> eval:check_rbl('Evil-ESP','_spf.xyz.com')
I understand what you're trying to do, but have you thought about the
implications? You are allowing an evil (your word) organization to be
an RBL for you. They may very well put every possible IPv4 address in
their exists: SPF record which would not bode well for your spam
filtering...
If you still want to do it, I suspect it'd have to be done outside of
SpamAssassin in the glue code you're using.
Regards,
Dianne.