Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/10/04 12:07:42 UTC

Re: HELO test rule-writing questions

Clifton Royston writes:
>   I'm trying to write some SA rules for additional tests on the
> connecting mailserver's SMTP HELO string, and I have some questions
> about how to do it.  Should I send them to this list or to the
> dev list?

hey Clifton! -- yep, this list.

>   Assuming it's this list, one of the things I'm trying to do is assign
> a modest score to helo strings containing a bracketed IP address. 
> (This is technically valid in SMTP.)
> 
>   I've read through some of the tests in 20_fake_helo_tests.cf, and it
> appears they rely on SA's parsing code creating a kind of magic
> pseudo-header X-Spam-Relays-Untrusted containing a string with the
> "helo" and other data?
> 
>   I'm not sure I get the point of the recurring [^\]]+ bits in the
> examples I looked at.

So, the deal is that 'X-Spam-Relays-Untrusted' will contain *all*
untrusted relays, one after the other.  /^[^\]]+ / ensures that
only the helo string from the *most recent* untrusted relay --
the handover into the trusted networks -- is checked.

This is required because it's perfectly fine for a user's MUA
to use this kind of helo string; the spammy case is when an
MTA which is supposedly run by an ISP is handing it over to
the recipient's MX, and that one should not use that style
of helo.

See http://wiki.apache.org/spamassassin/TrustedRelays for more info.

>   So would a test for a bracketed IP address look like this?
> 
> # [60.222.35.88]
> header HELO_BRACKETED_IP  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\[\d+\.\d+\.\d+\.\d+\][^\]]+ auth= /i
>
>   I want to distinguish this case from a bare IP address (invalid!)
> which I also want to look at and score:
> 
> # [60.222.35.88]
> header HELO_BARE_IP  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+[^\]]+ auth= /i

both look good.  be sure to let us know if you find something useful ;)

--j.
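
An added example, not part of either message above: the two rules quoted in the thread, run over constructed X-Spam-Relays-Untrusted strings to show what the /^[^\]]+ / anchor does. The relay field layout, hostnames and addresses are constructed, and the samples assume the HELO string appears verbatim (brackets included), as the quoted rule expects.

```python
import re

# Patterns copied from the two rules quoted in the thread.
RULES = {
    "HELO_BRACKETED_IP": re.compile(
        r"^[^\]]+ helo=\[\d+\.\d+\.\d+\.\d+\][^\]]+ auth= ", re.I),
    "HELO_BARE_IP": re.compile(
        r"^[^\]]+ helo=\d+\.\d+\.\d+\.\d+[^\]]+ auth= ", re.I),
}
# The bracketed test without the leading anchor, for comparison only.
UNANCHORED = re.compile(r" helo=\[\d+\.\d+\.\d+\.\d+\] ", re.I)


def relay(ip, helo, by):
    """Build one constructed relay entry (the field layout is an assumption)."""
    return (f"[ ip={ip} rdns= helo={helo} by={by} "
            "ident= envfrom= intl=0 id=X1 auth= ]")


def hits(header):
    """Return the names of the thread's rules that match this pseudo-header."""
    return sorted(name for name, rx in RULES.items() if rx.search(header))


# Constructed samples; the first entry is the most recent untrusted relay.
HANDOVER_BRACKETED = relay("60.222.35.88", "[60.222.35.88]", "mx.example.net")
HANDOVER_BARE = relay("60.222.35.88", "60.222.35.88", "mx.example.net")
# A normal-looking relay hands over; only the earlier MUA hop used [ip].
MUA_ONLY = (relay("192.0.2.10", "mail.example.org", "mx.example.net") + " "
            + relay("198.51.100.7", "[198.51.100.7]", "mail.example.org"))
# HELO that starts with a dotted quad but continues as a hostname: the bare
# rule has no delimiter after the last octet, so [^\]]+ absorbs the rest.
QUAD_PREFIX = relay("60.222.35.88", "60.222.35.88.dyn.example.com",
                    "mx.example.net")

if __name__ == "__main__":
    samples = [("handover, bracketed", HANDOVER_BRACKETED),
               ("handover, bare", HANDOVER_BARE),
               ("MUA hop only", MUA_ONLY),
               ("quad-prefixed name", QUAD_PREFIX)]
    for label, header in samples:
        print(f"{label:20} rules={hits(header)} "
              f"unanchored={bool(UNANCHORED.search(header))}")
```

Because [^\]]+ cannot cross the "]" that closes the first relay entry, the MUA-only sample fires neither rule, while the unanchored comparison pattern matches it.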