Posted to users@spamassassin.apache.org by Philip Prindeville <ph...@redfish-solutions.com> on 2013/10/19 02:34:29 UTC

Testing the _REMOTEHOSTNAME_ in a rule

I'm trying to write a rule that gives some spamminess score to messages received from any host that resolves to protection.outlook.com.

I tried to use _REMOTEHOSTNAME_ to do this, but I think I got the header syntax wrong.

Can someone set me straight?

Thanks,

-Philip


Re: Testing the _REMOTEHOSTNAME_ in a rule

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2013-10-21 at 13:19 -0600, Philip Prindeville wrote:
> On Oct 19, 2013, at 5:28 PM, Karsten Bräckelmann <gu...@rudersport.de> wrote:

> >   RULE_NAME  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=evil.example.net /
> > 
> > That rdns value is added to the Received header by your SMTP, and your
> > MX actually should be listed as by value in that very [...] block.
> 
> Thanks.  By the way, in your example, the dots in evil.example.net need
> to be escaped, don't they?

It's not a must, but definitely best practice, yes.

(Properly escaping the dot if you want to literally match a dot, rather
than "any char" is even more important in the general case. In this very
example FPs are almost impossible due to the trailing space, anchoring
the TLD and "readable" domain.)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Testing the _REMOTEHOSTNAME_ in a rule

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
On Oct 19, 2013, at 5:28 PM, Karsten Bräckelmann <gu...@rudersport.de> wrote:

> On Fri, 2013-10-18 at 18:34 -0600, Philip Prindeville wrote:
>> I'm trying to write a rule that gives some spamminess score to messages
>> received from any host that resolves to protection.outlook.com.
>> 
>> I tried to use _REMOTEHOSTNAME_ to do this, but I think I got the
>> header syntax wrong.
> 
> Template Tags cannot be used in rules. What you're looking for is the
> X-Spam-Relays-External or -Untrusted pseudo-header.
> 
>  http://wiki.apache.org/spamassassin/TrustedRelays
> 
> Run a sample through spamassassin -D and grep the debug output for the
> X-Spam-Relays headers. You'll likely want to match your rule against the
> rdns or helo values.
> 
> To ensure matching against the very last untrusted relay, no closing
> square bracket may appear before the match.
> 
>  RULE_NAME  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=evil.example.net /
> 
> That rdns value is added to the Received header by your SMTP, and your
> MX actually should be listed as by value in that very [...] block.
> 
> 

Thanks.  By the way, in your example, the dots in evil.example.net need to be escaped, don't they?

I ended up going with:

header L_OUTLOOK                X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]*\.(ptr|outbound)\.protection\.outlook\.com /
describe L_OUTLOOK              Anything coming from outlook.com
score L_OUTLOOK                 4.95


and this seems to work.

-Philip
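
An added example, not part of the original thread: a Python check of the L_OUTLOOK pattern and the thread's evil.example.net pattern against constructed X-Spam-Relays-Untrusted values, showing what the leading "no closing bracket" anchor and the escaped dots each change. The relay-block field layout, host names and IP addresses are assumptions made up for the test; compare them with what spamassassin -D prints for your own mail.

```python
import re

# Rule pattern from the L_OUTLOOK rule in the post above.
L_OUTLOOK = re.compile(r"^[^\]]+ rdns=[^ ]*\.(ptr|outbound)\.protection\.outlook\.com ")
# The same pattern without the leading "^[^\]]+" anchor, for comparison only.
UNANCHORED = re.compile(r" rdns=[^ ]*\.(ptr|outbound)\.protection\.outlook\.com ")
# The example pattern from the thread as posted, and with the dots escaped.
UNESCAPED = re.compile(r"^[^\]]+ rdns=evil.example.net ")
ESCAPED = re.compile(r"^[^\]]+ rdns=evil\.example\.net ")


def relay(ip, rdns, helo, by="mx.example.org"):
    """One constructed [ ... ] relay block; all field values are made up."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} "
            "ident= envfrom= intl=0 id=CONSTRUCTED auth= msa=0 ]")


OUTLOOK_HOST = "mail-xx0001.outbound.protection.outlook.com"  # constructed name

SAMPLES = {
    # Outlook host handed the message straight to our MX (first block).
    "direct": relay("192.0.2.10", OUTLOOK_HOST, OUTLOOK_HOST),
    # Outlook appears only in an older hop, recorded by another server.
    "older_hop": " ".join([
        relay("198.51.100.7", "smtp.example.com", "smtp.example.com"),
        relay("192.0.2.10", OUTLOOK_HOST, OUTLOOK_HOST, by="smtp.example.com"),
    ]),
    # Client only claims the name in HELO; rdns says otherwise.
    "helo_only": relay("203.0.113.5", "host.example.net", OUTLOOK_HOST),
    # rdns that differs from evil.example.net only where the dot would be.
    "lookalike": relay("203.0.113.9", "evil.example-net", "evil.example-net"),
}


def hits(pattern, name):
    """True if the pattern matches the named sample pseudo-header value."""
    return pattern.search(SAMPLES[name]) is not None


if __name__ == "__main__":
    for name in ("direct", "older_hop", "helo_only"):
        print(f"{name:10} L_OUTLOOK={hits(L_OUTLOOK, name)} "
              f"unanchored={hits(UNANCHORED, name)}")
    print("lookalike  unescaped={} escaped={}".format(
        hits(UNESCAPED, "lookalike"), hits(ESCAPED, "lookalike")))
```
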


Re: Testing the _REMOTEHOSTNAME_ in a rule

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2013-10-18 at 18:34 -0600, Philip Prindeville wrote:
> I'm trying to write a rule that gives some spamminess score to messages
> received from any host that resolves to protection.outlook.com.
> 
> I tried to use _REMOTEHOSTNAME_ to do this, but I think I got the
> header syntax wrong.

Template Tags cannot be used in rules. What you're looking for is the
X-Spam-Relays-External or -Untrusted pseudo-header.

  http://wiki.apache.org/spamassassin/TrustedRelays

Run a sample through spamassassin -D and grep the debug output for the
X-Spam-Relays headers. You'll likely want to match your rule against the
rdns or helo values.

To ensure matching against the very last untrusted relay, no closing
square bracket may appear before the match.

  RULE_NAME  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=evil.example.net /

That rdns value is added to the Received header by your SMTP, and your
MX actually should be listed as by value in that very [...] block.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}