Posted to users@spamassassin.apache.org by Tracee <tr...@yahoo.ca> on 2006/04/20 01:16:09 UTC

Re: X-AntiAbuse: Original Domain header

Good questions.  Not being the one who configures SpamAssassin, I thought it might be configured to know its own domain name.

If the header "indicates the original domain *to which the message was sent*" then I guess I was misinterpreting the meaning.

Thanks for the input.

----- Original Message ----
From: Tracee <tr...@yahoo.ca>
To: Tracee <tr...@yahoo.ca>; users@spamassassin.apache.org
Sent: Wednesday, April 19, 2006 10:19:12 AM
Subject: X-AntiAbuse: Original Domain header

Hi guys,

I'm a little green to SA & its rules but wouldn't it make sense to have a rule that acts upon the 

     X-AntiAbuse: Original Domain: your.domain.here header?  

If it matches your own domain name then give it high rating.  There must be a good reason why SA hasn't done this already so I'd like your input before I attempt to write my own rule.

Thanks!  

Re: X-AntiAbuse: Original Domain header

Posted by Kelson <ke...@speed.net>.
Tracee wrote:
> Good questions.  Not being the one who configures SpamAssassin, I 
> thought it might be configured to know its own domain name.

You could write a rule on a site-by-site basis, or perhaps introduce a 
configuration option.  Even then, it wouldn't work quite right for sites 
that receive mail for multiple domains.

> If the header "indicates the original domain *to which the message was 
> sent*" then I guess I was misinterpretting the meaning.

I did some digging, and all the examples I can find use a set of 5 
headers.  Here's an example of the headers in a message sent to the 
Fedora legacy mailing list last week:

X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - hyperion.nettuning.net
X-AntiAbuse: Original Domain - redhat.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - nettuning.net

Some things to note:

1. The first header is usually all one line.  In this case, it was wrapped.

2. The Primary Hostname seems to be the HELO string of the MTA that 
added the header.

3. This was sent to a mailing list at redhat.com, matching the Original 
Domain header.

4. The Caller UID/GID (the second pair) was almost always 47 and 12.  On 
my Red Hat-based Linux systems, these are the user ID for mailnull and 
group ID for mail.  A sizable minority were 26 and 6 -- all running Exim 
on FreeBSD, so I assume those are the defaults there.  It's remarkably 
consistent, but the exceptions were all legit, so there's not much spam 
classification value in this one.

5. The Sender Address Domain was, as you might expect, the domain of the 
sender's email address.  However, a lot of the ones I've seen match the 
server name.

Thoughts on what you could do with this info for detecting abuse, rather 
than for reporting it:

1. Does the Primary Hostname show up in the Received: headers?
2. Does the Primary Hostname claim to be one of your servers?  (sort of 
a forged-HELO check a couple of hops back)
3. If the Sender Address Domain has an SPF record, does the Primary 
Hostname pass?
4. Does the Sender Address Domain claim to be one of your domains? (what 
you originally suggested, but with the more appropriate header)

I have no idea how effective any of these would be, though if I were to 
guess, there would be a lot of overlap with other header checks.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
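The four header checks Kelson lists, as an added example (Python, not SpamAssassin's own code or a SpamAssassin rule). It parses the five X-AntiAbuse headers from a message and evaluates each check; OUR_SERVERS, OUR_DOMAINS, the SPF_TABLE stand-in for a real SPF lookup and the sample message (modelled on the headers quoted above) are all constructed for this example.

```python
"""Parse X-AntiAbuse headers and run the four checks suggested in the thread.

Added example, not SpamAssassin code.  OUR_SERVERS, OUR_DOMAINS and SPF_TABLE
are constructed site-specific placeholders.
"""
import email
import re
from typing import Dict, Optional

# Constructed site configuration: the hostnames and domains we consider ours.
OUR_SERVERS = {"mx.example.org"}
OUR_DOMAINS = {"example.org"}

# Constructed stand-in for an SPF lookup: domain -> hostnames its record
# authorises.  A real check resolves the TXT record and evaluates the
# connecting IP address, not a hostname taken from a trace header.
SPF_TABLE = {
    "nettuning.net": {"hyperion.nettuning.net"},
}

# Constructed sample message; the X-AntiAbuse lines mirror the thread's example.
SAMPLE = (
    "Received: from hyperion.nettuning.net (hyperion.nettuning.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id abc123\n"
    "\tfor <list@redhat.com>; Wed, 19 Apr 2006 10:19:12 -0400\n"
    "X-AntiAbuse: This header was added to track abuse,\n"
    "\tplease include it with any abuse report\n"
    "X-AntiAbuse: Primary Hostname - hyperion.nettuning.net\n"
    "X-AntiAbuse: Original Domain - redhat.com\n"
    "X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]\n"
    "X-AntiAbuse: Sender Address Domain - nettuning.net\n"
    "From: someone@nettuning.net\n"
    "To: list@redhat.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Constructed variant whose headers claim to come from our own server/domain.
FORGED = SAMPLE.replace(
    "Primary Hostname - hyperion.nettuning.net", "Primary Hostname - mx.example.org"
).replace("Sender Address Domain - nettuning.net", "Sender Address Domain - example.org")


def parse_antiabuse(raw: str) -> Dict[str, str]:
    """Return {'Primary Hostname': ..., 'Original Domain': ..., ...}.

    Wrapped (folded) header values are unfolded first; the explanatory first
    header carries no ' - ' separator and is skipped.
    """
    msg = email.message_from_string(raw)
    fields: Dict[str, str] = {}
    for value in msg.get_all("X-AntiAbuse", []):
        value = re.sub(r"\s+", " ", value).strip()  # unfold a wrapped header
        if " - " not in value:
            continue
        key, val = value.split(" - ", 1)
        fields[key.strip()] = val.strip()
    return fields


def run_checks(raw: str) -> Dict[str, Optional[bool]]:
    """Evaluate the four checks; None means the header needed was missing."""
    msg = email.message_from_string(raw)
    fields = parse_antiabuse(raw)
    host = fields.get("Primary Hostname", "").lower()
    sender_dom = fields.get("Sender Address Domain", "").lower()
    results: Dict[str, Optional[bool]] = {}

    if host:
        # 1. Does the Primary Hostname appear anywhere in the Received: chain?
        pattern = re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", re.I)
        received = msg.get_all("Received", [])
        results["hostname_in_received"] = any(pattern.search(r) for r in received)
        # 2. Does the Primary Hostname claim to be one of our own servers?
        results["hostname_claims_ours"] = host in OUR_SERVERS or any(
            host.endswith("." + d) for d in OUR_DOMAINS
        )
    else:
        results["hostname_in_received"] = None
        results["hostname_claims_ours"] = None

    # 3. If the Sender Address Domain has an SPF record, does the host pass?
    if host and sender_dom in SPF_TABLE:
        results["spf_pass"] = host in SPF_TABLE[sender_dom]
    else:
        results["spf_pass"] = None

    # 4. Does the Sender Address Domain claim to be one of our domains?
    results["sender_domain_ours"] = (sender_dom in OUR_DOMAINS) if sender_dom else None
    return results


if __name__ == "__main__":
    print("legit :", run_checks(SAMPLE))
    print("forged:", run_checks(FORGED))
```

Each check returns True, False or None so that a missing header is distinguishable from a failed check; a scoring layer can then weight only the checks that actually ran, which matters because, as the thread notes, these headers are not present on most mail.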