Posted to users@spamassassin.apache.org by Tracee <tr...@yahoo.ca> on 2006/04/20 01:16:09 UTC
Re: X-AntiAbuse: Original Domain header
Good questions. Not being the one who configures SpamAssassin, I thought it might be configured to know its own domain name.
If the header "indicates the original domain *to which the message was sent*" then I guess I was misinterpreting the meaning.
Thanks for the input.
----- Original Message ----
From: Tracee <tr...@yahoo.ca>
To: Tracee <tr...@yahoo.ca>; users@spamassassin.apache.org
Sent: Wednesday, April 19, 2006 10:19:12 AM
Subject: X-AntiAbuse: Original Domain header
Hi guys,
I'm a little green to SA & its rules but wouldn't it make sense to have a rule that acts upon the
X-AntiAbuse: Original Domain: your.domain.here header?
If it matches your own domain name then give it high rating. There must be a good reason why SA hasn't done this already so I'd like your input before I attempt to write my own rule.
Thanks!
Re: X-AntiAbuse: Original Domain header
Posted by Kelson <ke...@speed.net>.
Tracee wrote:
> Good questions. Not being the one who configures SpamAssassin, I
> thought it might be configured to know its own domain name.
You could write a rule on a site-by-site basis, or perhaps introduce a
configuration option. Even then, it wouldn't work quite right for sites
that receive mail for multiple domains.
> If the header "indicates the original domain *to which the message was
> sent*" then I guess I was misinterpreting the meaning.
I did some digging, and all the examples I can find use a set of 5
headers. Here's an example of the headers in a message sent to the
Fedora legacy mailing list last week:
X-AntiAbuse: This header was added to track abuse,
please include it with any abuse report
X-AntiAbuse: Primary Hostname - hyperion.nettuning.net
X-AntiAbuse: Original Domain - redhat.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - nettuning.net
Some things to note:
1. The first header is usually all one line. In this case, it was wrapped.
2. The Primary Hostname seems to be the HELO string of the MTA that
added the header.
3. This was sent to a mailing list at redhat.com, matching the Original
Domain header.
4. The Caller UID/GID (the second pair) was almost always 47 and 12. On
my Red Hat-based Linux systems, these are the user ID for mailnull and
group ID for mail. A sizable minority were 26 and 6 -- all running Exim
on FreeBSD, so I assume those are the defaults there. It's remarkably
consistent, but the exceptions were all legit, so there's not much spam
classification value in this one.
5. The Sender Address Domain was, as you might expect, the domain of the
sender's email address. However, a lot of the ones I've seen match the
server name.
Thoughts on what you could do with this info for detecting abuse, rather
than for reporting it:
1. Does the Primary Hostname show up in the Received: headers?
2. Does the Primary Hostname claim to be one of your servers? (sort of
a forged-HELO check a couple of hops back)
3. If the Sender Address Domain has an SPF record, does the Primary
Hostname pass?
4. Does the Sender Address Domain claim to be one of your domains? (what
you originally suggested, but with the more appropriate header)
I have no idea how effective any of these would be, though if I were to
guess, there would be a lot of overlap with other header checks.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
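The header checks Kelson lists above (1, 2 and 4; the SPF check needs a DNS lookup and is left out), as an added Python example that is not part of this thread. LOCAL_DOMAINS, LOCAL_HOSTS and both sample messages are constructed assumptions modelled on the five headers quoted in his post.

```python
import re
from email import message_from_string

# Constructed assumption: the domains and hosts this site considers its own.
LOCAL_DOMAINS = {"example.org"}
LOCAL_HOSTS = {"mail.example.org", "lists.example.org"}

# Constructed sample modelled on the five headers quoted in the thread: the
# Primary Hostname appears in Received: and nothing claims to be local.
SAMPLE_OK = """\
Received: from hyperion.nettuning.net (hyperion.nettuning.net [192.0.2.10])
\tby lists.example.org with ESMTP id ABC123 for <list@example.org>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hyperion.nettuning.net
X-AntiAbuse: Original Domain - example.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - nettuning.net

"""
# Constructed sample whose X-AntiAbuse claims the Received: chain does not back.
SAMPLE_SUSPECT = """\
Received: from unknown (HELO relay.example.net) (198.51.100.7) by mail.example.org
X-AntiAbuse: Primary Hostname - mx1.example.org
X-AntiAbuse: Sender Address Domain - example.org

"""
_FIELD = re.compile(r"^(?P<name>.+?)\s+-\s+(?P<value>.+)$")

def parse_antiabuse(raw_message: str) -> dict:
    """Map 'Field - value' X-AntiAbuse headers to {field: value}; the free-text
    first header has no ' - ' separator and is skipped."""
    fields = {}
    for header in message_from_string(raw_message).get_all("X-AntiAbuse", []):
        m = _FIELD.match(" ".join(header.split()))  # unfold wrapped headers
        if m:
            fields[m.group("name")] = m.group("value")
    return fields

def check_antiabuse(raw_message: str) -> dict:
    """Checks 1, 2 and 4 from the thread; SPF (check 3) is omitted as it needs DNS."""
    fields = parse_antiabuse(raw_message)
    host = fields.get("Primary Hostname", "").lower()
    sender_domain = fields.get("Sender Address Domain", "").lower()
    received = " ".join(message_from_string(raw_message).get_all("Received", [])).lower()
    claims_local = host in LOCAL_HOSTS or any(
        host == d or host.endswith("." + d) for d in LOCAL_DOMAINS)
    return {
        "primary_host_in_received": bool(host) and host in received,  # check 1
        "primary_host_claims_local": bool(host) and claims_local,     # check 2
        "sender_domain_claims_local": sender_domain in LOCAL_DOMAINS, # check 4
    }
```

As Kelson notes, a hit on these is a hint to weigh alongside other header checks, not a verdict on its own.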