Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2021/02/11 12:00:13 UTC
Points for improbable Received header date?
I'm getting a lot of spams that all have a series of completely bogus
Received headers in them. A characteristic of these headers is a rather
improbable datestamp, considering today's date:
Received: from 69-171-232-143.mail-mail.facebook.com ([69.171.232.143])
        by oxsus1nmtai03p.internal.vadesecure.com with ngmta
        id 0574d1a8-1628c15907fbaba1; Thu, 06 Aug 2020 18:30:56 +0000
Note that this message must have been in flight for about a year and a half
according to that header.
Anyone know an easy way to check for a Received header date more than say a
week old and add some points?
Loren
Re: Points for improbable Received header date?
Posted by Loren Wilton <lw...@earthlink.net>.
> Why is the date important? SpamAssassin does test it already
>
> DATE_IN_PAST *
Well, the date is a spam sign. That is good enough for me to be important.
And the DATE_IN_PAST * rules don't hit these spams.
Loren
Re: Points for improbable Received header date?
Posted by Benny Pedersen <me...@junc.eu>.
On 2021-02-11 13:00, Loren Wilton wrote:
> Anyone know an easy way to check for a Received header date more than
> say a week old and add some points?
http://multirbl.valli.org/lookup/69.171.232.143.html
Why is the date important? SpamAssassin does test it already
DATE_IN_PAST *
Re: Points for improbable Received header date?
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 11 Feb 2021, at 8:55, Giovanni Bechis wrote:
> On Thu, Feb 11, 2021 at 08:52:59AM -0500, Bill Cole wrote:
[...]
>> There is a received_within_months() eval in the HeaderEval plugin which
>> someone wrote at some point but failed to suitably document or even use.
>> There are also private functions there (e.g.
>> _get_received_header_times()) which seem potentially useful but which
>> <sigh> are also undocumented. If you feel like being a pioneer, you
>> could try creating rules to make use of that code.
>>
> and if you want to become a hero, patches to document those evals are always
> welcome ;-)
YES!
Anyone who is minimally fluent in POD could become a hero to the whole SA universe by adding documentation to the various bits of mystery code like this scattered throughout the tree. The ability to run 'perldoc Mail::SpamAssassin::SomeModule' and get useful current documentation of any part of SA would be a huge step forward.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Points for improbable Received header date?
Posted by Loren Wilton <lw...@earthlink.net>.
> and if you want to become a hero, patches to document those evals are
> always welcome ;-)
Well, if I use undocumented code I have to figure out, I always do my own
documentation, since my memory these days is about five minutes long. The
trick for me will be figuring out how I could submit those changes as a
patch, since I'm an old mainframe and now Windows guy, and not used to
creating Unix patch files. I guess there must be a tool somewhere to diff
two file versions and create a proper format file.
Loren
Re: Points for improbable Received header date?
Posted by Giovanni Bechis <gi...@paclan.it>.
On Thu, Feb 11, 2021 at 08:52:59AM -0500, Bill Cole wrote:
> On 11 Feb 2021, at 7:00, Loren Wilton wrote:
>
> > I'm getting a lot of spams that all have a series of completely bogus
> > Received headers in them. A characteristic of these headers is a
> > rather improbable datestamp, considering today's date:
> >
> > Received: from 69-171-232-143.mail-mail.facebook.com
> > ([69.171.232.143])
> > by oxsus1nmtai03p.internal.vadesecure.com with ngmta
> > id 0574d1a8-1628c15907fbaba1; Thu, 06 Aug 2020 18:30:56 +0000
> >
> > Note that this message must have been in flight for about a year and a
> > half according to that header.
>
> Minor pedantry: Actually just a few days more than half a year.
>
> > Anyone know an easy way to check for a Received header date more than
> > say a week old and add some points?
>
> There is a received_within_months() eval in the HeaderEval plugin which
> someone wrote at some point but failed to suitably document or even use.
> There are also private functions there (e.g.
> _get_received_header_times()) which seem potentially useful but which
> <sigh> are also undocumented. If you feel like being a pioneer, you
> could try creating rules to make use of that code.
>
and if you want to become a hero, patches to document those evals are always
welcome ;-)
Giovanni
Re: Points for improbable Received header date?
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 11 Feb 2021, at 7:00, Loren Wilton wrote:
> I'm getting a lot of spams that all have a series of completely bogus
> Received headers in them. A characteristic of these headers is a
> rather improbable datestamp, considering today's date:
>
> Received: from 69-171-232-143.mail-mail.facebook.com
> ([69.171.232.143])
> by oxsus1nmtai03p.internal.vadesecure.com with ngmta
> id 0574d1a8-1628c15907fbaba1; Thu, 06 Aug 2020 18:30:56 +0000
>
> Note that this message must have been in flight for about a year and a
> half according to that header.
Minor pedantry: Actually just a few days more than half a year.
> Anyone know an easy way to check for a Received header date more than
> say a week old and add some points?
There is a received_within_months() eval in the HeaderEval plugin which
someone wrote at some point but failed to suitably document or even use.
There are also private functions there (e.g.
_get_received_header_times()) which seem potentially useful but which
<sigh> are also undocumented. If you feel like being a pioneer, you
could try creating rules to make use of that code.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
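
Added example (not part of the thread, and not SpamAssassin code): the check asked about at the top of the thread, done stand-alone in Python over a raw message. The mx.example.net hop, the function names and the choice of the topmost Received stamp as the reference time are assumptions made for illustration.

```python
import email
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the Received header quoted in the thread, plus a made-up
# final hop (mx.example.net) stamped around the time the thread was posted.
SAMPLE = """\
Received: from relay.example.org ([192.0.2.10])
\tby mx.example.net with ESMTP id 4DbxYz1; Thu, 11 Feb 2021 11:58:02 +0000
Received: from 69-171-232-143.mail-mail.facebook.com ([69.171.232.143])
\tby oxsus1nmtai03p.internal.vadesecure.com with ngmta
\tid 0574d1a8-1628c15907fbaba1; Thu, 06 Aug 2020 18:30:56 +0000
Subject: constructed sample

body
"""

def received_times(raw):
    """Return (header, datetime-or-None) for each Received header, top first."""
    msg = email.message_from_string(raw)
    out = []
    for hdr in msg.get_all("Received", []):
        # The timestamp is whatever follows the last ';' in the header.
        _, sep, stamp = hdr.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip()) if sep else None
        except (TypeError, ValueError):
            when = None  # unparseable stamp: record it, do not guess
        if when is not None and when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)  # "-0000" parses as naive
        out.append((" ".join(hdr.split()), when))
    return out

def stale_received(raw, max_age=timedelta(days=7), now=None):
    """Received headers stamped more than max_age before `now`.

    `now` defaults to the topmost parseable Received stamp, normally the one
    written by the receiving server (an assumption of this example)."""
    times = received_times(raw)
    if now is None:
        now = next((t for _, t in times if t is not None), None)
    if now is None:
        return []
    return [(h, now - t) for h, t in times if t is not None and now - t > max_age]
```

Comparing against the top Received stamp rather than the wall clock keeps the result stable when old mail is re-scanned later.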