Posted to users@spamassassin.apache.org by Robert Swan <rs...@nskinc.com> on 2006/10/13 16:30:03 UTC

Is there any way to score this?

Is there any way to get points added if the sending mail server has no
PTR record (unknown [196.211.162.65])?

I am using Redhat Fedora and Spamassassin 3.1.2 and Postfix

 

X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on SPAM1
X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=4.9 tests=BAYES_50,EXTRA_MPART_TYPE,
            HTML_IMAGE_ONLY_28,HTML_MESSAGE autolearn=no version=3.1.2
Received: from lyonop.com (unknown [196.211.162.65])

Thanks in advance

Robert

Peace he would say instead of goodbye....peace my brother.

 


Re: Is there any way to score this?

Posted by "Peter H. Lemieux" <ph...@cyways.com>.
Micke Andersson wrote:

> Excuse me for my ignorance, but is this really the correct approach
> right now, since there are quite a lot of badly configured DNS servers
> out there? Should this not be handled by the SMTP server as is instead,
> returning an error code of 421 or something like this? As AOL has
> implemented on their servers, you will be informed as sender about the
> problem, with a URL link to
> http://postmaster.info.aol.com/errors/421dnsnr.html

Whatever opinions you may have about AOL, when they began rejecting mail 
without reverse-DNS entries a few years back, AOL's sheer size forced 
mail admins to make sure that their servers have both forward and reverse 
lookups enabled.  Heck, even random cable/DSL hosts usually have reverse 
lookups configured, usually something like 123-123-123-123.someisp.com. 
Most of the mail I see coming from servers without reverse-resolution is 
spam, usually from hosts in places like China.

Moreover, I'd much rather give such messages a relatively high SA score 
than reject them at the SMTP level.  False positives in the SMTP exchange 
cause ill-will with clients and their correspondents.

> Or if one should have the above rule, I myself would not, for the time
> being, have that high a score,

I give these messages a score of 3.3 with an SA criterion of 4.0; I get 
very few false positives.


Peter

Re: Is there any way to score this?

Posted by Micke Andersson <mi...@swemic.net>.
James Lay wrote:
>  
>
> -----Original Message-----
> From: Wolfgang Zeikat [mailto:wolfgang.zeikat@desy.de] 
> Sent: Friday, October 13, 2006 9:49 AM
> To: users@spamassassin.apache.org
> Subject: Re: Is there any way to score this?
>
>
>
> On 10/13/06 17:34, Wolfgang Zeikat wrote:
>   
>> Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/
>>
>> Replace "your.smtp.server" by your server's name ...
>>     
>
> Oops, and leave out "\.desy" of course ;) And - just to make sure - that's a
> header rule.
>
>   
>> Cheers,
>>
>> wolfgang
>>
>>     
>
>
> So does:
>
> header          UNKNOWN         Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+mail\.slave-tothe-box\.net/
> score           UNKNOWN         3
> describe        UNKNOWN         Unknown hosts
>
> Look about right?
>
> James
>   
Hi all,

Excuse me for my ignorance, but is this really the correct approach
right now, since there are quite a lot of badly configured DNS servers
out there? Should this not be handled by the SMTP server as is instead,
returning an error code of 421 or something like this?

As AOL has implemented on their servers, you will be informed as
sender about the problem, with a URL link to
http://postmaster.info.aol.com/errors/421dnsnr.html

Or if one should have the above rule, I myself would not, for the time
being, have that high a score. Check out your legitimate, non-spam
incoming mail: you will find tons of e-mail server IPs that are not
registered with a good PTR.

And even further, if this test is done at the SMTP server level, there
will not be that much CPU-consuming processing to check if the sender
is an "unknown" sender IP.

/Micke

RE: Is there any way to score this?

Posted by James Lay <jl...@slave-tothe-box.net>.
 

-----Original Message-----
From: Wolfgang Zeikat [mailto:wolfgang.zeikat@desy.de] 
Sent: Friday, October 13, 2006 9:49 AM
To: users@spamassassin.apache.org
Subject: Re: Is there any way to score this?



On 10/13/06 17:34, Wolfgang Zeikat wrote:
> Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/
> 
> Replace "your.smtp.server" by your server's name ...

Oops, and leave out "\.desy" of course ;) And - just to make sure - that's a
header rule.

> 
> Cheers,
> 
> wolfgang
> 


So does:

header          UNKNOWN         Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+mail\.slave-tothe-box\.net/
score           UNKNOWN         3
describe        UNKNOWN         Unknown hosts

Look about right?

James


Re: Is there any way to score this?

Posted by Wolfgang Zeikat <wo...@desy.de>.

On 10/13/06 17:34, Wolfgang Zeikat wrote:
> Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/
> 
> Replace "your.smtp.server" by your server's name ...

Oops, and leave out "\.desy" of course ;)
And - just to make sure - that's a header rule.

> 
> Cheers,
> 
> wolfgang
> 

Re: Is there any way to score this?

Posted by Wolfgang Zeikat <wo...@desy.de>.

On 10/13/06 17:12, Andreas Pettersson wrote:
> Robert Swan wrote:
> 
>> Is there any way to get points added if the sending mail server has no 
>> PTR record *(unknown [196.211.162.65])?*
>>
>> I am using Redhat Fedora and Spamassassin 3.1.2 and Postfix

With a postfix mail gateway, I use a local SA rule like:

Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/

Replace "your.smtp.server" by your server's name ...

Cheers,

wolfgang


Re: Is there any way to score this?

Posted by Andreas Pettersson <an...@telia.com>.
Robert Swan wrote:

> Is there any way to get points added if the sending mail server has no 
> PTR record *(unknown [196.211.162.65])?*
>
> I am using Redhat Fedora and Spamassassin 3.1.2 and Postfix
>
>

I was looking for the same thing some time ago, but I couldn't easily 
find a way to do that in SA.
Instead I use the MTA (Exim) to add a header if the PTR is missing, and 
then I use SA to check against that header.

Perhaps there are better ways to do it.

-- 
Andreas


RE: Is there any way to score this?

Posted by "Coffey, Neal" <nc...@langeveld.com>.
 
Robert Swan wrote:
> Is there any way to get points added if the sending mail
> server has no PTR record (unknown [196.211.162.65])?

> Received: from lyonop.com (unknown [196.211.162.65])

This is totally untested, but:

header  LOCAL_INVALID_PTR  Received =~ /\(unknown /

This might be more robust:

header  LOCAL_INVALID_PTR  Received =~ /from \S+ \(unknown /

Again, totally untested, so put them in with a score of 0.01 and watch
them for a while before you rely on either one.
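
Added example, not part of any post in this thread: a small Python harness that runs the rule patterns posted above against constructed Received headers, as a check to make before giving any of them a real score. Python's re stands in for SpamAssassin's Perl regex engine (these constructs behave the same in both); the gateway name mx.example.org, the rule labels and all sample headers are assumptions.

```python
import re

# Assumed name of the local Postfix gateway (takes the place of "your.smtp.server").
GATEWAY = r"mx\.example\.org"
IPV4_TAIL = r"\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+" + GATEWAY

# Rule bodies as posted in the thread, plus one constructed broken variant.
RULES = {
    "neal_loose": r"\(unknown ",
    "neal_strict": r"from \S+ \(unknown ",
    "wolfgang": r"from \S{1,30} \(unknown " + IPV4_TAIL,
    # Constructed: the space after "unknown" lost while rejoining a wrapped line.
    "space_lost": r"from \S{1,30} \(unknown" + IPV4_TAIL,
}

# Constructed Received header values, folded the way Postfix writes them.
SAMPLES = {
    "no_ptr_at_gateway": "from lyonop.com (unknown [196.211.162.65])\n"
                         "\tby mx.example.org (Postfix) with ESMTP id 0A1B2C3D4E",
    "ptr_ok": "from mail.example.net (mail.example.net [192.0.2.10])\n"
              "\tby mx.example.org (Postfix) with ESMTP id 1B2C3D4E5F",
    # Line written by someone else's relay; the local gateway did not verify it.
    "no_ptr_upstream_hop": "from pc (unknown [198.51.100.7])\n"
                           "\tby relay.example.com (Postfix) with ESMTP id 2C3D4E5F6A",
    "no_ptr_ipv6": "from host6.example (unknown [IPv6:2001:db8::25])\n"
                   "\tby mx.example.org (Postfix) with ESMTP id 3D4E5F6A7B",
}

def matching_rules(received):
    """Names of the rules whose pattern is found in one Received value."""
    return [name for name, pat in RULES.items() if re.search(pat, received)]

def report():
    """Map each sample label to the rules that would fire on it."""
    return {label: matching_rules(value) for label, value in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:20} {', '.join(hits) or '(no rule fires)'}")
```

The unanchored patterns also fire on the upstream hop's Received line, which the local gateway never verified, while the pattern anchored on the local `by` clause does not. The IPv4-only pattern in turn misses the `[IPv6:...]` client, and the variant with the lost space never fires at all.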