Secondary relay rule (was: Do spammers have a sense of humor?)

[Pierre Thomson <Pi...@bruderhof.com>]

Paul, Fred and others who might wonder:

Since SA is only running on my primary relay, and the secondary is located on an internal network (though physically distant), I simply look for mail that includes the internal IP of the secondary in the last "hop".

header FROM_M2           Received =~ /192\.168\.6\.15.{1,20}by mail1\.mydomain\.com/
describe FROM_M2         relayed by mail2.mydomain.com
score FROM_M2            1.0

"mail1.mydomain.com" is the primary relay running SA, and "192.168.6.15" is the IP of the secondary.  Make these match what you see in your headers and the rule should work.

As far as "when the primary is up", that is not entirely accurate.  This rule is always in effect.  Of course, if the primary really went down it would need manual intervention, including setting this rule's score to zero until all mail stored and forwarded by the secondary is processed.  I have only done this once in a couple years of operation; our primary is running a very stable OS distro and we are on a redundant fiber loop.  Besides, 1 point won't cause an FP disaster in our scoring scenario.

I suppose I could write a script that checks for loss of connectivity on the primary and adjusts the score accordingly.  But I haven't felt the need.

Regards,
Pierre



-----Original Message-----
From: Pettit, Paul [mailto:ismanager@ccbnpts.com]
Sent: Tuesday, April 12, 2005 2:28 PM
To: users@spamassassin.apache.org
Subject: RE: OT: Do spammers have a sense of humor?


> Pierre Thomson wrote: 
> 
> Fortunately SA (2.64) 
> saw through it and nailed this using Bayes, DCC, and a custom 
> rule that penalizes mail coming through the secondary relay 
> when the primary is up.
> 

Would you be willing to post that custom rule? I get a number of those kind
of spams and haven't been able to figure out how to tag them correctly. I
use 2.64 as well so compatibility is not an issue. :)