Posted to users@spamassassin.apache.org by Rafal Jankowski <ra...@doraco.pl> on 2005/04/19 21:14:36 UTC

Scoring for domain from Received header

Hello,

I am using SA 3.0.2 from Debian Sarge, it is invoked from exiscan.
I am wondering if it is possible to score for a domain from the last
Received header. For example:
*.pl     -2
*.co.uk  -3
.ru      +1
no rDNS  +3

I have searched through Mail::SpamAssassin::Conf documentation and
thought about using whitelist_from_rcv but I don't know how to assign
different scoring to different domains.

Rafał Jankowski



Re: Scoring for domain from Received header

Posted by Rafal Jankowski <ra...@doraco.pl>.
Wednesday, April 20, 2005, 12:14:14 AM, you wrote:

> So make a requirement that the received line also contains a "by" for
> your server name.

> It looks something like this:

> header DOMAIN_PL    Received =~/from .{1,50}\.pl.{1,100} by servername\.doraco\.com\.pl/
      
> Yes, it's still forgeable, but harder to forge.  You can also refine the
> regex to look for other specifics of your server to make it harder to
> spoof. Look for the name and version of your MTA, etc.

>> And I still don't know
>>how to write a rule matching the lack of revDNS.
>>
> You'd have to post examples of headers that mailserver generates for
> this, but generally you want to look for a from clause immediately
> followed by an IP, without a host name in between.

> Something like this regex:

> /from \(\[\d.{1,100} by fire.doraco.com.pl/


Thank you for your response, it was very helpful for me.
However finally I decided to add on my MTA an additional header like
X-Received for all scanned mail. I think it should be simpler and more
reliable.


Re: Scoring for domain from Received header

Posted by Matt Kettler <mk...@evi-inc.com>.
Rafal Jankowski wrote:

>I have written a rule like that:
>
>header DOMAIN_PL                        Received =~/\.pl/
>describe DOMAIN_PL                      Received From Poland
>lang pl describe DOMAIN_PL              E-mail z Polski
>score DOMAIN_PL                         -2.5
>
>but it checks each Received header, and I am only interested in the
>last one because the previous could be forged.
>
>  
>
So make a requirement that the received line also contains a "by" for
your server name.

It looks something like this:

header DOMAIN_PL    Received =~/from .{1,50}\.pl.{1,100} by servername\.doraco\.com\.pl/
      
Yes, it's still forgeable, but harder to forge.  You can also refine the
regex to look for other specifics of your server to make it harder to
spoof. Look for the name and version of your MTA, etc.

> And I still don't know
>how to write a rule matching the lack of revDNS.
>
You'd have to post examples of headers that mailserver generates for
this, but generally you want to look for a from clause immediately
followed by an IP, without a host name in between.

Something like this regex:

/from \(\[\d.{1,100} by fire.doraco.com.pl/
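
An added example, not part of the original thread: a Python sketch of the check discussed above, scoring only the hop recorded by the receiving server and treating a bare IP after "from" as missing rDNS. It assumes an Exim-style Received layout; the function names, sample hostnames and documentation-range IPs are constructed for illustration. It takes only the host token directly after "from", so a sender-chosen HELO name or a lower Received header is never scored.

```python
import re
from email import message_from_string

LOCAL_MTA = "fire.doraco.com.pl"           # receiving server name used in the thread
# Scores from the original question; the longest matching suffix wins.
TLD_SCORES = {".pl": -2.0, ".co.uk": -3.0, ".ru": 1.0}
NO_RDNS_SCORE = 3.0

# Assumed layout: "from <rdns-host> ([ip] helo=x) by <us>" when the reverse
# lookup worked, "from [ip] (helo=x) by <us>" when it did not.
HOP = re.compile(r"^from\s+(?P<peer>\S+).*?\sby\s+(?P<by>\S+)", re.S)

def score_last_hop(raw_message):
    """Return (label, score) for the hop recorded by our own MTA."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return ("no-received", 0.0)
    top = " ".join(received[0].split())     # newest header, unfolded
    m = HOP.match(top)
    if not m or m.group("by").lower() != LOCAL_MTA:
        return ("not-our-hop", 0.0)         # top header was not written by us
    peer = m.group("peer").lower().rstrip(".")
    if peer.startswith("["):                # bare IP literal: no rDNS
        return ("no-rdns", NO_RDNS_SCORE)
    for suffix in sorted(TLD_SCORES, key=len, reverse=True):
        if peer.endswith(suffix):
            return (suffix, TLD_SCORES[suffix])
    return ("other", 0.0)

def make_msg(*received):
    """Build a constructed sample message from Received header values."""
    return "".join(f"Received: {r}\n" for r in received) + "Subject: t\n\nbody\n"

# Constructed samples (documentation addresses, not real traffic).
GOOD_PL = make_msg(
    "from mx.example.pl ([192.0.2.10] helo=mx.example.pl)\n"
    "\tby fire.doraco.com.pl with esmtp (Exim 4.50) id 1ABC")
FORGED_LOWER = make_msg(
    "from [198.51.100.7] (helo=mail.example.pl)\n"
    "\tby fire.doraco.com.pl with smtp (Exim 4.50) id 1ABD",
    "from mail.example.pl by relay.example.pl with smtp id XYZ")

if __name__ == "__main__":
    print(score_last_hop(GOOD_PL))          # rDNS host ends in .pl
    print(score_last_hop(FORGED_LOWER))     # .pl appears only in HELO and a lower hop
```

A plain `/\.pl/` match over all Received headers would hit both samples; here the second one is scored as no rDNS because only the top hop's host token is examined.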


Re: Scoring for domain from Received header

Posted by Rafal Jankowski <ra...@doraco.pl>.
Tuesday, April 19, 2005, 9:21:06 PM, you wrote:

> You'll almost certainly have to do this with a custom rule. You can't
> have multiple scores for whitelist, as they all get implemented as a
> single rule.

> To make your life easier, look at writing a rule that examines the fake
> header X-Spam-Relays-Untrusted and/or X-Spam-Relays-Trusted.

I have written a rule like that:

header DOMAIN_PL                        Received =~/\.pl/
describe DOMAIN_PL                      Received From Poland
lang pl describe DOMAIN_PL              E-mail z Polski
score DOMAIN_PL                         -2.5

but it checks each Received header, and I am only interested in the
last one because the previous could be forged. And I still don't know
how to write a rule matching the lack of revDNS.

Rafał Jankowski


Re: Scoring for domain from Received header

Posted by Matt Kettler <mk...@evi-inc.com>.
Rafal Jankowski wrote:

>Hello,
>
>I am using SA 3.0.2 from Debian Sarge, it is invoked from exiscan.
>I am wondering if it is possible to score for a domain from the last
>Received header. For example:
>*.pl     -2
>*.co.uk  -3
>.ru      +1
>no rDNS  +3
>
>I have searched through Mail::SpamAssassin::Conf documentation and
>thought about using whitelist_from_rcv but I don't know how to assign
>different scoring to different domains.
>
>Rafał Jankowski
>
>
>  
>
You'll almost certainly have to do this with a custom rule. You can't
have multiple scores for whitelist, as they all get implemented as a
single rule.

To make your life easier, look at writing a rule that examines the fake
header X-Spam-Relays-Untrusted and/or X-Spam-Relays-Trusted.