Posted to users@spamassassin.apache.org by Kelly Jones <ke...@gmail.com> on 2006/12/19 01:50:28 UTC
Rule that negative scores emails from blackberry.com, not spoofers
How do I write a rule that negative scores emails "from"
blackberry.com. In other words, where the reverse DNS of the IP
address connecting to my mailserver matches the regex /.*blackberry\.com$/
The obvious:
Received =~ /.*blackberry\.com$/
doesn't work, because someone could "HELO blackberry.com" or spoof a
blackberry.com received header somewhere in the message headers prior
to the last hop.
Is this a good place to use the X-Spam-Relays-Trusted: and
X-Spam-Relays-Untrusted: pseudo-headers?
Reason I want to do this: by default, Blackberry sends text email
MIME-encoded and its timezone is +0000. This means it gets dinged by
the MIME_BASE64_TEXT rule AND the LW_STOCK_SPAM4 which is defined as:
meta LW_STOCK_SPAM4 __RATWARE_0_TZ_DATE && MIME_BASE64_TEXT
I want to even things out by giving a negative score to cancel out
those two positive scores.
Has anyone else run into this issue and/or written a rule to compensate?
--
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.
Re: Rule that negative scores emails from blackberry.com, not spoofers
Posted by Jan Doberstein <jd...@hosteurope.de>.
Hiya,
Kelly Jones wrote:
> Reason I want to do this: by default, Blackberry sends text email
> MIME-encoded and its timezone is +0000. This means it gets dinged by
> the MIME_BASE64_TEXT rule AND the LW_STOCK_SPAM4 which is defined as:
>
> meta LW_STOCK_SPAM4 __RATWARE_0_TZ_DATE && MIME_BASE64_TEXT
If the timezone differs from the Blackberry server, it will also trigger
INVALID_DATE, because the header will look like this:
--- cut ---
Date: Fri, 8 Dec 2006 14:58:27 +0000 GMT
--- cut ---
> Has anyone else run into this issue and/or written a rule to compensate?
I'm just a little bit frustrated that a company can constrain technicians
to find a way that their "broken" things are going to work ...
Maybe I'll use whitelist_from or something like this. Not quite sure at
the moment if I really want this ... why not try to force blackberry to
send "good" mails?
\jd
Re: Rule that negative scores emails from blackberry.com, not spoofers
Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 18 Dec 2006, Kelly Jones wrote:
> The obvious:
>
> Received =~ /.*blackberry\.com$/
>
> doesn't work, because someone could "HELO blackberry.com" or spoof a
> blackberry.com received header somewhere in the message headers prior
> to the last hop.
...so add enough to it to match only on Received headers that *your*
MTA inserts.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
7 days until Christmas
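
Added example, not part of the original thread: a test harness for a regex that looks only at the rdns= field of the first relay in X-Spam-Relays-Untrusted, run against the spoofing cases raised in the question. The rule name, score, hostnames, IPs and relay strings are constructed assumptions; the field layout follows SpamAssassin's relay pseudo-header format.

```python
import re

# Regex for a hypothetical SpamAssassin rule (rule name and score are assumptions):
#   header RCVD_VIA_BLACKBERRY X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:\S+\.)?blackberry\.com /i
#   score  RCVD_VIA_BLACKBERRY -2.0
# The pseudo-header holds one "[ key=value ... ]" block per untrusted relay,
# newest hop first. "^[^\]]+" cannot cross the first "]", so only the relay
# that connected to the trusted MTA is tested, and only its rdns= field.
FIRST_HOP_RDNS = re.compile(r"^[^\]]+ rdns=(?:\S+\.)?blackberry\.com ", re.I)

# Unanchored match, standing in for the "obvious" check in the question.
NAIVE = re.compile(r"blackberry\.com", re.I)


def relay(ip, rdns, helo):
    """Build one constructed relay block in the pseudo-header's layout."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by=mx.example.org "
            "ident= envfrom= intl=0 id=CONSTRUCTED auth= ]")


# Constructed samples: documentation IPs and made-up hostnames.
SAMPLES = {
    "genuine": relay("192.0.2.10", "relay1.blackberry.com", "relay1.blackberry.com"),
    "helo_spoof": relay("198.51.100.7", "host7.example.net", "blackberry.com"),
    "forged_older_hop": relay("198.51.100.7", "host7.example.net", "host7.example.net")
    + " " + relay("192.0.2.10", "relay1.blackberry.com", "relay1.blackberry.com"),
    "lookalike_rdns": relay("198.51.100.7", "blackberry.com.example.net", "x.example.net"),
    "no_rdns": relay("198.51.100.7", "", "blackberry.com"),
}


def classify(samples=SAMPLES):
    """Return {name: (naive_hit, first_hop_hit)} for each sample."""
    return {name: (bool(NAIVE.search(text)), bool(FIRST_HOP_RDNS.search(text)))
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in classify().items():
        print(f"{name:18} naive={naive!s:5} first_hop_rdns={strict}")
```

The rdns= value is whatever the trusted MTA recorded, so the rule is only as reliable as SpamAssassin's trusted_networks setting and that MTA's own reverse lookup.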