Posted to users@spamassassin.apache.org by Ramprasad <ra...@netcore.co.in> on 2011/04/11 08:34:26 UTC

Score on sender domain by country

Hi,

One of our clients has a purely local business and wants any mail coming
from a foreign domain to be given a score for spam.

I would like to reduce the spam threshold, and then give a negative
score for every mail with sender domain in India.

Is there a possibility of identifying the country where a domain is
registered? Identifying by TLD seems incorrect.


Thanks
Ram




Re: Score on sender domain by country

Posted by John Hardin <jh...@impsec.org>.
On Tue, 12 Apr 2011, RW wrote:

> On Mon, 11 Apr 2011 20:04:39 +0200
> Benny Pedersen <me...@junc.org> wrote:
>
>> # Note that the "X-Relay-Countries" header is by default a pseudo header
>> # that isn't actually added to the message, but can be matched by rules
>> # and used by bayes.
>
> Actually, they can't because two-letter country codes are shorter than
> the 3-character minimum token length.

Does it treat the entire list of country codes as a single token? ISTR 
from prior discussions that's what it does.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control laws aren't enacted to control guns, they are enacted
   to control people: catholics (1500s), japanese peasants (1600s),
   blacks (1860s), italian immigrants (1911), the irish (1920s),
   jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
  Tomorrow: Thomas Jefferson's 268th Birthday

Re: Score on sender domain by country

Posted by RW <rw...@googlemail.com>.
On Mon, 11 Apr 2011 20:04:39 +0200
Benny Pedersen <me...@junc.org> wrote:


> # Note that the "X-Relay-Countries" header is by default a pseudo header
> # that isn't actually added to the message, but can be matched by rules
> # and used by bayes.

Actually, they can't because two-letter country codes are shorter than
the 3-character minimum token length.

Re: Score on sender domain by country

Posted by Benny Pedersen <me...@junc.org>.
> Is there a possibility of identifying the country where a domain is
> registered. Identifying by tld seems incorrect

ifplugin Mail::SpamAssassin::Plugin::RelayCountry

    header	RELAY_IN X-Relay-Countries =~ /\bIN\b/
    describe	RELAY_IN Relayed through India
    score	RELAY_IN 1.0

    header	RELAY_STAR X-Relay-Countries =~ /\*\*/
    describe	RELAY_STAR Relayed through RFC1918
    score	RELAY_STAR 0.1

    # Note that the "X-Relay-Countries" header is by default a pseudo header
    # that isn't actually added to the message, but can be matched by rules
    # and used by bayes.

    # See also:

    # Docs for Relay Country
    # http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_RelayCountry.html

    # Docs for IP::Country
    # http://www.annocpan.org/~NWETTERS/IP-Country-2.22/lib/IP/Country.pm

    # List of ISO 3166 2-character country codes
    # http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

endif # Mail::SpamAssassin::Plugin::RelayCountry


For a more strict rule, meta it with SPF or DKIM on the sender domain.

Example headers for the RU TLD:

# header __HRD_SENDER_RU From:addr =~ /@((([a-zA-Z0-9])|\.|\-)+)\.ru(\.?)$/i
# header __HRD_RECIPIENT_RU To:addr =~ /@((([a-zA-Z0-9])|\.|\-)+)\.ru(\.?)$/i
# header __HDR_ENVFROM_RU EnvelopeFrom:addr =~ /@((([a-zA-Z0-9])|\.|\-)+)\.ru(\.?)$/i
# header __HDR_RCVD_RU Received:raw =~ /from([[:blank:]]+((([a-zA-Z0-9])|\.|\-)+)\.ru(\.?)[[:blank:]])/i
# meta HDR_CCTLD_RU __HRD_SENDER_RU || __HRD_RECIPIENT_RU || __HDR_ENVFROM_RU || __HDR_RCVD_RU
# score HDR_CCTLD_RU 0.01

If your MTA is Postfix, then check the Return-Path header.
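
The relay-country check combined with SPF or DKIM on the sender domain, as suggested above, written for the original request (a negative score for mail from India); this is an added example, not part of the original post. The LOCAL_* rule names and the scores are assumptions, and the stock SPF_PASS and DKIM_VALID_AU rules must be available (SPF and DKIM plugins loaded).

```conf
# Added example, not from the thread. LOCAL_* names are made up for
# illustration; scores are placeholders to tune against your own mail.
ifplugin Mail::SpamAssassin::Plugin::RelayCountry

  # X-Relay-Countries is a space-separated list such as "IN IN US **".
  # "**" (private address, as in RELAY_STAR above) and "XX" (lookup
  # failed) carry no country information, so neither counts as foreign.

  # At least one relay geolocated in India.
  header   __LOCAL_RELAY_IN      X-Relay-Countries =~ /\bIN\b/

  # At least one relay geolocated in a known country other than India.
  header   __LOCAL_RELAY_NOT_IN  X-Relay-Countries =~ /\b(?!IN\b|XX\b)[A-Z]{2}\b/

  # Every relay that could be geolocated is in India.
  meta     __LOCAL_RELAY_ONLY_IN __LOCAL_RELAY_IN && !__LOCAL_RELAY_NOT_IN

  # Negative score only when the whole path is in India AND the sender
  # domain authenticates. Received headers added before your own trusted
  # relays can be forged, so the country list alone should not earn a
  # negative score.
  meta     LOCAL_IN_AUTHED       __LOCAL_RELAY_ONLY_IN && (SPF_PASS || DKIM_VALID_AU)
  describe LOCAL_IN_AUTHED       All relays in India, sender passes SPF or DKIM
  tflags   LOCAL_IN_AUTHED       nice
  score    LOCAL_IN_AUTHED       -1.0

  # Small positive score when no relay is in India and at least one is
  # in another known country.
  meta     LOCAL_RELAY_FOREIGN   __LOCAL_RELAY_NOT_IN && !__LOCAL_RELAY_IN
  describe LOCAL_RELAY_FOREIGN   No relay in India, at least one abroad
  score    LOCAL_RELAY_FOREIGN   1.0

endif # Mail::SpamAssassin::Plugin::RelayCountry
```

Run `spamassassin --lint` after adding the rules to confirm they parse before relying on the scores.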



RelayCountry plugin: make it capable to use IP::Country alternatives [Was: Score on sender domain by country]

Posted by Andrzej Adam Filip <an...@gmail.com>.
John Hardin <jh...@impsec.org> wrote:
> [...]
> Much more useful is identifying the countries where the MTAs are
> located. Take a look at the RelayCountry plugin.

BTW It would be nice (and IMHO simple) to make RelayCountry plugin
capable to use IP::Country *OR* (e.g.) Geo::IPfree modules.

WHY: Debian does not provide libip-country-perl package
(debianized  IP::Country module).

-- 
[pl>en: Andrew] Andrzej Adam Filip : anfi@onet.eu
In the long run, every program becomes rococo, and then rubble.
  -- Alan Perlis

Re: Score on sender domain by country

Posted by John Hardin <jh...@impsec.org>.
On Mon, 11 Apr 2011, Ramprasad wrote:

> One of our clients has a purely local business and wants any mail coming
> from a foreign domain to be given a score for spam
>
> I would like to reduce the spam threshold, and then give a negative
> score for every mail with sender domain in India
>
> Is there a possibility of identifying the country where a domain is
> registered. Identifying by tld seems incorrect

It's also weak in the face of forgery.

Much more useful is identifying the countries where the MTAs are located. 
Take a look at the RelayCountry plugin.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control laws cannot reduce violent crime, because gun control
   laws assume a violent criminal will obey the law.
-----------------------------------------------------------------------
  2 days until Thomas Jefferson's 268th Birthday

Re: Score on sender domain by country

Posted by SM <sm...@resistor.net>.
Hi Ram,
At 23:34 10-04-2011, Ramprasad wrote:
>One of our clients has a purely local business and wants any mail coming
>from a foreign domain to be given a score for spam
>
>I would like to reduce the spam threshold, and then give a negative
>score for every mail with sender domain in India
>
>Is there a possibility of identifying the country where a domain is
>registered. Identifying by tld seems incorrect

No.  You mentioned that using the ccTLD for negative scoring isn't 
what you want.

If you assume that senders will be sending the mail from an IP 
address (or ASN) generally used within the country, you can put in a 
score for such a rule.  You may have to allow some exceptions (e.g. 
by domain name).

Regards,
-sm