Posted to users@spamassassin.apache.org by Rapitharian <Ra...@hotmail.com> on 2011/05/19 03:40:19 UTC
RelayCountry Plugin
I am currently using the Relay Country plugin for SpamAssassin.
I have written rules similar to the ones found on the wiki page for the
plugin.
Example:
header RELAYCOUNTRY_FR X-Relay-Countries=~/FR/
describe RELAYCOUNTRY_FR Relayed through France
score RELAYCOUNTRY_FR 0.1
I am finding that every day I get Spam sent to my users from several new
countries. This requires me to have to write new rules for these countries.
The list is getting quite long.
What I would like to know is: is there a way to write a rule to award points
to countries not listed? For my case I get legit mail from the following
country codes: US, CA, and FR. If the countries the mail is relayed through
is not one of these, I would like to bump the SA score by 1.0 point.
Can I do this? If so how?
I have not found a way, via regular expressions, to say: not this, or this,
or this. It seems regular expressions always work in the affirmative, not the
negative.
I believe I may have found the answer (So thank you for hanging in there, I
am reading.)
Would this be the correct rule?
Example:
header RELAYCOUNTRY_UCF X-Relay-Countries!~/US|CA|FR/
describe RELAYCOUNTRY_UCF Relayed through Country other than US, CA, and FR
score RELAYCOUNTRY_UCF 1.0
Points I am not sure about: UCF at the end of RELAYCOUNTRY_. Does this need
to be a valid country code? or is it only part of the rule name?
Is the "!~/US|CA|FR/" the right way to say Not US or CA or FR?
Thanks in advance for all your help.
-Rap
--
View this message in context: http://old.nabble.com/RelayCountry-Plugin-tp31652314p31652314.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: RelayCountry Plugin
Posted by John Hardin <jh...@impsec.org>.
On Thu, 19 May 2011, Rapitharian wrote:
> One quick question though:
> 1) What does the ?: do in =~/(?:US|CA|FR)/
(xxx) by default remembers the matched text for later use. SA rules can't
use remembered matches for anything; adding ?: makes perl not remember
what matched, which is a performance improvement.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Vista: because the audio experience is *far* more important than
network throughput.
-----------------------------------------------------------------------
161 days since the first successful private orbital launch (SpaceX)
Re: RelayCountry Plugin
Posted by Rapitharian <Ra...@hotmail.com>.
John Wilcock wrote:
>
> Le 19/05/2011 04:46, John Hardin a écrit :
>> Sure. Well, not a _single_ rule, but you can achieve what you want...
>>
>> First, write a rule that hits on all messages and assign it a positive
>> score:
>>
>>
>> meta RELAYCOUNTRY_ALL __HAS_RCVD
>> describe RELAYCOUNTRY_ALL Relayed through any country
>> score RELAYCOUNTRY_ALL 1.00
>>
>>
>> Then write a RelayCountry rule for the "trusted" countries, and assign
>> it an offsetting negative score:
>>
>>
>> header RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
>> describe RELAYCOUNTRY_GOOD Relayed through trusted country
>> score RELAYCOUNTRY_GOOD -1.00
>
> That could be simplified:
>
> header __RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
> meta RELAYCOUNTRY_NOTGOOD __HAS_RCVD && !RELAYCOUNTRY_GOOD
>
> [except of course that you might find some legit French senders, for
> example, relaying via servers elsewhere in Europe, so the list of "good"
> countries might need to be a bit longer than you initially think]
>
> John.
>
> --
> -- Over 4000 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages - www.tradoc.fr
>
>
John & John,
Thanks so much for the answer. I will try this in the next few days.
One quick question though:
1) What does the ?: do in =~/(?:US|CA|FR)/
Thanks so much for the help,
Rap
--
View this message in context: http://old.nabble.com/RelayCountry-Plugin-tp31652314p31660533.html
Re: RelayCountry Plugin
Posted by John Hardin <jh...@impsec.org>.
On Thu, 19 May 2011, John Wilcock wrote:
> That could be simplified:
>
> header __RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
> meta RELAYCOUNTRY_NOTGOOD __HAS_RCVD && !RELAYCOUNTRY_GOOD
Even better!
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
I would buy a Mac today if I was not working at Microsoft.
-- James Allchin, Microsoft VP of Platforms
-----------------------------------------------------------------------
161 days since the first successful private orbital launch (SpaceX)
Re: RelayCountry Plugin
Posted by Rapitharian <Ra...@hotmail.com>.
Rapitharian wrote:
>
>
> RW-15 wrote:
>>
>> On Fri, 20 May 2011 06:41:33 -0500
>> Daniel McDonald <da...@austinenergy.com> wrote:
>>
>>>
>>>
>>>
>>> On 5/19/11 7:55 PM, "Rapitharian" <Ra...@hotmail.com> wrote:
>>>
>>> >
>>> > RW-15
>>> > Can you help me some? I am not even a novice in writing/reading
>>> > regular expressions.
>>> > What is this doing? X-Relay-Countries=~
>>> > /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/
>>>
>>
>>> Since the non-alpha characters will always be a single space, and
>>> there is never a space in the first column, this would be more easily
>>> written as: /^(?:(?:GB|US)\s?)+$/
>>
>> [^[:alpha:]]* doesn't just match single spaces, it also matches the **
>> characters. I wrote it that way on the off-chance that additional
>> special codes might be added in the future. For example if ?? were
>> added to represent IPv6 addresses, they would be ignored by my rule,
>> but /^(?:(?:GB|US|\*\*)\s?)+$/ would treat ?? as if it were a foreign
>> country code.
>>
>>
>>
>> BTW does anyone know if there's a way to get the FreeBSD p5-IP-Country
>> port to update its database. I just noticed it's nearly two years old.
>>
>>
>>
>
> RW-15,
> Something seems wrong. I placed the following rule in my spamassassin
> local.cf file. It is only hitting on the countries I want to exclude. CA,
> FR, GB,KY, and US.
>
> header __RELAYCOUNTRY_SENSIBLE X-Relay-Countries=~
> /^([^[:alpha:]]*(CA|FR|GB|KY|US)[^[:alpha:]]*)+$/
> describe __RELAYCOUNTRY_SENSIBLE Relayed through a Spammy Country
> score __RELAYCOUNTRY_SENSIBLE 1.0
>
> Should I change the above to below to correct?
>
> header __RELAYCOUNTRY_SENSIBLE X-Relay-Countries!~
> /^([^[:alpha:]]*(CA|FR|GB|KY|US)[^[:alpha:]]*)+$/
> describe __RELAYCOUNTRY_SENSIBLE Relayed through a Spammy Country
> score __RELAYCOUNTRY_SENSIBLE 1.0
>
> The key difference is I exchanged the = for a !. This should make this
> rule a negative rather than a positive match, correct?
> Again I thank you all for your help.
> Rap
>
I had to make one more change to get this to work: I had to remove the space
after the !~.
Here is the final working code:
header RELAYCOUNTRY_SENSIBLE X-Relay-Countries!~/^([^[:alpha:]]*(CA|FR|GB|KY|US)[^[:alpha:]]*)+$/
describe RELAYCOUNTRY_SENSIBLE Relayed through a Spammy Country
score RELAYCOUNTRY_SENSIBLE 1.0
Thanks to everyone for their help getting this to work. Now every time an
email relays through a country not in my very short acceptable list it gets
tagged with a point. Not as fine-grained control as the normal method, but
a much easier way to whack all countries not explicitly called out.
Thanks Again,
Rap
--
View this message in context: http://old.nabble.com/RelayCountry-Plugin-tp31652314p31673280.html
Re: RelayCountry Plugin
Posted by Rapitharian <Ra...@hotmail.com>.
RW-15 wrote:
>
> On Fri, 20 May 2011 06:41:33 -0500
> Daniel McDonald <da...@austinenergy.com> wrote:
>
>>
>>
>>
>> On 5/19/11 7:55 PM, "Rapitharian" <Ra...@hotmail.com> wrote:
>>
>> >
>> > RW-15
>> > Can you help me some? I am not even a novice in writing/reading
>> > regular expressions.
>> > What is this doing? X-Relay-Countries=~
>> > /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/
>>
>
>> Since the non-alpha characters will always be a single space, and
>> there is never a space in the first column, this would be more easily
>> written as: /^(?:(?:GB|US)\s?)+$/
>
> [^[:alpha:]]* doesn't just match single spaces, it also matches the **
> characters. I wrote it that way on the off-chance that additional
> special codes might be added in the future. For example if ?? were
> added to represent IPv6 addresses, they would be ignored by my rule,
> but /^(?:(?:GB|US|\*\*)\s?)+$/ would treat ?? as if it were a foreign
> country code.
>
>
>
> BTW does anyone know if there's a way to get the FreeBSD p5-IP-Country
> port to update its database. I just noticed it's nearly two years old.
>
>
>
RW-15,
Something seems wrong. I placed the following rule in my spamassassin
local.cf file. It is only hitting on the countries I want to exclude. CA,
FR, GB, KY, and US.
header __RELAYCOUNTRY_SENSIBLE X-Relay-Countries=~ /^([^[:alpha:]]*(CA|FR|GB|KY|US)[^[:alpha:]]*)+$/
describe __RELAYCOUNTRY_SENSIBLE Relayed through a Spammy Country
score __RELAYCOUNTRY_SENSIBLE 1.0
Should I change the above to below to correct?
header __RELAYCOUNTRY_SENSIBLE X-Relay-Countries!~ /^([^[:alpha:]]*(CA|FR|GB|KY|US)[^[:alpha:]]*)+$/
describe __RELAYCOUNTRY_SENSIBLE Relayed through a Spammy Country
score __RELAYCOUNTRY_SENSIBLE 7.0
The key difference is I exchanged the = for a !. This should make this rule
a negative rather than a positive match, correct?
Again I thank you all for your help.
Rap
--
View this message in context: http://old.nabble.com/RelayCountry-Plugin-tp31652314p31670939.html
Re: RelayCountry Plugin
Posted by Daniel McDonald <da...@austinenergy.com>.
On 5/20/11 4:58 PM, "RW" <rw...@googlemail.com> wrote:
>
>
> BTW does anyone know if there's a way to get the FreeBSD p5-IP-Country
> port to update its database. I just noticed it's nearly two years old.
>
The scripts to update it are in the source tarball for IP-Country, in the
dbmScripts subdirectory. I just ran that on one of my systems this week. I
try to remember to do it monthly. In fact, I also opened a bug with
Mandriva asking that they provide the update scripts in a package:
https://qa.mandriva.com/show_bug.cgi?id=63332
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RelayCountry Plugin
Posted by RW <rw...@googlemail.com>.
On Fri, 20 May 2011 06:41:33 -0500
Daniel McDonald <da...@austinenergy.com> wrote:
>
>
>
> On 5/19/11 7:55 PM, "Rapitharian" <Ra...@hotmail.com> wrote:
>
> >
> > RW-15
> > Can you help me some? I am not even a novice in writing/reading
> > regular expressions.
> > What is this doing? X-Relay-Countries=~
> > /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/
>
> Since the non-alpha characters will always be a single space, and
> there is never a space in the first column, this would be more easily
> written as: /^(?:(?:GB|US)\s?)+$/
[^[:alpha:]]* doesn't just match single spaces, it also matches the **
characters. I wrote it that way on the off-chance that additional
special codes might be added in the future. For example if ?? were
added to represent IPv6 addresses, they would be ignored by my rule,
but /^(?:(?:GB|US|\*\*)\s?)+$/ would treat ?? as if it were a foreign
country code.
BTW does anyone know if there's a way to get the FreeBSD p5-IP-Country
port to update its database. I just noticed it's nearly two years old.
Re: RelayCountry Plugin
Posted by Daniel McDonald <da...@austinenergy.com>.
On 5/19/11 7:55 PM, "Rapitharian" <Ra...@hotmail.com> wrote:
>
> RW-15
> Can you help me some? I am not even a novice in writing/reading regular
> expressions.
> What is this doing? X-Relay-Countries=~
> /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/
Start at the beginning of the line.
Match zero or more non-alpha characters, followed by GB or US,
Follow that with zero or more non-alpha characters
match the previous pattern 1 or more times.
Follow with the end of a line.
Since the non-alpha characters will always be a single space, and there is
never a space in the first column, this would be more easily written as:
/^(?:(?:GB|US)\s?)+$/
But there are two special cases that need to be considered:
XX - private address space
** - addresses unassigned at the time the cc.gif file was last updated.
So, you may want to add those "countries" into the inner match... Note that
** would need to be escaped as \*\*
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
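Added example, not part of any post in this thread: a Perl script that runs the three pattern styles discussed above over constructed X-Relay-Countries values and shows which values would trip a `!~` rule. The trusted list US|CA|FR is the one from the original question; the sample header values and the policy labels are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration: which X-Relay-Countries values trip a "!~" rule under
# each pattern style from the thread. Trusted list US|CA|FR is the one from
# the original question; header values below are constructed, not real mail.
use strict;
use warnings;

# Labels are hypothetical names for this demo, not SpamAssassin rule names.
my @policies = (
    # Hardin/Wilcock style: satisfied if ANY relay is in a trusted country.
    [ 'any-trusted'  => qr/(?:US|CA|FR)/ ],
    # RW style: every alphabetic code must be trusted; non-alpha markers
    # such as "**" are skipped by [^[:alpha:]]*.
    [ 'only-trusted' => qr/^([^[:alpha:]]*(US|CA|FR)[^[:alpha:]]*)+$/ ],
    # McDonald's shorter form: trusted codes separated by at most one
    # whitespace character; "**" and "XX" break the match unless added.
    [ 'strict-list'  => qr/^(?:(?:US|CA|FR)\s?)+$/ ],
);

my @samples = (
    'US',          # single trusted relay
    'FR CA US',    # several relays, all trusted
    'CN US',       # one untrusted hop and one trusted hop
    'RU BR',       # no trusted hop at all
    '** US',       # the "**" marker described above plus a trusted hop
    'XX US',       # the "XX" marker described above plus a trusted hop
);

# A "header NAME X-Relay-Countries !~ /re/" rule hits when the regex does
# NOT match, so "flagged" is the negated match.
sub flagged {
    my ($re, $value) = @_;
    return $value !~ $re ? 1 : 0;
}

# Print one row per sample, one column per policy.
printf '%-12s', 'header';
printf(' %-13s', $_->[0]) for @policies;
print "\n";

for my $value (@samples) {
    printf '%-12s', "'$value'";
    printf(' %-13s', flagged($_->[1], $value) ? 'HIT' : '-') for @policies;
    print "\n";
}
```

With these inputs only the any-trusted pattern leaves 'CN US' unflagged, and the three patterns disagree on '** US' and 'XX US', which is the difference the replies in this thread are arguing about.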
Re: RelayCountry Plugin
Posted by Rapitharian <Ra...@hotmail.com>.
RW-15 wrote:
>
> On Thu, 19 May 2011 08:15:00 +0200
> John Wilcock <jo...@tradoc.fr> wrote:
>
>> Le 19/05/2011 04:46, John Hardin a écrit :
>> > Sure. Well, not a _single_ rule, but you can achieve what you
>> > want...
>
>> > header RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
>> > describe RELAYCOUNTRY_GOOD Relayed through trusted country
>> > score RELAYCOUNTRY_GOOD -1.00
>>
>> That could be simplified:
>>
>> header __RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
>> meta RELAYCOUNTRY_NOTGOOD __HAS_RCVD && !RELAYCOUNTRY_GOOD
>>
>> [except of course that you might find some legit French senders, for
>> example, relaying via servers elsewhere in Europe, so the list of
>> "good" countries might need to be a bit longer than you initially
>> think]
>
> This isn't an optimal approach. Received headers can be forged, and
> spammers sometimes send spam from foreign ip addresses through western
> mail accounts.
>
> A bad result is when the email passes through a "bad" country. A good
> result is when the email passes *only* through "good" countries.
>
> e.g. I use:
>
> header __RELAYCOUNTRY_SENSIBLE X-Relay-Countries
> =~ /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/
>
>
RW-15
Can you help me some? I am not even a novice in writing/reading regular
expressions.
What is this doing? X-Relay-Countries=~
/^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/
I will take a stab and show just how little I know. It says
X-Relay-Countries is equal to case sensitive some number of characters GB or
US case sensitive some number of characters matched 1 or more times plus
some string. Nope that is wrong. Try two, X-Relay-Countries is equal to
case sensitive, not alpha characters; matched one or more times, GB or US,
not alpha characters; one or more times, and some string?
Am I even close?
Thanks again for the help and education.
Rap
--
View this message in context: http://old.nabble.com/RelayCountry-Plugin-tp31652314p31660618.html
Re: RelayCountry Plugin
Posted by Daniel McDonald <da...@austinenergy.com>.
On 5/19/11 8:07 AM, "RW" <rw...@googlemail.com> wrote:
> On Thu, 19 May 2011 08:15:00 +0200
> John Wilcock <jo...@tradoc.fr> wrote:
>
>> Le 19/05/2011 04:46, John Hardin a écrit :
>>> Sure. Well, not a _single_ rule, but you can achieve what you
>>> want...
>
>>> header RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
>>> describe RELAYCOUNTRY_GOOD Relayed through trusted country
>>> score RELAYCOUNTRY_GOOD -1.00
>>
>> That could be simplified:
>>
>> header __RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
>> meta RELAYCOUNTRY_NOTGOOD __HAS_RCVD && !RELAYCOUNTRY_GOOD
>>
>> [except of course that you might find some legit French senders, for
>> example, relaying via servers elsewhere in Europe, so the list of
>> "good" countries might need to be a bit longer than you initially
>> think]
Also, newly allocated space is listed as XX until you update the database.
I try to do that every month or so (I used to do it right after updating my
bogon list in bind, but now that the bogon list is static I need another
reminder...)
In the IP-Country tarball, there is a dbmScripts directory that contains the
necessary items to update the databases.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RelayCountry Plugin
Posted by RW <rw...@googlemail.com>.
On Thu, 19 May 2011 08:15:00 +0200
John Wilcock <jo...@tradoc.fr> wrote:
> Le 19/05/2011 04:46, John Hardin a écrit :
> > Sure. Well, not a _single_ rule, but you can achieve what you
> > want...
> > header RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
> > describe RELAYCOUNTRY_GOOD Relayed through trusted country
> > score RELAYCOUNTRY_GOOD -1.00
>
> That could be simplified:
>
> header __RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
> meta RELAYCOUNTRY_NOTGOOD __HAS_RCVD && !RELAYCOUNTRY_GOOD
>
> [except of course that you might find some legit French senders, for
> example, relaying via servers elsewhere in Europe, so the list of
> "good" countries might need to be a bit longer than you initially
> think]
This isn't an optimal approach. Received headers can be forged, and
spammers sometimes send spam from foreign ip addresses through western
mail accounts.
A bad result is when the email passes through a "bad" country. A good
result is when the email passes *only* through "good" countries.
e.g. I use:
header __RELAYCOUNTRY_SENSIBLE X-Relay-Countries =~ /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/
Re: RelayCountry Plugin
Posted by John Wilcock <jo...@tradoc.fr>.
Le 19/05/2011 04:46, John Hardin a écrit :
> Sure. Well, not a _single_ rule, but you can achieve what you want...
>
> First, write a rule that hits on all messages and assign it a positive
> score:
>
>
> meta RELAYCOUNTRY_ALL __HAS_RCVD
> describe RELAYCOUNTRY_ALL Relayed through any country
> score RELAYCOUNTRY_ALL 1.00
>
>
> Then write a RelayCountry rule for the "trusted" countries, and assign
> it an offsetting negative score:
>
>
> header RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
> describe RELAYCOUNTRY_GOOD Relayed through trusted country
> score RELAYCOUNTRY_GOOD -1.00
That could be simplified:
header __RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
meta RELAYCOUNTRY_NOTGOOD __HAS_RCVD && !RELAYCOUNTRY_GOOD
[except of course that you might find some legit French senders, for
example, relaying via servers elsewhere in Europe, so the list of "good"
countries might need to be a bit longer than you initially think]
John.
--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
Re: RelayCountry Plugin
Posted by John Hardin <jh...@impsec.org>.
On Wed, 18 May 2011, Rapitharian wrote:
> I am finding that every day I get Spam sent to my users from several new
> countries. This requires me to have to write new rules for these countries.
> The list is getting quite long.
> What I would like to know is: is there a way to write a rule to award points
> to countries not listed?
Sure. Well, not a _single_ rule, but you can achieve what you want...
First, write a rule that hits on all messages and assign it a positive
score:
meta RELAYCOUNTRY_ALL __HAS_RCVD
describe RELAYCOUNTRY_ALL Relayed through any country
score RELAYCOUNTRY_ALL 1.00
Then write a RelayCountry rule for the "trusted" countries, and assign it
an offsetting negative score:
header RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/
describe RELAYCOUNTRY_GOOD Relayed through trusted country
score RELAYCOUNTRY_GOOD -1.00
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If Microsoft made hammers, everyone would whine about how poorly
screws were designed and about how they are hard to hammer in, and
wonder why it takes so long to paint a wall using the hammer.
-----------------------------------------------------------------------
160 days since the first successful private orbital launch (SpaceX)