Discussion:
X-Spam-Relays-External
Ned Slider
2011-06-29 10:02:13 UTC
Hi List,

I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External header
as DNSBL rules are able to do with -lastexternal.

Is there a X-Spam-Relays-Last-External option that I'm missing, and if
not would it be possible to implement such a feature or perhaps someone
can suggest a workaround method?

For example, I'd like to be able to do something like this against only
the last external Received header:

header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i

Thanks
Axb
2011-06-29 10:12:53 UTC
Post by Ned Slider
Hi List,
I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External header
as DNSBL rules are able to do with -lastexternal.
Is there a X-Spam-Relays-Last-External option that I'm missing, and if
not would it be possible to implement such a feature or perhaps someone
can suggest a workaround method?
For example, I'd like to be able to do something like this against only
header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt

"TEMPLATE TAGS"

_LASTEXTERNALIP_ IP address of client in the external-to-internal
SMTP handover
_LASTEXTERNALRDNS_ reverse-DNS of client in the external-to-internal
SMTP handover
_LASTEXTERNALHELO_ HELO string used by client in the external-to-internal
SMTP handover

Is that what you're looking for?
Ned Slider
2011-06-29 11:01:54 UTC
Post by Axb
Post by Ned Slider
Hi List,
I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External header
as DNSBL rules are able to do with -lastexternal.
Is there a X-Spam-Relays-Last-External option that I'm missing, and if
not would it be possible to implement such a feature or perhaps someone
can suggest a workaround method?
For example, I'd like to be able to do something like this against only
header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt
"TEMPLATE TAGS"
_LASTEXTERNALIP_ IP address of client in the external-to-internal
SMTP handover
_LASTEXTERNALRDNS_ reverse-DNS of client in the external-to-internal
SMTP handover
_LASTEXTERNALHELO_ HELO string used by client in the external-to-internal
SMTP handover
Is that what you're looking for?
Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
rDNS that matches the string I was trying to match.

Where might I find examples of TEMPLATE TAGS usage? It's unclear to me
how to use these options so some examples of their usage would be useful.

Many thanks
RW
2011-06-29 11:36:42 UTC
On Wed, 29 Jun 2011 12:01:54 +0100
Post by Ned Slider
Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
rDNS that matches the string I was trying to match.
Where might I find examples of TEMPLATE TAGS usage? It's unclear to
me how to use these options so some examples of their usage would be
useful.
There won't be any because all rules of this sort use the method given
by Henrik.
Benny Pedersen
2011-06-29 10:24:15 UTC
Post by Ned Slider
header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~
/someisp\.com/i
bad rule, hostnames can have more than one ip, would you trust every ip
now ?

better would be to extend ASN plugin to have whitelist specific ASN or
blacklist
Ned Slider
2011-06-29 11:05:58 UTC
Post by Benny Pedersen
Post by Ned Slider
header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
bad rule, hostnames can have more than one ip, would you trust every ip
now ?
Who said anything about trusting the IP ?

I simply want to verify that the email was relayed to me from a
particular ISP as part of a meta rule. The very fact that the
hostname(s) do have many IPs is the reason for matching that rather than
trying to match multiple subnet ranges.
Post by Benny Pedersen
better would be to extend ASN plugin to have whitelist specific ASN or
blacklist
Benny Pedersen
2011-06-29 11:12:39 UTC
Post by Ned Slider
Who said anything about trusting the IP ?
I simply want to verify that the email was relayed to me from a
particular ISP as part of a meta rule. The very fact that the
hostname(s) do have many IPs is the reason for matching that rather
than trying to match multiple subnet ranges.
okay does ASN plugin not fit there ?

would your rule catch forged reverse dns ?
Henrik K
2011-06-29 10:28:48 UTC
Post by Ned Slider
Hi List,
I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External
header as DNSBL rules are able to do with -lastexternal.
Is there a X-Spam-Relays-Last-External option that I'm missing, and
if not would it be possible to implement such a feature or perhaps
someone can suggest a workaround method?
For example, I'd like to be able to do something like this against
header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
Thanks
Example from 20_dynrdns.cf

# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
...
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
Henrik K
2011-06-29 11:50:32 UTC
Post by Henrik K
Post by Ned Slider
Hi List,
I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External
header as DNSBL rules are able to do with -lastexternal.
Is there a X-Spam-Relays-Last-External option that I'm missing, and
if not would it be possible to implement such a feature or perhaps
someone can suggest a workaround method?
For example, I'd like to be able to do something like this against
header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
Thanks
Example from 20_dynrdns.cf
# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
...
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
To prevent further questions..

header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /

As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...

Thus the stanza will not look further than first ].
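
The anchoring described in the post above, as an added example that is not part of the original post or of SpamAssassin: it runs the thread's patterns (ported unchanged to Python's `re`, where these constructs behave as in Perl) over constructed `X-Spam-Relays-External` values. The relay entries, IPs and the hosts other than `someisp.com` are constructed sample data, and `relay()` and `evaluate()` are hypothetical helpers.

```python
import re

# Patterns taken from the thread.
UNANCHORED = re.compile(r"someisp\.com", re.I)            # the original idea
LAST_EXTERNAL = re.compile(r"^[^\]]+ rdns=[^ ]+\.someisp\.com ")
NO_AUTH = re.compile(r"^[^\]]+ auth= ")                   # from 20_dynrdns.cf


def relay(ip, rdns, helo, by, auth=""):
    """Build one constructed relay entry in the bracketed key=value layout."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} ident= envfrom= "
            f"intl=0 id=CONSTRUCTED auth={auth} msa=0 ]")


# Newest hop first: the first [ ... ] block is the external-to-internal handover.
DIRECT = relay("192.0.2.10", "dsl-10.pool.someisp.com", "pc", "mx.example.net")

# The someisp.com host only appears one hop further back.
VIA_SMARTHOST = " ".join([
    relay("198.51.100.5", "smtp.example.org", "smtp.example.org", "mx.example.net"),
    relay("192.0.2.10", "dsl-10.pool.someisp.com", "pc", "smtp.example.org"),
])

# HELO claims someisp.com, but the reverse DNS of the client does not.
HELO_ONLY = relay("203.0.113.7", "host.example.org", "mail.someisp.com",
                  "mx.example.net")

# The handover itself was authenticated, so auth= is not empty.
AUTHED = relay("192.0.2.10", "dsl-10.pool.someisp.com", "pc", "mx.example.net",
               auth="esmtpa")


def evaluate(header):
    """Return (unanchored, last_external, no_auth) match results as booleans."""
    return (bool(UNANCHORED.search(header)),
            bool(LAST_EXTERNAL.search(header)),
            bool(NO_AUTH.search(header)))


if __name__ == "__main__":
    for name in ("DIRECT", "VIA_SMARTHOST", "HELO_ONLY", "AUTHED"):
        print(f"{name:14}", evaluate(globals()[name]))
```

The unanchored pattern fires on an earlier hop and on a client-chosen HELO string, while the anchored `rdns=` pattern only fires when the handover client's reverse DNS ends in `.someisp.com`.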
Ned Slider
2011-06-29 12:21:54 UTC
Post by Henrik K
Post by Henrik K
Post by Ned Slider
Hi List,
I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External
header as DNSBL rules are able to do with -lastexternal.
Is there a X-Spam-Relays-Last-External option that I'm missing, and
if not would it be possible to implement such a feature or perhaps
someone can suggest a workaround method?
For example, I'd like to be able to do something like this against
header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
Thanks
Example from 20_dynrdns.cf
# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
...
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
To prevent further questions..
header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /
As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...
Thus the stanza will not look further than first ].
Brilliant - thank you very much. Works perfectly.
