2004-09-17 17:00:09 UTC
relay' emails from specific 'problem' networks.
The problem I faced with an all inclusive ban on these networks was that
our customers connect to our SMTP servers from all around the world.
Banning Dynamic, DSL, Cable, or Dialup connections at the SMTP level was
not an option, because that would prevent our customers from
establishing a valid SMTP connection to us.
Luckily, our SpamAssassin configuration is set up to bypass SpamAssassin
processing when a customer has authenticated themselves for the SMTP
connection. So 'local to local' and 'local to remote' deliveries are not
scanned, and are not affected by these rules. I can safely assume any
mail running through SpamAssassin is from a remote sender intended for a
local customer.
When SpamAssassin receives an email (at least under my setup), the
first line of that email is always the Received line added by our SMTP
With this in mind, I created a number of rules like this, which are
based on the dynamic / cable / dialup / DSL hosts names of large ISPs:
describe SKM_SPAM_HOST_3 Received via Insecure Networks -
score SKM_SPAM_HOST_3 0.1
describe SKM_SPAM_HOST_25 Received via Insecure Networks - *.pool*.interbusiness.it
score SKM_SPAM_HOST_25 0.1
This rule will match hosts like
123-123-123-123.pool54321.interbusiness.it in the first line of the
email (which is our SMTP Received line).
In my logic, there is no valid reason that a remote sender would connect
directly to our SMTP server from their dynamic/DSL/cable IP to send our
customers an email ... I think ? Valid 'remote to local' emails being
sent from these DSL/cable/dialup IPs would normally be relayed via their
own network's SMTP server, which would then be delivered to us by a host
that didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone who set up an SMTP
server on a dynamic IP (which just isn't what valid businesses do ... )?
So far I have had 100% spam, 0% ham marked by these rules.
Does anyone see any error in this logic? I would like to begin
automatically deleting emails that match these rules, but I am curious
if there are obscure cases where a non-authenticated SMTP connection
(remote to local), delivering a valid email, would be connecting from
these dynamic/DSL/cable IPs?
Thanks in advance,
P.S. If there isn't some sort of error in this logic, I will be happy to
post the full set of rules which match the 20-30 major 'zombie relay'
networks that we receive Spam from.
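The following is an added, stand-alone illustration of the logic in the post above; it is not SpamAssassin code and not the poster's rule set. It reads only the topmost Received: header (the one the receiving MTA itself wrote), pulls out the reverse-DNS name that MTA recorded for the connecting client, and checks it against a small rule table. The interbusiness.it pattern is taken from the post; the example.net rule, the sample messages, and all hostnames and IDs in them are constructed placeholders.

```python
"""Check the topmost Received: header against dynamic / dial-up hostname
rules, mirroring the reasoning in the post (example code, not the poster's
rules and not part of SpamAssassin). Sample messages are constructed.
"""
import re
from email import message_from_string

# (rule name, describe text, regex, score). The regex text is kept Perl-
# compatible so the same string can be dropped into a SpamAssassin
# 'header ... Received =~ /.../i' rule. SKM_SPAM_HOST_25 is from the post;
# SKM_EXAMPLE_DSL is a hypothetical stand-in for the other ISP rules.
DYNAMIC_HOST_RULES = [
    ("SKM_SPAM_HOST_25",
     "Received via Insecure Networks - *.pool*.interbusiness.it",
     r"\S+\.pool\S*\.interbusiness\.it\b", 0.1),
    ("SKM_EXAMPLE_DSL",
     "Received via Insecure Networks - *.dsl.example.net",
     r"\S+\.dsl\.example\.net\b", 0.1),
]
_COMPILED = [(n, re.compile(p, re.I), s) for n, _d, p, s in DYNAMIC_HOST_RULES]


def first_received(raw_message):
    """Topmost Received: header (the one our own MTA added), unfolded."""
    received = message_from_string(raw_message).get_all("Received") or []
    return " ".join(received[0].split()) if received else ""


def connecting_host(received_line):
    """Reverse-DNS name our MTA recorded for the connecting client.

    Sendmail and Postfix write 'from HELO (rdns [ip])'. The HELO name is
    supplied by the remote client, so it is deliberately ignored here; if
    no rDNS was recorded ('from HELO ([ip])') the result is ''.
    """
    m = re.match(r"from\s+\S+\s+\(([^\s\[\]()]+)\s*\[[^\]]*\]\)",
                 received_line, re.I)
    return m.group(1).lower() if m else ""


def score_message(raw_message):
    """Return (rule names hit, total score) for one raw message."""
    host = connecting_host(first_received(raw_message))
    hits = [name for name, pat, _s in _COMPILED if host and pat.search(host)]
    total = sum(s for name, _p, s in _COMPILED if name in hits)
    return hits, round(total, 2)


def spamassassin_cf():
    """Render the rule table as local.cf lines (header / describe / score)."""
    lines = []
    for name, desc, pattern, score in DYNAMIC_HOST_RULES:
        lines.append(f"header   {name} Received =~ /{pattern}/i")
        lines.append(f"describe {name} {desc}")
        lines.append(f"score    {name} {score}")
    return "\n".join(lines)


# Constructed samples (192.0.2.0/24 is documentation address space).
# Direct connection from a pool host: the rule should fire.
SPAM_SAMPLE = "\n".join([
    "Received: from 123-123-123-123.pool54321.interbusiness.it",
    "\t(123-123-123-123.pool54321.interbusiness.it [192.0.2.77])",
    "\tby mx.example.org (8.12.11/8.12.11) with SMTP id ABC123",
    "\tfor <customer@example.org>; Fri, 17 Sep 2004 12:00:00 -0500",
    "Subject: constructed sample, direct from a pool host", "", "body"])

# Same kind of host, but relayed through its ISP's smarthost: only the
# smarthost appears in the topmost header, so nothing fires.
HAM_SAMPLE = "\n".join([
    "Received: from smtp-out.isp.example.net",
    "\t(smtp-out.isp.example.net [192.0.2.20])",
    "\tby mx.example.org (8.12.11/8.12.11) with ESMTP id DEF456",
    "\tfor <customer@example.org>; Fri, 17 Sep 2004 12:01:00 -0500",
    "Received: from 10-20-30-40.pool777.interbusiness.it",
    "\t(10-20-30-40.pool777.interbusiness.it [192.0.2.99])",
    "\tby smtp-out.isp.example.net with ESMTP id GHI789",
    "Subject: constructed sample, relayed via ISP smarthost", "", "body"])

# Dynamic-looking HELO but no reverse DNS recorded: HELO is not trusted.
NORDNS_SAMPLE = "\n".join([
    "Received: from host.dsl.example.net ([192.0.2.5])",
    "\tby mx.example.org (8.12.11/8.12.11) with SMTP id JKL012",
    "Subject: constructed sample, no rDNS", "", "body"])

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE),
                          ("no-rdns", NORDNS_SAMPLE)):
        print(label, score_message(sample))
    print(spamassassin_cf())
```

Two design choices here are mine rather than the post's: the check is limited to the topmost Received header, which is what the post reasons about, whereas a plain SpamAssassin `header ... Received =~` rule is not restricted to the first Received header and can also fire on a dynamic hostname deeper in the relay chain; and the match is made against the reverse-DNS name the receiving MTA wrote in parentheses rather than the whole header, because the HELO name before it is chosen by the connecting client.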