
[Bug 3200] New: new rules: dynamic/no-rDNS-for-IP
http://bugzilla.spamassassin.org/show_bug.cgi?id=3200

Summary: new rules: dynamic/no-rDNS-for-IP
Product: Spamassassin
Version: unspecified
Platform: All
OS/Version: other
Status: NEW
Severity: normal
Priority: P3
Component: Rules
AssignedTo: spamassassin-dev@incubator.apache.org
ReportedBy: kai-sa-bugs@conti.nu


The following rules are attempting to mark incoming mail coming in
directly from dynamic/dialup/cable/dsl IPs. Unfortunately, some of
the header semantics (like "(may be forged)") are Sendmail-specific,
and all rely on a match for the receiving host (here: "by conti.nu").
Maybe someone can suggest a way of re-writing this into written
code, to match only on the first "trusted" header line?

Something tells me that we should be applying a lot of DNSBL tests
only on such specific header lines, too.


# conti.nu-specific
header RX_DYN_HOST_CUSTOM Received =~ /(?:ppp.*?|dialup.*?|dial|.dsl|.*?adsl.*?|\.cable|\.modem|\.pool.*?|\.dyn|\.dynamic|\.abo|\.client|\..*?-ip|\...\.shawcable\.net|\.in-addr|\.cablemodem|dhcp.*?|resnet)\..*?\..*by conti.nu /i
describe RX_DYN_HOST_CUSTOM Received directly from dialup/cable/dsl host (custom rule)
score RX_DYN_HOST_CUSTOM 2.0

# conti.nu-specific
# with 4 numeric elements concatenated with a hyphen - too strict?
# header RX_DYN_HOST2_CUSTOM Received =~ /\(.*\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}.*\).*by conti.nu /i
# with 3 numeric elements concatenated with a hyphen - seen quite often, such as in:
# m235.net81-64-119.noos.fr [81.64.119.235]
header __RX_DYN_HOST2_CUSTOM Received =~ /\(.*\d{1,3}-\d{1,3}-\d{1,3}.*\).*by conti.nu /i
# but do not score if we already matched the dialup/cable/DSL rule
meta RX_DYN_HOST2_CUSTOM (__RX_DYN_HOST2_CUSTOM && !RX_DYN_HOST_CUSTOM)
describe RX_DYN_HOST2_CUSTOM Received directly from host with script-generated rDNS name (custom rule)
score RX_DYN_HOST2_CUSTOM 2.0

# conti.nu-specific
header RX_FROM_NODNS_HOST Received =~ /\(\[\d+\.\d+\.\d+\.\d+\]\).*by conti.nu /i
describe RX_FROM_NODNS_HOST Received directly from host with no rDNS (custom rule)
score RX_FROM_NODNS_HOST 2.0

# conti.nu-specific
header RX_FROM_FORGEDDNS_HOST Received =~ /\(.*?\[\d+\.\d+\.\d+\.\d+\] \(may be forged\)\).*by conti.nu /i
describe RX_FROM_FORGEDDNS_HOST Received directly from host with forged rDNS (custom rule)
score RX_FROM_FORGEDDNS_HOST 1.5
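One way to apply these checks only to the hop where the trusted MX accepted the mail, as an added Python example that is not part of the bug report or of SpamAssassin: it parses Sendmail-style Received lines newest-first, skips hops between trusted hosts, and evaluates the four rules above on the first external handoff only, so Received lines forged below that boundary are ignored. The trusted host name, the internal network 192.0.2.0/24 and the sample headers are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed assumptions (not from the bug report): our MX name and internal relay net.
TRUSTED_HOSTS = {"conti.nu"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]
# Sendmail clause "from HELO (rdns [ip] (may be forged)) by HOST"; rdns absent if lookup failed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d+(?:\.\d+){3})\]"
    r"(?P<forged>\s+\(may be forged\))?\)\s+by\s+(?P<by>[\w.-]+)", re.I)
# Name tokens from RX_DYN_HOST_CUSTOM at label edges, and the three-octet RX_DYN_HOST2 shape.
DYN_NAME_RE = re.compile(
    r"(?<![a-z])(?:ppp|dialup|dial|adsl|dsl|cablemodem|cable|modem|pool|dynamic|dyn"
    r"|abo|client|dhcp|resnet|in-addr)(?![a-z])|-ip(?![a-z])", re.I)
THREE_OCTETS_RE = re.compile(r"\d{1,3}-\d{1,3}-\d{1,3}")

def external_hop(received):
    # Newest-first scan for the first hop where a trusted host accepted mail from outside.
    for line in received:
        m = RECEIVED_RE.search(line)
        if not m or m["by"].lower().rstrip(".") not in TRUSTED_HOSTS:
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address, not a usable hop
        if any(addr in net for net in TRUSTED_NETS):
            continue  # internal handoff, keep looking further down
        return m.groupdict()
    return None

def classify(received):
    # Apply the report's four rules to the external handoff hop only.
    hop = external_hop(received)
    if hop is None:
        return set()
    hits, rdns = set(), hop["rdns"]
    if rdns is None:
        hits.add("RX_FROM_NODNS_HOST")
    if hop["forged"]:
        hits.add("RX_FROM_FORGEDDNS_HOST")
    if rdns and DYN_NAME_RE.search(rdns):
        hits.add("RX_DYN_HOST_CUSTOM")
    elif rdns and THREE_OCTETS_RE.search(rdns):  # the meta rule: only when DYN_HOST missed
        hits.add("RX_DYN_HOST2_CUSTOM")
    return hits
# Constructed sample: an internal relay hop above the external handoff from the report's example.
SAMPLE = [
    "from relay.conti.nu (relay.conti.nu [192.0.2.10]) by conti.nu with ESMTP id A1",
    "from m235.net81-64-119.noos.fr (m235.net81-64-119.noos.fr [81.64.119.235]) by conti.nu id A2",
]
```

Running classify(SAMPLE) fires only RX_DYN_HOST2_CUSTOM, because the internal relay hop is skipped and the noos.fr name carries three hyphenated octets without any of the dialup/cable/DSL tokens.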


