Mailing List Archive: SpamAssassin: users

X-Spam-Relays-External

Index | Next | Previous | View Threaded

ned at unixmail

Jun 29, 2011, 3:02 AM

Post #1 of 10 (278 views)
Permalink

X-Spam-Relays-External

Hi List,

I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External header
as DNSBL rules are able to do with -lastexternal.

Is there a X-Spam-Relays-Last-External option that I'm missing, and if
not would it be possible to implement such a feature or perhaps someone
can suggest a workaround method?

For example, I'd like to be able to do something like this against only
the last external Received header:

header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i

Thanks

axb.lists at gmail

Jun 29, 2011, 3:12 AM

Post #2 of 10 (286 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On 2011-06-29 12:02, Ned Slider wrote:
> Hi List,
>
> I see the useful X-Spam-Relays-External pseudo header but what I'd
> really like to be able to specifically check is the Last External header
> as DNSBL rules are able to do with -lastexternal.
>
> Is there a X-Spam-Relays-Last-External option that I'm missing, and if
> not would it be possible to implement such a feature or perhaps someone
> can suggest a workaround method?
>
> For example, I'd like to be able to do something like this against only
> the last external Received header:
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt

"TEMPLATE TAGS"

_LASTEXTERNALIP_ IP address of client in the external-to-internal
SMTP handover
_LASTEXTERNALRDNS_ reverse-DNS of client in the external-to-internal
SMTP handover
_LASTEXTERNALHELO_ HELO string used by client in the external-to-internal
SMTP handover

Is that what you're looking for?

me at junc

Jun 29, 2011, 3:24 AM

Post #3 of 10 (290 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On Wed, 29 Jun 2011 11:02:13 +0100, Ned Slider wrote:

> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~
> /someisp\.com/i

bad rule, hostnames can have more then one ip, would you trust every ip
now ?

better would be to extend ASN plugin to have whitelist specific ASN or
blacklist

hege at hege

Jun 29, 2011, 3:28 AM

Post #4 of 10 (306 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
> Hi List,
>
> I see the useful X-Spam-Relays-External pseudo header but what I'd
> really like to be able to specifically check is the Last External
> header as DNSBL rules are able to do with -lastexternal.
>
> Is there a X-Spam-Relays-Last-External option that I'm missing, and
> if not would it be possible to implement such a feature or perhaps
> someone can suggest a workaround method?
>
> For example, I'd like to be able to do something like this against
> only the last external Received header:
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> Thanks

Example from 20_dynrdns.cf

# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
...
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /

ned at unixmail

Jun 29, 2011, 4:01 AM

Post #5 of 10 (281 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On 29/06/11 11:12, Axb wrote:
> On 2011-06-29 12:02, Ned Slider wrote:
>> Hi List,
>>
>> I see the useful X-Spam-Relays-External pseudo header but what I'd
>> really like to be able to specifically check is the Last External header
>> as DNSBL rules are able to do with -lastexternal.
>>
>> Is there a X-Spam-Relays-Last-External option that I'm missing, and if
>> not would it be possible to implement such a feature or perhaps someone
>> can suggest a workaround method?
>>
>> For example, I'd like to be able to do something like this against only
>> the last external Received header:
>>
>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt
>
> "TEMPLATE TAGS"
>
> _LASTEXTERNALIP_ IP address of client in the external-to-internal
> SMTP handover
> _LASTEXTERNALRDNS_ reverse-DNS of client in the external-to-internal
> SMTP handover
> _LASTEXTERNALHELO_ HELO string used by client in the external-to-internal
> SMTP handover
>
> Is that what you're looking for?
>

Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
rDNS that matches the string I was trying to match.

Where might I find examples of TEMPLATE TAGS usage? It's unclear to me
how to use these options so some examples of their usage would be useful.

Many thanks

ned at unixmail

Jun 29, 2011, 4:05 AM

Post #6 of 10 (289 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On 29/06/11 11:24, Benny Pedersen wrote:
> On Wed, 29 Jun 2011 11:02:13 +0100, Ned Slider wrote:
>
>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> bad rule, hostnames can have more then one ip, would you trust every ip
> now ?
>

Who said anything about trusting the IP ?

I simply want to verify that the email was relayed to me from a
particular ISP as part of a meta rule. The very fact that the
hostname(s) do have many IPs is the reason for matching that rather than
trying to match multiple subnet ranges.

> better would be to extend ASN plugin to have whitelist specific ASN or
> blacklist
>

me at junc

Jun 29, 2011, 4:12 AM

Post #7 of 10 (282 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On Wed, 29 Jun 2011 12:05:58 +0100, Ned Slider wrote:

> Who said anything about trusting the IP ?
>
> I simply want to verify that the email was relayed to me from a
> particular ISP as part of a meta rule. The very fact that the
> hostname(s) do have many IPs is the reason for matching that rather
> than trying to match multiple subnet ranges.

okay does ASN plugin not fit there ?

would your rule catch forged reverse dns ?

rwmaillists at googlemail

Jun 29, 2011, 4:36 AM

Post #8 of 10 (277 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On Wed, 29 Jun 2011 12:01:54 +0100
Ned Slider wrote:

>
> Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
> rDNS that matches the string I was trying to match.
>
> Where might I find examples of TEMPLATE TAGS usage? It's unclear to
> me how to use these options so some examples of their usage would be
> useful.

There wont be any because all rules of this sort use the method given
by Henrik.

hege at hege

Jun 29, 2011, 4:50 AM

Post #9 of 10 (279 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On Wed, Jun 29, 2011 at 01:28:48PM +0300, Henrik K wrote:
> On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
> > Hi List,
> >
> > I see the useful X-Spam-Relays-External pseudo header but what I'd
> > really like to be able to specifically check is the Last External
> > header as DNSBL rules are able to do with -lastexternal.
> >
> > Is there a X-Spam-Relays-Last-External option that I'm missing, and
> > if not would it be possible to implement such a feature or perhaps
> > someone can suggest a workaround method?
> >
> > For example, I'd like to be able to do something like this against
> > only the last external Received header:
> >
> > header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
> >
> > Thanks
>
> Example from 20_dynrdns.cf
>
> # Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
> # connecting to a internal relay; if a mail came from a dynamic addr but
> # was relayed through their smarthost, that's fine.
> ...
> header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /

To prevent further questions..

header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /

As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...

Thus the stanza will not look further than first ].

ned at unixmail

Jun 29, 2011, 5:21 AM

Post #10 of 10 (287 views)
Permalink

Re: X-Spam-Relays-External [In reply to]

On 29/06/11 12:50, Henrik K wrote:
> On Wed, Jun 29, 2011 at 01:28:48PM +0300, Henrik K wrote:
>> On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
>>> Hi List,
>>>
>>> I see the useful X-Spam-Relays-External pseudo header but what I'd
>>> really like to be able to specifically check is the Last External
>>> header as DNSBL rules are able to do with -lastexternal.
>>>
>>> Is there a X-Spam-Relays-Last-External option that I'm missing, and
>>> if not would it be possible to implement such a feature or perhaps
>>> someone can suggest a workaround method?
>>>
>>> For example, I'd like to be able to do something like this against
>>> only the last external Received header:
>>>
>>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>>>
>>> Thanks
>>
>> Example from 20_dynrdns.cf
>>
>> # Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
>> # connecting to a internal relay; if a mail came from a dynamic addr but
>> # was relayed through their smarthost, that's fine.
>> ...
>> header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
>
> To prevent further questions..
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /
>
> As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...
>
> Thus the stanza will not look further than first ].
>
>

Brilliant - thank you very much. Works perfectly.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads