Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SpamAssassin: users

X-Spam-Relays-External

 

 

SpamAssassin users RSS feed   Index | Next | Previous | View Threaded


ned at unixmail

Jun 29, 2011, 3:02 AM

Post #1 of 10 (610 views)
Permalink
X-Spam-Relays-External

Hi List,

I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External header
as DNSBL rules are able to do with -lastexternal.

Is there a X-Spam-Relays-Last-External option that I'm missing, and if
not would it be possible to implement such a feature or perhaps someone
can suggest a workaround method?

For example, I'd like to be able to do something like this against only
the last external Received header:

header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i

Thanks


axb.lists at gmail

Jun 29, 2011, 3:12 AM

Post #2 of 10 (615 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On 2011-06-29 12:02, Ned Slider wrote:
> Hi List,
>
> I see the useful X-Spam-Relays-External pseudo header but what I'd
> really like to be able to specifically check is the Last External header
> as DNSBL rules are able to do with -lastexternal.
>
> Is there a X-Spam-Relays-Last-External option that I'm missing, and if
> not would it be possible to implement such a feature or perhaps someone
> can suggest a workaround method?
>
> For example, I'd like to be able to do something like this against only
> the last external Received header:
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt

"TEMPLATE TAGS"

_LASTEXTERNALIP_ IP address of client in the external-to-internal
SMTP handover
_LASTEXTERNALRDNS_ reverse-DNS of client in the external-to-internal
SMTP handover
_LASTEXTERNALHELO_ HELO string used by client in the external-to-internal
SMTP handover

Is that what you're looking for?


me at junc

Jun 29, 2011, 3:24 AM

Post #3 of 10 (620 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On Wed, 29 Jun 2011 11:02:13 +0100, Ned Slider wrote:

> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~
> /someisp\.com/i

bad rule, hostnames can have more then one ip, would you trust every ip
now ?

better would be to extend ASN plugin to have whitelist specific ASN or
blacklist


hege at hege

Jun 29, 2011, 3:28 AM

Post #4 of 10 (643 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
> Hi List,
>
> I see the useful X-Spam-Relays-External pseudo header but what I'd
> really like to be able to specifically check is the Last External
> header as DNSBL rules are able to do with -lastexternal.
>
> Is there a X-Spam-Relays-Last-External option that I'm missing, and
> if not would it be possible to implement such a feature or perhaps
> someone can suggest a workaround method?
>
> For example, I'd like to be able to do something like this against
> only the last external Received header:
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> Thanks

Example from 20_dynrdns.cf

# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
...
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /


ned at unixmail

Jun 29, 2011, 4:01 AM

Post #5 of 10 (607 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On 29/06/11 11:12, Axb wrote:
> On 2011-06-29 12:02, Ned Slider wrote:
>> Hi List,
>>
>> I see the useful X-Spam-Relays-External pseudo header but what I'd
>> really like to be able to specifically check is the Last External header
>> as DNSBL rules are able to do with -lastexternal.
>>
>> Is there a X-Spam-Relays-Last-External option that I'm missing, and if
>> not would it be possible to implement such a feature or perhaps someone
>> can suggest a workaround method?
>>
>> For example, I'd like to be able to do something like this against only
>> the last external Received header:
>>
>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt
>
> "TEMPLATE TAGS"
>
> _LASTEXTERNALIP_ IP address of client in the external-to-internal
> SMTP handover
> _LASTEXTERNALRDNS_ reverse-DNS of client in the external-to-internal
> SMTP handover
> _LASTEXTERNALHELO_ HELO string used by client in the external-to-internal
> SMTP handover
>
> Is that what you're looking for?
>

Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
rDNS that matches the string I was trying to match.

Where might I find examples of TEMPLATE TAGS usage? It's unclear to me
how to use these options so some examples of their usage would be useful.

Many thanks


ned at unixmail

Jun 29, 2011, 4:05 AM

Post #6 of 10 (615 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On 29/06/11 11:24, Benny Pedersen wrote:
> On Wed, 29 Jun 2011 11:02:13 +0100, Ned Slider wrote:
>
>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> bad rule, hostnames can have more then one ip, would you trust every ip
> now ?
>

Who said anything about trusting the IP ?

I simply want to verify that the email was relayed to me from a
particular ISP as part of a meta rule. The very fact that the
hostname(s) do have many IPs is the reason for matching that rather than
trying to match multiple subnet ranges.

> better would be to extend ASN plugin to have whitelist specific ASN or
> blacklist
>


me at junc

Jun 29, 2011, 4:12 AM

Post #7 of 10 (612 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On Wed, 29 Jun 2011 12:05:58 +0100, Ned Slider wrote:

> Who said anything about trusting the IP ?
>
> I simply want to verify that the email was relayed to me from a
> particular ISP as part of a meta rule. The very fact that the
> hostname(s) do have many IPs is the reason for matching that rather
> than trying to match multiple subnet ranges.

okay does ASN plugin not fit there ?

would your rule catch forged reverse dns ?


rwmaillists at googlemail

Jun 29, 2011, 4:36 AM

Post #8 of 10 (606 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On Wed, 29 Jun 2011 12:01:54 +0100
Ned Slider wrote:


>
> Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
> rDNS that matches the string I was trying to match.
>
> Where might I find examples of TEMPLATE TAGS usage? It's unclear to
> me how to use these options so some examples of their usage would be
> useful.

There wont be any because all rules of this sort use the method given
by Henrik.


hege at hege

Jun 29, 2011, 4:50 AM

Post #9 of 10 (608 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On Wed, Jun 29, 2011 at 01:28:48PM +0300, Henrik K wrote:
> On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
> > Hi List,
> >
> > I see the useful X-Spam-Relays-External pseudo header but what I'd
> > really like to be able to specifically check is the Last External
> > header as DNSBL rules are able to do with -lastexternal.
> >
> > Is there a X-Spam-Relays-Last-External option that I'm missing, and
> > if not would it be possible to implement such a feature or perhaps
> > someone can suggest a workaround method?
> >
> > For example, I'd like to be able to do something like this against
> > only the last external Received header:
> >
> > header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
> >
> > Thanks
>
> Example from 20_dynrdns.cf
>
> # Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
> # connecting to a internal relay; if a mail came from a dynamic addr but
> # was relayed through their smarthost, that's fine.
> ...
> header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /

To prevent further questions..

header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /

As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...

Thus the stanza will not look further than first ].


ned at unixmail

Jun 29, 2011, 5:21 AM

Post #10 of 10 (620 views)
Permalink
Re: X-Spam-Relays-External [In reply to]

On 29/06/11 12:50, Henrik K wrote:
> On Wed, Jun 29, 2011 at 01:28:48PM +0300, Henrik K wrote:
>> On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
>>> Hi List,
>>>
>>> I see the useful X-Spam-Relays-External pseudo header but what I'd
>>> really like to be able to specifically check is the Last External
>>> header as DNSBL rules are able to do with -lastexternal.
>>>
>>> Is there a X-Spam-Relays-Last-External option that I'm missing, and
>>> if not would it be possible to implement such a feature or perhaps
>>> someone can suggest a workaround method?
>>>
>>> For example, I'd like to be able to do something like this against
>>> only the last external Received header:
>>>
>>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>>>
>>> Thanks
>>
>> Example from 20_dynrdns.cf
>>
>> # Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
>> # connecting to a internal relay; if a mail came from a dynamic addr but
>> # was relayed through their smarthost, that's fine.
>> ...
>> header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
>
> To prevent further questions..
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /
>
> As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...
>
> Thus the stanza will not look further than first ].
>
>

Brilliant - thank you very much. Works perfectly.

SpamAssassin users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.