Title: Message
|
... a
decline in the good guys making the MAILFROM some other domain, like the target
addressee itself?
I have
a simple filter file called Spoof which triggers when an inbound mail has a
MAILFROM in my domain instead of theirs. Typical
good-but-clueless senders included:
Fedex.com (package tracking messages)
Sabre.com (airline reservation confirmations)
Seattle-PI.com (news items as they happen)
In January however, I've only seen spam trigger this
test..
Has
anybody else noted a similar new behaviour?
Andrew
8)
I
coded something up for that blank subject issue. This external test is
compatible with all forms of Declude, however you should be running the most
recent release or beta just to be safe.
Since Declude sees intra-server
E-mail as "incoming", and the goal of this filter was to target internal
E-mail in order to enforce a policy, it needed a secondary match in order to
verify that the message didn't only contain a blank subject, but also that it
came from the address space in question.
I added options for doing
comparisons of the IP, reverse DNS entry and Mail From. They work as
arguments to the script like so:
Match Remote IP (MIP & DIP) - This is the Match IP, and it
is compared to start of the Declude IP string. MIP=127.0.0.
would match DIP=127.0.0.1, but MIP=0.0.1 would not match DIP=127.0.0.1
because it checks to see if the DIP starts with that value. MIP is
manually configured and the DIP value is provided by the %REMOTEIP%
variable.
Match Reverse DNS (MRD & DRD) - This is the Match
Reverse DNS, and it is compared to the end of the Declude Reverse DNS
string. MRD=example.com would match DRD=computer1.example.com, but
MRD=computer1 would not match DRD=computer1.example.com because that string
doesn't end with the match value. MRD is manually configured and the
DRD value is provided by the %REVDNS% variable.
Match Mail >From (MMF
& DMF) - This is the Match Mail From, and it is compared to the
end of the Declude Mail From string. [EMAIL PROTECTED] would match [EMAIL PROTECTED], but MMF=user
would not match [EMAIL PROTECTED] because that
string doesn't end with the match value. MMF is manually configured
and the DMF value is provided by the %MAILFROM% variable. ***NOTE***
since the Mail From can be forged by spammers, and some spam has blank
subjects, you should only use this when it is impossible to use one of the
other two match options, and if you do use it, you must make sure that you
aren't causing backscatter with bounce messages.
I have
also added the option of doing weight skipping using SW and CW as shown in the
script comments. You can download the script from the following
location:
http://www.mailpure.com/software/decludefilters/beta/BlankSubject_v1-0-0.zip
There
is currently a bug in all current versions of Declude that results in an
external test not being run when the test definition is too long once
populated with the variables. This occurs when things get beyond
about 250 characters. It is quite possible that you will sporadically
see this error with this external test and the Match Reverse DNS and Match
Mail From options. In order to work around this bug, you could place the
script in the root of a drive such as C:\BlankSubject.vbs, and that should
save enough space in the test definition for this not to matter.
This
was a rather easy script to construct once you have experience doing this
stuff. I threw this together not just to be nice, but also to inspire
others to come up with external tests of their own that enhance functionality
and encourage them to share. I have run many external tests as VBScript
using the CScript environment and have found that even though this is an
interpreted language, it will hardly show up on your CPU utilization and the
delay is virtually unnoticeable.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
- [Declude.JunkMail] SPF uptake results in... Colbeck, Andrew
-
