Hi guys,
a continuous torrent of spam has been driving me to distraction recently,
and the out-of-the-box configurations seem to be losing ground, so it has
come time for me to learn about writing custom rulesets for
SpamAssassin. Unfortunately the first rule I want to write appears to be
a bit more than a simple regex :(
Here's what I have observed about the bulk of the spam that comes my way
and what differentiates it from the ham:
Received: from YOUR-4ECD8HHOVM.druuvln.net (unknown [70.106.176.148])
by mail4.zoneedit.com (Postfix) with ESMTP id 027C1A529F
for <[EMAIL PROTECTED]>; Mon, 24 Jul 2006 10:15:41 -0400 (EDT)
In the received headers for spam the sending domain is almost always
forged and for ham I can find no example of this nor any valid reason
for doing so.
First job: there are many Received headers, and the one that is of
interest is where the mail enters my mail domain; it can be identified
by 'mail?.zoneedit.com' on the second line.
Then: pull the claimed sender domain, e.g. druuvln.net, and compare it to
a host lookup on the real sender IP [70.106.176.148] or the zoneedit
supplied lookup 'unknown'; then, when they don't match, add LOTS of points
to the spam score....
Does anyone know if a SpamAssassin rule can be this sophisticated, or is
it necessary (or is there even a way) to break out into some script for
this test??
Regards,
Chris Bayley
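The check described in the post, worked through as an added example (this is editor-supplied code, not something from the original message or from SpamAssassin itself). It unfolds a raw header block, picks the Received hop whose "by" host matches mail?.zoneedit.com, pulls the HELO name, the reverse-DNS name Postfix recorded in parentheses (or "unknown") and the IP, and scores the message when the HELO domain and the reverse-DNS domain disagree. The sample header blocks, the example.com/example.org hosts, the score value and the optional `lookup` callback (for a live PTR query, which is deliberately not performed here so the code runs offline) are all assumptions made for the example.

```python
from __future__ import annotations

import re
from typing import Callable, Optional

# Constructed sample header blocks (addresses, hosts and the localhost hop are
# made up for this example; the zoneedit hop mirrors the one quoted in the post).
SPAM_HEADERS = """\
Received: from mail4.zoneedit.com (mail4.zoneedit.com [192.0.2.4])
\tby localhost (Postfix) with ESMTP id 1234ABCD
\tfor <user@example.com>; Mon, 24 Jul 2006 10:15:42 -0400 (EDT)
Received: from YOUR-4ECD8HHOVM.druuvln.net (unknown [70.106.176.148])
\tby mail4.zoneedit.com (Postfix) with ESMTP id 027C1A529F
\tfor <user@example.com>; Mon, 24 Jul 2006 10:15:41 -0400 (EDT)
Subject: cheap stuff
"""

HAM_HEADERS = """\
Received: from smtp.example.org (smtp.example.org [192.0.2.10])
\tby mail2.zoneedit.com (Postfix) with ESMTP id 55AA66BB
\tfor <user@example.com>; Mon, 24 Jul 2006 11:00:00 -0400 (EDT)
Subject: hello
"""

# Assumed score to add on a mismatch ("LOTS of points" in the post).
HELO_MISMATCH_SCORE = 5.0

# Postfix "from HELO (rdns [ip]) by host" clause; rdns is "unknown" when the
# PTR lookup failed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# The hop where mail enters the local domain, per the post: mail?.zoneedit.com.
BOUNDARY_BY = re.compile(r"^mail\d\.zoneedit\.com$", re.IGNORECASE)


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, joining folded
    continuation lines (a line starting with SP or TAB belongs to the previous header)."""
    headers: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def boundary_hop(raw: str) -> Optional[dict[str, str]]:
    """Return helo/rdns/ip/by of the Received hop that entered the local domain."""
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m and BOUNDARY_BY.match(m.group("by")):
            return m.groupdict()
    return None


def base_domain(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def helo_mismatch(raw: str,
                  lookup: Optional[Callable[[str], Optional[str]]] = None) -> tuple[float, str]:
    """Score the message if the HELO domain does not match the reverse DNS of the
    connecting IP. `lookup(ip)` may supply a live PTR result; by default the
    name Postfix recorded in the Received header is used."""
    hop = boundary_hop(raw)
    if hop is None:
        return 0.0, "no boundary hop found"
    helo, ip = hop["helo"], hop["ip"]
    rdns = hop["rdns"]
    if lookup is not None:
        rdns = lookup(ip) or "unknown"
    if rdns.lower() == "unknown":
        return HELO_MISMATCH_SCORE, f"no reverse DNS for {ip}, HELO claimed {helo}"
    if base_domain(rdns) != base_domain(helo):
        return HELO_MISMATCH_SCORE, f"HELO {helo} does not match reverse DNS {rdns}"
    return 0.0, f"HELO {helo} matches reverse DNS {rdns}"


if __name__ == "__main__":
    for label, block in (("spam", SPAM_HEADERS), ("ham", HAM_HEADERS)):
        score, reason = helo_mismatch(block)
        print(f"{label}: +{score} ({reason})")
```

Two caveats before wiring something like this into a scoring engine: legitimate mail from large providers and outbound relays frequently uses a HELO name whose domain differs from the PTR of the sending address, so a flat "LOTS of points" on any mismatch will hit ham; scoring a missing PTR and a mismatching PTR separately, and starting with modest weights, is safer. Also, only the hop recorded by your own trusted relay is worth testing, since every earlier Received line was written by the sender and can say anything.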