Re: how to make a custom ruleset

2009-03-06 Thread Kai Schaetzl
Adi Nugroho wrote on Fri, 6 Mar 2009 10:40:26 +0800:

> Is there a howto about this ruleset?

http://wiki.apache.org/spamassassin/WritingRules

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: how to make a custom ruleset

2009-03-06 Thread Adi Nugroho
On Thursday 05 March 2009 23:44:39 Benny Pedersen wrote:
> header SELF_FROM From =~ /\...@my.address/i
> header SELF_TO To =~ /\...@my.address/i
> meta SELF (SELF_FROM && SELF_TO)
> describe SELF Trap mail with forged sender the same as recipient
> score SELF 3.0

Finally I understand the above rule.

First it checks if the sender is my.address,
then it checks if the recipient is my.address,
and finally, if both are true, then it gives the score 3.0.

Thank you.
It is working well, but not global (it just checks for my.address, and not for
everyone).

Please help me again and teach me how to make it a little bit different:

First, it reads the sender and puts it into a variable.
Then, it checks if the recipient is the same as that variable.
If true, then it gives score 3.0.

Thank you again :)



RE: how to make a custom ruleset

2009-03-06 Thread Bowie Bailey
Adi Nugroho wrote:
> On Thursday 05 March 2009 23:44:39 Benny Pedersen wrote:
> > header SELF_FROM From =~ /\...@my.address/i
> > header SELF_TO To =~ /\...@my.address/i
> > meta SELF (SELF_FROM && SELF_TO)
> > describe SELF Trap mail with forged sender the same as recipient
> > score SELF 3.0
>
> Finally I understand the above rule.
>
> First it checks if the sender is my.address,
> then it checks if the recipient is my.address,
> and finally, if both are true, then it gives the score 3.0.

Not quite.  SELF_FROM and SELF_TO default to a score of 1.  So it
actually works like this:

If the sender is my.address, score +1
If the recipient is my.address, score +1
If both are true, score +3
Final score = 5

If you don't want the sub-rules to score, you need to prefix the names
with a double-underscore (this will also prevent them from showing in
the rule summaries).

   header __SELF_FROM From =~ /\...@my.address/i
   header __SELF_TO To =~ /\...@my.address/i
   meta SELF (__SELF_FROM && __SELF_TO)
   describe SELF Trap mail with forged sender the same as recipient
   score SELF 3.0

-- 
Bowie


Re: how to make a custom ruleset

2009-03-06 Thread John Hardin

On Fri, 6 Mar 2009, Adi Nugroho wrote:

> It is working well, but not global (just check for my.address, and not
> for everyone).


Actually, it _is_ global, as it can only match on the domain name. Any 
mail from any user in your domain to any other user in your domain will 
hit this rule.



> Please help me again to teach me, how to make it a little bit different:
>
> First, it read the sender, and put it into a variable
> Then, it check, if the recipient is the same as that variable


Unfortunately this cannot be done in SpamAssassin, and adding the ability 
to do that (have one rule depend on the actual text matched by another 
rule rather than just whether or not that rule matched _something_) is 
difficult and will likely not be done anytime soon.


This particular test - whether from == to - is something that is best done 
by something outside SA.


(1) configure your MTA to reject it at SMTP time

(2) configure your MTA to reject mail claiming to be from your domain when 
it's coming in from outside your network


(3) do something like write a procmail rule to check for that match and 
add a custom header if it is found, then have SA add points if that 
header is present (which, of course, depends on your using procmail to 
glue SA into your mail system)


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 2 days until Daylight Saving Time begins in U.S. - Spring Forward
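
One way to do the check from option (3) outside SpamAssassin, as an added example that is not part of the original thread: a filter the delivery agent pipes each message through before SA runs. The header name `X-From-Eq-To`, the rule name `FROM_EQ_TO` and the sample messages are assumptions made for this example.

```python
"""Tag mail whose From address also appears in To (added example).

SpamAssassin can then score the marker with an ordinary header rule:
    header   FROM_EQ_TO  X-From-Eq-To =~ /^yes$/
    describe FROM_EQ_TO  Sender address is also a recipient
    score    FROM_EQ_TO  3.0
X-From-Eq-To and FROM_EQ_TO are hypothetical names chosen for this example.
"""
import sys
from email import message_from_bytes
from email.utils import getaddresses

MARK = "X-From-Eq-To"  # hypothetical marker header

# Constructed sample messages (example.com / example.net are placeholders).
SPOOFED = (b'From: "Adi" <adi@example.com>\n'
           b"To: Bob <bob@example.net>,\n ADI@Example.COM\n"
           b"Subject: hi\n\nbody\n")
NORMAL = (b"From: carol@example.net\nTo: adi@example.com\n"
          b"X-From-Eq-To: yes\nSubject: hi\n\nbody\n")


def addresses(msg, field):
    """Bare addresses from every occurrence of a header field, lower-cased."""
    values = [str(v) for v in msg.get_all(field, [])]
    return {addr.strip().lower() for _, addr in getaddresses(values) if "@" in addr}


def sender_is_recipient(msg):
    """True when any From address is also listed in any To field."""
    return bool(addresses(msg, "From") & addresses(msg, "To"))


def tag(raw):
    """Return the message bytes with the marker set only on a real match."""
    msg = message_from_bytes(raw)
    del msg[MARK]  # drop any marker that arrived with the message
    if sender_is_recipient(msg):
        msg[MARK] = "yes"
    # Keep an mbox "From " line if the delivery agent supplied one.
    return msg.as_bytes(unixfrom=msg.get_unixfrom() is not None)


if __name__ == "__main__":
    sys.stdout.buffer.write(tag(sys.stdin.buffer.read()))
```

Unlike a single regex over the header block, this compares parsed addresses, so display names, folded lines, letter case and multiple To recipients are all handled.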


Re: how to make a custom ruleset

2009-03-06 Thread Mark Martinec
Adi,

> First, it read the sender, and put it into a variable
> Then, it check, if the recipient is the same as that variable
> if true, then give score 3.0

The trick is to let a regexp see an entire mail header section.
Unfortunately it means we can't reuse already parsed addresses
in From and To header fields, but need to reparse it all in a regexp.

The rules below come close, but are not exact (the TOFROM rule
only checks the first To). Mind the line wraps, there are three
long lines, each starting with 'header':


header SAME_FROMTO1 ALL =~ m{^From: (?: . | \n[\ \t] )* \s*(.+)\s* (?s:.*) 
^To: (?: (?: [^]* | \([^)]*\) | 
[\ \t]+ | \n[\ \t]+ )*? \1 [,(\ \t\n] | (?: . | \n[\ \t])* \s*\1\s*)}mix
header SAME_FROMTO2 ALL =~ m{^From: (?: [^]* | \([^)]*\) | [\ \t]+ | \n[\ 
\t]+ )* ([^,;\s...@[0-9a-z._-]+\.
[a-z]{2,})\b (?s:.*) ^To: (?: (?: [^]* | \([^)]*\) | [\ \t]+ | \n[\ \t]+ )*? 
\1 [,(\ \t\n] | (?: . | \n[\ 
\t])* \s*\1\s*)}mix
header SAME_TOFROM  ALL =~ m{^To: (?: . | \n[\ \t] )* (?:\b|) 
([^,;\s...@[0-9a-z._-]+\.[a-z]{2,}) \b (?!\.) 
(?s:.*) ^From: (?: (?: [^]* | \([^)]*\) | [\ \t]+ | \n[\ \t]+ )*? \1 [,(\ 
\t\n] | (?: . | \n[\ \t])* 
\s*\1\s*)}mix
meta   SAME_FROMTO  SAME_FROMTO1 || SAME_FROMTO2 || SAME_TOFROM
score  SAME_FROMTO1 0.1
score  SAME_FROMTO2 0.1
score  SAME_TOFROM  0.1
score  SAME_FROMTO  1.5


Mark


Re: how to make a custom ruleset

2009-03-06 Thread Theo Van Dinter
Just fyi, this particular topic keeps getting raised here.  It'd be
great if people would search the list archives.  :)

One of the last times around:
http://www.nabble.com/forum/ViewPost.jtp?post=21296293&framed=y

In short, if you want to do this, write a plugin.  REs are great until
you get complicated, like doing multiple headers and comparing
captured text.

SA used to have a rule that looked for from=to, but it didn't do well
and got removed.  Some pointers in the above thread.


On Fri, Mar 6, 2009 at 2:44 PM, Mark Martinec mark.martinec...@ijs.si wrote:
> Adi,
>
> > First, it read the sender, and put it into a variable
> > Then, it check, if the recipient is the same as that variable
> > if true, then give score 3.0
>
> The trick is to let a regexp see an entire mail header section.
> Unfortunately it means we can't reuse already parsed addresses
> in From and To header fields, but need to reparse it all in a regexp.
>
> The rules below come close, but are not exact (the TOFROM rule
> only checks the first To). Mind the line wraps, there are three
> long lines, each starting with 'header':
>
>
> header SAME_FROMTO1 ALL =~ m{^From: (?: . | \n[\ \t] )* \s*(.+)\s* (?s:.*) 
> ^To: (?: (?: [^]* | \([^)]*\) |
> [\ \t]+ | \n[\ \t]+ )*? \1 [,(\ \t\n] | (?: . | \n[\ \t])* \s*\1\s*)}mix
> header SAME_FROMTO2 ALL =~ m{^From: (?: [^]* | \([^)]*\) | [\ \t]+ | \n[\ 
> \t]+ )* ([^,;\s...@[0-9a-z._-]+\.
> [a-z]{2,})\b (?s:.*) ^To: (?: (?: [^]* | \([^)]*\) | [\ \t]+ | \n[\ \t]+ 
> )*? \1 [,(\ \t\n] | (?: . | \n[\
> \t])* \s*\1\s*)}mix
> header SAME_TOFROM  ALL =~ m{^To: (?: . | \n[\ \t] )* (?:\b|) 
> ([^,;\s...@[0-9a-z._-]+\.[a-z]{2,}) \b (?!\.)
> (?s:.*) ^From: (?: (?: [^]* | \([^)]*\) | [\ \t]+ | \n[\ \t]+ )*? \1 [,(\ 
> \t\n] | (?: . | \n[\ \t])*
> \s*\1\s*)}mix
> meta   SAME_FROMTO  SAME_FROMTO1 || SAME_FROMTO2 || SAME_TOFROM
> score  SAME_FROMTO1 0.1
> score  SAME_FROMTO2 0.1
> score  SAME_TOFROM  0.1
> score  SAME_FROMTO  1.5
>
>
> Mark



how to make a custom ruleset

2009-03-05 Thread Adi Nugroho
Dear all,

I found that a lot of spam is using recipient email address as the sender.
(from a...@internux.co.id to a...@internux.co.id, or from i...@apache.org to 
i...@apache.org).

Since if we mail to ourselves, usually we have very low score, I hope it is 
safe to give a BIG score (probably 2 or 3).

Is there a hint how to make this custom rule set?



Re: how to make a custom ruleset

2009-03-05 Thread Martin Gregorie
On Thu, 2009-03-05 at 21:31 +0800, Adi Nugroho wrote:
> I found that a lot of spam is using recipient email address as the sender.
> (from a...@internux.co.id to a...@internux.co.id, or from i...@apache.org to
> i...@apache.org).

The only disadvantage is that you'll label test messages as spam.

> Since if we mail to ourselves, usually we have very low score, I hope it is
> safe to give a BIG score (probably 2 or 3).
>
> Is there a hint how to make this custom rule set?

Use a meta rule:

describe SELF Trap mail with forged sender the same as recipient
header   SELF From =~ /\...@my.address/i
header   SELF To =~ /\...@my.address/i
meta SELF 5.0

This will work for a domain where internal mail is *not* scanned by SA. 


Martin



Re: how to make a custom ruleset

2009-03-05 Thread Daniel J McDonald
On Thu, 2009-03-05 at 21:31 +0800, Adi Nugroho wrote:
> Dear all,
>
> I found that a lot of spam is using recipient email address as the sender.
> (from a...@internux.co.id to a...@internux.co.id, or from i...@apache.org to
> i...@apache.org).
>
> Since if we mail to ourselves, usually we have very low score, I hope it is
> safe to give a BIG score (probably 2 or 3).
>
> Is there a hint how to make this custom rule set?

Here's one way.  I'm sure there will be many holes in this approach.

1. Define and publish SPF policies for your network.
2. Create a rule like this:

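# Sub-rules; the __ prefix keeps them from scoring on their own.
header   __OUR_DOMAIN_FROM      From:addr =~ /\@example\.com$/i
header   __OUR_DOMAIN_ENVELOPE  EnvelopeFrom:addr =~ /\@example\.com$/i

# Hit only when the mail claims our domain and the SPF check fails.
meta     OUR_DOMAIN (__OUR_DOMAIN_FROM || __OUR_DOMAIN_ENVELOPE) && SPF_FAIL
describe OUR_DOMAIN claims to be from our domain but fails SPF
score    OUR_DOMAIN 2.5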

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: how to make a custom ruleset

2009-03-05 Thread Benny Pedersen

On Thu, March 5, 2009 14:31, Adi Nugroho wrote:
> I found that a lot of spam is using recipient email address as the
> sender. (from a...@internux.co.id to a...@internux.co.id, or from
> i...@apache.org to i...@apache.org).

all this happens on domains that have no spf and or testing spf in
mta, when spf is used properly this will soon go away

> Since if we mail to ourselves, usually we have very low score, I hope
> it is safe to give a BIG score (probably 2 or 3).

you know where you send from (ip-wise, smtp auth) there should be no
problem to make a wall on this

> Is there a hint how to make this custom rule set?

enable spf / dkim, testing spf / dkim, problem solved

http://www.openspf.org/
http://www.dkim.org/

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: how to make a custom ruleset

2009-03-05 Thread Adi Nugroho
On Thursday 05 March 2009 22:28:23 Martin Gregorie wrote:
> describe SELF Trap mail with forged sender the same as recipient
> header   SELF From =~ /\...@my.address/i
> header   SELF To =~ /\...@my.address/i
> meta SELF 5.0

Dear Martin,

Thank you for the rule...

I made a file self.cf in /etc/mail/spamassassin:

describe SELF Trap mail with forged sender the same as recipient
header   SELF From =~ /\...@my.address/i
header   SELF To =~ /\...@my.address/i
meta SELF 5.0
score SELF 3.0

But all mail identified as SELF :D

Did I misunderstand something?


Re: how to make a custom ruleset

2009-03-05 Thread Benny Pedersen

On Thu, March 5, 2009 16:27, Adi Nugroho wrote:

> describe SELF Trap mail with forged sender the same as recipient
> header   SELF From =~ /\...@my.address/i
> header   SELF_TO To =~ /\...@my.address/i
> meta SELF 5.0

ups

header SELF_FROM From =~ /\...@my.address/i
header SELF_TO To =~ /\...@my.address/i
meta SELF (SELF_FROM && SELF_TO)
describe SELF Trap mail with forged sender the same as recipient
score SELF 3.0

> But all mail identified as SELF :D

then it works

> Did I misunderstand something?

nope, make sure NO_RELAYS or ALL_TRUSTED have higher scores than SELF

eg:
score NO_RELAYS -3.1
or
score ALL_TRUSTED -3.1

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: how to make a custom ruleset

2009-03-05 Thread John Hardin

On Thu, 5 Mar 2009, Benny Pedersen wrote:


> header SELF_FROM From =~ /\...@my.address/i
> header SELF_TO To =~ /\...@my.address/i


Are you sure you want to give 1 point to each of those cases in addition 
to whatever points the meta adds?


If not, then they should be named __SELF_FROM and __SELF_TO

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 3 days until Daylight Saving Time begins in U.S. - Spring Forward


Re: how to make a custom ruleset

2009-03-05 Thread Benny Pedersen

On Thu, March 5, 2009 17:31, John Hardin wrote:
> > header SELF_FROM From =~ /\...@my.address/i
> > header SELF_TO To =~ /\...@my.address/i

> Are you sure you want to give 1 point to each of those cases in
> addition to whatever points the meta adds?

it was not me that made the rules, just edited them :)

> If not, then they should be named __SELF_FROM and __SELF_TO

sure

when do you stop CC me ?

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: how to make a custom ruleset

2009-03-05 Thread LuKreme

On Mar 5, 2009, at 7:28, Martin Gregorie mar...@gregorie.org wrote:

> On Thu, 2009-03-05 at 21:31 +0800, Adi Nugroho wrote:
>> I found that a lot of spam is using recipient email address as the sender.
>> (from a...@internux.co.id to a...@internux.co.id, or from i...@apache.org to
>> i...@apache.org).
>
> The only disadvantage is that you'll label test messages as spam.

If you allow address delimiters this is trivial to get around, just
have them email their test to user+t...@example.com









Re: how to make a custom ruleset

2009-03-05 Thread Adi Nugroho
On Thursday 05 March 2009 23:44:39 Benny Pedersen wrote:
> ups
>
> header SELF_FROM From =~ /\...@my.address/i
> header SELF_TO To =~ /\...@my.address/i
> meta SELF (SELF_FROM && SELF_TO)
> describe SELF Trap mail with forged sender the same as recipient
> score SELF 3.0

I have tried above syntax but failed.
No mail identified as SELF.

Is there a howto about this ruleset?