Re: Testing the _REMOTEHOSTNAME_ in a rule
On Oct 19, 2013, at 5:28 PM, Karsten Bräckelmann guent...@rudersport.de wrote:

> On Fri, 2013-10-18 at 18:34 -0600, Philip Prindeville wrote:
> > I'm trying to write a rule that gives some spamminess score to messages
> > received from any host that resolves to protection.outlook.com. I tried to
> > use _REMOTEHOSTNAME_ to do this, but I think I got the header syntax wrong.
>
> Template Tags cannot be used in rules. What you're looking for is the
> X-Spam-Relays-External or -Untrusted pseudo-header.
>
>   http://wiki.apache.org/spamassassin/TrustedRelays
>
> Run a sample through spamassassin -D and grep the debug output for the
> X-Spam-Relays headers. You'll likely want to match your rule against the
> rdns or helo values.
>
> To ensure matching against the very last untrusted relay, no closing square
> bracket may appear before the match.
>
>   RULE_NAME X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=evil.example.net /
>
> That rdns value is added to the Received header by your SMTP, and your MX
> actually should be listed as by value in that very [...] block.

Thanks. By the way, in your example, the dots in evil.example.net need to be escaped, don't they?

I ended up going with:

header L_OUTLOOK X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]*\.(ptr|outbound)\.protection\.outlook\.com /
describe L_OUTLOOK Anything coming from outlook.com
score L_OUTLOOK 4.95

and this seems to work.

-Philip
Re: Testing the _REMOTEHOSTNAME_ in a rule
On Mon, 2013-10-21 at 13:19 -0600, Philip Prindeville wrote:

> On Oct 19, 2013, at 5:28 PM, Karsten Bräckelmann guent...@rudersport.de wrote:
> >   RULE_NAME X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=evil.example.net /
> >
> > That rdns value is added to the Received header by your SMTP, and your MX
> > actually should be listed as by value in that very [...] block.
>
> Thanks. By the way, in your example, the dots in evil.example.net need to
> be escaped, don't they?

It's not a must, but definitely best practice, yes.

(Properly escaping the dot if you want to literally match a dot, rather than any char is even more important in the general case. In this very example FPs are almost impossible due to the trailing space, anchoring the TLD and readable domain.)

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
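An added example, not part of the original thread: it runs Philip's final pattern and two deliberately weakened variants over constructed X-Spam-Relays-Untrusted values, to show what the `^[^\]]+` anchor and the escaped dots each contribute. It uses Python's `re` in place of Perl (the syntax is the same for these constructs); the relay block layout, hostnames, IPs and `mx.example.org` are assumptions made up for the illustration.

```python
import re

# Philip's final pattern from the thread, plus two deliberately weakened
# variants for comparison (the variants are constructed for this example).
OUTLOOK = r"rdns=[^ ]*\.(ptr|outbound)\.protection\.outlook\.com "
PATTERNS = {
    # As posted: anchored to the first [...] block, literal dots.
    "anchored_escaped": re.compile(r"^[^\]]+ " + OUTLOOK),
    # Anchor dropped: any relay block in the pseudo-header may match.
    "unanchored": re.compile(r" " + OUTLOOK),
    # Dots left unescaped: each "." matches any character.
    "unescaped_dots": re.compile(
        r"^[^\]]+ rdns=[^ ]*.(ptr|outbound).protection.outlook.com "),
}

def relay(ip, rdns, by):
    """One constructed relay block in the X-Spam-Relays-* layout."""
    return (f"[ ip={ip} rdns={rdns} helo={rdns} by={by} ident= envfrom= "
            "intl=0 id=CONSTRUCTED auth= msa=0 ]")

def matches(pseudo_header):
    """Return the names of the patterns that hit this pseudo-header."""
    return {name for name, rx in PATTERNS.items() if rx.search(pseudo_header)}

MX = "mx.example.org"  # hypothetical receiving MX

SAMPLES = {
    # The host that connected to our MX has an Outlook outbound rDNS.
    "direct": relay("192.0.2.10", "mail-a.outbound.protection.outlook.com", MX),
    # Our MX was contacted by another host; the Outlook name appears only in
    # an earlier hop, which our MX did not record itself.
    "earlier_hop": " ".join([
        relay("198.51.100.7", "relay.example.net", MX),
        relay("203.0.113.5", "mail-b.outbound.protection.outlook.com",
              "relay.example.net"),
    ]),
    # Hyphenated lookalike name: hits only when "." is a wildcard.
    "lookalike": relay("198.51.100.9", "mail.ptr-protection-outlook.com", MX),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, sorted(matches(hdr)))
```

Only the anchored, escaped form limits the hit to the rdns value your own MX recorded for the connecting host.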
Re: Testing the _REMOTEHOSTNAME_ in a rule
On Fri, 2013-10-18 at 18:34 -0600, Philip Prindeville wrote:

> I'm trying to write a rule that gives some spamminess score to messages
> received from any host that resolves to protection.outlook.com. I tried to
> use _REMOTEHOSTNAME_ to do this, but I think I got the header syntax wrong.

Template Tags cannot be used in rules. What you're looking for is the X-Spam-Relays-External or -Untrusted pseudo-header.

  http://wiki.apache.org/spamassassin/TrustedRelays

Run a sample through spamassassin -D and grep the debug output for the X-Spam-Relays headers. You'll likely want to match your rule against the rdns or helo values.

To ensure matching against the very last untrusted relay, no closing square bracket may appear before the match.

  RULE_NAME X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=evil.example.net /

That rdns value is added to the Received header by your SMTP, and your MX actually should be listed as by value in that very [...] block.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Testing the _REMOTEHOSTNAME_ in a rule
I'm trying to write a rule that gives some spamminess score to messages received from any host that resolves to protection.outlook.com.

I tried to use _REMOTEHOSTNAME_ to do this, but I think I got the header syntax wrong.

Can someone set me straight?

Thanks,

-Philip