Hi Anthony --
We do quite a lot more analysis of the Received headers than
just looking up DNSBLs ;) grep Received rules/* for more.
--j.
Anthony McCarthy writes:
>Based on the principle that if an email header says "this email has
>been sent to you by a spammer", then the spammer is telling the truth!
>
>It seems to me that SA only uses Received headers for DNSBL
>interrogation; however, the Received header lines may tell us more
>information than what DNSBL tables tell us.
>
>I use procmail to tag email before using SA, kind of like an MTA.
>If the email Received header contains:
>A) a spammy IP range
>B) from unknown
>C) from 192.168.xxx.xxx
>D) from xxx-xxx-xxx-xxx
>
>then header tags can be added to emails that SA can recognize and score
>accordingly, as follows:
>
>#==========================
>#a .procmailrc insert before calling SA
>#==========================
># common spammer IP sources YMMV
># Dots are escaped so they match only "." (an unescaped "." matches any
># character), and the list is followed by "\." so that a prefix such as
># 69.6 cannot also match 69.60.x.x; \/ starts what lands in $MATCH.
>:0 Hf
>* ^Received.*(\(|\(\[)\/(69\.6|64\.70|69\.56|69\.59|64\.191|172\.60|66\.59|5\.0|66\.63|6\.0|209\.66|64\.124|63\.212|206\.162|209\.40|\
>69\.1|64\.88|207\.182|216\.131|64\.125|207\.218|216\.201|65\.110|69\.36|12\.47|66\.96|66\.230|\
>205\.252|64\.211|209\.133|64\.156|211\.97|69\.42|66\.55|206\.131|66\.129|38\.113|66\.239|61\.173|\
>64\.66|218\.71|207\.229|207\.134|218\.79|216\.149|200\.69|200\.105|66\.28|206\.15|218\.81|207\.111|172\.31|\
>63\.215|218\.107|216\.94|69\.60|218\.80|209\.5|209\.210|206\.165|209\.87|65\.118|205\.183)\.
>| formail -A "X-From-IP-Header: Spammy IP: $MATCH"
>
># Spammers sometimes use this (private 192.168/16 address in the hop)
>:0 Hf
>* ^Received.*from.*unknown.*192\.168
>| formail -A "X-From-IP-Header: IP 192.168"
>
># Spammers sometimes use this (relay could not reverse-resolve the peer)
>:0 Hf
>* ^Received.*from.*unknown
>| formail -A "X-From-IP-Header: IP unknown"
>
># DSLs are not always Spammers
># procmail's regexp engine has no {n,m} repetition, so each octet is
># written out as [0-9][0-9]?[0-9]? instead of [0-9]{1,3}
>:0 Hf
>* ^Received.*[0-9][0-9]?[0-9]?-[0-9][0-9]?[0-9]?-[0-9][0-9]?[0-9]?-[0-9][0-9]?[0-9]?
>| formail -A "X-From-IP-Header: DSL Spammer possibly "
>
>#==========================
># end of a .procmailrc insert before calling SA
>#==========================
>
>
>and the accompanying SA tag lines
>
>#==========================
># SA spammy header tag lines
>#==========================
>
>header SPAMMY_IP X-From-IP-Header =~ /Spammy IP/i
>describe SPAMMY_IP Spammy IP Collection
>score SPAMMY_IP 3.0
>
>header SPAMMY_192 X-From-IP-Header =~ /IP 192.168/i
>describe SPAMMY_192 Spammy IP 192.168
>score SPAMMY_192 3.0
>
>header SPAMMY_DSL X-From-IP-Header =~ /DSL Spammer/i
>describe SPAMMY_DSL Possible Spammy DSL
>score SPAMMY_DSL 2.0
>
>header SPAMMY_UNKNOWN X-From-IP-Header =~ /IP unknown/i
>describe SPAMMY_UNKNOWN Unknown IP
>score SPAMMY_UNKNOWN 1.5
>
>#==========================
># end of SA spammy header tag lines
>#==========================
>
>
>
>As I say above - YMMV
>
>Anthony
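The same four Received-header checks, done with real address parsing instead of string-prefix regexes, as an added Python example that is not from this thread or from SpamAssassin itself: the three-hop message, the MX name mx.example.net and the two watched /16 networks are constructed for the demonstration, and the scores are the ones the post assigns. It also records which hop our own MX wrote, since every older hop is only what the sender claims.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample (not from the post): three Received hops, newest first,
# as stacked when mx.example.net is our own MX; only the top hop was written by it.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [203.0.113.7])
\tby mx.example.net with ESMTP; Mon, 23 Feb 2004 10:00:00 +0000
Received: from unknown (HELO relay) ([192.168.1.20])
\tby mail.example.org; Mon, 23 Feb 2004 09:59:00 +0000
Received: from 198-51-100-23.dsl.example.isp ([198.51.100.23])
\tby 192.168.1.20; Mon, 23 Feb 2004 09:58:00 +0000
"""
# "from <name> ... <ip> ... by <host>"; <ip> is what the procmail \/ captured.
HOP_RE = re.compile(r"from\s+(?P<name>\S+).*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
                    r".*?\bby\s+(?P<by>[^\s;]+)", re.S)
# CIDR blocks instead of "69.6|64.70|..." string prefixes (constructed, two entries).
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("69.6.0.0/16", "64.70.0.0/16")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DSL_NAME_RE = re.compile(r"\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}")   # e.g. 198-51-100-23.dsl...
SCORES = {"watched-net": 3.0, "private-ip": 3.0, "dashed-octet-host": 2.0, "no-reverse-dns": 1.5}

def hop_signals(name, ip):
    """Signals raised by one 'from <name> [<ip>]' hop, one per procmail recipe in the post."""
    addr = ipaddress.ip_address(ip)
    signals = []
    if any(addr in net for net in WATCHED_NETS):
        signals.append("watched-net")
    if any(addr in net for net in RFC1918_NETS):      # covers the post's 192.168 and 172.31
        signals.append("private-ip")
    if name.lower() == "unknown":                     # relay could not reverse-resolve the peer
        signals.append("no-reverse-dns")
    if DSL_NAME_RE.search(name):                      # consumer rDNS with dashed octets
        signals.append("dashed-octet-host")
    return signals

def analyse(raw, our_mx):
    """Parse every Received hop; return (hops, total score); trusted_writer marks hops our MX wrote."""
    hops, score = [], 0.0
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        sig = hop_signals(m["name"], m["ip"])
        hops.append({"ip": m["ip"], "name": m["name"], "signals": sig,
                     "trusted_writer": m["by"].lower() == our_mx.lower()})
        score += sum(SCORES[s] for s in sig)
    return hops, score
```

Run on the sample, only the first hop carries a trusted writer; the 192.168 and "unknown" signals come from a hop the sender's relay wrote, which is why the post's flat 3.0 for a private address is a false-positive risk on mail that legitimately passed an internal relay.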