Here's a starter set of strict-SMTP rules, using data from the Received headers as sucked into the X-Spam-Relays-Untrusted pseudo-header. There are tests for unqualified hostname in HELO, domain literal in HELO (SA tests for addresses, but not literals), lack of reverse DNS, mismatched HELO and RDNS, too many hops, not enough hops, and some more stuff that is common spam-sign. A couple of these tests can hit very often against legitimate mail (in particular, there are *A LOT* of SMTP clients that have mismatched HELO/RDNS--including this mailing list's server...) so they all have a default score of 0.1 for safety. OTOH, some of these rules also hit very frequently against spam.
I need to monitor them for a while, do some tweaks (see the notes), and otherwise bump it along a bit. I guess I should figure out the submission rules for SARE and go that route, but I wanted to post this so there'd be visible feedback for what else I'd like to do with more Received data.
Be careful with deployment and copy me on feedback please.
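As an added illustration (my own Python, not the posted rule set and not SpamAssassin's own code), here is a small parser for the X-Spam-Relays-Untrusted pseudo-header in the layout SpamAssassin 3.x writes (assumed: one "[ key=value ... ]" entry per untrusted Received header, outermost relay first), with the hop-count, HELO-literal, unqualified-HELO, missing-rDNS and HELO/rDNS-mismatch checks from the post applied to a constructed header. Every rule name except L_RCVD_TOO_MANY_HOPS is a placeholder of mine, and the hop thresholds are assumptions.

```python
import re

# Constructed sample pseudo-header (not captured from real mail): two untrusted
# relays, the inner one greeting with an address literal and lacking rDNS.
SAMPLE_RELAYS = (
    "[ ip=192.0.2.10 rdns=mail.example.net helo=mail.example.net "
    "by=mx.example.org ident= envfrom= intl=0 id=abc123 auth= msa=0 ] "
    "[ ip=198.51.100.7 rdns= helo=[198.51.100.7] by=mail.example.net "
    "ident= envfrom= intl=0 id=def456 auth= msa=0 ]"
)

ENTRY_RE = re.compile(r"\[ (.*?) \]")


def parse_relays(header):
    """Return one dict per relay entry, keyed by the pseudo-header field names."""
    relays = []
    for body in ENTRY_RE.findall(header):
        fields = {}
        for token in body.split(" "):
            key, _, value = token.partition("=")  # "ident=" yields value ""
            fields[key] = value
        relays.append(fields)
    return relays


def check_relays(header, max_hops=4, min_hops=1):
    """Evaluate the strict-SMTP style tests; returns the set of rule names hit.

    max_hops/min_hops are assumed thresholds (placeholder rule names except
    L_RCVD_TOO_MANY_HOPS, which the post names)."""
    relays = parse_relays(header)
    hits = set()
    if len(relays) > max_hops:
        hits.add("L_RCVD_TOO_MANY_HOPS")
    if len(relays) < min_hops:
        hits.add("L_RCVD_TOO_FEW_HOPS")
    for relay in relays:
        helo, rdns = relay.get("helo", ""), relay.get("rdns", "")
        if helo.startswith("[") and helo.endswith("]"):
            hits.add("L_RCVD_HELO_LITERAL")      # domain literal in HELO
        elif "." not in helo:
            hits.add("L_RCVD_HELO_UNQUAL")       # unqualified hostname in HELO
        if not rdns:
            hits.add("L_RCVD_NO_RDNS")           # relay IP has no reverse DNS
        elif helo.lower() != rdns.lower():
            hits.add("L_RCVD_HELO_RDNS_MISMATCH")  # noisy on ham; score low
    return hits
```

With a 0.1 score per rule as the post proposes, the sample above would add 0.2 to the message; the mismatch rule is the one to watch when tuning, for the reason the post gives.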
FWIW, the L_RCVD_TOO_MANY_HOPS rule will hit on *a lot* of corporate mail. Off the top of my head I can think of at least two dozen large companies that this would hit. I wouldn't be surprised if it hit more ham than spam.
Daryl
