On 18/02/2018 21:06, Kenneth Porter wrote:

Is there a blacklist for domains in the reply-to header?

I've noticed a lot of spam with no URL and mutating From but the reply-to domain is always aliyun dot com. I want to add a site-wide blacklist for that.
If you are willing to write a little SA plugin and possibly maintain your own dnsbl, you can use something like this:

use strict;
use warnings;
use Email::Address;
use Data::Validate::Domain qw(is_domain);
use Domain::PublicSuffix;

# Eval rule: $msg is the Mail::SpamAssassin::PerMsgStatus object
sub check_email_headers {
  my ($self, $msg) = @_;
  my %headers;
  # ':addr' makes SpamAssassin return only the address part of the header
  if (defined($msg->get( 'Reply-To:addr' ))) {
    $headers{"Reply-To"} = $msg->get( 'Reply-To:addr' );
  }
  my $parser = Domain::PublicSuffix->new();
  foreach my $header ( keys %headers ) {
    my @addresses = Email::Address->parse($headers{$header});
    for my $address (@addresses) {
      if (is_domain($address->host)) {
        # the registrable domain is $parser->get_root_domain($address->host),
        # you can now look it up on your own dnsbl, Spamhaus DBL etc..
        my $domain = $parser->get_root_domain($address->host);
      }
    }
  }
  return 0;
}

I personally also check the domain in the body From, useful for example to catch legit abused accounts that have the Return-Path set to the abused account but the body From set differently.

Also, the "image editing" spam is almost all caught by the MSBL (https://msbl.org/), take a look at that bl and their plugin for more inspiration.

Daniele Duca
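A complete version of the plugin sketch above, as an added example that is not Daniele's code nor a plugin shipped with SpamAssassin: it wraps the Reply-To check in a loadable plugin that scores against a site-local list of registrable domains (the aliyun.com entry comes from Kenneth's report; the package name, rule name, example.invalid entry and file path are assumptions).

```perl
# ReplyToDomain.pm: SpamAssassin plugin that fires when the registrable
# domain of a Reply-To address is on a site-local blocklist.
package Mail::SpamAssassin::Plugin::ReplyToDomain;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Email::Address;
use Data::Validate::Domain qw(is_domain);
use Domain::PublicSuffix;

our @ISA = qw(Mail::SpamAssassin::Plugin);

# Site-local blocklist (constructed example values).
# A DNSBL lookup against your own zone or Spamhaus DBL could replace it.
my %BLOCKED = map { $_ => 1 } qw(aliyun.com example.invalid);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless($self, $class);
  $self->{suffix} = Domain::PublicSuffix->new();
  $self->register_eval_rule("check_reply_to_domain");
  return $self;
}

# Eval rule: returns 1 if any Reply-To address has a blocked root domain.
sub check_reply_to_domain {
  my ($self, $pms) = @_;
  my $hdr = $pms->get('Reply-To:addr');
  return 0 unless defined $hdr && length $hdr;
  for my $addr (Email::Address->parse($hdr)) {
    my $host = lc $addr->host;
    next unless is_domain($host);
    # fall back to the full host if the public suffix lookup fails
    my $root = $self->{suffix}->get_root_domain($host) // $host;
    return 1 if $BLOCKED{$root};
  }
  return 0;
}

1;

# Matching local.cf lines (plugin path is an assumption):
#   loadplugin Mail::SpamAssassin::Plugin::ReplyToDomain /etc/mail/spamassassin/ReplyToDomain.pm
#   header   REPLYTO_BLOCKED_DOMAIN  eval:check_reply_to_domain()
#   describe REPLYTO_BLOCKED_DOMAIN  Reply-To domain is on the site blocklist
#   score    REPLYTO_BLOCKED_DOMAIN  3.0
```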
