Rafal Jankowski wrote:

>I have written a rule like that:
>
>header DOMAIN_PL                        Received =~ /\.pl/
>describe DOMAIN_PL                      Received From Poland
>lang pl describe DOMAIN_PL              E-mail z Polski
>score DOMAIN_PL                         -2.5
>
>but it checks each Received header, and I am only interested in the
>last one because the previous could be forged.
>
So make a requirement that the received line also contains a "by" for
your server name.

It looks something like this:

header DOMAIN_PL    Received =~ /from .{1,50}\.pl.{1,100} by servername\.doraco\.com\.pl/
Yes, it's still forgable, but harder to forge.  You can also refine the
regex to look for other specifics of your server to make it harder to
spoof. Look for the name and version of your MTA, etc.

> And I still don't know
>how to write a rule matching the lack of revDNS.
>
You'd have to post examples of headers that mailserver generates for
this, but generally you want to look for a from clause immediately
followed by an IP, without a host name in between.

Something like this regex:

/from \(\[\d.{1,100} by fire\.doraco\.com\.pl/
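As an added illustration of the point made in this reply (not code from the thread's author or from SpamAssassin), the following Python applies both checks only to the first Received: line that claims to have been added "by" our own server, so the forged lines further down are never consulted. The hostname servername.doraco.com.pl is taken from the reply above; the sample headers are constructed.

```python
import re

OUR_SERVER = r"servername\.doraco\.com\.pl"  # hostname used in the thread

# Constructed sample headers (not from the original thread). The top-most
# Received: line is the one our own MTA added; lines below it could be forged.
SAMPLE_PL = (
    "Received: from mail.example.pl (mail.example.pl [192.0.2.10])\n"
    "\tby servername.doraco.com.pl (Postfix) with ESMTP id AAA111;\n"
    "\tMon, 1 Jan 2007 10:00:00 +0100\n"
    "Received: from forged.example.pl by mail.example.pl id BBB222\n"
    "Subject: test\n"
)
SAMPLE_NO_RDNS = (
    "Received: from ([192.0.2.55]) by servername.doraco.com.pl\n"
    "\twith SMTP id CCC333; Mon, 1 Jan 2007 11:00:00 +0100\n"
    "Subject: test\n"
)
SAMPLE_FORGED_ONLY = (
    "Received: from relay.example.net (relay.example.net [198.51.100.3])\n"
    "\tby servername.doraco.com.pl (Postfix) with ESMTP id DDD444\n"
    "Received: from spoof.example.pl by relay.example.net id EEE555\n"
    "Subject: test\n"
)

def received_lines(raw_headers):
    """Unfolded Received: values, most recent (top-most) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return re.findall(r"^Received:[ \t]*(.*)$", unfolded, re.M)

def trusted_from_clause(raw_headers):
    """The 'from ...' part of the first Received: line added 'by' our server."""
    for line in received_lines(raw_headers):
        m = re.match(r"from (.*?) by " + OUR_SERVER + r"\b", line)
        if m:
            return m.group(1)
    return None

def evaluate(raw_headers):
    """The two checks from the thread, applied to the trusted hop only."""
    clause = trusted_from_clause(raw_headers)
    if clause is None:
        return {"DOMAIN_PL": False, "NO_RDNS": False}
    return {
        # sending host name, as recorded by our own MTA, is under .pl
        "DOMAIN_PL": re.search(r"\.pl\b", clause) is not None,
        # 'from' immediately followed by a bracketed IP: no reverse-DNS name
        "NO_RDNS": re.match(r"\(?\[\d{1,3}(?:\.\d{1,3}){3}\]", clause) is not None,
    }
```

The third sample shows the .pl name in a lower, attacker-supplied Received: line being ignored because it was not recorded by our server.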
