Hi Jimmy

Again - thank you - works like a charm.

I extended your script to check some more headers, in case it is useful
for anybody else.

It successfully scores the two new domains which showed up in the same
kind of emails since Friday.

gz-qkmxjt.com
engineering-degree-hub.site

--- shnipp ---
package Mail::SpamAssassin::Plugin::CheckSenderMX;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Net::DNS;

our @ISA = qw(Mail::SpamAssassin::Plugin);

# Constructor: builds the plugin through the parent class and registers
# check_sender_mx_matches as an eval rule.
#
#   $proto - class name, or an existing instance whose class is reused
#   $main  - object handed through unchanged to the parent constructor
sub new {
    my ($proto, $main) = @_;

    # Accept both Class->new(...) and $instance->new(...).
    my $class = ref($proto) || $proto;

    # Re-bless the parent-built object into this plugin's class.
    my $plugin = bless $class->SUPER::new($main), $class;

    $plugin->register_eval_rule('check_sender_mx_matches');

    return $plugin;
}

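# Eval rule: checks the sender domains of a message against an MX pattern.
#
# The Reply-To, From and envelope-sender addresses are examined in that
# order.  For each one the domain part is extracted and handed to
# lkup_mx(); the first non-zero result is returned.
#
#   $self       - plugin instance (not used here)
#   $pms        - per-message object; only its get() method is called
#   $mx_pattern - regex source passed through to lkup_mx()
#
# Returns the lkup_mx() result for the first matching domain, otherwise 0.
sub check_sender_mx_matches {
    my ($self, $pms, $mx_pattern) = @_;

    # All three headers are sender-controlled, so each domain is treated as
    # untrusted input.  Identical domains are looked up only once.
    my %seen;

    for my $header ('Reply-To:addr', 'From:addr', 'EnvelopeFrom:addr') {
        my $addr = $pms->get($header);
        next unless $addr;

        # Domain = everything after the last '@'.  Whitespace and further
        # '@' characters are rejected so that only a single plausible
        # domain name ever reaches the DNS query.
        my ($domain) = $addr =~ /\@([^\@\s]+)\s*\z/;
        next unless $domain;

        # DNS names are case-insensitive; normalise before de-duplicating.
        $domain = lc $domain;
        next if $seen{$domain}++;

        my $result = lkup_mx($domain, $mx_pattern);
        return $result if $result;
    }

    return 0;
}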

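# Return 1 if any MX host of $domain matches $mx_pattern, otherwise 0.
#
#   $domain     - domain name to query (comes from sender headers, so it
#                 is untrusted input)
#   $mx_pattern - regex source, matched case-insensitively against each
#                 MX exchange name
#
# Returns 0 when either argument is empty or when no MX records come back.
# An invalid regex in $mx_pattern raises an exception.
sub lkup_mx {
    my ($domain, $mx_pattern) = @_;

    return 0 unless defined $domain && length $domain;

    # An empty pattern must never reach the match operator: Perl treats a
    # pattern that interpolates to the empty string as "reuse the last
    # successfully matched regex", so a rule written without an argument
    # would be evaluated against an unrelated pattern.
    return 0 unless defined $mx_pattern && length $mx_pattern;

    # Compile once rather than re-interpolating for every MX record.
    my $mx_re = qr/$mx_pattern/i;

    # NOTE(review): this is a synchronous lookup using the resolver's
    # default timeouts, and the queried domain is chosen by the sender.
    # Slow or unresponsive nameservers for that domain will stall the scan;
    # consider setting bounded timeouts on the resolver.
    my $resolver = Net::DNS::Resolver->new;
    my @mx       = mx($resolver, $domain);

    return 0 unless @mx;

    foreach my $rr (@mx) {
        return 1 if lc($rr->exchange) =~ $mx_re;
    }

    return 0;
}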

1;
