It looks to me like your rule says if it's got a "([<ip address>", it's got no PTR and if it's got a "{<something>[<ip address>" it has one. That could be useful, except my mailer doesn't do such things.
Bad Header:
Received: from rnaiewno.com [66.0.118.65] by visioncomm.net (SMTPD32-8.15) id A940495001E; Thu, 05 May 2005 11:18:24 -0400

Good Header:
Received: from dazed.lightbridge.com [206.35.13.66] by visioncomm.net with ESMTP (SMTPD32-8.15) id AD4A8D30072; Thu, 05 May 2005 11:35:38 -0400

I guess rnaiewno.com is the HELO or some such, because it sure isn't a name from 66.0! I guess I'm just screwed. We went from 2k emails a day (1900 spam) to 4K with the latest worm, and SA doesn't appear to be able to help at all. Sigh.

Dan

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 05, 2005 11:28 AM
To: Dan Barker
Cc: users@spamassassin.apache.org
Subject: Re: PTR Rules

Dan Barker wrote:
>I can't find any doc on PTR rules. Specifically, I'd like to make my
>SpamAssassin 3.0.1 score if there is no PTR record for the first "foreign"
>IP in the "Received by" chain.
>
>This can't be difficult, but I've scanned the doc to the best of my ability
>(my best may not be particularly good<g>) and come up empty.
>

There's no "easy" way to do this if you want SA to perform the PTR lookup. You'd have to do that as a plugin, which involves writing some perl code that makes use of Net::DNS.

However, if your mailserver normally does the lookup you can write a regex to look for a Received: header from your MX that has no hostname.

Take this Received: header for example (sendmail generated):

Received: from eyou.com ([218.6.19.122]) by xanadu.evi-inc.com ....

Compared to:

Received: from fsmail432.com (H1b65.h.pppool.de [85.72.27.101]) by xanadu.evi-inc.com ...

A rule like this would work for my mailserver:

header L_NO_RDNS_RCVD Received =~ /from [\w.]{0,20} \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\) .{0,50} by xanadu\.evi/
score L_NO_RDNS_RCVD 0.1

For what it's worth, I've seen a lot of legitimate servers lacking RDNS entries, so I'd keep the score on this under 2.5. (That said, one measure I do already take is I greylist all servers with no RDNS.. Selective greylisting works pretty well.)
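The thread's point is that a "no reverse DNS" header rule only works when the MTA that wrote the Received: line records the PTR lookup in a distinguishable form: sendmail writes "from <helo> ([<ip>])" when there is no PTR and "from <helo> (<ptr-name> [<ip>])" when there is one, whereas the SMTPD32 headers Dan quotes carry only "from <helo> [<ip>]" either way. The script below is an added example written for this page, not code from the thread or from SpamAssassin, that ports Matt's L_NO_RDNS_RCVD pattern into Python's re module and classifies Received: headers into "no_rdns", "rdns", "indeterminate" (SMTPD32 form, PTR status unknowable) or None (hop not recorded by our MX). It generalises the original pattern in three small ways, each noted in a comment: the MX name is a parameter instead of a hard-coded "xanadu\.evi", the HELO name may contain hyphens and is not capped at 20 characters, and the text between "])" and " by" is optional (the original requires at least one character there). The MX name "mx.example.net" and everything after "by" in the sendmail-style sample headers are constructed for the example; the hostnames and addresses are the ones quoted in the thread.

```python
import re
from typing import Dict, List, Optional, Pattern

# Dotted-quad IPv4 literal, the same shape Matt's rule used four times.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold(header: str) -> str:
    """Join RFC 2822 folded continuation lines with a single space,
    the way SpamAssassin sees a Received: header before rule matching."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def _patterns(mx_name: str) -> Dict[str, Pattern]:
    """Build the three header shapes for hops recorded by mx_name.

    Generalisations over the thread's rule (assumptions of this example):
    - mx_name is escaped and substituted instead of the literal xanadu\\.evi
    - the HELO name allows '-' and has no 20-character cap
    - the '(?: .{0,50})?' group makes text between '])' and ' by' optional
    """
    mx = re.escape(mx_name)
    return {
        # sendmail, PTR lookup failed: "from <helo> ([<ip>])"
        "no_rdns": re.compile(
            rf"from [\w.-]* \(\[(?P<ip>{IPV4})\]\)(?: .{{0,50}})? by {mx}"),
        # sendmail, PTR lookup succeeded: "from <helo> (<ptr> [<ip>])"
        "rdns": re.compile(
            rf"from [\w.-]* \((?P<ptr>[\w.-]+) \[(?P<ip>{IPV4})\]\)"
            rf"(?: .{{0,50}})? by {mx}"),
        # SMTPD32 form from the thread: "from <helo> [<ip>]"; the name is the
        # HELO, so the header says nothing about whether a PTR exists.
        "indeterminate": re.compile(
            rf"from (?P<helo>[\w.-]+) \[(?P<ip>{IPV4})\] by {mx}"),
    }


def classify_received(header: str, mx_name: str) -> Optional[str]:
    """Return 'no_rdns', 'rdns', 'indeterminate', or None when the hop
    was not recorded by mx_name (an upstream or internal relay)."""
    text = unfold(header)
    for kind, pat in _patterns(mx_name).items():
        if pat.search(text):
            return kind
    return None


def rule_hits(headers: List[str], mx_name: str) -> List[int]:
    """Indices of headers an L_NO_RDNS_RCVD-style rule would fire on."""
    return [i for i, h in enumerate(headers)
            if classify_received(h, mx_name) == "no_rdns"]


def score(headers: List[str], mx_name: str, per_hit: float = 0.1) -> float:
    """Total contribution of the rule, using the thread's 0.1 per hit."""
    return round(per_hit * len(rule_hits(headers, mx_name)), 3)


# Constructed samples modelled on the sendmail headers quoted by Matt; the MX
# name and everything after "by" are invented for this example.
SENDMAIL_HEADERS = [
    "Received: from eyou.com ([218.6.19.122]) by mx.example.net "
    "(8.13.1/8.13.1) with SMTP id j45FQ0aa012345; Thu, 5 May 2005 11:26:00 -0400",
    "Received: from fsmail432.com (H1b65.h.pppool.de [85.72.27.101]) "
    "by mx.example.net (8.13.1/8.13.1) with ESMTP id j45FQ0ab012346; "
    "Thu, 5 May 2005 11:27:00 -0400",
    # internal hop written by a different host: the rule must ignore it
    "Received: from mx.example.net (localhost [127.0.0.1]) by mail.example.net "
    "with ESMTP id 0123; Thu, 5 May 2005 11:27:05 -0400",
]

# Dan's two SMTPD32 headers exactly as quoted in the thread.
SMTPD32_HEADERS = [
    "Received: from rnaiewno.com [66.0.118.65] by visioncomm.net (SMTPD32-8.15) "
    "id A940495001E; Thu, 05 May 2005 11:18:24 -0400",
    "Received: from dazed.lightbridge.com [206.35.13.66] by visioncomm.net "
    "with ESMTP (SMTPD32-8.15) id AD4A8D30072; Thu, 05 May 2005 11:35:38 -0400",
]

if __name__ == "__main__":
    for h in SENDMAIL_HEADERS:
        print(classify_received(h, "mx.example.net"), "<-", h[:60])
    for h in SMTPD32_HEADERS:
        print(classify_received(h, "visioncomm.net"), "<-", h[:60])
    print("sendmail score:", score(SENDMAIL_HEADERS, "mx.example.net"))
    print("SMTPD32 score:", score(SMTPD32_HEADERS, "visioncomm.net"))
```

Run against the sendmail samples the rule fires exactly once, on the eyou.com hop, and skips both the hop with a PTR name and the internal relay that was not recorded by the MX; run against Dan's SMTPD32 headers every hop comes back "indeterminate" and the score stays at zero, which is the thread's conclusion in code: with that header format the PTR lookup has to happen at scan time (a Net::DNS plugin) or at the MTA, not in a header regex.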