On Mon, May 18, 2009 at 01:19:20PM -0400, Adam Katz wrote:
> > On Fri, May 15, 2009 at 06:59:17PM -0400, Adam Katz wrote:
> >> score ANY_BOUNCE_MESSAGE 0.1 0.1 0.3 0.3 # def: 0.1
> >> score BOUNCE_MESSAGE 0.4 0.5 0.9 1.0 # def: 0.1
> >> score VBOUNCE_MESSAGE 0.4 0.5 0.9 1.0 # def: 0.1
> >>
> >> header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
> >> # https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6008
> >> header __BUGZILLA_DAEMON From =~ /bugzilla/i
> >> meta KHOP_BACKSCATTER !ALL_TRUSTED && !DKIM_VERIFIED && !__VACATION && !__BUGZILLA_DAEMON && (BOUNCE_MESSAGE||VBOUNCE_MESSAGE)
> >> describe KHOP_BACKSCATTER Misdirected bounce to a forged sender address
> >> score KHOP_BACKSCATTER 6.9
>
> Henrik K wrote:
> > It pretty much kills all legit null senders too (my amavis db is full of
> > examples), which is what BOUNCE_MESSAGE naively assumes to be bounces. Just
> > something to remember.
>
> I've correctly constructed internal_networks, trusted_networks, and
> whitelist_bounce_relays. The ALL_TRUSTED rule should catch anything
> that vBounce failed to parse from whitelist_bounce_relays.
>
> Unless I'm mistaken, only mail to postmaster/mailer-daemon (if even
> that) should use a null sender address from an *external* source.

I'm not sure what you are implying. BOUNCE_MESSAGE only requires Return-Path: <>, which many non-bounce things use (newsletters, order confirmations, etc.). So your rule catches all of them. It's been like this forever, but I guess people are happy enough with it not to fix things up. Amavisd-new bounce killer is more robust if you want to _kill_ (and not just tag) backscatter without fear of FPs.
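
The distinction drawn in the reply above, as an added example (not code from the thread, SpamAssassin or amavisd-new): a message with Return-Path: <> is counted as a bounce only if it also has the RFC 3464 delivery-status structure. The sample messages and function names are constructed for illustration.

```python
from email import message_from_string

# Constructed samples: both arrive with a null envelope sender.
NEWSLETTER = """\
Return-Path: <>
From: news@shop.example
Subject: Your order confirmation
Content-Type: text/plain

Thanks for your order.
"""
DSN = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.com failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.com
Action: failed
Status: 5.1.1
--b1--
"""

def is_dsn(msg):
    """RFC 3464 shape: multipart/report, report-type=delivery-status, status part."""
    if msg.get_content_type() != "multipart/report":
        return False
    if str(msg.get_param("report-type", "")).lower() != "delivery-status":
        return False
    return any(p.get_content_type() == "message/delivery-status" for p in msg.walk())

def classify(raw):
    """Return 'normal', 'dsn', or 'null-sender-non-bounce' for one raw message."""
    msg = message_from_string(raw)
    if (msg.get("Return-Path") or "").strip() != "<>":
        return "normal"
    # Bounces that do not follow RFC 3464 also land in the last bucket.
    return "dsn" if is_dsn(msg) else "null-sender-non-bounce"

if __name__ == "__main__":
    for name, raw in (("newsletter", NEWSLETTER), ("dsn", DSN)):
        print(name, "->", classify(raw))
```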