On 4/14/10 2:23 PM, Kris Deugau wrote:
> Michael Scheidell wrote:
>> On 4/14/10 12:21 PM, Kris Deugau wrote:
>>> Is there a consistent way to match whatever headers might be
>>> available in a returned message?
>>
>> Use the vbounce rules. Google for SA and vbounce. It's already done
>> if you are using a newer version of SA.
>> You need to specifically whitelist the outbound mail servers, and it
>> can catch OOO and vacation messages (anything machine generated).
>
> *nod* And after a quick check, I've apparently had those rules active
> for quite a while. (In fact, one of the subrules for my metas is
> BOUNCE_MESSAGE.)
>
> But they don't differentiate based on whatever original-message
> content may be available - and as a medium-sized ISP we're not in a
> position to arbitrarily block all NDRs. There are too many ways
> legitimate NDRs may come into our mail system in response to
> legitimate customer mail.
>
> I'm looking for a way to match on that original-message content -
> after all, that's the real spam payload; the rest of the message is
> perfectly legitimate.

Yes, but they are disabled unless you have specific whitelists. The
'original-message content' you are looking for.

vbounce rules are disabled, even if you enable them, unless you also have
this in *.cf:

whitelist_bounce_relays {your outbound mail servers}
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
______________________________________________________________________
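
The idea behind whitelist_bounce_relays, shown as an added Python example that is not part of the thread and not SpamAssassin's own code: pull the returned message's headers out of a bounce and test whether its Received lines name one of your outbound relays. The relay hostnames and the sample DSN are constructed assumptions.

```python
import email
import re

# Hypothetical outbound relay names, standing in for whitelist_bounce_relays entries.
OUTBOUND_RELAYS = {"mail-out1.example.net", "mail-out2.example.net"}

def original_headers(bounce):
    """Return the returned message's headers from a bounce, or None if absent."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original message attached
            inner = part.get_payload()
            return inner[0] if isinstance(inner, list) and inner else None
        if ctype == "text/rfc822-headers":     # headers-only return
            raw = part.get_payload(decode=True) or b""
            return email.message_from_bytes(raw)
    return None

def classify_bounce(raw_text, relays=OUTBOUND_RELAYS):
    """'ours' if the returned message passed through one of our relays."""
    orig = original_headers(email.message_from_string(raw_text))
    if orig is None:
        return "no-original-headers"
    received = " ".join(str(h) for h in orig.get_all("Received", [])).lower()
    # Compare whole hostname tokens, not substrings.
    hosts = {t.strip(".-") for t in re.findall(r"[a-z0-9.-]+", received)}
    return "ours" if hosts & {r.lower() for r in relays} else "not-ours"

def sample_dsn(received_line):
    """Constructed sample DSN (not real traffic) with a headers-only return."""
    return (
        "From: MAILER-DAEMON@remote.example\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; remote.example\n\n"
        "Final-Recipient: rfc822; nobody@remote.example\nAction: failed\nStatus: 5.1.1\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        + received_line + "\nFrom: user@example.net\nSubject: hello\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    ours = "Received: from client.example.net by mail-out1.example.net (Postfix); Wed, 14 Apr 2010 12:00:00 -0400"
    forged = "Received: from unknown by relay.spammer.example; Wed, 14 Apr 2010 12:00:00 -0400"
    print(classify_bounce(sample_dsn(ours)), classify_bounce(sample_dsn(forged)))
```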