On Oct 19, 2013, at 5:28 PM, Karsten Bräckelmann <guent...@rudersport.de> wrote:
> On Fri, 2013-10-18 at 18:34 -0600, Philip Prindeville wrote: >> I'm trying to write a rule that gives some spamminess score to messages >> received from any host that resolves to protection.outlook.com. >> >> I tried to use _REMOTEHOSTNAME_ to do this, but I think I got the >> header syntax wrong. > > Template Tags cannot be used in rules. What you're looking for is the > X-Spam-Relays-External or -Untrusted pseudo-header. > > http://wiki.apache.org/spamassassin/TrustedRelays > > Run a sample through spamassassin -D and grep the debug output for the > X-Spam-Relays headers. You'll likely want to match your rule against the > rdns or helo values. > > To ensure matching against the very last untrusted relay, no closing > square bracket may appear before the match. > > RULE_NAME X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=evil.example.net / > > That rdns value is added to the Received header by your SMTP, and your > MX actually should be listed as by value in that very [...] block. > > Thanks. By the way, in your example, the dots in evil.example.net need to be escaped, don't they? I ended up going with: header L_OUTLOOK X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]*\.(ptr|outbound)\.protection\.outlook\.com / describe L_OUTLOOK Anything coming from outlook.com score L_OUTLOOK 4.95 and this seems to work. -Philip