Re: Create a rule to block MAX recipients

2011-04-06 Thread Eduardo Casarero
2011/4/6 David Touzeau da...@touzeau.eu

 Dear All

 I would like to create a rule in order to block messages that contain
 more than X recipients in SpamAssassin from these fields

 To:
 CC:
 Bcc:

 This without any MTA help

 How can I do this?

 Best regards

In 2009 I wrote this email to the MailScanner list answering something like
your issue; maybe it is a good approach, or maybe not. I didn't test this rule
on production servers.

---

Some time ago I wrote this rule for SpamAssassin. I didn't test it a lot, so
test it with caution. It was for someone with the same problem as you.

The logic of the rule is that if the email has more than 10 recipients, at
least 1 rule will hit; with the combinations it is probable that more than one
hits. You can also create a new meta rule with an OR to get only 1 hit.

# Sub-rules: hit when the To header contains at least N "@" characters
header  __TEST_TO_1   To =~ /(.*?(@).*?){1,}/i
header  __TEST_TO_2   To =~ /(.*?(@).*?){2,}/i
header  __TEST_TO_3   To =~ /(.*?(@).*?){3,}/i
header  __TEST_TO_4   To =~ /(.*?(@).*?){4,}/i
header  __TEST_TO_5   To =~ /(.*?(@).*?){5,}/i
header  __TEST_TO_6   To =~ /(.*?(@).*?){6,}/i
header  __TEST_TO_7   To =~ /(.*?(@).*?){7,}/i
header  __TEST_TO_8   To =~ /(.*?(@).*?){8,}/i
header  __TEST_TO_9   To =~ /(.*?(@).*?){9,}/i
header  __TEST_TO_10  To =~ /(.*?(@).*?){10,}/i

# Same sub-rules for the Cc header
header  __TEST_CC_1   Cc =~ /(.*?(@).*?){1,}/i
header  __TEST_CC_2   Cc =~ /(.*?(@).*?){2,}/i
header  __TEST_CC_3   Cc =~ /(.*?(@).*?){3,}/i
header  __TEST_CC_4   Cc =~ /(.*?(@).*?){4,}/i
header  __TEST_CC_5   Cc =~ /(.*?(@).*?){5,}/i
header  __TEST_CC_6   Cc =~ /(.*?(@).*?){6,}/i
header  __TEST_CC_7   Cc =~ /(.*?(@).*?){7,}/i
header  __TEST_CC_8   Cc =~ /(.*?(@).*?){8,}/i
header  __TEST_CC_9   Cc =~ /(.*?(@).*?){9,}/i
header  __TEST_CC_10  Cc =~ /(.*?(@).*?){10,}/i

#just for testing purposes
#meta   TEST_TO_1_CC_1   (__TEST_TO_1 && __TEST_CC_1)
#

# Every To/Cc split that adds up to 10 recipients
meta    TEST_TO_1_CC_9   (__TEST_TO_1 && __TEST_CC_9)
meta    TEST_TO_2_CC_8   (__TEST_TO_2 && __TEST_CC_8)
meta    TEST_TO_3_CC_7   (__TEST_TO_3 && __TEST_CC_7)
meta    TEST_TO_4_CC_6   (__TEST_TO_4 && __TEST_CC_6)
meta    TEST_TO_5_CC_5   (__TEST_TO_5 && __TEST_CC_5)
meta    TEST_TO_6_CC_4   (__TEST_TO_6 && __TEST_CC_4)
meta    TEST_TO_7_CC_3   (__TEST_TO_7 && __TEST_CC_3)
meta    TEST_TO_8_CC_2   (__TEST_TO_8 && __TEST_CC_2)
meta    TEST_TO_9_CC_1   (__TEST_TO_9 && __TEST_CC_1)
meta    TEST_TO_10_CC_0  (__TEST_TO_10)
meta    TEST_TO_0_CC_10  (__TEST_CC_10)

# Score for the testing-only meta above; enable both together
#score  TEST_TO_1_CC_1   0.01
score   TEST_TO_1_CC_9   0.01
score   TEST_TO_2_CC_8   0.01
score   TEST_TO_3_CC_7   0.01
score   TEST_TO_4_CC_6   0.01
score   TEST_TO_5_CC_5   0.01
score   TEST_TO_6_CC_4   0.01
score   TEST_TO_7_CC_3   0.01
score   TEST_TO_8_CC_2   0.01
score   TEST_TO_9_CC_1   0.01
score   TEST_TO_10_CC_0  0.01
score   TEST_TO_0_CC_10  0.01

hope it helps!


Re: Create a rule to block MAX recipients

2011-04-06 Thread Eduardo Casarero
2011/4/6 John Hardin jhar...@impsec.org

 On Wed, 6 Apr 2011, David Touzeau wrote:

  I would like to create a rule in order to block messages that contain
 more than X recipients in SpamAssassin from these fields

 To:
 CC:
 Bcc:

 This without any MTA help

 How can I do this?


 Dang, I thought these were already in my sandbox:


 describe TO_TOO_MANY To: too many recipients
 header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/

 describe TO_WAY_TOO_MANY To: too many recipients
 header   TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,80}){50}/

 describe CC_TOO_MANY Cc: too many recipients
 header   CC_TOO_MANY Cc =~ /(?:,[^,]{1,80}){30}/


 Can you post an example of a populated BCC: header?


BCC is useless because the sender MTA generates the copies; in the inbound
MTA you will see 1 Bcc at least.



 --
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), the irish (1920s),
  jews (1930s), blacks (1960s), the poor (always)
 ---
  7 days until Thomas Jefferson's 268th Birthday
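
Added example, not part of the thread and written in Python rather than SpamAssassin rule syntax: it runs constructed To/Cc values through the two counting approaches posted above ("@" counting as in the `__TEST_TO_n` rules, and the comma pattern from `TO_TOO_MANY`) and compares them with an RFC 5322 aware parser. The helper names and the example.com addresses are assumptions made for the illustration.

```python
import re
from email.utils import getaddresses

# TO_TOO_MANY pattern as posted in the thread: 30 commas, so 31 or more entries.
COMMA_RULE = re.compile(r"(?:,[^,]{1,80}){30}")

def parsed_recipients(*header_values):
    """Distinct addresses found by an RFC 5322 aware parser (lower-cased)."""
    pairs = getaddresses([v for v in header_values if v])
    return {addr.lower() for _name, addr in pairs if "@" in addr}

def estimates(value):
    """Recipient count of one header value as each approach sees it."""
    return {
        "at_signs": value.count("@"),      # __TEST_TO_n hits when this is >= n
        "comma_rule_hit": bool(COMMA_RULE.search(value)),
        "parsed": len(parsed_recipients(value)),
    }

def too_many(to, cc, limit):
    """True when To and Cc together carry `limit` or more distinct recipients.
    Same outcome as OR-ing every To/Cc split whose counts add up to `limit`."""
    return len(parsed_recipients(to, cc)) >= limit

# Constructed sample header values (not real traffic).
PLAIN_31 = ", ".join(f"user{i}@example.com" for i in range(31))
NAMED_16 = ", ".join(f'"Doe, User{i}" <user{i}@example.com>' for i in range(16))
AT_IN_NAME = '"sales@corp" <alice@example.com>'

if __name__ == "__main__":
    samples = [("31 plain", PLAIN_31), ("16 'Last, First'", NAMED_16),
               ("@ in display name", AT_IN_NAME)]
    for label, value in samples:
        print(f"{label:20} {estimates(value)}")
    print("To+Cc over 10:", too_many(AT_IN_NAME, NAMED_16, 10))
```

The comma pattern fires on 16 recipients written as "Last, First", and "@" counting sees two recipients where a display name contains an address, so both are worth testing against real mail before scoring them high.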



Re: New plugin: DecodeShortURLs

2010-09-17 Thread Eduardo Casarero
2010/9/17 Steve Freegard st...@stevefreegard.com

 Hi All,

 Recently I've been getting a bit of filter-bleed from a bunch of spams
 injected via Hotmail/Yahoo that contain shortened URLs e.g. bit.ly/foo that
 upon closer inspection would have been rejected with a high score if
 the real URL had been used.

 To that end - it annoyed me enough to write a plug-in that decodes the
 shortened URL using an HTTP HEAD request to extract the location header sent
 by the shortening service and to put this into the list of extracted URIs
 for other plug-ins to find (such as URIDNSBL).

 On the messages I tested it with - it raised the scores from 5 to 10
 based on URIDNSBL hits which is just what I wanted.

 Hopefully it will be useful to others; you can grab it from:

 http://www.fsl.com/support/DecodeShortURLs.pm
 http://www.fsl.com/support/DecodeShortURLs.cf

 Kind regards,
 Steve.

Thanks Steve! I will test it later!
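
The lookup described in the announcement above, as an added example that is not part of the thread and is not the DecodeShortURLs plugin's code (Python here, not the plugin's own language): one HEAD request, read the Location header, never follow it. The `SHORTENERS` set, the `connect_to` parameter, the local `FakeShortener` stand-in and the `spam-landing.example` target are assumptions constructed so the block runs offline.

```python
import http.client
import http.server
import socketserver
import threading
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly"}                      # assumption: hosts treated as shorteners
REDIRECTS = (301, 302, 303, 307, 308)

def expand_short_url(url, connect_to=None, timeout=5):
    """Return the Location a shortener answers with, or None.
    One HEAD request: no body is fetched and the redirect is never followed."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.hostname not in SHORTENERS:
        return None                          # only query known shorteners
    host, port = connect_to or (parts.hostname, parts.port or 80)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return resp.getheader("Location") if resp.status in REDIRECTS else None
    except (OSError, http.client.HTTPException):
        return None                          # a failed lookup must not break scanning
    finally:
        conn.close()

class FakeShortener(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in for the shortening service."""
    LINKS = {"/foo": "http://spam-landing.example/buy"}

    def do_HEAD(self):
        target = self.LINKS.get(self.path)
        self.send_response(301 if target else 404)
        if target:
            self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):            # keep the demo quiet
        pass

def demo():
    """Expand three constructed URLs against the local stand-in."""
    with socketserver.TCPServer(("127.0.0.1", 0), FakeShortener) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            urls = ("bit.ly/foo", "http://bit.ly/missing", "http://example.org/foo")
            return [expand_short_url(u, connect_to=srv.server_address) for u in urls]
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print(demo())
```

The returned target is what would be handed to URI blocklist checks; the timeout and the host allow-list keep a slow or unknown host from stalling a scan.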


Re: TMPDIR as a tmpfs

2010-06-22 Thread Eduardo Casarero
2010/6/22 Henrique Fernandes sf.ri...@gmail.com

 Is it safe to use the SpamAssassin tmpdir on a tmpfs-mounted system?

 And if it's safe, would it have better performance?

 Here where I work we have big problems with the hard drives, because we
 basically are sharing virtual machine disks over NFS, and SpamAssassin is a
 virtual machine.

 Any other tips for better performance?




 []'sf.rique



Re: DCCPROC and / or DCCIFD

2009-10-14 Thread Eduardo Casarero
2009/10/14 Rick Knight rick_kni...@rlknight.com

 With the help of people here, I have gotten DCCIFD working. Now I have
 another question. Should I use DCCIFD with DCCPROC or instead of DCCPROC?
 Can they work together or does one take precedence?

 Thanks,
 Rick


You have to add a dccifd_home or something like that in the SA config, and SA
will use the daemon automatically.