Re: Is there any way to score this?

2006-10-17 Thread Peter H. Lemieux

Micke Andersson wrote:

> excuse me for my ignorance, but is this really the correct approach
> right now, since there are quite a lot of badly configured DNS servers out
> there. Should this not be handled by the SMTP server as is instead!
> And return an error code of 421 or something like this. Like AOL has
> implemented at their servers, you will be informed as sender about the
> problem, with a URL link to
> http://postmaster.info.aol.com/errors/421dnsnr.html

Whatever opinions you may have about AOL, when they began rejecting mail 
without reverse-DNS entries a few years back, AOL's sheer size forced 
mail admins to make sure that their servers have both forward and reverse 
lookups enabled.  Heck, even random cable/DSL hosts usually have reverse 
lookups configured, usually something like 123-123-123-123.someisp.com. 
Most of the mail I see coming from servers without reverse-resolution is 
spam, usually from hosts in places like China.


Moreover, I'd much rather give such messages a relatively high SA score 
than reject them at the SMTP level.  False positives in the SMTP exchange 
cause ill-will with clients and their correspondents.


> Or if one should have this above Rule, I myself would not for the time
> being, have that high of a score,


I give these messages a score of 3.3 with an SA criterion of 4.0; I get 
very few false positives.



Peter


Is there any way to score this?

2006-10-13 Thread Robert Swan








Is there any way to get points added if the sending mail
server has no PTR record (unknown [196.211.162.65])?

I am using Redhat Fedora and Spamassassin 3.1.2 and Postfix

X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on SPAM1
X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=4.9 tests=BAYES_50,EXTRA_MPART_TYPE,
 HTML_IMAGE_ONLY_28,HTML_MESSAGE autolearn=no version=3.1.2
Received: from lyonop.com (unknown [196.211.162.65])



Thanks in advance





Robert

Peace he would say instead of goodbyepeace my brother.












RE: Is there any way to score this?

2006-10-13 Thread Coffey, Neal
 
Robert Swan wrote:
> Is there any way to get points added if the sending mail
> server has no PTR record (unknown [196.211.162.65])?
>
> Received: from lyonop.com (unknown [196.211.162.65])

This is totally untested, but:

header  LOCAL_INVALID_PTR  Received =~ /\(unknown /

This might be more robust:

header  LOCAL_INVALID_PTR  Received =~ /from \S+ \(unknown /

Again, totally untested, so put them in with a score of 0.01 and watch
them for a while before you rely on either one.


Re: Is there any way to score this?

2006-10-13 Thread Andreas Pettersson

Robert Swan wrote:

> Is there any way to get points added if the sending mail server has no
> PTR record *(unknown [196.211.162.65])?*
>
> I am using Redhat Fedora and Spamassassin 3.1.2 and Postfix




I was looking for the same thing some time ago, but I couldn't easily 
find a way to do that in SA.
Instead I use the MTA (Exim) to add a header if the PTR is missing, and 
then I use SA to check against that header.


Perhaps there are better ways to do it.

--
Andreas



Re: Is there any way to score this?

2006-10-13 Thread Wolfgang Zeikat



On 10/13/06 17:12, Andreas Pettersson wrote:

> Robert Swan wrote:
>
>> Is there any way to get points added if the sending mail server has no
>> PTR record *(unknown [196.211.162.65])?*
>>
>> I am using Redhat Fedora and Spamassassin 3.1.2 and Postfix

With a postfix mail gateway, I use a local SA rule like:

Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/


Replace your.smtp.server by your server's name ...

Cheers,

wolfgang



Re: Is there any way to score this?

2006-10-13 Thread Wolfgang Zeikat



On 10/13/06 17:34, Wolfgang Zeikat wrote:
> Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/
>
> Replace your.smtp.server by your server's name ...


Oops, and leave out \.desy of course ;)
And - just to make sure - that's a header rule.



Cheers,

wolfgang
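
An added example, not code from any poster in this thread: the two loose patterns and the by-anchored pattern from the messages above, ported to Python's `re` and run over constructed Received headers. The gateway name `mx.example.org` and every sample header are assumptions; the run shows that the unanchored forms also fire on an upstream hop the local gateway never saw, and that the `\S{1,30}` bound skips a long HELO name.

```python
import re

# Patterns from the thread, ported to Python's re (same syntax for these constructs).
LOOSE = re.compile(r"\(unknown ")          # first suggestion
HOP = re.compile(r"from \S+ \(unknown ")   # second suggestion

def anchored(gateway):
    """The by-anchored rule with the local gateway's name substituted in."""
    return re.compile(
        r"from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)"
        r"\s+by\s+" + re.escape(gateway))

def evaluate(received, gateway):
    """A Received header rule is tested against all Received headers of the
    message, so an unanchored pattern can fire on a hop our gateway never saw."""
    blob = "\n".join(received)
    return {name: bool(rx.search(blob))
            for name, rx in (("loose", LOOSE), ("hop", HOP),
                             ("anchored", anchored(gateway)))}

GATEWAY = "mx.example.org"  # hypothetical gateway name (assumption)

# Constructed sample headers in Postfix's Received layout, newest hop first.
DIRECT = ["from mail.example.net (unknown [203.0.113.7])\n"
          "\tby mx.example.org (Postfix) with ESMTP id 1A2B3C"]
UPSTREAM = ["from mail.example.net (mail.example.net [192.0.2.10])\n"
            "\tby mx.example.org (Postfix) with ESMTP id 4D5E6F",
            "from desktop (unknown [10.0.0.5])\n"
            "\tby mail.example.net (Postfix) with ESMTP id 7A8B9C"]
LONG_HELO = ["from " + "a" * 31 + ".example.net (unknown [203.0.113.8])\n"
             "\tby mx.example.org (Postfix) with ESMTP id 0F1E2D"]

if __name__ == "__main__":
    for label, hdrs in (("direct", DIRECT), ("upstream", UPSTREAM),
                        ("long HELO", LONG_HELO)):
        print(label, evaluate(hdrs, GATEWAY))
```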



Re: Is there any way to score this?

2006-10-13 Thread Micke Andersson

James Lay wrote:

> -----Original Message-----
> From: Wolfgang Zeikat [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 13, 2006 9:49 AM
> To: users@spamassassin.apache.org
> Subject: Re: Is there any way to score this?
>
> On 10/13/06 17:34, Wolfgang Zeikat wrote:
>
>> Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/
>>
>> Replace your.smtp.server by your server's name ...
>
> Oops, and leave out \.desy of course ;) And - just to make sure - that's a
> header rule.
>
> Cheers,
>
> wolfgang
>
> So does:
>
> header   UNKNOWN Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+mail\.slave-tothe-box\.net/
> score    UNKNOWN 3
> describe UNKNOWN Unknown hosts
>
> Look about right?
>
> James
  

Hi all,

excuse me for my ignorance, but is this really the correct approach
right now, since there are quite a lot of badly configured DNS servers out there.
Should this not be handled by the SMTP server as is instead!
And return an error code of 421 or something like this.

Like AOL has implemented at their servers, you will be informed as
sender about the problem, with a URL link to
http://postmaster.info.aol.com/errors/421dnsnr.html

Or if one should have this above Rule, I myself would not for the time
being, have that high of a score,
check out your legitimate and non SPAM incoming mails, you will find
tons of e-mail server IPs that are not registered with a good PTR.

And even further, if this test is done at SMTP server level, there will
not be that much CPU-consuming processing to check if the sender is
an unknown sender IP.

/Micke