Re: Scoring Based on IP Address

[John Hardin]

On Fri, 18 Dec 2020, @lbutlr wrote:


On 17 Dec 2020, at 16:19, Dave Wreski  wrote:

On 12/17/20 6:05 PM, Matt wrote:

Is there a way with spamassassin local.conf to add a higher score
based on source ip address or subnet?  Basically the last IP in
"Received:" header.
bad_subnet_add_20_points: 192.168.240.0/24
Raising the score if that IP appeared anywhere in headers or body
might work too.



Yes, but if you're effectively going to create a "poison pill" rule where any 
mail from a particular network is quarantined, you might be better of doing this at the 
firewall or in postfix directly and just rejecting it outright.

header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
score MY_BAD_SENDER 20
describe MY_BAD_SENDER Contains bad IP


Won't this match for that IP in ANY Received: header?


Yes. That's "deep inspection", and runs the risk of a hit on a legitimate 
"bad" IP in the sender's local network (assuming their MTA records the 
initial submission).


It would be better to check the last external IP in X-Spam-Relays-External:

  header __EXT_MTA_IP_BAD  X-Spam-Relays-External =~ /^\[ ip=192\.168\.240\.\d+ 
/


And, as Dave said, if you're going to poison pill based on the external 
MTA's IP address, then do it with an MTA IP rule or at the firewall, it's 
a lot easier (and lighter-weight) than all this SA stuff.


For example, in /etc/mail/access (for sendmail):

  93.159.212.159550 5.7.1 Spammed a mailing list - go away.
  65.49.16.2550 5.7.1 Open relay - go away.
  202.65.168.39 550 5.7.1 Seven 419 spams in one hour - go away.
  213.171.44.75 550 5.7.1 Open relay - email worms - go away.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 7 days until Christmas

Re: Scoring Based on IP Address

[@lbutlr]

On 17 Dec 2020, at 16:19, Dave Wreski  wrote:
> On 12/17/20 6:05 PM, Matt wrote:
>> Is there a way with spamassassin local.conf to add a higher score
>> based on source ip address or subnet?  Basically the last IP in
>> "Received:" header.
>> bad_subnet_add_20_points: 192.168.240.0/24
>> Raising the score if that IP appeared anywhere in headers or body
>> might work too.

> Yes, but if you're effectively going to create a "poison pill" rule where any 
> mail from a particular network is quarantined, you might be better of doing 
> this at the firewall or in postfix directly and just rejecting it outright.
> 
> header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
> body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
> score MY_BAD_SENDER 20
> describe MY_BAD_SENDER Contains bad IP

Won't this match for that IP in ANY Received: header?

-- 
"How good bad music and bad reasons sound when we march against an
enemy." -  Friedrich Nietzsche

Re: Scoring Based on IP Address

[Dave Wreski]

Hi,

On 12/17/20 6:05 PM, Matt wrote:

Is there a way with spamassassin local.conf to add a higher score
based on source ip address or subnet?  Basically the last IP in
"Received:" header.

bad_subnet_add_20_points: 192.168.240.0/24

Raising the score if that IP appeared anywhere in headers or body
might work too.


Yes, but if you're effectively going to create a "poison pill" rule 
where any mail from a particular network is quarantined, you might be 
better of doing this at the firewall or in postfix directly and just 
rejecting it outright.


header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
score MY_BAD_SENDER 20
describe MY_BAD_SENDER Contains bad IP

Regards,
Dave