Re-2: A rule to check X-ASN header
> > Hi all,
> >
> > I'm trying to create a rule which will check the results of the ASN
> > plugin.
> ...
> > As a test I have the following...
> >
> > ifplugin Mail::SpamAssassin::Plugin::ASN
> > header T_SCS_ASN_EXISTS   exists:X-ASN
> > header T_SCS_ASN_ANYTHING X-ASN =~ /.*/i
> > header T_SCS_ASN_ANY_AS   X-ASN =~ /AS[0-9]*/i
> > header T_SCS_ASN_AS15169  X-ASN =~ /AS15169/
> > header T_SCS_ASN_AS15169B X-ASN =~ /^AS15169 /
> > endif
> >
> > On a test message which I sent myself on Friday from my google
> > account and which I am now currently piping into SpamAssassin at the
> > command line the rules T_SCS_ASN_EXISTS and T_SCS_ASN_ANYTHING
> > trigger but T_SCS_ASN_ANY_AS, T_SCS_ASN_AS15169 and
> > T_SCS_ASN_AS15169B.
> ...
> > rules: ran header rule T_SCS_ASN_ANYTHING ==> got hit: "15169"
>
> This is why the other tests fail, there's no "AS" before the number.

RW,

Thank you! With that in mind I've made the following adjustment and the rule is now being triggered.

header T_SCS_ASN_AS15169C X-ASN =~ /^15169$/

As to whether this will be helpful in detecting spam I'll let you know.

Kind regards
Steve
Re-2: A rule to check X-ASN header
> > The example i saw last week was from "Google Audit" co.uk>, was DKIM signed and valid [but obviously not by Google's key :)]
> > and was asking a user to verify their account... URIs weren't blacklisted
> > at the time.
> >
> > My thought process was that emails with Google in the Senders Name or email
> > address should only really originate from IP addresses / ASN's Google own (
> > initial investigation suggests gmail.com comes from AS15169 though I've not
> > thrown a wide net yet).
>
> how do you come to that strange conclusion?
>
> that is a domain as any other and "with Google in the Senders Name or
> email address should only really originate" is by all respect pure
> nonsense - DKIM, SPF and DMARC are about *domains* and not *partly
> matches* of some special handled large companies
> _
>
> Domain name:
>     googletechteam.co.uk
>
> Registrant:
>     Alexander Duffus
>
> Registrant type:
>     UK Individual
>
> Registrant's address:
>     Bury House
>     Royston
>     Hertfordshire
>     SG8 8QB
>     United Kingdom

In my mailflow I believe it to be very unusual for a domain / sender to have Google in it and not originate from Google's network. The example I gave originated from 217.199.161.224 (ASN 20738 - Webfusion Internet Solutions) and had *google* in the domain; to me that's something I want to have visibility of.

Overall, while I appreciate your efforts and discussion about the validity of my objectives, what I'm really after is: how can I query the X-ASN header? If this turns out to be a waste of time I'll be the first to let you know.

Many thanks
Steve
Re: Re-2: A rule to check X-ASN header
On 11/23/2015 01:31 PM, steve wrote:
> My thought process was that emails with Google in the Senders Name or
> email address should only really originate from IP addresses / ASN's
> Google own (initial investigation suggests gmail.com comes from AS15169
> though I've not thrown a wide net yet).

a meta rule with rcvd header and From: header rules will do the trick, faster and simpler.
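One way to write the meta rule suggested above, combining Steve's working X-ASN test from earlier in the thread with a From: header test. This is an added example, not from the thread or from the SpamAssassin project. It assumes, as in Steve's test, that the message being scanned already carries an X-ASN header whose value is the bare AS number with no "AS" prefix (the ASN plugin's asn_prefix option governs whether that prefix is emitted); the rule names (__SCS_*, T_SCS_*) are placeholders.

```conf
# Added example, not from the thread. Assumes the scanned message already has
# "X-ASN: 15169" style headers (bare number, no "AS" prefix), as in the test
# output quoted above. Rule names are placeholders.
ifplugin Mail::SpamAssassin::Plugin::ASN

# Sub-rules: a leading "__" means they score nothing on their own and only
# feed the meta rule below.

# "google" anywhere in the From: header (display name or address),
# case-insensitive, so "Google Audit" <x@googletechteam.co.uk> matches.
header   __SCS_FROM_GOOGLE        From =~ /google/i

# Sending AS is exactly 15169. Anchor both ends: an unanchored /15169/
# would also match 151690, and the value has no "AS" prefix to match on.
header   __SCS_ASN_15169          X-ASN =~ /^15169$/

# Fire only when the mail looks like Google but did NOT arrive from AS15169.
meta     T_SCS_GOOGLE_NOT_AS15169 (__SCS_FROM_GOOGLE && !__SCS_ASN_15169)
describe T_SCS_GOOGLE_NOT_AS15169 From: mentions Google but sending AS is not 15169

# Test score while the rule is being evaluated; raise it only once the hit
# rate on real mail has been checked.
score    T_SCS_GOOGLE_NOT_AS15169 0.01

endif
```

Run it with `spamassassin -D rules < message` to see the sub-rule hits; the phishing message from ASN 20738 described in the thread would hit, but so would any legitimate Google-branded mail relayed through a third-party MTA (mailing lists, forwarders), which is why it is kept at a test score.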
Re: Re-2: A rule to check X-ASN header
steve skrev den 2015-11-23 13:31:

>> asn plugin currently does not work with ipv6
>
> I'll cross that bridge when I come to it.

i just still need self to debug why it fails, currently i have seen 2.0.0.0/8 when ipv6 received in 26xx: :=)

>> and if you see mails pretending sent from google/gmail it wont be dkim pass and spf pass
>
> The example i saw last week was from "Google Audit" , was DKIM signed and valid [but obviously not by Google's key :)] and was asking a user to verify their account... URIs weren't blacklisted at the time.

co.uk is a domain and a tld, very cool :)

dont blame me on that, i can make google.junc.eu, is it now google that spams you ?

yes i know co.uk is a valid tld, but spammers seems not knowing why not to use it

> Test results of that scan were...
>
> DKIM_SIGNED=0.1 DKIM_VALID=-0.1 DKIM_VALID_AU=-0.1 HTML_MESSAGE=0.001 KAM_COUK=0.1 MIME_HTML_ONLY=0.723 RP_MATCHES_RCVD=-0.582 SPF_PASS=-0.001 TXREP=1.105

what dkim domain, whois dkim-domain

> My thought process was that emails with Google in the Senders Name or email address should only really originate from IP addresses / ASN's Google own (initial investigation suggests gmail.com comes from AS15169 though I've not thrown a wide net yet).
>
>> asn is nice but too unstable to make rules on
>
> I feel it's worth exploring for my purposes.

okay with me if you do with stable data

> Any further advice will be gratefully received.

possible start using dmarc ?
Re-2: A rule to check X-ASN header
Hi Benny,

>> asn plugin currently does not work with ipv6

I'll cross that bridge when I come to it.

> and if you see mails pretending sent from google/gmail it wont be dkim
> pass and spf pass

The example i saw last week was from "Google Audit" , was DKIM signed and valid [but obviously not by Google's key :)] and was asking a user to verify their account... URIs weren't blacklisted at the time.

Test results of that scan were...

DKIM_SIGNED=0.1 DKIM_VALID=-0.1 DKIM_VALID_AU=-0.1 HTML_MESSAGE=0.001 KAM_COUK=0.1 MIME_HTML_ONLY=0.723 RP_MATCHES_RCVD=-0.582 SPF_PASS=-0.001 TXREP=1.105

My thought process was that emails with Google in the Senders Name or email address should only really originate from IP addresses / ASN's Google own (initial investigation suggests gmail.com comes from AS15169 though I've not thrown a wide net yet).

> asn is nice but too unstable to make rules on

I feel it's worth exploring for my purposes.

Any further advice will be gratefully received.

Regards
Steve

Original Message
Subject: Re: A rule to check X-ASN header (23-Nov-2015 12:13)
From: Benny Pedersen
To: st...@mailinglists.spectrumcs.net

> steve skrev den 2015-11-23 13:05:
>
> > Any advice gratefully received!
>
> asn plugin currently does not work with ipv6
>
> and if you see mails pretending sent from google/gmail it wont be dkim
> pass and spf pass
>
> asn is nice but too unstable to make rules on
>
> To: users@spamassassin.apache.org