See also: http://bugzilla.spamassassin.org/show_bug.cgi?id=3200
Dynamic IPs (dialup/DSL/cable) are currently the biggest spam sources
of all; in short, trojaned/backdoored Windows machines that are poorly
administered or patched, or not at all.
The following rules are very likely problematic for anyone who
has actual users on dynamic-IP hosts relaying mail through their
SpamAssassin-running mail relay, unless specific steps are taken
to exempt such users from these rules.
These rules have worked extremely well here to mark up such suspicious
hosts without relying entirely on DNSBLs.
- header semantics have been matched and tested with Sendmail-generated
headers ONLY, sorry. I'd be most interested in hearing from people trying
these rules on Qmail/Postfix/other servers.
- you will have to edit each and every rule so that it matches the local
hostname appearing in your headers EXACTLY. The rules are intended to
match only the first Received: header line from the top, i.e. only
dynamic hosts that have connected directly to your system rather than
through another MTA/relay.
- the same goes for the rule matching a forged EHLO/HELO that uses your
own domain name (or, by default, any host within your subdomain, which
may be undesired!) or your IP number (RX_FORGED_OUR_EHLO).
Please run these rules through your spam/ham corpora, and post your FP/FN rates!
Replace "example.com" in all rules with the name of your server as it appears
in your headers.
# example.com-specific
header RX_DYN_HOST_CUSTOM Received =~ /(?:ppp.*?|dialup.*?|dial|.dsl|.*?adsl.*?|\.cable|\.modem|\.pool.*?|\.dyn|\.dynamic|\.abo|\.client|\..*?-ip|\...\.shawcable\.net|\.in-addr|\.cablemodem|dhcp.*?|resnet)\..*?\..*by example.com /i
describe RX_DYN_HOST_CUSTOM Received directly from dialup/cable/dsl host (custom rule)
score RX_DYN_HOST_CUSTOM 2.0
# example.com-specific
# with 4 numeric elements concatenated with a hyphen - too strict?
# header RX_DYN_HOST2_CUSTOM Received =~ /\(.*\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}.*\).*by example.com /i
# with 3 numeric elements concatenated with a hyphen - seen quite often, such as in:
# m235.net81-64-119.noos.fr [81.64.119.235]
header __RX_DYN_HOST2_CUSTOM Received =~ /\(.*\d{1,3}-\d{1,3}-\d{1,3}.*\).*by example.com /i
# but do not score if we already matched the dialup/cable/DSL rule
meta RX_DYN_HOST2_CUSTOM (__RX_DYN_HOST2_CUSTOM && !RX_DYN_HOST_CUSTOM)
describe RX_DYN_HOST2_CUSTOM Received directly from host with script-generated rDNS name (custom rule)
score RX_DYN_HOST2_CUSTOM 2.0
# example.com-specific
header RX_FROM_NODNS_HOST Received =~ /\(\[\d+\.\d+\.\d+\.\d+\]\).*by example.com /i
describe RX_FROM_NODNS_HOST Received directly from host with no rDNS (custom rule)
score RX_FROM_NODNS_HOST 2.0
# example.com-specific
header RX_FROM_FORGEDDNS_HOST Received =~ /\(.*?\[\d+\.\d+\.\d+\.\d+\] \(may be forged\)\).*by example.com /i
describe RX_FROM_FORGEDDNS_HOST Received directly from host with forged rDNS (custom rule)
score RX_FROM_FORGEDDNS_HOST 1.5
# example.com-specific
header RX_FORGED_OUR_EHLO Received =~ /from (?:.*?example.com|192\.168\.1\.1) \(.*?\[\d+\.\d+\.\d+\.\d+\]\).*by example.com /i
# remove .*? in line above to not match other hosts within your domain
# replace 192.168.1.1 with your server's own IP address!
describe RX_FORGED_OUR_EHLO Remote client forged our hostname or IP in EHLO/HELO (custom rule)
score RX_FORGED_OUR_EHLO 3.0
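As an added example (not the page's or SpamAssassin's own code), here are the rules above applied in Python to constructed Sendmail-style Received: lines, including the meta rule and the "first Received: from the top" semantics the page insists on. OUR_HOST stands for the example.com placeholder; every sample hostname, IP and queue id is constructed.

```python
import re

# Added example, not from the page: apply the page's custom rules to the topmost
# Received: header, the one written by your own MTA.  OUR_HOST is whatever your MTA
# puts in its "by ..." clause; the page uses example.com as the placeholder.
OUR_HOST = "example.com"
BY = r".*by " + OUR_HOST + " "  # trailing space: anchor on our own "by <host> (" clause

HEADER_RULES = {  # name: (score, regex); regexes are the page's, with OUR_HOST substituted
    "RX_DYN_HOST_CUSTOM": (2.0, re.compile(
        r"(?:ppp.*?|dialup.*?|dial|.dsl|.*?adsl.*?|\.cable|\.modem|\.pool.*?|\.dyn|\.dynamic|\.abo"
        r"|\.client|\..*?-ip|\...\.shawcable\.net|\.in-addr|\.cablemodem|dhcp.*?|resnet)\..*?\." + BY, re.I)),
    "__RX_DYN_HOST2_CUSTOM": (0.0, re.compile(r"\(.*\d{1,3}-\d{1,3}-\d{1,3}.*\)" + BY, re.I)),
    "RX_FROM_NODNS_HOST": (2.0, re.compile(r"\(\[\d+\.\d+\.\d+\.\d+\]\)" + BY, re.I)),
    "RX_FROM_FORGEDDNS_HOST": (1.5, re.compile(r"\(.*?\[\d+\.\d+\.\d+\.\d+\] \(may be forged\)\)" + BY, re.I)),
    "RX_FORGED_OUR_EHLO": (3.0, re.compile(
        r"from (?:.*?" + OUR_HOST + r"|192\.168\.1\.1) \(.*?\[\d+\.\d+\.\d+\.\d+\]\)" + BY, re.I)),
}
META_SCORE = 2.0  # score RX_DYN_HOST2_CUSTOM

def first_received(raw_headers):
    """Topmost Received: header value, with folded continuation lines joined into one line."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            return line[len("received:"):].strip()
    return ""

def score_received(received):
    """(sorted rule names that hit, total score) for one Received: value, meta rule included."""
    hits = {name for name, (_, rx) in HEADER_RULES.items() if rx.search(received)}
    # meta RX_DYN_HOST2_CUSTOM (__RX_DYN_HOST2_CUSTOM && !RX_DYN_HOST_CUSTOM)
    if "__RX_DYN_HOST2_CUSTOM" in hits and "RX_DYN_HOST_CUSTOM" not in hits:
        hits.add("RX_DYN_HOST2_CUSTOM")
    hits.discard("__RX_DYN_HOST2_CUSTOM")  # a __ sub-rule never scores on its own
    total = sum(META_SCORE if h == "RX_DYN_HOST2_CUSTOM" else HEADER_RULES[h][0] for h in hits)
    return sorted(hits), total

# Constructed Sendmail-style Received: values (not real mail), in the format the rules expect.
TAIL = " by " + OUR_HOST + " (8.12.11/8.12.11) with ESMTP id CONSTRUCTED; Sun, 11 Apr 2004 12:37:12 +0200"
SAMPLES = {
    "dialup":        "from ppp-81-64-119-235.noos.fr (ppp-81-64-119-235.noos.fr [81.64.119.235])" + TAIL,
    "scripted_rdns": "from m235.net81-64-119.noos.fr (m235.net81-64-119.noos.fr [81.64.119.235])" + TAIL,
    "no_rdns":       "from OEMCOMPUTER ([10.20.30.40])" + TAIL,
    "forged_rdns":   "from mypc (host77.example.net [192.0.2.77] (may be forged))" + TAIL,
    "forged_helo":   "from " + OUR_HOST + " (host99.example.net [192.0.2.99])" + TAIL,
    "legit":         "from mail.isp.example.net (mail.isp.example.net [198.51.100.10])" + TAIL,
}
```

score_received(SAMPLES["dialup"]) returns (["RX_DYN_HOST_CUSTOM"], 2.0): the scripted-rDNS sub-rule also matches that line, but the meta rule keeps it from scoring twice.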
bye, Kai