Thanks to everyone's suggestions.

I will try to respond to everyone in this 1 message:

This was intended for people who get both filtering inbound and outbound
from the mail gateway.
At times certain legit content gets flagged on the way OUT, so this was to
try and add a little negative score, so it would say, OK we know we send
this guy, let's say the word million etc.
We didn't want to simply whitelist the TO address, because in theory if
computers get hacked, they could potentially send out malicious
attachments/links etc, so we want to allow something that scores a very
high score, we won't allow that to go out, but if it's a moderate score,
make sure it doesn't get rejected.

In respect to Henrik K, I tried using the rule but SA with lint didn't like
the evaluation of the header you suggested.
I was able to try it a little differently and got this to work, should anyone
else want to use it:

header TO_SPECIFIC_DOMAIN To:addr =~ /\@(test\.com|test\.net)$/
describe TO_SPECIFIC_DOMAIN Mail sent to test.com or test.net email addresses
score TO_SPECIFIC_DOMAIN -2.0

*As always, thank you to everyone who helps support this list!*

On Thu, Jan 12, 2023 at 9:57 PM John Hardin <jhar...@impsec.org> wrote:

> On Thu, 12 Jan 2023, John Hardin wrote:
>
> > On Thu, 12 Jan 2023, Martin Gregorie wrote:
> >
> >>  On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
> >>>  Hello All,
> >>>
> >>>  I created this rule to check for email addresses matching a list to get
> >>>  added some negative value.
> >>>  I also tried it with just domains so it would be more efficient, but I
> >>>  can't seem to get them to run.
> >>>  Any suggestions?
> >>
> >>  Use a database to store addresses you accept mail from. Apart from the
> >>  database, you'll need a Perl module to let SA look up addresses in the
> >>  database.
> >
> > Simpler as it involves no new coding: a local DNS server and a DNSBL lookup
> > rule with a negative score. There are instructions for setting such up for
> > local blacklists, that works equally well for a local whitelist.
>
> Ah, whoops. I had it in my head that emailBL had been implemented. Never
> mind!
>
>
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org                         pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>    The difference is that Unix has had thirty years of technical
>    types demanding basic functionality of it. And the Macintosh has
>    had fifteen years of interface fascist users shaping its progress.
>    Windows has the hairpin turns of the Microsoft marketing machine
>    and that's all.                                    -- Red Drag Diva
> -----------------------------------------------------------------------
>   5 days until Benjamin Franklin's 317th Birthday
>


-- 
Thanks!
Joey
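
A way to sanity-check the rule from the message above before deploying it, as an added example that is not part of the original post: it runs the posted pattern over constructed recipient addresses, including lookalike domains, and shows how the -2.0 offset rescues a moderate score but not a very high one. The 5.0 threshold (SpamAssassin's default required_score), the sample addresses and the function names are assumptions made for illustration.

```python
import re

# Pattern copied from the posted rule. SpamAssassin evaluates it as a Perl
# regex; this particular pattern has the same meaning in Python's re module.
TO_SPECIFIC_DOMAIN = re.compile(r"\@(test\.com|test\.net)$")
RULE_SCORE = -2.0       # score line from the post
REQUIRED_SCORE = 5.0    # assumption: SpamAssassin's default required_score


def rule_hits(to_addr: str) -> bool:
    """True when the bare recipient address would trigger the rule."""
    return TO_SPECIFIC_DOMAIN.search(to_addr) is not None


def verdict(other_rules_score: float, to_addr: str) -> str:
    """Add the rule's offset when it hits, then compare with the threshold."""
    offset = RULE_SCORE if rule_hits(to_addr) else 0.0
    total = other_rules_score + offset
    return "reject" if total >= REQUIRED_SCORE else "deliver"


# Constructed sample recipients: two intended matches and three near misses.
SAMPLES = [
    "alice@test.com",         # intended match
    "bob@test.net",           # intended match
    "carol@mail.test.com",    # subdomain: '@' must directly precede the domain
    "dave@nottest.com",       # lookalike prefix, blocked by the '\@' anchor
    "erin@test.com.example",  # lookalike suffix, blocked by the '$' anchor
]


def matching(samples):
    """Return the addresses from samples that trigger the rule."""
    return [addr for addr in samples if rule_hits(addr)]


if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:24} hit={rule_hits(addr)}")
    # Moderate score to a listed domain: 6.0 - 2.0 = 4.0, below the threshold.
    print(verdict(6.0, "alice@test.com"))
    # Very high score to a listed domain: 12.0 - 2.0 = 10.0, still rejected.
    print(verdict(12.0, "alice@test.com"))
    # Moderate score to a lookalike domain gets no offset and is rejected.
    print(verdict(6.0, "dave@nottest.com"))
```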
