Correct me if I'm wrong, but would a rule like the following one of mine not 
do the trick regardless of how the MTA writes the Received header, and be 
less prone (actually not prone at all) to spoofing?

header    JF_NO_PTR    X-Spam-Relays-Untrusted =~ /^\[ ip=[^ ]* rdns= helo=/
describe  JF_NO_PTR    No reverse lookup for sender IP in X-Spam-Relays-Untrusted
score     JF_NO_PTR    0.5

It's simply searching for a blank "rdns=" string (without quotes of course) 
in the X-Spam-Relays-Untrusted pseudoheader. It should only search the very 
first line in this pseudoheader, i.e. the one that relates to the most recent 
untrusted relay as per http://wiki.apache.org/spamassassin/TrustedRelays.

I'm guessing, from what I've learnt at 
http://wiki.apache.org/spamassassin/TrustedRelays, that a blank "rdns=" 
string, i.e. followed directly by a space, indicates a lack of a PTR record?

The reason why I think this would be better than searching within the 
Received header, is that in theory the info in an older Received header 
could be spoofed by the spammer so that it includes the name of your MTA. 
Perhaps this is unlikely, I dunno, but at least using 
X-Spam-Relays-Untrusted means you don't have that risk at all, right??!

Can anyone see any exceptions or issues with doing it this way?

Cheers,
Jeremy

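The matching described above, as an added Python example that is not part of the original thread: it applies the JF_NO_PTR pattern to constructed X-Spam-Relays-Untrusted values (the relay field layout follows SpamAssassin's pseudoheader format; the addresses, hostnames and ids are made up) and also parses every relay entry, so the difference between "first relay only" and "any relay" is visible.

```python
import re

# The regex from the rule in the post. The leading ^ and the [^ ]* (which cannot
# cross a space) mean it can only ever match the first relay entry, i.e. the
# most recent untrusted relay.
JF_NO_PTR = re.compile(r"^\[ ip=[^ ]* rdns= helo=")

# Each relay in the pseudoheader is one "[ key=value key=value ... ]" entry.
RELAY_RE = re.compile(r"\[ (.*?) \]")


def parse_relays(header_value):
    """Return a list of {field: value} dicts, most recent relay first."""
    relays = []
    for body in RELAY_RE.findall(header_value):
        fields = {}
        for token in body.split(" "):
            key, _, value = token.partition("=")  # "rdns=" -> ("rdns", "")
            fields[key] = value
        relays.append(fields)
    return relays


def jf_no_ptr(header_value):
    """True if the rule would fire: first relay has an empty rdns= field."""
    return bool(JF_NO_PTR.search(header_value))


def relays_without_rdns(header_value):
    """IPs of every relay (not just the first) that lacks reverse DNS."""
    return [r["ip"] for r in parse_relays(header_value) if r.get("rdns") == ""]


# Constructed sample pseudoheader values (RFC 5737 test addresses, fake ids).
NO_PTR = ("[ ip=192.0.2.10 rdns= helo=mx.example.net by=mail.example.org "
          "ident= envfrom= intl=0 id=abc123 auth= msa=0 ]")
WITH_PTR = ("[ ip=192.0.2.20 rdns=mx.example.net helo=mx.example.net "
            "by=mail.example.org ident= envfrom= intl=0 id=def456 auth= msa=0 ]")
# Most recent relay has a PTR, the older hop behind it does not: the rule
# as written does not fire here, because it only inspects the first entry.
TWO_HOPS = WITH_PTR + " " + NO_PTR

if __name__ == "__main__":
    for name, value in [("NO_PTR", NO_PTR), ("WITH_PTR", WITH_PTR),
                        ("TWO_HOPS", TWO_HOPS), ("EMPTY", "")]:
        print(name, "rule fires:", jf_no_ptr(value),
              "relays without rDNS:", relays_without_rdns(value))
```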

"Matthias Fuhrmann" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On Sat, 18 Mar 2006, Dave Augustus wrote:
>
>>
>> Anyone point me in the right direction?
>>
>> I am just thinking of increasing the spam level counter based on whether
>> they have a reverse IP address. I have tried to reject these outright
>> based on this criteria but that would cause too many false positives.
>
> this thread will help you:
> http://www.gossamer-threads.com/lists/spamassassin/users/11783?search_string=Reverse%20DNS%20Check;#11783
>
> just have a look at the rule named:  MY_NO_PTR
>
> regards,
> Matthias 
