Justin Mason wrote:
existing set: http://wiki.apache.org/spamassassin/VBounceRuleset
;)
Thanks!
One thing I'm not sure about - that module produces two rules. How
should I score the rules so that real bounces aren't rejected but the
fake ones are?
I presume I do it this way round:
score BOUNCE_MESSAGE 10
score ANY_BOUNCE_MESSAGE 0.1
I presume BOUNCE_MESSAGE is only true if the bounce is for a mail not
sent by me? If so, I'm surprised the rule name isn't
SPOOF_BOUNCE_MESSAGE or similar.
My mail server rejects messages with spam scores of 10 or above.
Nick...
Nick Gilbert writes:
Hi,
I've been trying to write some SA rules to reject bounce messages which
I did not send.
I've made a good start, but some bounce messages still get through but I
don't understand why.
The theory is that viruses and spammers don't seem to use my full e-mail
address [EMAIL PROTECTED] but change the username part of it and send
from an address [EMAIL PROTECTED] I would like to reject all bounce
messages which have arisen from mail sent from [EMAIL PROTECTED] but NOT
[EMAIL PROTECTED]
This works for about 50% of mail, but I think one serious problem is
that the line:
header __NICK_BOUNCE_REAL To =~ /[EMAIL PROTECTED]/i
...matches on the header:
X-MDaemon-Deliver-To: [EMAIL PROTECTED]
Which I'm pretty sure it shouldn't! Why does it think that header is the
same as a normal To header? Surely it's not scanning for headers simply
ending in "To"?
My rules are below for comment/improvement but please let me know if
there's a better way to do this or an existing set of working rules
somewhere.
Nick...
# ---------- BOUNCE DETECTION (stolen from
# bogus_virus_warnings.cf)---------
# General rule to indicate bounce or otherwise - used for some other
# rules
header __BOUNCE_HEADER X-Is-A-Bounce =~ /.+/
# This won't match for scanning done at SMTP time, at least with Exim
header __BOUNCE_RP1 Return-Path =~ /^<>$/
# NL says this is added by amavisd-new before passing to SA
header __BOUNCE_RP2 X-Return-Path =~ /^<>$/
# Mark Martinec says the above is incorrect, and it's X-Envelope-From
header __BOUNCE_RP3 X-Envelope-From =~ /^<>$/
meta __NULL_SENDER __BOUNCE_HEADER || __BOUNCE_RP1 || __BOUNCE_RP2 || __BOUNCE_RP3
# Thanks to AF
header __CT_DEL_STATUS Content-Type =~ /report-type=delivery-status/
meta __NICK_IS_A_BOUNCE __NULL_SENDER || __CT_DEL_STATUS
header __NICK_BOUNCE_REAL To =~ /[EMAIL PROTECTED]/i
header __NICK_TO_NOT_ME To =~ /[EMAIL PROTECTED]/i
meta NICK_SPOOF_BOUNCE (( __NICK_IS_A_BOUNCE && __NICK_TO_NOT_ME) && (!__NICK_BOUNCE_REAL))
score NICK_SPOOF_BOUNCE 10
describe NICK_SPOOF_BOUNCE "Attached bounce contains my address but I never sent this!"
--
________________________________
Nick Gilbert, Software Developer
X-RM Limited, Winchester, UK
W: http://www.x-rm.com/
E: [EMAIL PROTECTED]
T: 01962 877237
F: 01962 842346
________________________________
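
The rule logic from the message above, modelled in Python as an added example (not code from the thread, and not SpamAssassin's own matching engine): each test looks a header up by its exact name, so a `To` test never sees `X-MDaemon-Deliver-To`. The addresses, sample messages and function names are constructed, and the anchored address patterns go beyond the original rules.

```python
import re
from email import message_from_string

REAL = "nick@example.com"   # constructed stand-in for the real address
DOMAIN = "example.com"      # constructed stand-in for the mail domain

def hdr(msg, name, pattern):
    """True if any header with exactly this name matches (case-insensitive)."""
    return any(re.search(pattern, v, re.I) for v in msg.get_all(name, []))

def is_bounce(msg):
    # Mirrors __NULL_SENDER || __CT_DEL_STATUS from the posted rules.
    null_sender = hdr(msg, "X-Is-A-Bounce", r".+") or any(
        hdr(msg, h, r"^<>$")
        for h in ("Return-Path", "X-Return-Path", "X-Envelope-From"))
    return null_sender or hdr(msg, "Content-Type", r"report-type=delivery-status")

def spoof_bounce(msg):
    # Anchor the local part so "notnick@example.com" is not taken for REAL.
    to_real = hdr(msg, "To", r"(?<![\w.+-])" + re.escape(REAL) + r"(?![\w.-])")
    to_domain = hdr(msg, "To", "@" + re.escape(DOMAIN) + r"(?![\w.-])")
    return is_bounce(msg) and to_domain and not to_real

def sample(to, return_path="<>"):
    # Constructed message; the delivery header always names the real mailbox,
    # as it would when the server delivers every local part to one user.
    return message_from_string(
        f"Return-Path: {return_path}\n"
        f"X-MDaemon-Deliver-To: {REAL}\n"
        f"To: {to}\n"
        "Subject: Undeliverable mail\n"
        "Content-Type: multipart/report;\n"
        ' report-type=delivery-status; boundary="b"\n'
        "\nbody\n")

GENUINE = sample("Nick <nick@example.com>")      # bounce of mail really sent
BACKSCATTER = sample("sales17@example.com")      # forged local part
LOOKALIKE = sample("notnick@example.com")        # contains REAL as a substring
NORMAL = message_from_string(                    # ordinary mail, not a bounce
    "Return-Path: <alice@example.org>\nTo: sales17@example.com\n\nhello\n")

if __name__ == "__main__":
    for name in ("GENUINE", "BACKSCATTER", "LOOKALIKE", "NORMAL"):
        print(name, spoof_bounce(globals()[name]))
```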