Re: SPF custom rule

Thu, 10 May 2007 00:53:41 -0700

Bret Miller wrote: 
   Thanks for the info Bret. What I've come up with is this:
        
   header _FROM_DOMAIN From ~= /example\.com/i
   header _SPF_TRUE /\bSPF_FAIL\b/
   meta DOMAIN_SPF_TRUE (_FROM_DOMAIN&&_SPF_TRUE)
   score DOMAIN_SPF_TRUE 10.0
        
   Will this work?
        
Kinda, with  few changes:

   header __FROM_DOMAIN From ~= /\bexample\.com\b/i
   header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/

This will make sure you get example.com and not 
      
myexample.communists. 
    
However, the From header is *really* easy to spoof, so this 
      
isn't much 
    
of a check.  You would probaly be better off looking for 
      
the host name 
    
in one of the received headers.

You also need to give a target to the second header test.  I used
"ALL" to search all of the headers for the string you want. 
      
 However, 
    
if you know the name of the header you are looking for, you could 
better do something like

   header __SPF_CHECK    SPF_FAIL:Exists

Assuming the header was named "SPF_FAIL"

Note also you want two leading underscores, not one, on those meta
parts, so the final line becomes:

   meta DOMAIN_SPF_TRUE (__FROM_DOMAIN && __SPF_TRUE)


       Loren

      
Hi Loren

Thank you very much. I'll give it a try. The final filter 
will then look 
like this?

   header __FROM_DOMAIN From ~= /\bexample\.com\b/i
   header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/
   meta DOMAIN_SPF_TRUE (__FROM_DOMAIN&&__SPF_TRUE)
   score DOMAIN_SPF_TRUE 10.0

Just a question though.. This whole process happens in 
Spamassassin... 
Will there be a SPF_FAIL in the header already at the time of this 
check?? I get the feeling there won't..
    

If the SPF test is happening in SA anyway, then you can reduce this to
two rules:

    header __FROM_DOMAIN From ~= /\bexample\.com\b/i
    meta DOMAIN_SPF_TRUE (__FROM_DOMAIN&&SPF_FAIL)
    score DOMAIN_SPF_TRUE 10.0

  
SPF_FAIL is part of the standard rule set in 25_spf.cf. No sense in
checking the condition twice.

Bret
The rule works 100%. Had to tweak it a bit and clean out some syntax errors, but it works. :)

header __DOMAIN_FROM From =~ /\bexample\.com\b/i
meta DOMAIN_SPF_TRUE (__DOMAIN_FROM && (SPF_SOFTFAIL || SPF_FAIL))
score DOMAIN_SPF_TRUE 5.0

Thanks for all the help .

Regards
JvdW










Reply via email to