Hi all,
As I'm facing a rising number of bounces on my mailserver in the last 2
months, I tried to use the vbounce ruleset to identify the ones caused
by UBE faking the sender address.
This was generally successful, but surprisingly there are a lot of
UBE-bounces which are not recognized by vbounce.
After digging a little bit into this (I'm not an SA expert), it showed
that the body rule "__HAVE_BOUNCE_RELAYS" is giving a "1", but often no
header rule "__BOUNCE*" seems to give a hit.
One of the rules most likely to be true, IMHO, is the
"__BOUNCE_FROM_DAEMON" one, but this one nearly never gives a hit.
Looking at the regexp in this line, the "+" after the \S seems not to be
correct from my point of view, I would suggest a "*" here, as it is in
"__BOUNCE_RPATH_MD".
So for testing purposes I modified the line
old:
header __BOUNCE_FROM_DAEMON From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i
to new:
header __BOUNCE_FROM_DAEMON From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i
and now, also the bounces formerly not recognized are correctly identified.
Can someone confirm that this is a "typo"? Or have I misunderstood
something?
THX,
Robert
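
The two quantifiers from the post compared side by side, as an added example that is not part of the original message or of SpamAssassin. Python's re module stands in for the Perl regex engine (the pattern uses only constructs that behave the same in both); the From values are constructed and the function names are hypothetical.

```python
import re

# Alternation copied from the __BOUNCE_FROM_DAEMON rule quoted in the post.
NAMES = (r"daemon|deamon|majordomo|postmaster|virus|scanner|devnull|"
         r"automated-response|SMTP.gateway|mailadmin|mailmaster|"
         r"surfcontrol|You_Got_Spammed")

def build(quantifier):
    """Return the rule's regex with the given quantifier after \\S."""
    return re.compile(r"(?:(?:" + NAMES + r")\S" + quantifier + r"\@|<>)", re.I)

OLD = build("+")   # rule as quoted: at least one character between name and "@"
NEW = build("*")   # rule as modified in the post: zero or more characters

# Constructed From header values (not taken from real mail).
SAMPLES = [
    "MAILER-DAEMON@mx.example.net",
    "Mail Delivery System <postmaster@example.org>",
    "postmaster-bounces@example.org",
    "virusalert@gw.example.com",
    "<>",
    "Alice <alice@example.com>",
]

def compare(values):
    """Map each header value to (old_hit, new_hit)."""
    return {v: (bool(OLD.search(v)), bool(NEW.search(v))) for v in values}

def newly_matched(values):
    """Header values that only the \\S* variant recognises."""
    return [v for v, (old, new) in compare(values).items() if new and not old]

if __name__ == "__main__":
    for value, (old, new) in compare(SAMPLES).items():
        print(f"{value!r:50} old={old!s:5} new={new}")
```

Only values where "@" directly follows one of the listed names change result; values with extra characters before the "@" hit under both variants.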