McDonald, Dan wrote:
On Mon, 2008-06-30 at 17:17 -0500, McDonald, Dan wrote:
On Mon, 2008-06-30 at 22:04 +0200, mouss wrote:
McDonald, Dan wrote:
On Sat, 2008-06-28 at 01:40 +0200, mouss wrote:
mouss wrote:
Is there some way to grab the metadata from IPCountry to count the
number of countries that were involved in sending a mail, and set a
score based on that?
you mean catching the "Junkman traveller"?


Ok, been fiddling with this.  Here is my current rule:

header          __IS_LIST       exists:List-Id
describe        __IS_LIST       Is this a mailing list?

header          __MULTI_COUNTRY exists:X-Relay-Country-Count
describe        __MULTI_COUNTRY Has this message passed through two or more countries?

header          __LAST_RELAY_US X-Relay-Countries=~/US\b$/
describe        __LAST_RELAY_US Came from our home country

meta            AE_RELAY_MANY   !__IS_LIST && __MULTI_COUNTRY && !__LAST_RELAY_US
describe        AE_RELAY_MANY   passed through 2 foreign countries and is not a mailing list
score           AE_RELAY_MANY   0.25

I also changed RelayCountry.pm to only insert the X-Relay-Country-Count
header if there were two or more countries involved, mainly to allow a
simple exists query rather than a regex...

But I was very encouraged by my first two hits:
Jul  1 08:05:03 ca amavis[1869]: (01869-04) SPAM,
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, score=22.549
tag=-99 tag2=4.5 kill=6.31 tests=[ADVANCE_FEE_2=2.049,
ADVANCE_FEE_3=1.435, ADVANCE_FEE_4=1.502, AE_RELAY_MANY=0.1,
DATE_IN_FUTURE_06_12=3.099, DEAR_SOMETHING=2.234,
FORGED_MUA_OUTLOOK=4.199, FREEMAIL_FROM=0.5, FREEMAIL_REPLYTO=2,
L_P0F_Linux=-0.1, MSOE_MID_WRONG_CASE=0.699, RELAY_NG=2,
SARE_FRAUD_X3=1.667, US_DOLLARS_3=1.165], autolearn=disabled

Jul  1 08:13:55 ca amavis[1852]: (01852-07) SPAM, <[EMAIL PROTECTED]> ->
<[EMAIL PROTECTED]>, Yes, score=24.912 tag=-99 tag2=4.5 kill=6.31
tests=[ADVANCE_FEE_2=2.049, ADVANCE_FEE_3=1.435, ADVANCE_FEE_4=1.502,
AE_RELAY_MANY=0.1, DEAR_SOMETHING=2.234, FORGED_MUA_OUTLOOK=4.199,
FREEMAIL_FROM=0.5, FREEMAIL_REPLYTO=2, L_P0F_Linux=-0.1,
MSOE_MID_WRONG_CASE=0.699, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RELAY_CN=3,
SARE_FRAUD_X3=1.667, SPF_SOFTFAIL=0.654, SUBJ_ALL_CAPS=1.806,
URG_BIZ=0.667], autolearn=disabled



Good. I'll have to test this.

(you should open a bugzilla ticket so that this gets integrated in the next version...).
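
The rule logic discussed in this thread, as an added example that is not part of the original posts or of SpamAssassin: a Python model of the conditional count header and the AE_RELAY_MANY meta, run over constructed X-Relay-Countries values. Counting distinct codes, skipping the placeholder codes XX and **, and all function names are assumptions.

```python
import re

# Assumption: placeholder codes for relays that cannot be placed; not counted.
UNKNOWN = {"XX", "**"}
LAST_RELAY_US = re.compile(r"US\b$")  # same pattern as __LAST_RELAY_US

def country_count(relay_countries):
    """Distinct known countries in a space-separated X-Relay-Countries value."""
    return len({c for c in relay_countries.split() if c not in UNKNOWN})

def metadata_headers(relay_countries):
    """Model the modified plugin: add the count header only for two or more."""
    headers = {"X-Relay-Countries": relay_countries}
    n = country_count(relay_countries)
    if n >= 2:
        headers["X-Relay-Country-Count"] = str(n)
    return headers

def ae_relay_many(headers):
    """!__IS_LIST && __MULTI_COUNTRY && !__LAST_RELAY_US"""
    is_list = "List-Id" in headers                  # exists:List-Id
    multi = "X-Relay-Country-Count" in headers      # exists:X-Relay-Country-Count
    last_us = bool(LAST_RELAY_US.search(headers.get("X-Relay-Countries", "")))
    return (not is_list) and multi and (not last_us)

def evaluate(relay_countries, list_id=None):
    """Build the headers for one message and evaluate the meta rule."""
    headers = metadata_headers(relay_countries)
    if list_id:
        headers["List-Id"] = list_id
    return ae_relay_many(headers)

# Constructed inputs: (X-Relay-Countries value, List-Id or None)
SAMPLES = [
    ("NG GB", None),                   # two foreign countries -> hit
    ("CN CN", None),                   # one country repeated -> no count header
    ("NG US", None),                   # value ends in US -> exempt
    ("NG GB", "<users.example.org>"),  # mailing list -> exempt
    ("XX CN", None),                   # placeholder is not a second country
]

if __name__ == "__main__":
    for countries, list_id in SAMPLES:
        hit = evaluate(countries, list_id)
        print(f"{countries!r:10} list={bool(list_id)!s:5} -> {hit}")
```
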

