Mike Cardwell wrote:

Justin Mason wrote:

hi -- this stuff is generally recorded in the Received header, and SA
will act on it if it's there.  that's the place to do it...

The "STARTTLS" example is recorded in the received headers, yes. None of the other 3 examples are recorded in the received headers though...

I was thinking along the lines of an interface where the mta connects to SpamAssassin when a connection comes in, and it then sends the full smtp transaction to SpamAssassin as it happens.

SpamAssassin would then be aware of various extra metrics, such as the examples I gave in my original email. Also, some more examples:

1.) How quickly the connecting host responded to commands
2.) Whether or not it sent any "RCPT TO" commands that were rejected, as well as the ones which weren't rejected
3.) Whether or not there were any syntax errors in the communication
4.) Whether or not the connecting host made any synchronisation errors, eg sending a HELO before receiving the SMTP banner.
5.) What case the connecting host used in its commands
6.) Whether the connecting host tried to do a VRFY before doing anything else.
7.) Whether the connecting host tried to use an ESMTP extension that wasn't mentioned in the results of EHLO
8.) How many parallel connections the sending host currently has open.

I'm sure there are many other useful metrics that could be obtained from such an interface which would be useful for determining spamminess.

SpamAssassin would also then be able to get information about attempts to send email that would not have reached the stage of message body scanning previously.

SpamAssassin would also be able to start doing certain RBL lookups etc before the message body had even been sent.

I know this would be a massive job, would be resource hungry, and would also require the co-operation of mta developers to update their mail servers with this interface so I'm not expecting it to happen. Still, I can dream...


Agreed, I do a lot of those tests using Exim where I block 99% of spam and pass 70% of ham before it ever sees spamassassin. I can't imagine using any other MTA but Exim.
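
A sketch of how some of the metrics listed in the quoted message (items 2, 4, 5, 6 and 7) could be derived from a recorded SMTP transaction. This is an added example, not part of the thread and not an existing SpamAssassin or Exim interface; the event format, the function name `session_metrics` and the sample session are assumptions constructed for illustration.

```python
# Added example, hypothetical names. Constructed events: (secs, "C"/"S", line)
SAMPLE_SESSION = [
    (0.00, "C", "ehlo client.example.invalid"),  # sent before the banner
    (0.02, "S", "220 mx.example.test ESMTP"),
    (0.03, "S", "250-mx.example.test"),
    (0.03, "S", "250-PIPELINING"),
    (0.03, "S", "250 8BITMIME"),
    (0.04, "C", "vrfy postmaster"),
    (0.05, "S", "252 Cannot VRFY user"),
    (0.06, "C", "mail from:<a@example.invalid> SIZE=1000"),
    (0.07, "S", "250 OK"),
    (0.08, "C", "rcpt to:<nobody@example.test>"),
    (0.09, "S", "550 No such user"),
    (0.10, "C", "RCPT TO:<user@example.test>"),
    (0.11, "S", "250 OK"),
]

def session_metrics(events):
    m = {"early_talker": False, "vrfy_first": False, "rcpt_accepted": 0,
         "rcpt_rejected": 0, "non_upper_cmds": 0, "unadvertised_ext": []}
    advertised, banner_seen, greeting_pending = set(), False, False
    last_verb, verbs = None, []
    for _ts, who, line in events:
        if who == "S":
            code, final, text = line[:3], line[3:4] != "-", line[4:]
            if code == "220":
                banner_seen = True
            elif last_verb == "EHLO" and code == "250":
                if greeting_pending:      # first 250 line is the greeting
                    greeting_pending = False
                else:                     # later lines name one extension each
                    advertised.update(w.upper() for w in text.split()[:1])
            elif last_verb == "RCPT" and final:   # item 2
                m["rcpt_accepted" if code[:1] == "2" else "rcpt_rejected"] += 1
            continue
        if not line.split():
            continue
        m["early_talker"] |= not banner_seen      # item 4
        word = line.split()[0]
        last_verb = word.upper()
        verbs.append(last_verb)
        m["non_upper_cmds"] += word != last_verb  # item 5
        greeting_pending = last_verb == "EHLO"
        if last_verb == "MAIL":                   # item 7
            for param in line.partition(">")[2].split():
                if param.split("=")[0].upper() not in advertised:
                    m["unadvertised_ext"].append(param.split("=")[0].upper())
    after_hello = [v for v in verbs if v not in ("HELO", "EHLO")]
    m["vrfy_first"] = after_hello[:1] == ["VRFY"]  # item 6, as read here
    return m
```

Item 6 is read here as "the first command after HELO/EHLO is VRFY"; timing (item 1) and parallel connections (item 8) need data beyond a single transcript and are left out.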
