Hi there Frederic,

I think a geoip module exists. I saw that somewhere. Just take a look
for it.

But I think this is a bad idea. You are right about the analysis, but
geoip filtering is not efficient and may lead to FPs.

Take extra care with the rules you are going to build about it. You may
also take a look at: bayes (train your filter) and AWL.

Of course, it all depends on the size of your system.

Best,

Alex, from osmosed.
Bow before me, for I am root.


On 09/12/12 05:16 AM, Frederic De Mees wrote:
> Dear list,
>
> Here is the context.
> The French-speaking countries receive tons of e-mails, mostly fraud
> attempts, fake lotteries, originating from West-Africa and sent by
> Yahoomail users.
> Often those messages contain big attachments. The payload (text of the
> message) is embedded in a 1MB jpeg with fake certificates of a lawyer,
> a logo, or whatever.
>
> Spamassassin misses 100% of them because:
> - the sender IP (Yahoo) is genuine and has a good reputation
> - the analysis of the message text shows nothing bad, as the mill!ions
> of euros are in the picture attachment
> - due to the message size, the analysis is skipped anyway.
>
> If no customer of the mail server in question expects any mail from any
> Yahoo user in Africa, a simple 'header_checks' Postfix directive like
> this will match such messages if their sender IP starts with 41.
> /^Received: from .41\..*web.*mail.*yahoo\.com via HTTP/i
>
> I admit this is rough albeit effective. On one side, not all Africa is
> 41. On the other side, I do not want to block all 41.
>
> I would have loved to do it with SA.
> This means that the line
> "Received: from [ip.add.res.ss].*web.*mail.*yahoo\.com via HTTP"
> should be detected and analysed.
> The ip address should be extracted.
> The whois of the address should be queried.
> The country code of the IP address would return a certain number of SA
> points from a list of "Yahoousers bad countries" I would manage.
>
> Have I dreamed?
>
> Frédéric
> Brussels
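The pipeline Frédéric sketches (match the Yahoo webmail Received line, extract the client IP, map it to a country, award points from an operator-maintained country list) as an added Python illustration. This is not a SpamAssassin plugin and not code from either poster: the Received regex is adapted from the header_checks pattern quoted above, the geo table and the country score weights are constructed stand-ins for a real GeoIP or whois lookup, and the sample headers are made up. It also shows the point both posters make: "starts with 41." is not one country, so a prefix match scores innocent senders while a country lookup can be tuned per country.

```python
import ipaddress
import re

# Adapted from the header_checks regex in the thread: a Yahoo webmail hop
# where the sending client's address appears in square brackets.
RECEIVED_RE = re.compile(
    r"^Received: from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*web.*mail.*yahoo\.com via HTTP",
    re.IGNORECASE,
)

# Constructed stand-in for a GeoIP database. The prefix-to-country
# mapping is illustrative only, not an authoritative allocation.
CONSTRUCTED_GEO_TABLE = {
    "41.200.0.0/13": "CI",
    "41.0.0.0/11": "ZA",
    "192.0.2.0/24": "BE",   # TEST-NET-1, playing the role of a local customer
}

# Hypothetical per-country score weights the operator would maintain.
BAD_COUNTRY_SCORES = {"CI": 3.0, "NG": 3.0}

# Constructed sample headers: one from a scored country, one from a
# different country that also starts with 41., one from an unmapped 41.
# range, and one that is not a Yahoo webmail hop at all.
SAMPLE_HEADERS = [
    "Received: from [41.202.15.7] by web121.mail.ne1.yahoo.com via HTTP; "
    "Wed, 12 Sep 2012 03:15:01 PDT",
    "Received: from [41.10.0.1] by web125.mail.ne1.yahoo.com via HTTP; "
    "Wed, 12 Sep 2012 03:16:44 PDT",
    "Received: from [41.100.0.1] by web130.mail.ne1.yahoo.com via HTTP; "
    "Wed, 12 Sep 2012 03:17:09 PDT",
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) "
    "by mx.example.net with ESMTP; Wed, 12 Sep 2012 03:18:00 +0000",
]


def country_for_ip(ip):
    """Longest-prefix lookup in the constructed table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in CONSTRUCTED_GEO_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def extract_yahoo_client_ip(header):
    """Return the bracketed client IP from a Yahoo webmail Received line."""
    m = RECEIVED_RE.match(header)
    return m.group("ip") if m else None


def score_header(header):
    """(ip, country, points) for one header; (None, None, 0.0) if no match."""
    ip = extract_yahoo_client_ip(header)
    if ip is None:
        return None, None, 0.0
    cc = country_for_ip(ip)
    return ip, cc, BAD_COUNTRY_SCORES.get(cc, 0.0)


def starts_with_41(header):
    """The rough prefix test from the thread, for comparison."""
    ip = extract_yahoo_client_ip(header)
    return ip is not None and ip.startswith("41.")


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(starts_with_41(h), score_header(h))
```

Run stand-alone, the first three headers all pass the prefix test, but only the first one earns points from the country list; the ZA and unmapped senders are the false positives the reply warns about, and the non-Yahoo header is ignored entirely.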
