On 09/12/12 10:16, Frederic De Mees wrote:
Dear list,

Here is the context.
The French-speaking countries receive tons of e-mails, mostly fraud
attempts, fake lotteries, originating from West Africa and sent by
Yahoomail users.
Often those messages contain big attachments. The payload (text of the
message) is embedded in a 1MB jpeg with fake certificates of a lawyer, a
logo, or whatever.

Spamassassin misses 100% of them because:
- the sender IP (Yahoo) is genuine and has a good reputation
- the analysis of the message text shows nothing bad, as the mill!ions
of euros are in the picture attachment
- due to the message size, the analysis is skipped anyway.

If no customer of the mail server in question expects any mail from any
Yahoo user in Africa, a simple 'header_checks' Postfix directive like
this will match such messages if their sender IP starts with 41.
/^Received: from .41\..*web.*mail.*yahoo\.com via HTTP/i

I admit this is rough albeit effective. On one side, not all Africa is
41. On the other side, I do not want to block all 41.

I would have loved to do it with SA.
This means that the line
"Received: from [ip.add.res.ss].*web.*mail.*yahoo\.com via HTTP" should
be detected and analysed.
The ip address should be extracted.
The whois of the address should be queried.
The country code of the IP address would return a certain number of SA
points from a list of "Yahoousers bad countries" I would manage.

Have I dreamed?

Frédéric
Brussels


There are already 2 meta rules related to mail from 41/8 subnets:

__NSL_ORIG_FROM_41
__NSL_RCVD_FROM_41

Write some meta rules combining these with a rule for mail from Yahoo! or look at scoring __FROM_41_FREEMAIL which already combines the above with FREEMAIL_FROM.

That should be enough to get you started.
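As an added illustration (not code from either poster), here is a local.cf fragment that does what the reply suggests: a header rule matching the Yahoo webmail "via HTTP" Received line from the original question, combined in a meta rule with the stock __NSL_RCVD_FROM_41 subrule, plus a scored wrapper around __FROM_41_FREEMAIL. The rule names starting with YWM_ and the score values are assumptions chosen for the example.

```conf
# Added example; YWM_* names and scores are assumptions, not stock rules.
# __NSL_RCVD_FROM_41 and __FROM_41_FREEMAIL are the stock subrules named
# in the reply above.

# Yahoo webmail records the submitting client as
#   "from [a.b.c.d] by webNNNNN.mail.<region>.yahoo.com via HTTP"
# SA applies a 'header ... Received' rule to each Received header on its
# own, so anchoring at ^ is safe here.
header   __YWM_VIA_HTTP  Received =~ /^from \[\d{1,3}(?:\.\d{1,3}){3}\] by web\S*mail\S*yahoo\.com via HTTP/i

# Fire only when that webmail submission also came from 41/8.
# This replaces the ".41\." part of the Postfix header_checks regex with
# the stock subrule, so the match is maintained upstream.
meta     YWM_FROM_41     __YWM_VIA_HTTP && __NSL_RCVD_FROM_41
describe YWM_FROM_41     Yahoo webmail submission from a 41/8 address
score    YWM_FROM_41     3.0

# Subrules beginning with __ are never scored on their own; wrap the
# existing freemail+41/8 combination in a scored meta rule instead.
meta     YWM_FREEMAIL_41 __FROM_41_FREEMAIL
describe YWM_FREEMAIL_41 Freemail sender relayed from 41/8
score    YWM_FREEMAIL_41 1.5
```

These rules only help if the message is actually scanned: the original post notes that the large JPEG attachments currently make SA skip the analysis, so the size limit in the glue (for example the -s option of spamc) must be raised above the typical ~1MB of these messages.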


