Hi all,

I'm trying to create a rule which will check the results of the ASN plugin. 

My longer term goal is to use this and the Sender information together to catch 
suspicious emails that have Google in the Sender's Name but originate from a non 
Google domain (e.g. somegoogledomainijustmadeup.com) and don't originate from a 
Google ASN (and therefore a Google IP range).

As a test I have the following...

ifplugin Mail::SpamAssassin::Plugin::ASN
   header      T_SCS_ASN_EXISTS              exists:X-ASN
   header      T_SCS_ASN_ANYTHING            X-ASN =~ /.*/i
   header      T_SCS_ASN_ANY_AS              X-ASN =~ /AS[0-9]*/i
   header      T_SCS_ASN_AS15169             X-ASN =~ /AS15169/
   header      T_SCS_ASN_AS15169B            X-ASN =~ /^AS15169 /
endif

On a test message which I sent myself on Friday from my Google account and 
which I am now currently piping into SpamAssassin at the command line, the 
rules T_SCS_ASN_EXISTS and T_SCS_ASN_ANYTHING trigger but T_SCS_ASN_ANY_AS, 
T_SCS_ASN_AS15169 and T_SCS_ASN_AS15169B do not.

I've dabbled with rule priorities but it didn't appear to make any difference.
In any case the message itself has no ASN header in it so the fact the 
T_SCS_ASN_EXISTS triggers suggests to me my rules are being run after the ASN 
plugin completes its work (?)

I initially had problems even getting SpamAssassin to find the ASN header but 
http://www.gossamer-threads.com/lists/spamassassin/users/178388 pointed out 
"The metadata pseudo-headers are available to rules with an X- prefix." and 
goes on to give an example ...

header ASnnnn X-ASN =~ /^ASnnnn / 

... which doesn't trigger on my system.

Here's the relevant output from scanning my test message...

# spamassassin -D < ~/test-asn.txt | & /usr/bin/grep -i ASN
Nov 23 11:54:04.401 [74846] dbg: config: read file 
/usr/local/etc/mail/spamassassin/Spectrum-ASN.cf
Nov 23 11:54:04.670 [74846] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::ASN from @INC
Nov 23 11:54:04.890 [74846] dbg: config: fixed relative path: 
/var/db/spamassassin/3.004001/updates_spamassassin_org/25_asn.cf
Nov 23 11:54:04.890 [74846] dbg: config: using 
"/var/db/spamassassin/3.004001/updates_spamassassin_org/25_asn.cf" for included 
file
Nov 23 11:54:04.891 [74846] dbg: config: read file 
/var/db/spamassassin/3.004001/updates_spamassassin_org/25_asn.cf
Nov 23 11:54:05.457 [74846] dbg: plugin: did not register 
Mail::SpamAssassin::Plugin::ASN, already registered
Nov 23 11:54:12.332 [74846] dbg: plugin: 
Mail::SpamAssassin::Plugin::ASN=HASH(0x80a83d798) implements 'parsed_metadata', 
priority 0
Nov 23 11:54:12.337 [74846] dbg: asn: using first external relay IP for 
lookups: 74.125.82.50
Nov 23 11:54:12.337 [74846] dbg: async: launching 
TXT/50.82.125.74.asn.routeviews.org for asnlookup-0-asn.routeviews.org
Nov 23 11:54:12.345 [74846] dbg: dns: providing a callback for id: 
23747/IN/TXT/50.82.125.74.asn.routeviews.org
Nov 23 11:54:12.345 [74846] dbg: async: starting: TXT, 
asnlookup-0-asn.routeviews.org (timeout 15.0s, min 3.0s)
Nov 23 11:54:12.345 [74846] dbg: asn: launched DNS TXT query for 
50.82.125.74.asn.routeviews.org in background
Nov 23 11:54:12.345 [74846] dbg: async: query 
23747/IN/TXT/50.82.125.74.asn.routeviews.org already underway, adding no.2 
asnlookup-1-asn.routeviews.org
Nov 23 11:54:12.345 [74846] dbg: asn: launched DNS TXT query for 
50.82.125.74.asn.routeviews.org in background
Nov 23 11:54:12.345 [74846] dbg: async: launching 
TXT/50.82.125.74.ip2asn.sasm4.net for asnlookup-2-ip2asn.sasm4.net
Nov 23 11:54:12.346 [74846] dbg: dns: providing a callback for id: 
18937/IN/TXT/50.82.125.74.ip2asn.sasm4.net
Nov 23 11:54:12.346 [74846] dbg: async: starting: TXT, 
asnlookup-2-ip2asn.sasm4.net (timeout 15.0s, min 3.0s)
Nov 23 11:54:12.346 [74846] dbg: asn: launched DNS TXT query for 
50.82.125.74.ip2asn.sasm4.net in background
Nov 23 11:54:12.346 [74846] dbg: async: launching 
TXT/50.82.125.74.origin.asn.spameatingmonkey.net for 
asnlookup-3-origin.asn.spameatingmonkey.net
Nov 23 11:54:12.347 [74846] dbg: dns: providing a callback for id: 
21798/IN/TXT/50.82.125.74.origin.asn.spameatingmonkey.net
Nov 23 11:54:12.347 [74846] dbg: async: starting: TXT, 
asnlookup-3-origin.asn.spameatingmonkey.net (timeout 15.0s, min 3.0s)
Nov 23 11:54:12.347 [74846] dbg: asn: launched DNS TXT query for 
50.82.125.74.origin.asn.spameatingmonkey.net in background
Nov 23 11:54:12.379 [74846] dbg: async: calling callback on key 
asnlookup-0-asn.routeviews.org
Nov 23 11:54:12.379 [74846] dbg: asn: asn.routeviews.org: lookup result packet: 
50.82.125.74.asn.routeviews.org. 83431 IN TXT 15169 74.125.0.0 16
Nov 23 11:54:12.379 [74846] dbg: asn: ASNCIDR added route 74.125.0.0/16
Nov 23 11:54:12.379 [74846] dbg: asn: ASN added asn 15169
Nov 23 11:54:12.379 [74846] dbg: check: tagrun - tag ASN is now ready, value: 
AS15169
Nov 23 11:54:12.379 [74846] dbg: check: tagrun - tag ASNCIDR is now ready, 
value: 74.125.0.0/16
Nov 23 11:54:12.379 [74846] dbg: async: calling callback on key 
asnlookup-0-asn.routeviews.org
Nov 23 11:54:12.380 [74846] dbg: asn: asn.routeviews.org: lookup result packet: 
50.82.125.74.asn.routeviews.org. 83431 IN TXT 15169 74.125.0.0 16
Nov 23 11:54:12.380 [74846] dbg: asn: ASNCIDRROUTEVIEWS added route 
74.125.0.0/16
Nov 23 11:54:12.380 [74846] dbg: asn: ASNROUTEVIEWS added asn 15169
Nov 23 11:54:12.380 [74846] dbg: check: tagrun - tag ASNROUTEVIEWS is now 
ready, value: AS15169
Nov 23 11:54:12.380 [74846] dbg: check: tagrun - tag ASNCIDRROUTEVIEWS is now 
ready, value: 74.125.0.0/16
Nov 23 11:54:12.381 [74846] dbg: async: calling callback on key 
asnlookup-2-ip2asn.sasm4.net
Nov 23 11:54:12.381 [74846] dbg: asn: ip2asn.sasm4.net: lookup result packet: 
50.82.125.74.ip2asn.sasm4.net. 631 IN TXT AS15169
Nov 23 11:54:12.381 [74846] dbg: asn: ASNSASM4 added asn 15169
Nov 23 11:54:12.381 [74846] dbg: check: tagrun - tag ASNSASM4 is now ready, 
value: AS15169
Nov 23 11:54:12.383 [74846] dbg: async: calling callback on key 
asnlookup-3-origin.asn.spameatingmonkey.net
Nov 23 11:54:12.383 [74846] dbg: asn: origin.asn.spameatingmonkey.net: lookup 
result packet: 50.82.125.74.origin.asn.spameatingmonkey.net. 221 IN TXT (
Nov 23 11:54:12.383 [74846] dbg: asn: [...] "74.125.0.0/16 | AS15169 | Google 
Inc. | 2000-03-30 | US" )
Nov 23 11:54:12.383 [74846] dbg: asn: ASNCIDRSEM added route 74.125.0.0/16
Nov 23 11:54:12.383 [74846] dbg: asn: ASNSEM added asn 15169
Nov 23 11:54:12.383 [74846] dbg: check: tagrun - tag ASNSEM is now ready, 
value: AS15169
Nov 23 11:54:12.383 [74846] dbg: check: tagrun - tag ASNCIDRSEM is now ready, 
value: 74.125.0.0/16
Nov 23 11:54:12.397 [74846] dbg: async: completed in 0.034 s: TXT, 
asnlookup-3-origin.asn.spameatingmonkey.net
Nov 23 11:54:12.398 [74846] dbg: async: completed in 0.027 s: TXT, 
asnlookup-0-asn.routeviews.org
Nov 23 11:54:12.398 [74846] dbg: async: completed in 0.034 s: TXT, 
asnlookup-2-ip2asn.sasm4.net
Nov 23 11:54:13.574 [74846] dbg: rules: ran header rule T_SCS_ASN_EXISTS 
======> got hit: "<YES>"
Nov 23 11:54:13.574 [74846] dbg: rules: ran header rule T_SCS_ASN_ANYTHING 
======> got hit: "15169"
Nov 23 11:54:14.396 [74846] dbg: async: timing: 0.027 . 
asnlookup-0-asn.routeviews.org
Nov 23 11:54:14.397 [74846] dbg: async: timing: 0.034 . 
asnlookup-2-ip2asn.sasm4.net
Nov 23 11:54:14.397 [74846] dbg: async: timing: 0.034 . 
asnlookup-3-origin.asn.spameatingmonkey.net
Nov 23 11:54:14.571 [74846] dbg: check: 
tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,FREEMAIL_FROM,HTML_MESSAGE,NML_ADSP_CUSTOM_MED,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,TXREP,T_DKIM_INVALID,T_SCS_ASN_ANYTHING,T_SCS_ASN_EXISTS
X-Spam-ASN: AS15169 74.125.0.0/16
        T_SCS_ASN_ANYTHING,T_SCS_ASN_EXISTS shortcircuit=no autolearn=no
X-Spam-ASN_RV: AS15169 74.125.0.0/16
X-Spam-ASN_SASM4: AS15169
X-Spam-ASN_SEM: AS15169 74.125.0.0/16
        
SPF_PASS=-0.001,TXREP=-1.021,T_DKIM_INVALID=0.01,T_SCS_ASN_ANYTHING=0.01, 
T_SCS_ASN_EXISTS=0.01

Any advice gratefully received!

Steve
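
Added example, not part of the original post: a Python check that reads lines copied from the debug output above and replays the post's regex rules (as Python equivalents of the Perl patterns) against the text the catch-all rule reported and against the X-Spam-ASN header value. It assumes the reported hit is the whole string the X-ASN rules were matched against.

```python
import re

# Lines copied from the debug output in the post (re-joined where the mail wrapped them).
DEBUG_LOG = """\
Nov 23 11:54:12.379 [74846] dbg: check: tagrun - tag ASN is now ready, value: AS15169
Nov 23 11:54:13.574 [74846] dbg: rules: ran header rule T_SCS_ASN_EXISTS ======> got hit: "<YES>"
Nov 23 11:54:13.574 [74846] dbg: rules: ran header rule T_SCS_ASN_ANYTHING ======> got hit: "15169"
X-Spam-ASN: AS15169 74.125.0.0/16
"""

# The regex rules from the post, rewritten as Python patterns (exists: rule omitted).
RULES = {
    "T_SCS_ASN_ANYTHING": re.compile(r".*", re.I),
    "T_SCS_ASN_ANY_AS": re.compile(r"AS[0-9]*", re.I),
    "T_SCS_ASN_AS15169": re.compile(r"AS15169"),
    "T_SCS_ASN_AS15169B": re.compile(r"^AS15169 "),
}


def extract_values(log):
    """Return (ASN tag value, text matched by the catch-all rule, X-Spam-ASN value)."""
    tag = re.search(r"tag ASN is now ready, value: (\S+)", log)
    hit = re.search(r'T_SCS_ASN_ANYTHING ======> got hit: "([^"]*)"', log)
    hdr = re.search(r"^X-Spam-ASN: (.+)$", log, re.M)
    return tag.group(1), hit.group(1), hdr.group(1)


def rules_hit(value):
    """Names of the rules whose pattern matches the given string."""
    return sorted(name for name, rx in RULES.items() if rx.search(value))


if __name__ == "__main__":
    tag, seen, header = extract_values(DEBUG_LOG)
    print("tag ASN:", tag, "| matched by /.*/:", seen, "| X-Spam-ASN:", header)
    print("against", repr(seen), "->", rules_hit(seen))
    print("against", repr(header), "->", rules_hit(header))
```

Only the catch-all pattern matches the unprefixed `15169`, which is the same set of hits the debug output reports; the three `AS`-prefixed patterns match only the prefixed form that appears in the tag and in `X-Spam-ASN`.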

