Mailing List Archive

X-Spam-Relays-External
Hi List,

I see the useful X-Spam-Relays-External pseudo header but what I'd
really like to be able to specifically check is the Last External header
as DNSBL rules are able to do with -lastexternal.

Is there a X-Spam-Relays-Last-External option that I'm missing, and if
not would it be possible to implement such a feature or perhaps someone
can suggest a workaround method?

For example, I'd like to be able to do something like this against only
the last external Received header:

header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i

Thanks
Re: X-Spam-Relays-External
On 2011-06-29 12:02, Ned Slider wrote:
> Hi List,
>
> I see the useful X-Spam-Relays-External pseudo header but what I'd
> really like to be able to specifically check is the Last External header
> as DNSBL rules are able to do with -lastexternal.
>
> Is there a X-Spam-Relays-Last-External option that I'm missing, and if
> not would it be possible to implement such a feature or perhaps someone
> can suggest a workaround method?
>
> For example, I'd like to be able to do something like this against only
> the last external Received header:
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt

"TEMPLATE TAGS"

_LASTEXTERNALIP_    IP address of client in the external-to-internal
                    SMTP handover
_LASTEXTERNALRDNS_  reverse-DNS of client in the external-to-internal
                    SMTP handover
_LASTEXTERNALHELO_  HELO string used by client in the external-to-internal
                    SMTP handover

Is that what you're looking for?
Re: X-Spam-Relays-External
On Wed, 29 Jun 2011 11:02:13 +0100, Ned Slider wrote:

> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~
> /someisp\.com/i

bad rule, hostnames can have more than one ip, would you trust every ip
now ?

better would be to extend ASN plugin to have whitelist specific ASN or
blacklist
Re: X-Spam-Relays-External
On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
> Hi List,
>
> I see the useful X-Spam-Relays-External pseudo header but what I'd
> really like to be able to specifically check is the Last External
> header as DNSBL rules are able to do with -lastexternal.
>
> Is there a X-Spam-Relays-Last-External option that I'm missing, and
> if not would it be possible to implement such a feature or perhaps
> someone can suggest a workaround method?
>
> For example, I'd like to be able to do something like this against
> only the last external Received header:
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> Thanks

Example from 20_dynrdns.cf

# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
...
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
Re: X-Spam-Relays-External
On 29/06/11 11:12, Axb wrote:
> On 2011-06-29 12:02, Ned Slider wrote:
>> Hi List,
>>
>> I see the useful X-Spam-Relays-External pseudo header but what I'd
>> really like to be able to specifically check is the Last External header
>> as DNSBL rules are able to do with -lastexternal.
>>
>> Is there a X-Spam-Relays-Last-External option that I'm missing, and if
>> not would it be possible to implement such a feature or perhaps someone
>> can suggest a workaround method?
>>
>> For example, I'd like to be able to do something like this against only
>> the last external Received header:
>>
>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.txt
>
> "TEMPLATE TAGS"
>
> _LASTEXTERNALIP_    IP address of client in the external-to-internal
>                     SMTP handover
> _LASTEXTERNALRDNS_  reverse-DNS of client in the external-to-internal
>                     SMTP handover
> _LASTEXTERNALHELO_  HELO string used by client in the external-to-internal
>                     SMTP handover
>
> Is that what you're looking for?
>

Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
rDNS that matches the string I was trying to match.

Where might I find examples of TEMPLATE TAGS usage? It's unclear to me
how to use these options so some examples of their usage would be useful.

Many thanks
Re: X-Spam-Relays-External
On 29/06/11 11:24, Benny Pedersen wrote:
> On Wed, 29 Jun 2011 11:02:13 +0100, Ned Slider wrote:
>
>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>
> bad rule, hostnames can have more than one ip, would you trust every ip
> now ?
>

Who said anything about trusting the IP ?

I simply want to verify that the email was relayed to me from a
particular ISP as part of a meta rule. The very fact that the
hostname(s) do have many IPs is the reason for matching that rather than
trying to match multiple subnet ranges.

> better would be to extend ASN plugin to have whitelist specific ASN or
> blacklist
>
Re: X-Spam-Relays-External
On Wed, 29 Jun 2011 12:05:58 +0100, Ned Slider wrote:

> Who said anything about trusting the IP ?
>
> I simply want to verify that the email was relayed to me from a
> particular ISP as part of a meta rule. The very fact that the
> hostname(s) do have many IPs is the reason for matching that rather
> than trying to match multiple subnet ranges.

okay does ASN plugin not fit there ?

would your rule catch forged reverse dns ?
Re: X-Spam-Relays-External
On Wed, 29 Jun 2011 12:01:54 +0100
Ned Slider wrote:


>
> Yes, _LASTEXTERNALRDNS_ would certainly work as the connecting IP has
> rDNS that matches the string I was trying to match.
>
> Where might I find examples of TEMPLATE TAGS usage? It's unclear to
> me how to use these options so some examples of their usage would be
> useful.

There won't be any because all rules of this sort use the method given
by Henrik.
Re: X-Spam-Relays-External
On Wed, Jun 29, 2011 at 01:28:48PM +0300, Henrik K wrote:
> On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
> > Hi List,
> >
> > I see the useful X-Spam-Relays-External pseudo header but what I'd
> > really like to be able to specifically check is the Last External
> > header as DNSBL rules are able to do with -lastexternal.
> >
> > Is there a X-Spam-Relays-Last-External option that I'm missing, and
> > if not would it be possible to implement such a feature or perhaps
> > someone can suggest a workaround method?
> >
> > For example, I'd like to be able to do something like this against
> > only the last external Received header:
> >
> > header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
> >
> > Thanks
>
> Example from 20_dynrdns.cf
>
> # Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
> # connecting to a internal relay; if a mail came from a dynamic addr but
> # was relayed through their smarthost, that's fine.
> ...
> header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /

To prevent further questions..

header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /

As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...

Thus the stanza will not look further than first ].
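
The anchored rule above compared with the unanchored pattern from the original question, as an added example that is not part of the thread. It is written in Python rather than as a SpamAssassin rule so it can be run directly; the relay block layout, the `relay` and `classify` helpers, and every address and hostname are constructed for illustration.

```python
import re

# The rule posted above: anchored at the start and unable to cross the
# first ']', so only the first (last external) relay block is examined.
ANCHORED = re.compile(r"^[^\]]+ rdns=[^ ]+\.someisp\.com ")
# The unanchored pattern from the original question, for comparison.
NAIVE = re.compile(r"someisp\.com", re.I)

def relay(ip, rdns, helo, by="mx.example.org"):
    """Build one relay block in key=value form (constructed values)."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} "
            "ident= envfrom= intl=0 id= auth= msa=0 ]")

def classify(header):
    """Return (anchored_hit, naive_hit) for one X-Spam-Relays-External value."""
    return bool(ANCHORED.search(header)), bool(NAIVE.search(header))

# Constructed samples; the first block is the external-to-internal handover.
SAMPLES = {
    "direct from ISP": relay("192.0.2.10", "mail.someisp.com", "mail.someisp.com"),
    "ISP only in an earlier hop": " ".join([
        relay("198.51.100.7", "host7.example.net", "host7.example.net"),
        relay("192.0.2.10", "mail.someisp.com", "mail.someisp.com",
              by="host7.example.net"),
    ]),
    "ISP name only in HELO": relay("198.51.100.7", "host7.example.net",
                                   "mail.someisp.com"),
    "lookalike suffix": relay("198.51.100.7", "mail.someisp.com.example.net",
                              "x.example.net"),
    "lookalike prefix": relay("198.51.100.7", "mail.notsomeisp.com",
                              "x.example.net"),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        anchored_hit, naive_hit = classify(header)
        print(f"{name:28} anchored={anchored_hit} naive={naive_hit}")
```

Only the first sample satisfies the anchored rule; the unanchored pattern fires on all five, including the cases where the ISP name appears only in an earlier hop, in the HELO string, or inside a lookalike hostname.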
Re: X-Spam-Relays-External
On 29/06/11 12:50, Henrik K wrote:
> On Wed, Jun 29, 2011 at 01:28:48PM +0300, Henrik K wrote:
>> On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote:
>>> Hi List,
>>>
>>> I see the useful X-Spam-Relays-External pseudo header but what I'd
>>> really like to be able to specifically check is the Last External
>>> header as DNSBL rules are able to do with -lastexternal.
>>>
>>> Is there a X-Spam-Relays-Last-External option that I'm missing, and
>>> if not would it be possible to implement such a feature or perhaps
>>> someone can suggest a workaround method?
>>>
>>> For example, I'd like to be able to do something like this against
>>> only the last external Received header:
>>>
>>> header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i
>>>
>>> Thanks
>>
>> Example from 20_dynrdns.cf
>>
>> # Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
>> # connecting to a internal relay; if a mail came from a dynamic addr but
>> # was relayed through their smarthost, that's fine.
>> ...
>> header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
>
> To prevent further questions..
>
> header __RCVD_FROM_SOMEISP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.someisp\.com /
>
> As you see, all the relays are enclosed in [ ..relay1.. ] [ ..relay2.. ] ...
>
> Thus the stanza will not look further than first ].
>
>

Brilliant - thank you very much. Works perfectly.