Pantek Library

A compound bounce/(spf/dk/dkim) rule I'd like to see.

From: Dan Mahoney, System Admin <danm(at)prime.gushi.org>
Date: Wed Oct 10 2007 - 15:06:25 EDT


In pseudocode...

IF (message is a recognizable bounce || message is from <>)...

AND (we can guess the domain being sent to (can't trust the "to" header, but maybe the X-Envelope-To or some MTA token?))

AND the domain being sent TO supports SPF and/or DKIM...(i.e. implying a misdirected bounce)

Score a compound rule hit.

My logic here is that I would eventually like to compile an rfc-ignorant list of the senders of such bounces, and aid them in not SENDING such bounce messages, or at the very least, set up a ruleset in the future to block bounces from them, based on a low signal/noise ratio.

I am not trying at all to claim that this should be something SCORABLE, immediately: I don't think SA's detection of legitimate bounce messages versus illegitimate bounce messages is good enough (please feel free to tell me differently).

-Dan Mahoney


--

"GO HOME AND COOK!!!" Donielle Cocossa, Taco Bell, 2:30 AM

--------Dan Mahoney--------

Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org


Received on Wed Oct 10 15:08:49 2007
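
The compound check proposed in the message above, sketched in Python as an added example; it is not code from the original post or from SpamAssassin. Assumptions: all function names are hypothetical, X-Envelope-To is a header added by the receiving MTA, DNS is replaced by a constructed TXT table, and "supports DK" is read from a DomainKeys policy record at `_domainkey.<domain>` (DKIM keys need a selector, so they are not probed).

```python
import email
from email.utils import parseaddr

# Constructed TXT records standing in for DNS; production code would query a resolver.
CONSTRUCTED_TXT = {
    "example.org": ["v=spf1 mx -all"],
    "_domainkey.example.org": ["o=-; r=postmaster@example.org"],
    "nopolicy.example": ["some-unrelated-token=abc123"],
}

def constructed_lookup(name):
    return CONSTRUCTED_TXT.get(name.lower(), [])

def is_bounce(msg):
    """Null envelope sender, RFC 3464 delivery report, or a mailer-daemon From."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    return parseaddr(msg.get("From", ""))[1].lower().startswith("mailer-daemon@")

def envelope_domain(msg):
    """Recipient domain from the MTA-added X-Envelope-To, never from To:."""
    addr = parseaddr(msg.get("X-Envelope-To", ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def published_auth(domain, txt_lookup):
    """Sender-authentication policies the domain advertises in DNS."""
    found = []
    if any(r.lower().split(" ")[0] == "v=spf1" for r in txt_lookup(domain)):
        found.append("spf")
    dk = txt_lookup("_domainkey." + domain)  # DomainKeys policy record
    if any(t.strip().lower().startswith("o=") for r in dk for t in r.split(";")):
        found.append("dk-policy")
    return found

def compound_hit(raw, txt_lookup=constructed_lookup):
    """Return details for the compound rule, or None when any condition fails."""
    msg = email.message_from_string(raw)
    domain = envelope_domain(msg) if is_bounce(msg) else None
    auth = published_auth(domain, txt_lookup) if domain else []
    if not auth:
        return None
    return {"domain": domain, "auth": auth,
            "bounce_from": parseaddr(msg.get("From", ""))[1].lower()}

SAMPLE_BOUNCE = (  # constructed message
    "Return-Path: <>\nX-Envelope-To: alice@example.org\n"
    "From: MAILER-DAEMON@mx.remote.example\n"
    "Subject: Undelivered Mail Returned to Sender\n\nDelivery failed.\n")
```

The `bounce_from` value in a hit is what would feed the list of bounce senders the message describes.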

This archive was generated by hypermail 2.1.8 : Fri Jul 04 2008 - 12:18:51 EDT

