Re: IP country plugin - can we look for two countries?

From: McDonald, Dan <Dan.McDonald(at)austinenergy.com>
Date: Mon Jun 30 2008 - 18:17:35 EDT

On Mon, 2008-06-30 at 22:04 +0200, mouss wrote:
> McDonald, Dan wrote:
> > On Sat, 2008-06-28 at 01:40 +0200, mouss wrote:
> >
> >> mouss wrote:
> >>
> >>>> Is there some way to grab the metadata from IPCountry to count the
> >>>> number of countries that were involved in sending a mail, and set a
> >>>> score based on that?
> >>>>
> >>> you mean catching the "Junkman traveller"?
> >>>
> >>> you can try
> >>>
> >>> header THREE_COUNTRIES X-Relay-Countries =~ /\s[a-z]{2}\s/
> >>> score THREE_COUNTRIES 0.01
> >>>
> >>> header FOUR_COUNTRIES X-Relay-Countries =~ /\s[a-z]{2}\s[a-z]{2}\s/
> >>> score FOUR_COUNTRIES 0.01
> >>>
> >>>
> >> argh. This is wrong as it will hit things like "US US FR FR"...
> >>
> >>> and so on...
> >>>
> >
> > Correct. And Spamassassin rules developers generally frown on using
> > back-tracking, as it slows down the whole ruleset even if only used for
> > one rule....

> it would be good to have two other meta-headers (in addition to
> X-Relay-Countries):
> X-Relay-Country-Count: the total number of different countries
> X-Relay-Country-Cross: the numbre of country "switches"
>
> so "FR US FR US" would yield 2 countries but 3 switches, which should be
> less "normal" than "FR FR US US".

Ok, how about this very messy patch to RelayCountry.pm?

• /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Plugin/RelayCountry.pm 2008-01-05 15:10:50.000000000 -0600 +++ RelayCountry.pm 2008-06-30 17:11:35.000000000 -0500 @@ -76,15 +76,30 @@ my $msg = $opts->{msg};

   my $countries = '';
+  my $crosscountries=0;
+  my $lcc = '';

+ my %countriesvisited;

   foreach my $relay (@{$msg->{metadata}->{relays_untrusted}}) {
     my $ip = $relay->{ip};
     my $cc = $reg->inet_atocc($ip) || "XX";
+    $crosscountries +=1 if (($lcc ne '') and ($lcc ne $cc) and ($cc ne 'XX'));
+    $countriesvisited{$cc}++ if $cc ne 'XX';
     $countries .= $cc." ";

+ $lcc = $cc if $cc ne "XX";

   }
-
+ my @visited = keys %countriesvisited; + my $visits = $#visited;

   chop $countries;
   $msg->put_metadata("X-Relay-Countries", $countries);    dbg("metadata: X-Relay-Countries: $countries");

+  if ($visits++ > -1) {
+         $msg->put_metadata("X-Relay-Country-Count", $visits);
+         dbg("metadata: X-Relay-Country-Count: $visits");
+  }
+  if ($crosscountries >0) {
+         $msg->put_metadata("X-Relay-Country-Cross", $crosscountries);
+         dbg("metadata: X-Relay-Country-Cross: $crosscountries");
+  }
 

   return 1;
 }

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


application/pgp-signature attachment: This is a digitally signed message part

Received on Mon Jun 30 18:18:24 2008