
Re: IP country plugin - can we look for two countries?

From: McDonald, Dan <Dan.McDonald(at)austinenergy.com>
Date: Tue Jul 01 2008 - 10:19:12 EDT


On Mon, 2008-06-30 at 17:17 -0500, McDonald, Dan wrote:
> On Mon, 2008-06-30 at 22:04 +0200, mouss wrote:
> > McDonald, Dan wrote:
> > > On Sat, 2008-06-28 at 01:40 +0200, mouss wrote:
> > >
> > >> mouss wrote:
> > >>
> > >>>> Is there some way to grab the metadata from IPCountry to count the
> > >>>> number of countries that were involved in sending a mail, and set a
> > >>>> score based on that?
> > >>>>
> > >>> you mean catching the "Junkman traveller"?
> > >>>

Ok, been fiddling with this. Here is my current rule:

header		__IS_LIST	exists:List-Id
describe	__IS_LIST	Is this a mailing list?

header		__MULTI_COUNTRY	exists:X-Relay-Country-Count
describe	__MULTI_COUNTRY	Has this message passed through two or more countries?

header		__LAST_RELAY_US	X-Relay-Countries =~ /US\b$/
describe	__LAST_RELAY_US	Came from our home country

meta		AE_RELAY_MANY	!__IS_LIST && __MULTI_COUNTRY && !__LAST_RELAY_US
describe	AE_RELAY_MANY	passed through 2 foreign countries and is not a mailing list
score		AE_RELAY_MANY	0.25

I also changed RelayCountry.pm to only insert the X-Relay-Country-Count header if there were two or more countries involved, mainly to allow a simple exists query rather than a regex...
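To make the rule logic above concrete, here is an added example (not from the thread, and not SpamAssassin's own evaluator) that emulates, in Python, what the modified RelayCountry.pm and the meta rule AE_RELAY_MANY do against constructed header sets. It assumes the count that gates X-Relay-Country-Count is the number of distinct country codes in X-Relay-Countries; the header names are the ones used in the mail.

```python
import re

# X-Relay-Countries is the pseudo-header the RelayCountry plugin adds,
# e.g. "GB NG" (one code per untrusted relay, as SpamAssassin orders them).
# Assumption: the modified plugin counts *distinct* codes, so "US US" is
# one country and does not get the X-Relay-Country-Count header.

def country_count(relay_countries):
    """Number of distinct country codes in an X-Relay-Countries value."""
    return len(set(relay_countries.split()))


def add_count_header(headers):
    """Emulate the modified RelayCountry.pm: add X-Relay-Country-Count only
    when two or more countries are involved, so the rule can use a plain
    'exists:' test instead of a regex."""
    out = dict(headers)
    n = country_count(out.get("X-Relay-Countries", ""))
    if n >= 2:
        out["X-Relay-Country-Count"] = str(n)
    return out


# Same pattern as the __LAST_RELAY_US rule: final code in the list is US.
LAST_RELAY_US = re.compile(r"US\b$")


def ae_relay_many(headers):
    """Evaluate the meta rule exactly as written in the mail:
    !__IS_LIST && __MULTI_COUNTRY && !__LAST_RELAY_US"""
    h = add_count_header(headers)
    is_list = "List-Id" in h                       # header __IS_LIST exists:List-Id
    multi_country = "X-Relay-Country-Count" in h   # header __MULTI_COUNTRY exists:
    last_relay_us = bool(LAST_RELAY_US.search(h.get("X-Relay-Countries", "")))
    return (not is_list) and multi_country and (not last_relay_us)


# Constructed test messages (not real mail), one per branch of the meta rule.
SAMPLES = {
    "two foreign countries":        {"X-Relay-Countries": "GB NG"},
    "same country twice":           {"X-Relay-Countries": "US US"},
    "foreign then home country":    {"X-Relay-Countries": "NG US"},
    "mailing list, two countries":  {"X-Relay-Countries": "GB NG",
                                     "List-Id": "<users.list.example.com>"},
    "single hop, no relay header":  {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:30s} AE_RELAY_MANY={ae_relay_many(hdrs)}")
```

Only "two foreign countries" fires; the other cases show each sub-rule vetoing the hit.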

But I was very encouraged by my first two hits:

Jul 1 08:05:03 ca amavis[1869]: (01869-04) SPAM, <mrsserena_wong15@yahoo.co.uk> -> <luser@example.com>, Yes, score=22.549 tag=-99 tag2=4.5 kill=6.31 tests=[ADVANCE_FEE_2=2.049, ADVANCE_FEE_3=1.435, ADVANCE_FEE_4=1.502, AE_RELAY_MANY=0.1, DATE_IN_FUTURE_06_12=3.099, DEAR_SOMETHING=2.234, FORGED_MUA_OUTLOOK=4.199, FREEMAIL_FROM=0.5, FREEMAIL_REPLYTO=2, L_P0F_Linux=-0.1, MSOE_MID_WRONG_CASE=0.699, RELAY_NG=2, SARE_FRAUD_X3=1.667, US_DOLLARS_3=1.165], autolearn=disabled

Jul 1 08:13:55 ca amavis[1852]: (01852-07) SPAM, <121212@live.com> -> <luser@example.com>, Yes, score=24.912 tag=-99 tag2=4.5 kill=6.31 tests=[ADVANCE_FEE_2=2.049, ADVANCE_FEE_3=1.435, ADVANCE_FEE_4=1.502, AE_RELAY_MANY=0.1, DEAR_SOMETHING=2.234, FORGED_MUA_OUTLOOK=4.199, FREEMAIL_FROM=0.5, FREEMAIL_REPLYTO=2, L_P0F_Linux=-0.1, MSOE_MID_WRONG_CASE=0.699, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RELAY_CN=3, SARE_FRAUD_X3=1.667, SPF_SOFTFAIL=0.654, SUBJ_ALL_CAPS=1.806, URG_BIZ=0.667], autolearn=disabled
-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Received on Tue Jul 1 10:19:55 2008

This archive was generated by hypermail 2.1.8 : Tue Sep 02 2008 - 18:11:29 EDT

