Recipient Limitation(s)
Steve Freegard
steve.freegard at fsl.com
Sat Jul 25 16:56:37 IST 2009
Mark Sapiro wrote:
> On Fri, Jul 24, 2009 at 04:56:13PM -0300, Eduardo Casarero wrote:
>> 2009/7/22 Gottschalk, David <dgottsc at emory.edu>
>>
>>> Is it possible to setup MailScanner to block/quarantine messages over a
>>> certain number of recipients? I want to do this because we have a lot of
>>> accounts being compromised and sending out emails to a large number of
>>> recipients. I think this would be a good proactive measure.
>>>
>>> I've looked into spamassassin doing this, but cannot find anything that
>>> would give me the ability to do this.
>>>
>>> Any tips would be appreciated, I've searched all around and haven't found
>>> anything.
>>
>> Some time ago I wrote this rule for SpamAssassin. I didn't test it a lot, so
>> test it with caution. It was for someone with the same problem as you.
>>
>> The logic of the rule is that if the email has more than 10 recipients, at
>> least 1 rule will hit; with the combinations it is probable that more than one
>> hits. You can also generate a new meta rule to have only 1 hit with an OR.
>>
>> header __TEST_TO_1 To =~ /(.*?(@).*?){1,}/i
>> header __TEST_TO_2 To =~ /(.*?(@).*?){2,}/i
>> header __TEST_TO_3 To =~ /(.*?(@).*?){3,}/i
>> header __TEST_TO_4 To =~ /(.*?(@).*?){4,}/i
>> header __TEST_TO_5 To =~ /(.*?(@).*?){5,}/i
>> header __TEST_TO_6 To =~ /(.*?(@).*?){6,}/i
>> header __TEST_TO_7 To =~ /(.*?(@).*?){7,}/i
>> header __TEST_TO_8 To =~ /(.*?(@).*?){8,}/i
>> header __TEST_TO_9 To =~ /(.*?(@).*?){9,}/i
>> header __TEST_TO_10 To =~ /(.*?(@).*?){10,}/i
>>
>> header __TEST_CC_1 Cc =~ /(.*?(@).*?){1,}/i
>> header __TEST_CC_2 Cc =~ /(.*?(@).*?){2,}/i
>> header __TEST_CC_3 Cc =~ /(.*?(@).*?){3,}/i
>> header __TEST_CC_4 Cc =~ /(.*?(@).*?){4,}/i
>> header __TEST_CC_5 Cc =~ /(.*?(@).*?){5,}/i
>> header __TEST_CC_6 Cc =~ /(.*?(@).*?){6,}/i
>> header __TEST_CC_7 Cc =~ /(.*?(@).*?){7,}/i
>> header __TEST_CC_8 Cc =~ /(.*?(@).*?){8,}/i
>> header __TEST_CC_9 Cc =~ /(.*?(@).*?){9,}/i
>> header __TEST_CC_10 Cc =~ /(.*?(@).*?){10,}/i
>>
>> #just for testing purposes
>> #meta TEST_TO_1_CC_1 (__TEST_TO_1 && __TEST_CC_1)
>> #
>>
>> meta TEST_TO_1_CC_9 (__TEST_TO_1 && __TEST_CC_9)
>> meta TEST_TO_2_CC_8 (__TEST_TO_2 && __TEST_CC_8)
>> meta TEST_TO_3_CC_7 (__TEST_TO_3 && __TEST_CC_7)
>> meta TEST_TO_4_CC_6 (__TEST_TO_4 && __TEST_CC_6)
>> meta TEST_TO_5_CC_5 (__TEST_TO_5 && __TEST_CC_5)
>> meta TEST_TO_6_CC_4 (__TEST_TO_6 && __TEST_CC_4)
>> meta TEST_TO_7_CC_3 (__TEST_TO_7 && __TEST_CC_3)
>> meta TEST_TO_8_CC_2 (__TEST_TO_8 && __TEST_CC_2)
>> meta TEST_TO_9_CC_1 (__TEST_TO_9 && __TEST_CC_1)
>> meta TEST_TO_10_CC_0 (__TEST_TO_10)
>> meta TEST_TO_10_CC_0 (__TEST_CC_10)
>
>
> I think the above line has a typo. It should be
>
> meta TEST_TO_0_CC_10 (__TEST_CC_10)
>
>
>> score TEST_TO_1_CC_1 0.01
>> score TEST_TO_1_CC_9 0.01
>> score TEST_TO_2_CC_8 0.01
>> score TEST_TO_3_CC_7 0.01
>> score TEST_TO_4_CC_6 0.01
>> score TEST_TO_5_CC_5 0.01
>> score TEST_TO_6_CC_4 0.01
>> score TEST_TO_7_CC_3 0.01
>> score TEST_TO_8_CC_2 0.01
>> score TEST_TO_9_CC_1 0.01
>> score TEST_TO_10_CC_0 0.01
>> score TEST_TO_0_CC_10 0.01
>>
>> hope it helps!
>
>
> The potential issue with this is it is looking at the To: and Cc:
> headers of the message and not at the number of envelope recipients.
>
> If this is what is wanted, fine, but keep in mind that the To: and
> Cc: headers don't necessarily bear any relation to the actual message
> recipients.
>
These rules could also be simplified considerably, and their overhead
reduced, by a better regexp (using capturing parentheses in SA simply
wastes memory), so:

header COUNT_TO To =~ /(?:\S+@\S+)/
tflags COUNT_TO multiple
score COUNT_TO 0.1

header COUNT_CC Cc =~ /(?:\S+@\S+)/
tflags COUNT_CC multiple
score COUNT_CC 0.1

These would add 0.1 for every e-mail address in the To and Cc headers;
to 20 recipients would add 2 to the computed score.

Regards,
Steve.
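
Added example, not part of the original thread and not MailScanner or SpamAssassin code: a Python sketch that applies the COUNT_TO / COUNT_CC regex with the per-match scoring described in the post, next to a recipient limit taken from the envelope, to show the gap Mark Sapiro points out. The function names, the sample messages and the envelope lists are constructed, and it assumes the MTA can hand the filter the envelope recipient list.

```python
import re
from email import message_from_string

ADDR_RE = re.compile(r"(?:\S+@\S+)")  # regex from the COUNT_TO / COUNT_CC rules
PER_MATCH = 0.1                       # per-match score described in the post


def header_score(raw_message):
    """Score To and Cc per regex match, as the post describes."""
    msg = message_from_string(raw_message)
    hits = 0
    for name in ("To", "Cc"):
        for value in msg.get_all(name, []):   # every instance of the header
            hits += len(ADDR_RE.findall(value))
    return round(hits * PER_MATCH, 2)


def distinct_rcpts(rcpts):
    """Number of distinct envelope recipients (case-insensitive)."""
    return len({r.strip().lower() for r in rcpts})


def evaluate(raw_message, rcpts, limit=10):
    """Compare the header-based score with an envelope-based limit."""
    count = distinct_rcpts(rcpts)
    return {"header_score": header_score(raw_message),
            "envelope_rcpts": count,
            "over_limit": count > limit}


# Constructed sample 1: every recipient is listed in To/Cc (folded To header).
LISTED = (
    "From: sender@example.org\n"
    "To: alice@example.org, bob@example.org,\n"
    " carol@example.org\n"
    "Cc: dave@example.org, erin@example.org\n"
    "Subject: minutes\n\nbody\n"
)
LISTED_RCPTS = ["alice@example.org", "bob@example.org", "carol@example.org",
                "dave@example.org", "erin@example.org"]

# Constructed sample 2: the recipients appear only in the envelope.
UNLISTED = ("From: sender@example.org\n"
            "To: undisclosed-recipients:;\n"
            "Subject: hello\n\nbody\n")
UNLISTED_RCPTS = [f"user{i}@example.net" for i in range(40)]

if __name__ == "__main__":
    print(evaluate(LISTED, LISTED_RCPTS))
    print(evaluate(UNLISTED, UNLISTED_RCPTS))
```

The second message scores nothing on the header rules while exceeding the envelope limit, which is why a recipient cap meant to contain a compromised account belongs on the envelope recipient count.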