
Virus Bounce Ruleset

There's a ruleset to block joe-job, virus-blowback, and spam-blowback bounce messages (a.k.a. "backscatter"), which is included in SpamAssassin 3.2.0. It provides the following rules:

MY_SERVERS_FOUND: a whitelisted relay (one listed with "whitelist_bounce_relays") was found

BOUNCE_MESSAGE: an MTA-generated bounce from a non-whitelisted relay, "message was undeliverable" etc.

CRBOUNCE_MESSAGE: a challenge-response bounce message from a non-whitelisted relay, e.g. "please confirm your message was not spam"

VBOUNCE_MESSAGE: a virus-scanner-generated bounce from a non-whitelisted relay, e.g. "You sent a virus"

ANY_BOUNCE_MESSAGE: any of the *BOUNCE_MESSAGE types above

If you are using SA 3.1.x, you can install the ruleset as follows:

1. Download [http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf?revision=482200&pathrev=482207 20_vbounce.cf] and [http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/VBounce.pm?revision=467392&pathrev=482207 VBounce.pm] from jm's rules sandbox.

2. Save both files to your /etc/mail/spamassassin directory.

3. Edit your local.cf and add a line like the following:

  whitelist_bounce_relays myrelay.mydomain.net

Replace myrelay.mydomain.net with the hostname of the relay (or relays) that you send your outbound mail through.

This is used to 'rescue' legitimate bounce messages that were generated in response to mail you really *did* send. If a bounce message is found, and it contains one of these hostnames in a 'Received' header in the bounced message, it will not be marked as a blowback virus-bounce.

4. Run spamassassin --lint and ensure it reports no errors.

5. Check a 'sample vbounce' mail to ensure it marks blowback bounces as such:

spamassassin -Lt < sample-vbounce.txt
[...]
Content analysis details:   (2.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 0.0 FORGED_RCVD_HELO       Received: contains a forged HELO
[...]
 0.1 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

You should see the tests BOUNCE_MESSAGE and ANY_BOUNCE_MESSAGE appearing in the "Content analysis details" section.

6. Restart spamd, as usual, so that the ruleset is loaded.

7. Edit your procmailrc (or similar) to move messages that contain "ANY_BOUNCE_MESSAGE" in the "X-Spam-Status" header to a "bounces" folder.

Don't forget – once SpamAssassin 3.2.0 is released, you may need to delete VBounce.pm and 20_vbounce.cf from /etc/mail/spamassassin, so that they don't clash with the released version.
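As an added illustration of the whitelist_bounce_relays 'rescue' check from step 3 (example code written for this page, not VBounce.pm itself; it assumes myrelay.mydomain.net is the listed relay and uses constructed sample bounces), this Python script scans only the Received headers of the bounced message, so a bounce that merely travelled back through your own relay is still classified as blowback:

```python
import re
from email import message_from_bytes, policy

# Hostname(s) from the whitelist_bounce_relays line in local.cf (assumed value).
WHITELIST_BOUNCE_RELAYS = {"myrelay.mydomain.net"}

# A (possibly folded) "Received:" header quoted inside a text body.
RCVD_LINE = re.compile(r"^Received:.*(?:\n[ \t].*)*", re.M | re.I)
# Hostnames named in the "from" / "by" clauses of a Received header.
RCVD_HOST = re.compile(r"\b(?:from|by)\s+([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def bounced_received_hosts(raw: bytes) -> set:
    """Hostnames from Received headers of the *bounced* message only.
    The bounce's own Received headers are skipped: they describe the path the
    bounce took back to us, so a listed relay there proves nothing about who
    sent the original. Handles both a message/rfc822 attachment and headers
    quoted in a text/plain body, since MTAs do either."""
    outer = message_from_bytes(raw, policy=policy.default)
    hosts = set()
    for part in outer.walk():
        if part is not outer:  # headers of an attached original message
            for hdr in part.get_all("Received", []):
                hosts.update(h.lower() for h in RCVD_HOST.findall(hdr))
        if part.get_content_type() == "text/plain":  # headers quoted as text
            for m in RCVD_LINE.finditer(part.get_content()):
                hosts.update(h.lower() for h in RCVD_HOST.findall(m.group()))
    return hosts

def classify_bounce(raw: bytes, relays=WHITELIST_BOUNCE_RELAYS) -> str:
    """MY_SERVERS_FOUND if a listed relay handled the bounced message (rescued),
    otherwise BOUNCE_MESSAGE: blowback for mail we never sent."""
    if bounced_received_hosts(raw) & {r.lower() for r in relays}:
        return "MY_SERVERS_FOUND"
    return "BOUNCE_MESSAGE"

# Constructed samples. The blowback DSN came back *through* myrelay, but the
# message it bounces never touched our relay, so it must not be rescued.
DSN = (b"Received: from mx.example.org by myrelay.mydomain.net\n"
       b"From: MAILER-DAEMON@example.org\nSubject: Undelivered Mail Returned to Sender\n"
       b'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
       b"--B\nContent-Type: text/plain\n\nThis is the mail system at mx.example.org.\n"
       b"--B\nContent-Type: message/rfc822\n\n")
BLOWBACK = DSN + (b"Received: from 10.9.8.7 (botnet.example.net) by mx.example.org\n"
                  b"From: someone@mydomain.net\nSubject: hi\n\nbuy now\n--B--\n")
LEGIT = DSN + (b"Received: from myrelay.mydomain.net by mx.example.org\n"
               b"From: someone@mydomain.net\nSubject: hi\n\nhello\n--B--\n")
QUOTED = (b"From: MAILER-DAEMON@example.org\nSubject: failure notice\n\n"
          b"Sorry, I couldn't deliver your message.\n--- Below is a copy.\n"
          b"Received: from myrelay.mydomain.net (1.2.3.4)\n  by mx.example.org\n")
```

Run classify_bounce() over a real bounce from your own queue to confirm the relay names you list actually appear in the Received headers your outbound path produces.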
