
WHAT IS RRWL :
==============

RRWL is a way to catch, and give a bonus score to, messages coming from someone who replies to your messages.
When you send a message to someone and that person answers it, you are sure that it is ham, and the pair EmailAddress/ServerIp is a candidate for whitelisting.
Some servers, when a message is an answer, put one or both of these keywords in the header, like this:
In-Reply-To: <df83b29d208f4f53b6db032be12b0126@yourdomain.ext>
Someone could object that a spammer can also add a line like the one above containing this code.
Obviously it would be better to keep a database of the message numbers sent and look for a match every time,
but in my tests over many days I never found a spam matching this program.
I think that spammers can't tell that someone runs a test like this and put in a dummy tag to pass this kind of check.
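
The stricter check mentioned above (matching the header against the IDs of messages actually sent) can be sketched as follows. This is an added example, not part of RRWL or its scripts: MYDOMAINS echoes the mydomains setting of rrwl.sh, while MSGL_LEN, the function names, the sent-ID file and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of RRWL. MYDOMAINS echoes the mydomains setting of
# rrwl.sh; MSGL_LEN, the function names and the sent-ID file are assumptions.
MYDOMAINS="yourdomain.ext"   # our own domains, space separated
MSGL_LEN=32                  # length of the ID part our server generates

# Split "In-Reply-To: <id@domain>" into RR_ID and RR_DOM; return 1 if malformed.
parse_in_reply_to() {
    line=$(printf '%s' "$1" | tr -d '\r')
    case $line in
        [Ii]n-[Rr]eply-[Tt]o:*"<"*">"*) ;;
        *) return 1 ;;
    esac
    ref=${line#*"<"}; ref=${ref%%">"*}
    case $ref in
        *[[:space:]]*|*@*@*) return 1 ;;   # no whitespace, only one @
        ?*@?*) ;;
        *) return 1 ;;
    esac
    RR_ID=${ref%@*}
    RR_DOM=$(printf '%s' "${ref#*@}" | tr '[:upper:]' '[:lower:]')
}

# Return 0 only if the header names one of our domains, the ID has the expected
# length and, when a sent-ID file ($2, one id@domain per line) is given, the ID
# is one we really sent. The last check is what rejects a forged header.
is_reply_to_us() {
    parse_in_reply_to "$1" || return 1
    ours=no
    for d in $MYDOMAINS; do
        if [ "$RR_DOM" = "$d" ]; then ours=yes; fi
    done
    [ "$ours" = yes ] || return 1
    [ "${#RR_ID}" -eq "$MSGL_LEN" ] || return 1
    if [ -n "${2:-}" ]; then
        grep -qxF -- "$RR_ID@$RR_DOM" "$2" || return 1
    fi
    return 0
}

# Constructed sample data: one genuine reply and one forged header of the right shape.
sent_ids=$(mktemp)
echo 'df83b29d208f4f53b6db032be12b0126@yourdomain.ext' > "$sent_ids"
forged="In-Reply-To: <$(printf '%032d' 0)@yourdomain.ext>"
for h in 'In-Reply-To: <df83b29d208f4f53b6db032be12b0126@yourdomain.ext>' "$forged"; do
    if is_reply_to_us "$h" "$sent_ids"; then echo "reply to us: $h"
    else echo "rejected:    $h"; fi
done
rm -f "$sent_ids"
```

Without the second argument the function only checks domain and ID length, so a header of the right shape passes; with the sent-ID file the same header is rejected.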


WHO CAN USE RRWL :
==================

It can be used on EFA servers (or Linux servers that use SpamAssassin) only if the same server is used to deliver internal emails.



HOW TO START USING RRWL :
=========================

1) Create a folder called /batch, put rrwl.sh and rrwl.cf.sh in it, and chmod them to enable execution.


2) Put these 2 lines in your crontab:
05 00 * * * /batch/rrwl.sh
05 01 * * * /batch/rrwl.cf.sh

3) Edit rrwl.sh and look at # Variables:
   you MUST review the mydomains array data and put in the domains that you use,
   you MUST also review LDIP, writing your internal Ip/Class. The others are optional.
   you MUST put your mysql root password two times in place of <yourpassword>
   you MUST set MSGL to a length matching your server's In-Reply-To generation
   (look at the header of a message that EFA delivers after receiving it from the internal server; if, for example, it is
    In-Reply-To: <12345678901234567890123456789012@yourdomain.ext>
    You must write  ________________________________ 
    I think that Exchange generates a 32-byte number before the domain)

4) Edit rrwl.cf.sh and look at # Variables:
   you MUST review the singledomains array data and the Scores. The others are optional.
   The singledomains array is very important: it tells whether a row will be put as a single entry in rrwl.email.cf because it is a public provider,
   or whether it will be put in rrwl.domain.cf, enabling the whitelist on the entire domain.
   Variables :
   F="/etc/mail/spamassassin"   # Spamassassin default dir
                                Change only if it is different
   FT="/tmp"                    # Temp dir
                                I think no change required
   APP="rrwl"                   # Application name
                                I think no change required
   D=70                         # Days to search for whitelist files
                                Data retrieved by rrwl.sh is stored in the rrwl directory; this job considers only the last D days to generate the new whitelist
   SD=-2.00                     # Score to assign to Domain/Ip
                                Score assigned when an email comes from a domain+ip combination that sent a reply in the past
                                File : rrwl.domains.cf
                                Rule : RRWL_D_<domain>
   SE=-2.50                     # Score to assign to Email/Ip
                                Score assigned when an email comes from an email+ip combination that sent a reply in the past
                                File : rrwl.email.cf
                                Rule : RRWL_E_<email>
   SRI=-0.10                    # Score to assign to References (Seen Ip)
                                Score assigned when an email comes from an ip that sent a reply in the past
                                File : rrwl.references.cf
                                Rule : RRWL_R_I
                                - do not give it much score, it contains false positives -
   SRID=-2.00                   # Score to assign to References (Seen Ip on Seen Domain)
                                Score assigned when an email comes from an ip that sent a reply in the past and the declared domain was also used to send a reply
                                File : rrwl.references.cf
                                Rule : RRWL_R_ID
                                very difficult to have false positives

5) Note that at the end of the script rrwl.cf.sh I suspended the production copy of rrwl.email.cf
   ##SUSPENDED## mv $FT/$APP.email.cf $F
   This is because it is difficult for me to get a hit, and so I save a lot of cpu



RESULTS (IN MY INSTALLATION) :
==============================

We have 4 rules or rule types:

RRWL_D_<domain>	It hits about 20% of my incoming mail, all ham so far

RRWL_R_ID	It hits 5% more than RRWL_D_<domain>, all ham so far, but it has a probability of not being ham

RRWL_R_I	It hits every time the others hit, and more (so it has a low bonus score)






