"mxpf" [plugin]

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Post by nicola.piazzi » 10 Aug 2016 09:57

I wrote this simple plugin, mxpf.
This plugin takes the B class of the sender IP address and tries to match it against the B class of any IP in the MX records of the declared domain.
So when it matches, it is very difficult for the sender to be a spoofed domain. You can use MXPF_PASS to combine with other rules in addition to SPF_PASS.

1) Unpack mxpf.cf and mxpf.pm under the /etc/mail/spamassassin dir
2) Put your score in mxpf.cf
Attachments
mxpf.zip
(1.55 KiB) Downloaded 195 times

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii » 10 Aug 2016 11:25

Thanks, will test it. Your default score was 0.20 - should the score not be negative? Just checking if I got this right: we want to give a bonus to emails where the sending IP is in the same B-class network as the MX, right?

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii » 10 Aug 2016 12:06

One more question. The description reads:
# Mxpf helps to hit some non spoofed emails where the domain doesn't have SPF or DKIM
# It compare the B mask of sender ip with B mask of all mx records of domain
Does that mean this ONLY affects email domains without SPF or DKIM?

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: "mxpf" [plugin]

Post by nicola.piazzi » 10 Aug 2016 12:28

NO, it is independent

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii » 10 Aug 2016 12:32

Thanks, so only the description is misleading.
What about my other question:
your default score was 0.20 - should the score not be negative?

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: "mxpf" [plugin]

Post by nicola.piazzi » 10 Aug 2016 12:34

Mistake, correct it please.

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii » 10 Aug 2016 12:39

nicola.piazzi wrote: NO, it is independent
How about checking if SPF and DKIM are correct first and only proceeding with this test if they are not both correct? No point in awarding additional points if SPF and DKIM are already correct?

Something along the lines of:

Code:

meta     __MXPF_PASS (eval:check_pf() && SPF_PASS && DKIM_VALID_AU)

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: "mxpf" [plugin]

Post by nicola.piazzi » 10 Aug 2016 12:40

yes

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii » 10 Aug 2016 12:46

This is what I made of mxpf.cf, testing now:

Code:

# Mxpf helps to hit some non spoofed emails where the domain doesn't have SPF or DKIM
# It compares the B mask of sender ip with B mask of all mx records of domain

loadplugin      Mail::SpamAssassin::Plugin::mxpf mxpf.pm

header     __jacob_MXPF_PASS    eval:check_pf()
meta       _jacob_MXPF_PASS     (__jacob_MXPF_PASS && !SPF_PASS && !DKIM_VALID)
score      _jacob_MXPF_PASS     -0.50
describe   _jacob_MXPF_PASS     Sender IP has same B-Class IP as a MX Record of Sender Domain

shawniverson
Posts: 3162
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: "mxpf" [plugin]

Post by shawniverson » 21 Aug 2016 16:22

Version eFa 4.0.2 now available!

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii » 21 Aug 2016 17:15

@nicola: maybe you should submit the latest version which checks against a C-class network and not B-class?
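
Added example, not part of the thread and not the plugin's own Perl code: a Python sketch of the B-class (/16) versus C-class (/24) comparison discussed above, combined the way the posted meta rule combines it with SPF and DKIM. The function names and the sample addresses are assumptions made for illustration; the MX addresses are constructed, not resolved from DNS.

```python
import ipaddress

# Constructed sample data (RFC 2544 benchmarking range), not real MX hosts.
MX_IPS = ["198.18.5.10", "198.18.5.11", "2001:db8::25"]


def same_prefix(sender_ip, mx_ips, prefix_len=16):
    """Return the MX IPv4 addresses inside the sender's /prefix_len network."""
    try:
        sender = ipaddress.ip_address(sender_ip)
    except ValueError:
        return []                      # unparsable relay address: no match
    if sender.version != 4:
        return []                      # class B/C only exist for IPv4
    net = ipaddress.ip_network(f"{sender}/{prefix_len}", strict=False)
    hits = []
    for raw in mx_ips:
        try:
            mx = ipaddress.ip_address(raw)
        except ValueError:
            continue                   # skip malformed resolver output
        if mx.version == 4 and mx in net:
            hits.append(str(mx))
    return hits


def mxpf_meta(sender_ip, mx_ips, spf_pass, dkim_valid, prefix_len=16):
    """Mirror the meta rule posted above: match && !SPF_PASS && !DKIM_VALID."""
    return bool(same_prefix(sender_ip, mx_ips, prefix_len)) \
        and not spf_pass and not dkim_valid


if __name__ == "__main__":
    # Same /24, same /16 only, and different /16 relative to the MX hosts.
    for ip in ("198.18.5.77", "198.18.77.3", "198.19.5.10"):
        print(ip, "B:", bool(same_prefix(ip, MX_IPS, 16)),
              "C:", bool(same_prefix(ip, MX_IPS, 24)))
```

The middle address matches at /16 but not at /24: with the B-class comparison, any host that shares a /16 with the domain's MX (for example another customer of the same hosting provider) earns the bonus, which is worth weighing when choosing the score.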

pdwalker
Posts: 1333
Joined: 18 Mar 2015 09:16

Re: "mxpf" [plugin]

Post by pdwalker » 22 Aug 2016 10:57

ovizii,

If you check the code, nicola left in a comment on how to match class C addresses. There are two places you'd need to change if you want to change it yourself.

Everyone,

Does anyone have any experience with debugging spamassassin modules? I'd like to debug a spamassassin module, but I have no idea how to get useful debug information out of the system.

pdwalker
Posts: 1333
Joined: 18 Mar 2015 09:16

Re: "mxpf" [plugin]

Post by pdwalker » 23 Aug 2016 05:46

Found the answer. Invoke spamassassin from the command line against one of the messages in the message queues:

Code:

spamassassin -D -t < /var/spool/MailScanner/quarantine/[date]/spam/[messageid] 2>&1 | vim -
