"mxpf" [plugin]

Posted: 10 Aug 2016 09:57
by nicola.piazzi
I wrote this simple plugin, mxpf.
This plugin looks up the B class of the sender IP address and tries to match it against the B class of any IP of the MX records of the declared domain.
So when it matches, it is very difficult for the sender to be a spoofed domain; you can use MXPF_PASS to combine with other rules in addition to SPF_PASS.

1) Unpack mxpf.cf and mxpf.pm under the /etc/mail/spamassassin dir
2) Put your score in mxpf.cf
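
The comparison described in the post above, sketched as an added example (not part of the original post and not the plugin's own code). It goes beyond the post by taking the prefix length as a parameter, so the /24 ("C class") variant raised later in the thread can be compared; the function name `mxpf_match`, the `MX_ADDRS` table and all addresses are constructed assumptions, and no real DNS lookup is done.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> addresses of its MX hosts (no real lookups).
MX_ADDRS = {
    "example.org": ["2001:db8::25", "198.18.200.9"],
    "example.net": ["203.0.113.25"],
}

def mxpf_match(sender_ip, domain, prefix_len=16, mx_addrs=MX_ADDRS):
    """Return the first MX address inside the sender's IPv4 /prefix_len, else None."""
    try:
        sender = ipaddress.ip_address(sender_ip)
    except ValueError:
        return None                      # unparsable relay address: no match
    if sender.version != 4:
        return None                      # "B class" is an IPv4 notion; IPv6 senders never match
    # strict=False masks the host bits, e.g. 198.18.1.5/16 -> 198.18.0.0/16
    net = ipaddress.ip_network(f"{sender}/{prefix_len}", strict=False)
    for raw in mx_addrs.get(domain.lower(), []):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue                     # skip malformed records
        if addr.version == 4 and addr in net:
            return str(addr)
    return None

if __name__ == "__main__":
    cases = [
        ("198.18.1.5", "example.org", 16),     # same /16 as the MX, different /24
        ("198.18.1.5", "example.org", 24),     # fails the stricter C class test
        ("198.18.200.77", "example.org", 24),  # same /24 as the MX
        ("192.0.2.1", "example.org", 16),      # unrelated network
        ("2001:db8::1", "example.org", 16),    # IPv6 sender
    ]
    for ip, dom, plen in cases:
        print(f"{ip:15} {dom} /{plen}: {mxpf_match(ip, dom, plen)}")
```

A /16 spans 65,536 addresses and a /24 spans 256, so the prefix length decides how many unrelated hosts near the MX would also match.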

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 11:25
by ovizii
Thanks, will test it. Your default score was 0.20 - should the score not be negative? Just checking if I got this right: we want to give a bonus to emails where the sending IP is in the same B-class network as the MX, right?

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 12:06
by ovizii
One more question. The description reads:
# Mxpf helps to hit some non spoofed emails where the domain doesn't have SPF or DKIM
# It compare the B mask of sender ip with B mask of all mx records of domain
Does that mean this ONLY affects email domains without SPF or DKIM?

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 12:28
by nicola.piazzi
NO, it is independent

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 12:32
by ovizii
Thanks, so only the description is misleading.
What about my other question:
your default score was 0.20 - should the score not be negative?

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 12:34
by nicola.piazzi
mistake, correct it please

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 12:39
by ovizii
nicola.piazzi wrote: NO, it is independent
How about checking if SPF and DKIM are correct first and only proceed with this test if they are not both correct. No point in awarding additional points if SPF and DKIM are already correct?

something along the lines of:

Code:

header   __MXPF_PASS  eval:check_pf()
meta     MXPF_PASS    (__MXPF_PASS && !(SPF_PASS && DKIM_VALID_AU))

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 12:40
by nicola.piazzi
yes

Re: "mxpf" [plugin]

Posted: 10 Aug 2016 12:46
by ovizii
this is what I made of mxpf.cf, testing now:

Code:

# Mxpf helps to hit some non spoofed emails where the domain doesn't have SPF or DKIM
# It compares the B mask of sender ip with B mask of all mx records of domain

loadplugin      Mail::SpamAssassin::Plugin::mxpf mxpf.pm

header     __jacob_MXPF_PASS    eval:check_pf()
meta       _jacob_MXPF_PASS     (__jacob_MXPF_PASS && !SPF_PASS && !DKIM_VALID)
score      _jacob_MXPF_PASS     -0.50
describe   _jacob_MXPF_PASS     Sender IP has same B-Class IP as a MX Record of Sender Domain

Re: "mxpf" [plugin]

Posted: 21 Aug 2016 16:22
by shawniverson

Re: "mxpf" [plugin]

Posted: 21 Aug 2016 17:15
by ovizii
@nicola: maybe you should submit the latest version which checks against a C-class network and not B-class?

Re: "mxpf" [plugin]

Posted: 22 Aug 2016 10:57
by pdwalker
ovizii,

if you check the code, nicola left in a comment on how to match class C addresses. There are two places you'd need to change if you want to change it yourself.

Everyone,

Does anyone have any experience with debugging spamassassin modules? I'd like to debug a spamassassin module, but I have no idea how to get useful debug information out of the system.

Re: "mxpf" [plugin]

Posted: 23 Aug 2016 05:46
by pdwalker
Found the answer. Invoke spamassassin from the command line against one of the messages in the message queues:

Code:

spamassassin -D -t < /var/spool/MailScanner/quarantine/[date]/spam/[messageid] 2>&1 | vim -