I suggest to anyone a simple enhancement that can help to find messages that are really ham.
When you send a message to someone and this person answers it, you are sure that this is ham and the pair EmailAddress/ServerIp is a candidate for whitelisting.
Some servers, when a message is an answer, put one or both of these keywords in the header, like this:
In-Reply-To: <df83b29d208f4f53b6db032be12b0126@yourdomain.it>
References: <df83b29d208f4f53b6db032be12b0126@yourdomain.it>
So it is very simple to make a rule that checks that the incoming message contains a reference to your domain by adding these lines to local.cf, obviously changing the domain list:
# BONUS TO MESSAGES THAT ARE REPLIES TO A MESSAGE SENT FROM US
# (dots are escaped so that "." matches only a literal dot in the domain)
header __REPLY_TO_US_REFERENCES References =~ /\@mydomain1\.it|\@mydomain2\.it/i
header __REPLY_TO_US_INREPLYTO In-Reply-To =~ /\@mydomain1\.it|\@mydomain2\.it/i
meta REPLY_TO_US ( __REPLY_TO_US_REFERENCES || __REPLY_TO_US_INREPLYTO )
describe REPLY_TO_US Was a reply to a message sent from us
score REPLY_TO_US -2.90
Someone may say that a spammer can also add a line like the above containing this code; obviously it would be better to make a database of the message numbers sent and look for a match every time, but in my tests over a lot of days I never found a spam that had REPLY_TO_US in its report. I think that spammers can't tell that someone runs a test like this and put in a dummy tag to pass this kind of check.
It is better to use these data to compile a whitelist of people that have answered our messages.
To do that please follow these steps:
1) Create a folder called /batch and put in it the 2 files contained in the attachment rrwl.zip, and chmod them to enable execution.
2) Put these 2 lines in your CRONTAB:
05 00 * * * /batch/rrwl.sh
05 01 * * * /batch/rrwl.cf.sh
(rrwl.sh runs after midnight and creates 2 files of referenced email (one domain based and one email based) with yesterday's data;
rrwl.cf.sh runs 1 hour later, creates the .cf files and puts them in production)
3) Edit rrwl.sh and look at # Variables: you MUST review the mydomains array data and put in the domains that you use, and you MUST also review LDIP, writing your internal IP/class. The others are optional.
4) Edit rrwl.cf.sh and look at # Variables: you MUST review the singledomains array data and the Scores. The others are optional.
The singledomains array is very important: it tells whether a row will be put as a single entry in rrwl.email.cf because it is a public provider, or whether it will be put in rrwl.domain.cf, enabling the whitelist on the entire domain.
Tell me about your results!
*** Referenced White List [score enhancement] ***
- Attachments
-
- rrwl.zip
- (2.83 KiB) Downloaded 246 times
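Added example, not part of the original post and not the contents of rrwl.zip: a Python sketch of the "database of message numbers sent" check mentioned in the first post, compared with the substring rule. The sent-ID store, the function names and the sample messages are constructed for illustration; mydomain1.it and mydomain2.it are the placeholder domains from the post.

```python
import re
from email import message_from_string

OUR_DOMAINS = {"mydomain1.it", "mydomain2.it"}  # placeholder domains from the post
REPLY_HEADERS = ("In-Reply-To", "References")
MSGID_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")  # one <local@domain> token
# Substring match as in the local.cf rule: domain may appear anywhere in the header
SUBSTRING_RULE = re.compile(r"@mydomain1\.it|@mydomain2\.it", re.I)

def _reply_header_values(raw):
    """Return every In-Reply-To / References header value of a raw message."""
    msg = message_from_string(raw)
    return [v for h in REPLY_HEADERS for v in msg.get_all(h, [])]

def substring_rule_hits(raw):
    """True when the substring rule would fire on this message."""
    return any(SUBSTRING_RULE.search(v) for v in _reply_header_values(raw))

def classify(raw, sent_ids):
    """'verified'    : references a Message-ID we really sent
       'domain-only' : ID carries exactly our domain but is not in the store
       'none'        : no reference whose domain is exactly one of ours"""
    result = "none"
    for value in _reply_header_values(raw):
        for local, domain in MSGID_RE.findall(value):
            domain = domain.lower()
            if domain not in OUR_DOMAINS:
                continue  # look-alike such as mydomain1.it.example.net
            if f"{local}@{domain}" in sent_ids:
                return "verified"
            result = "domain-only"
    return result

# Constructed sample data: IDs logged by our outgoing mail server
SENT_IDS = {"a1b2c3d4@mydomain1.it"}
GENUINE = ("From: bob@example.org\nIn-Reply-To: <a1b2c3d4@mydomain1.it>\n"
           "References: <a1b2c3d4@mydomain1.it>\n\nThanks!\n")
FORGED = "From: x@example.net\nReferences: <ffff0000@mydomain2.it>\n\nHello\n"
LOOKALIKE = ("From: x@example.net\n"
             "In-Reply-To: <x1@mydomain1.it.example.net>\n\nHello\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED),
                      ("lookalike", LOOKALIKE)):
        print(name, substring_rule_hits(raw), classify(raw, SENT_IDS))
```

Only the "verified" result proves the message answers something we sent; the other two samples still trigger the substring rule.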
Re: *** Referenced White List [score enhancement] ***
Please redownload rrwl.zip
I changed something in rrwl.sh to prevent some erroneous whitelist entries from being extracted
I noticed that it is very difficult to have a hit on rrwl.email.cf
This is because a single email address that uses a provider is more likely to come from a lot of different IPs
So, to save CPU, it can be useful to comment out the mv of rrwl.email.cf at the end of the rrwl.cf.sh script and remove rrwl.email.cf from the spamassassin dir.
Perfect Result !
This is about the results of my RRWL idea
I am using only the domain whitelist; the single mail whitelist belongs to email providers (manually declared) but has no hits
I have a whitelist based on 30 days of collected data, but in future it can increase a bit
Today I received 2.572 messages and this rule hit 445 messages! More than 17 % of incoming messages, which in future can be more than 20%
And all these messages are absolutely ham
NEW VERSION
I made a small change to avoid a problem of some erroneous matching, please download the new zip
- Attachments
-
- rrwl.02.zip
- (3.01 KiB) Downloaded 207 times
New release
Using these files it creates rules using C CLASS instead of IP
It gives more chances to whitelist the sender (without false positives)
Now I have a hit on 20% of incoming email!!
- Attachments
-
- rrwl.03.zip
- (3.18 KiB) Downloaded 218 times