"mxpf" [plugin]

nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

"mxpf" [plugin]

Post by nicola.piazzi »

I wrote this simple plugin, mxpf.
This plugin takes the B class of the sender IP address and tries to match it against the B class of any IP of the MX records of the declared domain.
So when it matches, it is very difficult for the sender to be a spoofed domain; you can use MXPF_PASS to combine with other rules in addition to SPF_PASS.

1) Unpack mxpf.cf and mxpf.pm under the /etc/mail/spamassassin directory
2) Put your score in mxpf.cf
Attachments
mxpf.zip
(1.55 KiB) Downloaded 329 times
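
The comparison described in this post, sketched as an added example (it is not the mxpf plugin's code and not from the thread): the function name, the pre-resolved MX address list and the sample addresses are assumptions. It goes slightly beyond the post by making the prefix length a parameter, so the same check covers a /16 (B class) or a /24 (C class) comparison.

```python
# Added illustration, not the mxpf plugin's code. All names are hypothetical.
import ipaddress


def same_prefix(sender_ip, mx_ips, prefix_len=16):
    """Return the first MX address sharing the sender's IPv4 prefix, else None.

    prefix_len=16 is the "B class" comparison, 24 the "C class" one.
    MX addresses are passed in already resolved so the check runs offline.
    """
    try:
        sender = ipaddress.ip_address(sender_ip)
    except ValueError:
        return None  # unparsable relay address: no match, never a pass
    if sender.version != 4:
        return None  # this sketch only handles IPv4, where B/C class applies
    # strict=False masks the host bits and yields the enclosing network.
    sender_net = ipaddress.ip_network(f"{sender}/{prefix_len}", strict=False)
    for raw in mx_ips:
        try:
            mx = ipaddress.ip_address(raw)
        except ValueError:
            continue  # skip malformed DNS data instead of treating it as a match
        if mx.version == 4 and mx in sender_net:
            return str(mx)
    return None


# Constructed sample data: addresses an MX lookup might have returned,
# including one malformed entry and one IPv6 address.
MX_IPS = ["10.20.99.5", "not-an-ip", "2001:db8::25"]

if __name__ == "__main__":
    for ip, plen in [("10.20.30.40", 16), ("10.20.30.40", 24), ("10.21.30.40", 16)]:
        hit = same_prefix(ip, MX_IPS, plen)
        print(f"{ip} /{plen}: {'match ' + hit if hit else 'no match'}")
```
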
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii »

Thanks, will test it. Your default score was 0.20 - should the score not be negative? Just checking if I got this right: we want to give a bonus to emails where the sending IP is in the same B-class network as the MX, right?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii »

One more question. The description reads:
# Mxpf helps to hit some non spoofed emails where the domain doesn't have SPF or DKIM
# It compare the B mask of sender ip with B mask of all mx records of domain
Does that mean this ONLY affects email domains without SPF or DKIM?
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: "mxpf" [plugin]

Post by nicola.piazzi »

NO, it is independent
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii »

Thanks, so only the description is misleading.
What about my other question:
your default score was 0.20 - should the score not be negative?
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: "mxpf" [plugin]

Post by nicola.piazzi »

mistake, correct it please
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii »

nicola.piazzi wrote: NO, it is independent
How about checking if SPF and DKIM are correct first and only proceed with this test if they are not both correct. No point in awarding additional points if SPF and DKIM are already correct?

something along the lines of:

Code:

meta     __MXPF_PASS (eval:check_pf() && SPF_PASS && DKIM_VALID_AU)
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: "mxpf" [plugin]

Post by nicola.piazzi »

yes
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii »

This is what I made of mxpf.cf, testing now:

Code:

# Mxpf helps to hit some non spoofed emails where the domain doesn't have SPF or DKIM
# It compares the B mask of sender ip with B mask of all mx records of domain

loadplugin      Mail::SpamAssassin::Plugin::mxpf mxpf.pm

header     __jacob_MXPF_PASS    eval:check_pf()
meta       _jacob_MXPF_PASS     (__jacob_MXPF_PASS && !SPF_PASS && !DKIM_VALID)
score      _jacob_MXPF_PASS     -0.50
describe   _jacob_MXPF_PASS     Sender IP has same B-Class IP as a MX Record of Sender Domain
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: "mxpf" [plugin]

Post by shawniverson »

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: "mxpf" [plugin]

Post by ovizii »

@nicola: maybe you should submit the latest version which checks against a C-class network and not B-class?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: "mxpf" [plugin]

Post by pdwalker »

ovizii,

if you check the code, nicola left in a comment on how to match class C addresses. There are two places you'd need to change if you want to change it yourself.

Everyone,

Does anyone have any experience with debugging spamassassin modules? I'd like to debug a spamassassin module, but I have no idea how to get useful debug information out of the system.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: "mxpf" [plugin]

Post by pdwalker »

Found the answer. Invoke spamassassin from the command line against one of the messages in the message queues:

Code:

spamassassin -D -t < /var/spool/MailScanner/quarantine/[date]/spam/[messageid] 2>&1 | vim -