5067 – anti-bounce ruleset: match headers in bounce message against trusted_networks

Bug 5067 - anti-bounce ruleset: match headers in bounce message against trusted_networks

Summary: anti-bounce ruleset: match headers in bounce message against trusted_networks

Status:	RESOLVED FIXED

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (show other bugs)
Version:	3.1.4
Hardware:	Other other

Importance:	P5 enhancement
Target Milestone:	Undefined
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-08-26 19:31 UTC by Justin Mason
Modified:	2006-09-01 10:30 UTC (History)
CC List:	0 users

Attachment	Type	Modified	Status	Actions	Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Justin Mason 2006-08-26 19:31:21 UTC

This is an RFE for the anti-bounce ruleset, not actually an issue in core SA;
I'm just using it as a discussion venue/reminder.

The big problem with the ruleset as it stands is that either (a) it drops all
bounces, not just spam-bounces/virus-bounces/forgery-bounces, or (b) it requires
a manual rule be written to match the SA admin's own networks from which a
bounced message may have originated.

An easy way to deal with this would be to write a plugin which could match the
IP addresses in bounce-message headers, and match for messages that passed
through a relay in trusted_networks.  That allows the anti-bounce ruleset to
work effectively, as soon as trusted_networks is configured.

Comment 1 Loren Wilton 2006-08-27 01:36:11 UTC

Another possible solution might be if SA had a selection of "stock variables" 
available to the rules.  Then a rule could be written for /$myaddress/ or some 
such to look for occurances of configurable words SA already knows.

Comment 2 Justin Mason 2006-08-27 10:28:10 UTC

yeah, I'd prefer to avoid having another thing for admins to set, esp since it
would mean the same thing as trusted_networks/internal_networks...

Comment 3 Justin Mason 2006-09-01 12:17:35 UTC

ah, this may not be so simple :(

I sent a mail to a nonexistent addr at gmail to induce a bounce, got one
back (see http://taint.org/xfer/2006/gmail-bounce.txt ), and noted something --
at least with a postfix MTA delivering to a remote MX, and receiving a 5xx
in-SMTP-transaction bounce -- one of the bounces we want to be able to rescue --
the postfix MTA's IP address will not appear in the bounce message.  Instead,
the MTA's idea of its own name ("dogma.boxhost.net") will appear.

So the plugin *will* require manual configuration, and can't just reuse the
contents of trusted_networks.  drat.

Comment 4 Justin Mason 2006-09-01 17:30:21 UTC

ok, this is now implemented; rulesrc/sandbox/jm/VBounce.pm is a plugin that
implements 'whitelist_bounce_relays', a new setting to specify that data.

It also implements an eval rule that checks the message body (and message/*
attachments) for relays listed in that setting.

Much easier to configure... with this and a little more work, the anti-bounce
ruleset will be suitable for distribution in 3.2.0!