
case07: a small investigation prompted by a transport rule

03 Jul

Transport rules are a good thing. Since Exchange 2007 they have allowed a great deal of mail-flow filtering. Today's case comes from a certain company.

Mail architecture: a single host running all three roles, plus a Linux gateway that judges the mail. The Linux GW scans each message and, for anything it rates as spam, prepends a tag such as {SPAM 1002} to the subject.

One transport rule is in place: when a message header contains the string SPAM, set the SCL to 5. Outlook then treats messages with an SCL of 5 or higher as junk and moves them into the Junk E-mail folder.

Two tests were run:

Assume the company is WINOS. Authenticate over SMTP as xunyang@winos.com and send a message with the subject "spam" and an empty body.

The transport rule is applied to this message; it shows up in the recipient's junk mail folder.

Now send from happy@126.com without SMTP authentication, with an empty subject and a body containing the GTUBE test string "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X".

The transport rule is not applied to this message; it lands in the recipient's inbox.

Taken together, these two results point to the opposite of what was intended: the transport rule is not really taking effect. So why?

Inspecting the messages shows the following:

1. The subjects of both messages carry a tag of the form { (SPAM)998.3 } or { (SPAM)1001 }.

2. The body of the authenticated message can be read directly, whereas for the unauthenticated message the original has been wrapped as an attachment.

3. The message headers show three distinct cases:

########## raw headers follow; you can skip straight past this block ##########

----- authenticated message, delivered to junk mail

Received: from mailproxy.winos.com.cn (192.168.0.60) by server05.winos.com.cn
(192.168.0.15) with Microsoft SMTP Server id 8.1.358.0; Fri, 3 Jul 2009
18:48:48 +0800
Received: from pc-yangxun.winos.com.cn (pc-yangxun.winos.com.cn [10.10.10.47])
    by mailproxy.winos.com.cn (Postfix) with SMTP id 27BED1153FDF    for
<xunyang@winos.com.cn>; Fri,  3 Jul 2009 18:48:03 +0800 (CST)
Subject: test (spam)
Message-ID: <20090703104839.27BED1153FDF@mailproxy.winos.com.cn>
Date: Fri, 3 Jul 2009 18:48:03 +0800
From: <happy@126.com>
To: undisclosed-recipients:;
X-winos-MailScanner-Information: Please contact the ISP for more information
X-winos-MailScanner-ID: 27BED1153FDF.ADE1F
X-winos-MailScanner: Found to be clean
X-winos-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.652,
    required 10, autolearn=not spam, ALL_TRUSTED -1.44, AWL 2.09)
X-winos-MailScanner-From: happy@126.com
X-Spam-Status: No
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: happy@126.com
X-MS-Exchange-Organization-SCL: 5
----- not authenticated, sent by telnet directly to the local server, delivered to inbox
Received: from mailproxy.winos.com.cn (192.168.0.60) by server05.winos.com.cn
(192.168.0.15) with Microsoft SMTP Server id 8.1.358.0; Fri, 3 Jul 2009
19:27:10 +0800
Received: from pc-yangxun (pc-yangxun.winos.com.cn [10.10.10.47])    by
mailproxy.winos.com.cn (Postfix) with SMTP id D5C931153FDF    for
<xunyang@winos.com.cn>; Fri,  3 Jul 2009 19:27:22 +0800 (CST)
Date: Fri, 3 Jul 2009 19:27:09 +0800
From: cf <xunyang@126.com>
To: "xunyang" <xunyang@winos.com.cn>
Subject: {(SPAM) 1002}
Message-ID: <200907031927098671072@126.com>
X-mailer: Foxmail 6, 10, 201, 20 [cn]
MIME-Version: 1.0
Content-Type: multipart/report; boundary="======17533==3561======";
    report-type=spam-notification
X-winos-MailScanner-Information: Please contact the ISP for more information
X-winos-MailScanner-ID: D5C931153FDF.A007B
X-winos-MailScanner: Found to be clean
X-winos-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
    score=1002.745, required 10, ALL_TRUSTED -1.44, GTUBE 1000.00,
    HTML_MESSAGE 0.00, MISSING_SUBJECT 1.28, TVD_SPACE_RATIO 2.90)
X-winos-MailScanner-SpamScore: 1002
X-winos-MailScanner-From: xunyang@126.com
X-Spam-Status: Yes
Return-Path: xunyang@126.com
----- sent from a Live mailbox, delivered to inbox
Received: from bay0-omc3-s20.bay0.hotmail.com (192.168.0.40) by
server05.winos.com.cn (192.168.0.15) with Microsoft SMTP Server id 8.1.358.0;
Fri, 3 Jul 2009 19:47:44 +0800
Received: from localhost by bj-mailproxy    with SpamAssassin (version 3.2.4);
    Fri, 03 Jul 2009 19:47:54 +0800
From: xun yang <xunyang@live.com>
To: <xunyang@winos.com.cn>
Subject: { (SPAM)998.3 }
Date: Fri, 3 Jul 2009 11:46:06 +0000
Message-ID: <BAY122-W2008175DCC8CF24E75490AD12C0@phx.gbl>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on bj-mailproxy
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=998.3 required=10.0 tests=AWL,BAYES_00,GTUBE,
    HTML_MESSAGE,MISSING_SUBJECT autolearn=no version=3.2.4
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4A4DEFEA.42340000"
X-NoSpamToday-Result: Blocked (SpamAssassin)
X-NoSpamToday-HeloName: bay0-omc3-s20.bay0.hotmail.com
X-NoSpamToday-HostIP: 65.54.246.220
X-NoSpamToday-MessageID: 4A4DEFCF00000000
X-NoSpamToday-Policy: accept/deliver (junk)
X-NoSpamToday-Port: SMTP Proxy
Return-Path: xunyang@live.com

########## end of raw headers ##########

A closer side-by-side comparison of the relevant lines:

Subject: test (spam)
X-winos-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.652,
    required 10, autolearn=not spam, ALL_TRUSTED -1.44, AWL 2.09)
X-Spam-Status: No
X-MS-Exchange-Organization-SCL: 5
-----
Subject: {(SPAM) 1002}
X-winos-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
    score=1002.745, required 10, ALL_TRUSTED -1.44, GTUBE 1000.00,
    HTML_MESSAGE 0.00, MISSING_SUBJECT 1.28, TVD_SPACE_RATIO 2.90)
X-winos-MailScanner-SpamScore: 1002
X-Spam-Status: Yes
-----
Subject: { (SPAM)998.3 }
X-Spam-Flag: YES
X-Spam-Status: Yes, score=998.3 required=10.0 tests=AWL,BAYES_00,GTUBE,
    HTML_MESSAGE,MISSING_SUBJECT autolearn=no version=3.2.4
X-NoSpamToday-Result: Blocked (SpamAssassin)
X-NoSpamToday-Policy: accept/deliver (junk)
X-NoSpamToday-Port: SMTP Proxy

-----

I notice that "score" appears in many places, and most of the time a score above 900 means spam. So I created the following rule:

Well, it really just comes down to one regular expression. Any message whose spam score contains four digits, or three digits followed by a dot and one more digit, and whose subject also contains the keyword spam, gets its SCL set to 5.

That solved the problem.
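To make the rewritten rule concrete, here is a stand-alone Python model of it. This is an added example, not the author's Exchange transport rule and not any Exchange API: it parses a raw header block, applies the score regex only to the score-bearing headers seen in the dumps above (X-winos-MailScanner-SpamScore, X-winos-MailScanner-SpamCheck, X-Spam-Status), requires "spam" in the subject, and reports the SCL the rule would stamp. Three of the samples are trimmed copies of the header blocks quoted above; the fourth is a constructed clean message added here to show why the regex has to be scoped to the score headers rather than the whole message.

```python
"""Model of the score-regex transport rule described in the post.

Added example. Header samples are trimmed copies of the three blocks quoted
in the post (Received, Message-ID, Date and MIME lines dropped) plus one
constructed clean message. Mirrors the rule as described; not Exchange code.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Headers that carry the gateway's verdict/score in the quoted samples.
# X-winos-* are site-specific MailScanner headers; X-Spam-Status is SpamAssassin's.
SCORE_HEADERS = (
    "X-winos-MailScanner-SpamScore",
    "X-winos-MailScanner-SpamCheck",
    "X-Spam-Status",
)

# The post's rule: "4 digits" or "3 digits, a dot, 1 digit", as a whole token.
SCORE_RE = re.compile(r"\b(\d{4}|\d{3}\.\d)\b")
# For reporting only: SpamAssassin's "score=..." field, or a bare number.
SCORE_FIELD_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
BARE_NUMBER_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s*$")

SPAM_KEYWORD = "spam"
JUNK_SCL = 5  # Outlook treats SCL >= 5 as junk in the post's setup


def parse_headers(raw: str) -> EmailMessage:
    """Parse a raw header block; policy.default unfolds continuation lines."""
    return email.message_from_string(raw, policy=policy.default)


def score_header_values(msg: EmailMessage) -> list[str]:
    """All values of the score-bearing headers, in SCORE_HEADERS order."""
    values: list[str] = []
    for name in SCORE_HEADERS:
        values.extend(str(v) for v in msg.get_all(name, []))
    return values


def numeric_score(msg: EmailMessage) -> Optional[float]:
    """Gateway score as a float, or None when no score header is present."""
    for value in score_header_values(msg):
        m = SCORE_FIELD_RE.search(value) or BARE_NUMBER_RE.match(value)
        if m:
            return float(m.group(1))
    return None


def rule_matches(msg: EmailMessage) -> bool:
    """Both conditions of the rewritten rule: subject contains 'spam'
    (case-insensitive) AND a score header matches SCORE_RE. The regex is
    applied to the score headers only, so four-digit years or IDs elsewhere
    in the message cannot trigger it."""
    subject = str(msg.get("Subject", ""))
    if SPAM_KEYWORD not in subject.lower():
        return False
    return any(SCORE_RE.search(v) for v in score_header_values(msg))


def assign_scl(msg: EmailMessage) -> Optional[int]:
    """SCL the rule would set on the message (None = rule does not fire)."""
    return JUNK_SCL if rule_matches(msg) else None


# --- constructed sample input (trimmed from the post's header dumps) ------
AUTHENTICATED_TEST = """\
Subject: test (spam)
X-winos-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.652,
    required 10, autolearn=not spam, ALL_TRUSTED -1.44, AWL 2.09)
X-Spam-Status: No
"""

GTUBE_VIA_TELNET = """\
Subject: {(SPAM) 1002}
X-winos-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
    score=1002.745, required 10, ALL_TRUSTED -1.44, GTUBE 1000.00,
    HTML_MESSAGE 0.00, MISSING_SUBJECT 1.28, TVD_SPACE_RATIO 2.90)
X-winos-MailScanner-SpamScore: 1002
X-Spam-Status: Yes
"""

GTUBE_VIA_LIVE = """\
Subject: { (SPAM)998.3 }
X-Spam-Flag: YES
X-Spam-Status: Yes, score=998.3 required=10.0 tests=AWL,BAYES_00,GTUBE,
    HTML_MESSAGE,MISSING_SUBJECT autolearn=no version=3.2.4
"""

# Constructed, not from the post: clean mail whose subject has "spam" and a
# four-digit year. Only the score headers are regex-checked, so no SCL 5.
CLEAN_WITH_YEAR = """\
Subject: Re: spam filter stats for 2009
X-winos-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.1,
    required 10, ALL_TRUSTED -1.44)
X-Spam-Status: No
"""

if __name__ == "__main__":
    samples = [("authenticated test", AUTHENTICATED_TEST),
               ("GTUBE via telnet", GTUBE_VIA_TELNET),
               ("GTUBE via Live", GTUBE_VIA_LIVE),
               ("clean, year in subject", CLEAN_WITH_YEAR)]
    for label, raw in samples:
        msg = parse_headers(raw)
        print(f"{label:24} score={numeric_score(msg)!s:>9}  SCL={assign_scl(msg)}")
```

Run as a script, the two GTUBE messages come out with SCL 5, while the authenticated "test (spam)" message (score 0.652) and the constructed clean message do not. Two caveats when carrying this into the real rule: the match is only as stable as the gateway's header format, so a change in how MailScanner or SpamAssassin writes the score silently disables the rule; and the hand-sent "test (spam)" message that the old rule junked is no longer caught, because its score is low.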

-----

Many details have been left out of this write-up. If you spot holes in it, please point them out. Thanks.
