Using the RelayCountry plugin

The RelayCountry plugin exposes the countries that a mail was relayed from. To turn it on, read the plugin's documentation page, install the required CPAN module IP::Country::Fast, and uncomment the 'loadplugin' line for Mail::SpamAssassin::Plugin::RelayCountry in the /etc/mail/spamassassin/init.pre file.

The RelayCountry plugin will add metadata to the Bayesian filtering process, allowing the Bayesian filters to learn information based on countries.

You can also write rules that match specific countries and add them to your /etc/mail/spamassassin/local.cf file. For example:

   header          RELAYCOUNTRY_BAD X-Relay-Countries =~ /CN/
   describe        RELAYCOUNTRY_BAD Relayed through China at some point
   score           RELAYCOUNTRY_BAD 3.0

   header          RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(FI|SE)/
   describe        RELAYCOUNTRY_GOOD First untrusted relay is Finland or Sweden :-)
   score           RELAYCOUNTRY_GOOD -0.2

A list of 2-letter ISO 3166 country codes can be found at http://www.iso.org/iso/country_codes/iso_3166_code_lists/. Note that the plugin itself adds a few special codes: private IPs are marked with '**' (two asterisks) and IPs not found in the database are marked with 'XX'.

You can find a list of the countries that statistically relay the most spam at, for example, http://www.spamhaus.org/statistics/countries.lasso. Be careful not to score too heavily or to penalize too many countries; email is global by nature.
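
To see what the two example rules above actually hit before putting them in local.cf, here is an added example (Python, not part of the original page and not SpamAssassin code) that parses those rules and applies them to constructed X-Relay-Countries values, including the special '**' and 'XX' codes. It assumes Python's re module treats these simple patterns the same way Perl does, and it only handles the header/score lines shown on this page.

```python
import re

# The two example rules from this page, as they would appear in local.cf.
LOCAL_CF = r"""
header   RELAYCOUNTRY_BAD X-Relay-Countries =~ /CN/
score    RELAYCOUNTRY_BAD 3.0
header   RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(FI|SE)/
score    RELAYCOUNTRY_GOOD -0.2
"""

HEADER_RE = re.compile(r"^header\s+(\S+)\s+X-Relay-Countries\s+=~\s+/(.*)/(i?)\s*$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")


def parse_rules(text):
    """Return {rule_name: (compiled_regex, score)} for X-Relay-Countries rules."""
    patterns, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            flags = re.IGNORECASE if m.group(3) else 0
            patterns[m.group(1)] = re.compile(m.group(2), flags)
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    # Only keep rules that have both a header line and a score line.
    return {n: (rx, scores[n]) for n, rx in patterns.items() if n in scores}


def evaluate(rules, relay_countries):
    """Return (sorted hit names, total score) for one X-Relay-Countries value."""
    hits = sorted(n for n, (rx, _) in rules.items() if rx.search(relay_countries))
    return hits, round(sum(rules[n][1] for n in hits), 3)


# Constructed sample header values; the first code is the first untrusted relay.
SAMPLES = ["FI CN", "CN FI", "** SE", "XX US", "SE DE"]

if __name__ == "__main__":
    rules = parse_rules(LOCAL_CF)
    for value in SAMPLES:
        print(f"{value!r:10} -> {evaluate(rules, value)}")
```

In the constructed '** SE' sample the anchored RELAYCOUNTRY_GOOD pattern does not hit, because it only looks at the first code in the list, while the unanchored RELAYCOUNTRY_BAD pattern hits 'CN' at any position.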

It's also possible to add a separate MIME header that shows all the message's relay countries, independent of the rules:

   add_header all Relay-Country _RELAYCOUNTRY_

This will show up in your MIME headers as:

   X-Spam-Relay-Country: US CN RU

Note about the IP::Country::Fast database

As of writing, the latest version of IP::Country::Fast is three years old, meaning the bundled database is just as old. There is no internal update mechanism.

The database consists of files named cc.gif and ip.gif. You can find the path with this command:

   $ perl -MIP::Country::Fast -e '$_=$INC{"IP/Country/Fast.pm"};s/\.pm/\n/;print';

Updating the database files requires entering the dbmScripts directory in the IP::Country::Fast sources and running the whois_filenames, ipcc_loader.pl and ipcc_maker.pl scripts, in that order. Note that the build can use up to 2GB of system memory.

Alternatively, you can download premade files provided by Hege. These should be updated once a month or so:

http://mailfud.org/ip-country-fast/

Note: Geo::IP support was recently added to SpamAssassin 3.4 trunk, so you should use that if possible!

RelayCountryPlugin (last edited 2012-06-08 09:24:45 by Hege)