Help Documents: PEP
Headers
Every e-mail message contains a set of "headers". A header has a name
(like "From", "To", or "Subject") and a value.
This header is named From and its value is bob@hotmail.com:
From: bob@hotmail.com
This header is named Subject and its value is Have you read any good books lately?:
Subject: Have you read any good books lately?
PEP rules work by testing header values to see if they
match values you specify. PEP can test any header value that appears in
an e-mail message. There are also several values that you can test that
aren't actual message headers, but they can be treated like headers anyway.
You can test multiple headers at once by separating them with a comma:
fail if to,cc,bcc does not contain "mark@christian.net"
It would be impossible to list every possible e-mail header you may encounter,
but here is a list of the more useful ones:
- FROM
- This header is commonly misunderstood. Most people think that it contains
the name and/or e-mail address of the person who sent the message. While this
is usually the case, it doesn't have to be.
It is possible to send an e-mail message with just about anything you want
in the FROM: header. In fact, some spammers will even put the recipient's
e-mail address in here to confuse them.
Example:
From: spammer@hotmail.com (Joe Spammer)
- TO
- Just like the FROM header, this header can actually contain just about
anything. If you are the only recipient of the message, then it probably
contains your e-mail address. Messages to a list of people may or may not
include all the addresses here though.
Examples:
- SUBJECT
- This header contains a brief title or description of the message. This is
a good place to look for certain spam key words or phrases.
Examples:
Subject: ADV: Cable Descrambler
Subject: Make Money Fast!!
Special PEP Values
There are several special values that PEP can use that aren't actual message
headers, but you can test them as if they were:
- ORIGIN
- This value is a shortcut that is the same as typing from,message-id,reply-to,senderaddress,return-path,x-sender,ip,apparently-from.
- DESTINATION
- This value is a shortcut that is the same as typing to,cc,bcc,envelope-to,apparently-to.
- TOP
- This value refers to the first four kilobytes of the message body. It is not possible to test the entire
message body if it is over 8K in size.
- BOTTOM
- This value refers to the last four kilobytes of the message body. It is not possible to test the entire
message body if it is over 8K in size.
- SENDERADDRESS
- This contains the sender's address as provided to the SMTP server via
the MAIL FROM: command. Also known as the "Envelope From" value. This will
usually match the value in Return-Path: (minus any surrounding angle brackets)
but not always.
- SENDERLOCAL
- This contains the local part of SENDERADDRESS (the part to the left of the
@ sign).
- SENDERDOMAIN
- This contains the domain part of SENDERADDRESS (the part to the right of
the @ sign).
- FROMADDRESS
- Often the From: header contains more than just an e-mail address. It
might include the sender's name, company, or other text that isn't part of
the e-mail address. This header value contains only the e-mail address
portion, if any.
So if the From: header contains the value "Bob Smith <bob@aol.com>", the
FROMADDRESS will be "bob@aol.com".
- RETURNADDRESS
- The Return-path: header usually contains the sender's address surrounded
by angle brackets. RETURNADDRESS contains only the e-mail address
portion, if any.
So if the Return-path: header contains the value "<bob@aol.com>", the
RETURNADDRESS will be "bob@aol.com".
- REPLYADDRESS
- Occasionally the Reply-to: header contains more than just an e-mail address.
It might include the sender's name, company, or other text that isn't part of
the e-mail address. This header value contains only the e-mail address
portion, if any.
So if the Reply-to: header contains the value "Bob Smith <bob@aol.com>",
the REPLYADDRESS will be "bob@aol.com".
- #header
- If you place a hash mark before a header name you'll get a numeric
value that tells you how many occurrences of the header there are in the
message. For example, #from will usually have a value of 1
because there's normally a single From: header. #received will
usually be more than one.
- header(n)
- If you test a header value and there happens to
be more than one instance of that header in the message, only the first
one is tested. For example, using received will test only the
first Received: header. If you want to test the second one you'd use
received(2) instead.
To refer to the last instance of a header, use a hash mark instead
of a number. So received(#) refers to the very last Received:
header. You can also follow that with a negative number to indicate the
Nth from the last header: received(#-1) would be the second to last
Received: header, for example.
- SCORE
- PEP maintains an internal numeric score that starts out at zero. You can
use the SCORE action to add or subtract from this
value. The idea is to score a message based on a variety of tests and then
if the score is high enough, delete it.
- MAILBOX
- This is a numeric value that indicates the current size of your mailbox
in bytes, before delivering the current message.
- MAILBOXNEW
- This is a numeric value that indicates how large your mailbox would be
if the current message gets delivered to it.
- %
- This value represents a random number from 1 to 100. It is different
each time PEP handles a new message.
- IP
- This value contains the IP address of the last machine to handle the
message prior to reaching the local server. This is often, but not always,
the IP address of the remote mail server that relayed the message to
our server.
- HOSTNAME
- This value contains the host name that you get if you do a reverse lookup
on the IP value above. Note that this value is only available if you've
previously used the "resolve" command.
- LINES
- This value is numeric and indicates the number of lines there are in
the message.
- BYTES
- This value is numeric and indicates how large the message is in bytes.
- TOCOUNT
- This value is numeric and indicates how many addresses there are in the
To: header.
- CCCOUNT
- This value is numeric and indicates how many addresses there are in the
Cc: header.
- CHALLENGEID
- This is a unique value that is meant to be used exclusively in
reply files that are sent via the
challenge action.
- PEP_ID
- This is a value that is guaranteed to be unique for every message ever
processed by PEP.
- RXn
- If you don't know what a regular expression is then don't worry about these
values. This is an advanced topic.
RX values refer to substrings that were matched with the last regex
test. RX0 refers to the entire matching string, RX1 refers to the first
substring, RX2 refers to the second, and so on.
So given a Subject: line of
[Llamas] Any good llama jokes?
and the rule
reply if subject regex "\\[(.+)\\]"
RX0 would contain "[Llamas]" and RX1 would contain "Llamas".
- SASCORE
- This value contains the numeric score that
SpamAssassin calculates after analyzing the message. Click
here for more details.
Example:
- BFSCORE
- - IN TESTING -
- RAZOR
- Vipul's Razor is a shared
catalogue of known spam. When you test this value, it connects to the
Razor database and returns either "yes" or "no" to indicate whether
the message is listed.
Example:
- DCCBODY, DCCFUZ1, and DCCFUZ2
- - IN TESTING -
- NUMPARTS
- If the message in question consists of one or more MIME attachments,
this value will tell you how many there are.
- ATTACHMENT
- When a message contains one or more attachments, each one that has a
filename attribute will be assigned to a separate "attachment" value. If
there are 5 attachments with filenames, then there will be 5 "attachment"
values. You would normally test these by using a wildcard.
Example:
delete if attachment* matches "*.exe"
- USERNAME
- This value contains the username of the account that is currently
accessing your mailrule file. Normally it will be your username, but if
you've allowed others to include your mailrule file then it will be set
to their username when PEP is processing mail for them. You can use it to
implement different rule sets depending on who's using your mailrule file.
- CALLBACK
- This is a special value that causes PEP to perform a "callback", and
report the result as either "OK" or "BAD". A callback is when PEP connects
back to the mail server(s) for the sender's email address and goes through
the motions of sending a bounce message, without actually sending it. If the
sender's address is phony, most servers will let us know about it.
So if "callback" is "bad", then you know the mail message in question is
bogus because it comes from a nonexistent address (or one that's been
closed down by the ISP, etc). In the event that PEP is unable to connect
to the sender's mail servers, or there is some other kind of error, the
default is to assume that it's OK.
This is a very effective way to eliminate a lot of spam with no worries
about false positives (since messages with invalid return addresses are
invalid).
Example:
delete if callback is bad
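The CALLBACK exchange described above, sketched with Python's smtplib as an added example; it is not PEP's own code. Assumptions: the caller has already looked up the sender's mail server (`mx_host`), only a permanent 5xx reply to RCPT TO counts as "BAD", and `verdict`, `callback` and `smtp_factory` are hypothetical names.

```python
import smtplib
from contextlib import suppress

def verdict(rcpt_code):
    """Map the server's reply to RCPT TO onto the two callback values."""
    # Assumption: only a permanent 5xx rejection means the address is bad.
    # Temporary 4xx replies count as "some other kind of error" and stay OK.
    return "BAD" if 500 <= rcpt_code <= 599 else "OK"

def callback(sender, mx_host, smtp_factory=smtplib.SMTP, timeout=15):
    """Go through the motions of bouncing to `sender` without sending mail.

    mx_host is the sender domain's mail server, resolved by the caller.
    smtp_factory exists so the dialogue can be exercised without a network.
    """
    try:
        smtp = smtp_factory(mx_host, 25, timeout=timeout)
        try:
            smtp.helo()
            # MAIL FROM:<> is the null sender that real bounces use.
            if smtp.mail("")[0] != 250:
                return "OK"               # refused before RCPT: inconclusive
            # RCPT TO:<sender> is the step where a phony address is rejected.
            return verdict(smtp.rcpt(sender)[0])
        finally:
            # QUIT before DATA, so no message is ever transmitted.
            with suppress(OSError):
                smtp.quit()
    except OSError:
        # Covers refused connections, timeouts and smtplib.SMTPException
        # (an OSError subclass). The page's stated default here is OK.
        return "OK"
```

Because every failure path returns "OK", the check fails open: a sender whose mail server is unreachable passes it.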
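How the #header and header(n) selectors described above pick out one instance of a repeated header, as an added Python example; it is not PEP's own code. The sample message is constructed, `resolve` and `SELECTOR` are hypothetical names, and returning None for a missing instance is an assumption.

```python
import re
from email import message_from_string

# Constructed sample message; all hosts are reserved example names.
RAW = """\
Received: from mx.example.net by mail.example.org; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.com by mx.example.net; Mon, 1 Jan 2024 10:00:02 +0000
Received: from pc.example.com by relay.example.com; Mon, 1 Jan 2024 10:00:01 +0000
From: Bob Smith <bob@example.com>
Subject: [Llamas] Any good llama jokes?

body
"""

# Accepts: name, #name, name(n), name(#), name(#-n)
SELECTOR = re.compile(r"^(#)?([A-Za-z][\w-]*)(?:\((\d+|#(?:-\d+)?)\))?$")

def resolve(msg, selector):
    """Return an int for #header, a string for header / header(n) /
    header(#) / header(#-n), or None if that instance does not exist
    (the None result is an assumption of this example)."""
    m = SELECTOR.match(selector.strip())
    if not m:
        raise ValueError(f"unsupported selector: {selector!r}")
    count, name, index = m.groups()
    values = msg.get_all(name, [])        # header names are case-insensitive
    if count:                             # #header: number of occurrences
        return len(values)
    if index is None:                     # bare name: first instance only
        pos = 0
    elif index.startswith("#"):           # (#) is last, (#-n) is n before last
        pos = len(values) - 1 + int(index[1:] or 0)
    else:                                 # (n) counts from 1
        pos = int(index) - 1
    return values[pos] if 0 <= pos < len(values) else None

MSG = message_from_string(RAW)
```

Each mail server adds its Received: line at the top, so `received` is the hop recorded by the server closest to you and `received(#)` is the oldest one.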
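The address-only values above (SENDERLOCAL, SENDERDOMAIN, FROMADDRESS, RETURNADDRESS, REPLYADDRESS) computed for one message and compared with each other, as an added Python example; it is not PEP's own code. The message, the envelope value and the names `address_only`, `derived_values` and `mismatches` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From: header shows the recipient's own address.
RAW = """\
Return-Path: <bounce-1234@mailer.example.net>
From: "Mark" <mark@example.org>
Reply-To: Offers Desk <offers@example.com>
To: mark@example.org
Subject: Make Money Fast!!

body
"""
ENVELOPE_FROM = "bounce-1234@mailer.example.net"  # constructed MAIL FROM value

def address_only(value):
    """Strip display name, comment and angle brackets; '' if no address."""
    return parseaddr(value or "")[1].lower()

def derived_values(msg, envelope_from):
    """Address-only values, named as on the page, for one message."""
    sender = envelope_from.lower()
    local, _, domain = sender.rpartition("@")
    return {
        "senderaddress": sender, "senderlocal": local, "senderdomain": domain,
        "fromaddress": address_only(msg.get("From")),
        "returnaddress": address_only(msg.get("Return-Path")),
        "replyaddress": address_only(msg.get("Reply-To")),
    }

def mismatches(v, recipient):
    """Signals worth scoring; mailing lists and bulk senders trip them too."""
    out = []
    if v["fromaddress"] == recipient.lower():
        out.append("from-is-recipient")
    if v["fromaddress"].rpartition("@")[2] != v["senderdomain"]:
        out.append("from-domain-differs-from-envelope")
    if v["returnaddress"] != v["senderaddress"]:
        out.append("return-path-differs-from-envelope")
    if v["replyaddress"] and v["replyaddress"] != v["fromaddress"]:
        out.append("reply-to-differs-from-from")
    return out

VALUES = derived_values(message_from_string(RAW), ENVELOPE_FROM)
```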