Amazonses Esp

Esp.cf

@@ -37,6 +37,13 @@ header		FORDEM		eval:esp_4dem_check()
 describe	FORDEM		Message from 4Dem abused account
 score		FORDEM		5.0
 
+# -------- AMAZON SES --------
+4dem_feed /etc/mail/spamassassin/amazonses_id.txt
+
+header		AMAZON		eval:esp_amazonses_check()
+describe	AMAZON		Message from Amazon SES abused account
+score		AMAZON		5.0
+
 # -------- BEMAIL --------
 4dem_feed /etc/mail/spamassassin/be-mail_id.txt
 

Esp.pm

@@ -58,6 +58,7 @@ sub new {
 
   $self->set_config($mailsaobject->{conf});
   $self->register_eval_rule('esp_4dem_check',  $Mail::SpamAssassin::Conf::TYPE_HEAD_EVALS);
+  $self->register_eval_rule('esp_amazonses_check',  $Mail::SpamAssassin::Conf::TYPE_HEAD_EVALS);
   $self->register_eval_rule('esp_be_mail_check',  $Mail::SpamAssassin::Conf::TYPE_HEAD_EVALS);
   $self->register_eval_rule('esp_constantcontact_check',  $Mail::SpamAssassin::Conf::TYPE_HEAD_EVALS);
   $self->register_eval_rule('esp_ecmessenger_check',  $Mail::SpamAssassin::Conf::TYPE_HEAD_EVALS);
@@ -98,6 +99,9 @@ Usage:
   esp_4dem_check()
     Checks for 4dem id abused accounts
 
+  esp_amazonses_check()
+    Checks for Amazon SES id abused accounts
+
   esp_be_mail_check()
     Checks for Be-Mail id abused accounts
 
@@ -157,6 +161,11 @@ with a "_" in order to be possible to use the Esp id in dns records.
 
 =over 4
 
+=item amazonses_feed [...]
+
+A list of files with abused Amazon SES accounts.
+Files can be separated by a comma.
+
 =item bemail_feed [...]
 
 A list of files with abused Be Mail accounts.
@@ -263,6 +272,9 @@ Tags that the plugin could set are:
 
 =over
 
+=item *
+AMAZONSESID
+
 =item *
 BEMAILID
 
@@ -322,6 +334,12 @@ sub set_config {
   my($self, $conf) = @_;
   my @cmds = ();
 
+  push(@cmds, {
+    setting => 'amazonses_feed',
+    is_admin => 1,
+    type => $Mail::SpamAssassin::Conf::CONF_TYPE_STRING,
+    }
+  );
   push(@cmds, {
     setting => 'bemail_feed',
     is_admin => 1,
@@ -429,6 +447,7 @@ sub set_config {
 
 sub finish_parsing_end {
   my ($self, $opts) = @_;
+  $self->_read_configfile('amazonses_feed', 'AMAZONSES');
   $self->_read_configfile('bemail_feed', 'BEMAIL');
   $self->_read_configfile('constantcontact_feed', 'CONSTANTCONTACT');
   $self->_read_configfile('ecmessenger_feed', 'ECMESSENGER');
@@ -491,6 +510,9 @@ sub _hit_and_tag {
       if($opts =~ /nodash/) {
         $id =~ s/\-/_/g;
       }
+      if($opts =~ /nobase64/) {
+        $id =~ s/\+|\=|\//_/g;
+      }
       if($opts =~ /md5/) {
         $id = md5_hex($id);
       }
@@ -524,6 +546,32 @@ sub esp_4dem_check {
   return _hit_and_tag($self, $pms, $uid, 'FORDEM', '4Dem', 'FORDEMID', $opts);
 }
 
+sub esp_amazonses_check {
+  my ($self, $pms, $opts) = @_;
+  my $fid;
+
+  # Change base64 chars that are not valid in dns records into "_", uid must be limited to chars permitted in dns records
+  $opts .= "nobase64";
+
+  # return if X-SES-Outgoing is not what we want
+  my $xses = $pms->get("X-SES-Outgoing", undef);
+
+  if((not defined $xses) or ($xses !~ /\d{4}\.\d{2}\.\d{2}\-/)) {
+    return;
+  }
+
+  # Parse the Feedback-ID
+  # Feedback-ID: 1.eu-west-3.lw6TDfPoSha17XiO+mc7ZtIOCZEcjZHgwdWo1vcloYU=:AmazonSES
+  $fid = $pms->get("Feedback-ID", undef);
+  return if not defined $fid;
+
+  if($fid =~ /\d+\.[a-z]+\-[a-z]+\-\d+\.(.*)\:AmazonSES/) {
+    $fid = $1;
+    return _hit_and_tag($self, $pms, $fid, 'AMAZONSES', 'Amazon SES', 'AMAZONSESID', $opts);
+  }
+  return;
+}
+
 sub esp_be_mail_check {
   my ($self, $pms, $opts) = @_;
   my ($fid, $uid);

man/man3p/Mail::SpamAssassin::Plugin::Esp.3p

@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "Esp 3"
-.TH Esp 3 "2022-08-29" "perl v5.34.1" "User Contributed Perl Documentation"
+.TH Esp 3 "2022-09-26" "perl v5.34.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -170,6 +170,9 @@ Usage:
 \&  esp_4dem_check()
 \&    Checks for 4dem id abused accounts
 \&
+\&  esp_amazonses_check()
+\&    Checks for Amazon SES id abused accounts
+\&
 \&  esp_be_mail_check()
 \&    Checks for Be\-Mail id abused accounts
 \&
@@ -227,6 +230,10 @@ to crypt the Esp id using md5 algorithm and \*(L"nodash\*(R" which will substitu
 with a \*(L"_\*(R" in order to be possible to use the Esp id in dns records.
 .SH "ADMINISTRATOR SETTINGS"
 .IX Header "ADMINISTRATOR SETTINGS"
+.IP "amazonses_feed [...]" 4
+.IX Item "amazonses_feed [...]"
+A list of files with abused Amazon \s-1SES\s0 accounts.
+Files can be separated by a comma.
 .IP "bemail_feed [...]" 4
 .IX Item "bemail_feed [...]"
 A list of files with abused Be Mail accounts.
@@ -312,6 +319,8 @@ added to the askdns rule.
 Tags that the plugin could set are:
 .RE
 .IP "\(bu" 4
+\&\s-1AMAZONSESID\s0
+.IP "\(bu" 4
 \&\s-1BEMAILID\s0
 .IP "\(bu" 4
 \&\s-1CONSTANTCONTACTID\s0