Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/02/08 21:22:16 UTC

[Bug 3021] New: Use whitelist_from_rcvd failure as forgery rule

http://bugzilla.spamassassin.org/show_bug.cgi?id=3021

           Summary: Use whitelist_from_rcvd failure as forgery rule
           Product: Spamassassin
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Rules (Eval Tests)
        AssignedTo: spamassassin-dev@incubator.apache.org
        ReportedBy: sidney@sidney.com


How about assigning a positive score when the sender address matches a
whitelist_from_rcvd or a def_whitelist_from_rcvd but the mail server fails to
match? That could indicate a forgery.

I was looking at a paypal.com phishing scheme that did not trigger the
def_whitelist_from_rcvd negative score, but did not get a very high positive
score. Catching the forgery would have nailed it, but there's no reason to add a
separate forgery rule for each thing in the whitelist when the information is
already all there in the whitelist itself.

I can see that sometimes you may not want to do this: A whitelist_from_rcvd
might mean "If the mail comes from that address on that server I know it is
trusted" or it might mean "The mail from this trusted address can only come from
this server". Would it be better to add some parameter to the
whitelist_from_rcvd syntax to indicate if a forgery should trigger some
FORGED_WHITELIST rule?
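
The check proposed in this report, sketched as an added example (it is not SpamAssassin code and not part of the original message): a sender that matches a whitelist_from_rcvd address pattern but arrives through a relay whose reverse DNS matches none of that address's entries is flagged. The sample configuration, the function names and the returned labels are assumptions; it models the "can only come from this server" reading of an entry.

```python
import fnmatch

# Constructed sample entries in whitelist_from_rcvd syntax:
#   <directive> <address glob> <relay rDNS domain>
SAMPLE_CONFIG = """
def_whitelist_from_rcvd *@paypal.com paypal.com
whitelist_from_rcvd friend@example.org mail.example.net
"""

DIRECTIVES = ("whitelist_from_rcvd", "def_whitelist_from_rcvd")


def parse_whitelist(config):
    """Return a list of (address_glob, relay_domain) pairs, lowercased."""
    entries = []
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] in DIRECTIVES:
            entries.append((parts[1].lower(), parts[2].lower()))
    return entries


def relay_matches(rdns, domain):
    """True if rdns is the domain itself or a host below it.

    A plain substring or suffix test would accept 'notpaypal.com' and
    'paypal.com.evil.example'; anchoring on a label boundary does not.
    """
    rdns = rdns.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


def classify(sender, relay_rdns, entries):
    """Classify one message by its From address and relay reverse DNS.

    Assumption: fnmatch stands in for the whitelist's '*' and '?' globs.
    """
    sender = sender.lower()
    address_listed = False
    for pattern, domain in entries:
        if fnmatch.fnmatchcase(sender, pattern):
            address_listed = True
            # Any matching entry whitelists; several relays may be listed.
            if relay_rdns and relay_matches(relay_rdns, domain):
                return "WHITELISTED"
    # Address is whitelisted somewhere, but no entry's relay matched.
    return "FORGED_WHITELIST" if address_listed else "NO_MATCH"
```

A relay with no reverse DNS at all is treated as a mismatch here, so a listed address arriving that way is also reported as FORGED_WHITELIST.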


