Posted to users@spamassassin.apache.org by Bill Minton <bi...@gmail.com> on 2007/03/22 14:14:02 UTC

Need help with a rule

I'm looking to have Spamassassin mark messages where the from address is
forged with a valid local address.

For instance, if a local address is bob@web.com and a spammer spoofs that,
then it initially appears as though bob@web.com is sending an email to
bob@web.com (which is ok).

I've found that if the "From:" contains a valid local account, AND the
"envelope-from" (part of "Received:") doesn't match that account, it is
spam.  At least that's the case w/the ones I've looked over.

So, is it possible to write a rule to combine the two checks necessary to do
that?

Re: Need help with a rule

Posted by "Chris St. Pierre" <st...@NebrWesleyan.edu>.
Sure.

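# Subrule: the address in the From: header is in the local domain
header __LOCAL_SENDER      From:addr =~ /\@example\.com$/i
# ALL_TRUSTED is the stock rule that fires when every relay is in trusted_networks
meta   FORGED_LOCAL_SENDER __LOCAL_SENDER && !ALL_TRUSTED
score  FORGED_LOCAL_SENDER 1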

This depends on a proper setting of TRUSTED_NETWORKS.

(Note: untested code, YMMV, etc.)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 22 Mar 2007, Bill Minton wrote:

> I'm looking to have Spamassassin mark messages where the from address is
> forged with a valid local address.
>
> For instance, if a local address is bob@web.com and a spammer spoofs that,
> then it initially appears as though bob@web.com is sending an email to
> bob@web.com (which is ok).
>
> I've found that if the "From:" contains a valid local account, AND the
> "envelope-from" (part of "Received:") doesn't match that account, it is
> spam.  At least that's the case w/the ones I've looked over.
>
> So, is it possible to write a rule to combine the two checks necessary to do
> that?
>

Re: Need help with a rule

Posted by Matt Kettler <mk...@verizon.net>.
Bill Minton wrote:
> I'm looking to have Spamassassin mark messages where the from address
> is forged with a valid local address.
>
> For instance, if a local address is bob@web.com
> and a spammer spoofs that, then it initially appears as though
> bob@web.com is sending an email to bob@web.com
> (which is ok).
>
> I've found that if the "From:" contains a valid local account, AND the
> "envelope-from" (part of "Received:") doesn't match that account, it is
> spam.  At least that's the case w/the ones I've looked over.
>
> So, is it possible to write a rule to combine the two checks necessary
> to do that?
Yes, but it would be easier to just publish a SPF record for web.com,
install the SPF perl modules, and let the SPF checks in SA pick it up.
>
>
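
The check described in the original question (From: is a local address, but the envelope sender recorded in Received: differs), as an added example that is not code from any poster in this thread. It assumes web.com is the local domain, that the local MTA writes an "(envelope-from <...>)" clause into the Received: header it adds, and the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "web.com"  # assumption: the local domain from the thread's example
ENV_FROM_RE = re.compile(r"\(envelope-from\s+<?([^\s<>()]+)>?\)", re.I)

def envelope_sender(msg):
    """Envelope sender from the topmost Received: header, else Return-Path.

    Only the topmost Received: is written by our own MTA; lower ones are
    supplied by the sending side and must not be trusted.
    """
    received = msg.get_all("Received") or []
    if received:
        m = ENV_FROM_RE.search(received[0])
        if m:
            return m.group(1).lower()
    return parseaddr(msg.get("Return-Path", ""))[1].lower()

def forged_local_sender(raw):
    """True when From: is a local address and the envelope sender differs."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if not from_addr.endswith("@" + LOCAL_DOMAIN):
        return False  # not claiming to be local, so the rule does not apply
    return envelope_sender(msg) != from_addr

def sample(env_from, from_hdr):
    """Build a constructed message as the local MTA would have stored it."""
    return (
        "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
        "\tby mx.web.com with esmtp (envelope-from <%s>)\n"
        "\tfor <bob@web.com>; Thu, 22 Mar 2007 14:00:00 +0000\n"
        "From: %s\n"
        "To: bob@web.com\n"
        "Subject: test\n"
        "\n"
        "body\n"
    ) % (env_from, from_hdr)

SPOOFED = sample("x9@bulk.example", "Bob <bob@web.com>")     # constructed
GENUINE = sample("bob@web.com", "Bob <bob@web.com>")         # constructed
EXTERNAL = sample("alice@example.org", "alice@example.org")  # constructed

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("external", EXTERNAL)):
        print(name, forged_local_sender(raw))
```

A local user who legitimately sends with a different envelope sender (a mailing list or forwarding service, for example) will also match, so this fits a scored rule better than an outright reject.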