Posted to users@spamassassin.apache.org by Bill Minton <bi...@gmail.com> on 2007/03/22 14:14:02 UTC
Need help with a rule
I'm looking to have SpamAssassin mark messages where the from address is
forged with a valid local address.
For instance, if a local address is bob@web.com and a spammer spoofs that,
then it initially appears as though bob@web.com is sending an email to
bob@web.com (which is ok).
I've found that if the "From:" contains a valid local account, AND the
"envelope-from" (part of "Received:") doesn't match that account, it is
spam. At least that's the case w/the ones I've looked over.
So, is it possible to write a rule to combine the two checks necessary to do
that?
Re: Need help with a rule
Posted by "Chris St. Pierre" <st...@NebrWesleyan.edu>.
Sure.
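# Match a From: header that claims a local address
header __LOCAL_SENDER From =~ /\@example\.com/i
# ALL_TRUSTED is the stock rule that fires when every relay is in trusted_networks
meta FORGED_LOCAL_SENDER __LOCAL_SENDER && !ALL_TRUSTED
score FORGED_LOCAL_SENDER 1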
This depends on a proper setting of TRUSTED_NETWORKS.
(Note: untested code, YMMV, etc.)
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
On Thu, 22 Mar 2007, Bill Minton wrote:
> I'm looking to have SpamAssassin mark messages where the from address is
> forged with a valid local address.
>
> For instance, if a local address is bob@web.com and a spammer spoofs that,
> then it initially appears as though bob@web.com is sending an email to
> bob@web.com (which is ok).
>
> I've found that if the "From:" contains a valid local account, AND the
> "envelope-from" (part of "Received:") doesn't match that account, it is
> spam. At least that's the case w/the ones I've looked over.
>
> So, is it possible to write a rule to combine the two checks necessary to do
> that?
>
Re: Need help with a rule
Posted by Matt Kettler <mk...@verizon.net>.
Bill Minton wrote:
> I'm looking to have SpamAssassin mark messages where the from address
> is forged with a valid local address.
>
> For instance, if a local address is bob@web.com and a spammer spoofs
> that, then it initially appears as though bob@web.com is sending an
> email to bob@web.com (which is ok).
>
> I've found that if the "From:" contains a valid local account, AND the
> "envelope-from" (part of "Received:") doesn't match that account, it is
> spam. At least that's the case w/the ones I've looked over.
>
> So, is it possible to write a rule to combine the two checks necessary
> to do that?
Yes, but it would be easier to just publish a SPF record for web.com,
install the SPF perl modules, and let the SPF checks in SA pick it up.
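The check described in the original question (a local From: address whose envelope sender does not match), written in Python as an added example that is not from any poster in this thread. It assumes the delivering MTA records the envelope sender in Return-Path:; the domain set, function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"web.com"}  # assumption: the domain used in the thread's example


def _addr(value):
    """Return the lower-cased bare address from a header value, or ''."""
    return parseaddr(value or "")[1].strip().lower()


def forged_local_sender(raw_message, local_domains=LOCAL_DOMAINS):
    """True when From: is a local address but the envelope sender differs.

    The envelope sender is read from Return-Path: (assumption: the final
    MTA adds that header at delivery time).
    """
    msg = message_from_string(raw_message)
    from_addr = _addr(msg.get("From"))
    env_addr = _addr(msg.get("Return-Path"))
    if from_addr.rpartition("@")[2] not in local_domains:
        return False  # From: is not a local address, outside this check
    return from_addr != env_addr


# Constructed sample messages (not taken from real mail).
SPOOFED = (
    "Return-Path: <x1@bulk.example>\n"
    "From: Bob <bob@web.com>\n"
    "To: bob@web.com\n"
    "Subject: hello\n\nbody\n"
)
GENUINE = (
    "Return-Path: <bob@web.com>\n"
    "From: Bob <bob@web.com>\n"
    "To: bob@web.com\n"
    "Subject: note to self\n\nbody\n"
)
OUTSIDE = (
    "Return-Path: <alice@example.org>\n"
    "From: alice@example.org\n"
    "To: bob@web.com\n"
    "Subject: hi\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("outside", OUTSIDE)):
        print(name, forged_local_sender(raw))
```

A mismatch alone also occurs with mailing lists and forwarders that rewrite the envelope sender, and a sender who forges both values passes this check, so the result suits a modest score rather than an outright reject.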