Posted to users@spamassassin.apache.org by Mark London <mr...@psfc.mit.edu> on 2018/09/13 15:24:38 UTC

How to test for this suspicious From address?

Hi - I'm getting spam with a From header that contains 2 different 
addresses, which I would like to try and detect:

From: "xxxx  xxxxx <xx...@psfc.mit.edu>" <bi...@decorproducts.com>

I created a crude rule that was properly being triggered when I manually ran spamassassin on the email itself.

But when it arrives (via Mimedefang), the rule is not being triggered.

I don't know how to configure spamassassin to run with debug output, when it's called via Mimedefang (using a perl script).
Here are the rules. I tried the 2nd rule, and that didn't work either.

header BAD_2FROM        From =~ /\@\S+\>" \<\S+\@\S+\>/
header BAD_2FROM_ALL    ALL =~ /From: \"[\S ]+\<\S+\@\S+\>" \<\S+\@\S+\>/

Here's the full header.  Thanks. Mark

Received: from mail.wtf.net (mail.wtf.net [66.202.56.170])
	by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id w8DCLlXe017269
	for <wh...@psfc.mit.edu>; Thu, 13 Sep 2018 08:21:51 -0400
Received: from 205.234.customer.permana-as131746 [103.21.205.234] by mail.wtf.net with SMTP;
    Thu, 13 Sep 2018 07:20:40 -0500
Date: Thu, 13 Sep 2018 19:18:46 +0700
From: "xxxx xxxx <xx...@psfc.mit.edu>" <bi...@decorproducts.com>
To: whyte@psfc.mit.edu
Message-ID: <34...@psfc.mit.edu>
Subject: Anastasia Alexandridis Statement 09/13/2018 for customer 74497
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_1526_290724656.11939892661078071324"
X-Declude-Sender: bill.orlando@decorproducts.com [103.21.205.234]
X-Declude-Spoolname: 190922733.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.3.46 for spam. "http://www.declude.com/x-note.htm"
X-Declude-Scan: Score [0] at 07:20:47 on 13 Sep 2018
X-Declude-Fail: Whitelisted
X-Country-Chain:
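As an added example, not part of Mark's post and not SpamAssassin or MIMEDefang code: the script below applies Mark's first rule, BAD_2FROM, to constructed From: values, and next to it runs a parser-based check that pulls the address smuggled into the quoted display name out with email.utils.parseaddr and compares it with the real addr-spec. The regex is Mark's; the function names, the tags FROM_HIDES_ADDR and FROM_DOMAIN_MISMATCH, and every sample header (example.com / example.net) are constructed here.

```python
import re
from email.utils import parseaddr

# Mark's first rule from the thread, verbatim. The pattern is legal Python
# regex syntax too, so we can test exactly what it does and does not match.
BAD_2FROM = re.compile(r'\@\S+\>" \<\S+\@\S+\>')

# An addr-spec hiding inside a display name: non-blank runs either side of
# one '@', stopping at quotes, angle brackets and parentheses.
EMBEDDED_ADDR = re.compile(r'([^\s<>"()]+@[^\s<>"()]+)')


def domain_of(addr):
    return addr.rpartition('@')[2].lower()


def hidden_sender(from_value):
    """Return (shown_addr, real_addr) when the display name carries an
    e-mail address that is not the real addr-spec, otherwise None.

    parseaddr() does the RFC 5322 parsing: a quoted display name such as
    "Jane Doe <jane.doe@example.com>" comes back as the *name*, and the
    address in the angle brackets after it as the real sender.
    """
    name, real = parseaddr(from_value)
    if not real:
        return None
    match = EMBEDDED_ADDR.search(name)
    if not match:
        return None
    shown = match.group(1)
    if shown.lower() == real.lower():
        return None          # "jane@x" <jane@x>: redundant, not deceptive
    return shown, real


def classify(from_value):
    """Return the set of checks that fire for one From: header value."""
    tags = set()
    if BAD_2FROM.search(from_value):
        tags.add('BAD_2FROM')                  # Mark's regex rule
    hit = hidden_sender(from_value)
    if hit:
        tags.add('FROM_HIDES_ADDR')            # display name contains an address
        if domain_of(hit[0]) != domain_of(hit[1]):
            tags.add('FROM_DOMAIN_MISMATCH')   # ... and it is another domain
    return tags


# Constructed sample header values (not taken from the thread).
SAMPLES = {
    'spoofed':          '"Jane Doe <jane.doe@example.com>" <billing@example.net>',
    'spoofed_no_space': '"Jane Doe <jane.doe@example.com>"<billing@example.net>',
    'same_domain':      '"Jane Doe <jane.doe@example.com>" <noreply@example.com>',
    'legit':            '"Jane Doe" <jane.doe@example.com>',
    'redundant':        '"jane.doe@example.com" <jane.doe@example.com>',
    'bare':             'jane.doe@example.com',
}


def run_samples():
    """Label -> set of tags that fired, for every constructed sample."""
    return {label: classify(value) for label, value in SAMPLES.items()}


if __name__ == '__main__':
    for label, tags in run_samples().items():
        print(f'{label:18} {sorted(tags) or "-"}')
```

The no-space variant is legal RFC 5322 (the whitespace before the angle-addr is optional) and slips past BAD_2FROM, which hard-codes the literal `>" <`; the parser-based check still flags it. It also shows why the rule itself is not the suspect in Mark's case: the pattern does match the header he posted, which points at the configuration rather than the regex.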
Re: How to test for this suspicious From address?

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 13 Sep 2018, at 11:24, Mark London wrote:

> Hi - I'm getting spam with a From header that contains 2 different 
> addresses, which I would like to try and detect:
>
> From: "xxxx  xxxxx <xx...@psfc.mit.edu>" 
> <bi...@decorproducts.com>
>
> I created a crude rule that was properly being triggered when I 
> manually ran spamassassin on the email itself.
>
> But when it arrives (via Mimedefang), the rule is not being triggered.

The typical causes of this sort of problem are:

1. The user running the spamassassin script manually is using a 
different configuration than what MIMEDefang is using. MIMEDefang looks 
for these files and uses the first one it finds as a config file:

/etc/mail/sa-mimedefang.cf
/etc/mail/spamassassin/sa-mimedefang.cf
/etc/mail/spamassassin/local.cf
/etc/mail/spamassassin.cf

MIMEDefang typically runs as the user 'defang' and will load 
~defang/.spamassassin/user_prefs if per-user preferences are enabled in 
the main config file. Unless you have written a highly customized 
mimedefang-filter which can find and load other per-user prefs dependent 
on the individual recipients, no others will be loaded.

2. The MIMEDefang multiplexor has not reloaded the changed rules file 
(i.e. respawned fresh worker processes) after a rule is added. You can 
fix that with 'md-mx-ctrl reread' or whatever your platform uses to 
restart the whole MIMEDefang service.


> I don't know how to configure spamassassin to run with debug output, 
> when it's called via Mimedefang (using a perl script).

That's probably possible in principle with a customized user_prefs or 
mimedefang-filter but it's not something you'll be happy with in 
practice.
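A small diagnostic for Bill's first point, added here as an example and not MIMEDefang's or SpamAssassin's own code: it walks the candidate list in the order Bill gives, reports which file MIMEDefang would pick, and scans every candidate that exists for a definition of the rule, so a rule that lives only in local.cf while an sa-mimedefang.cf exists shows up as "defined, but not in the active config". The search order is taken from Bill's message; the `root` parameter, the fixture tree and its rule text are constructed for the example so the check can run against a scratch directory instead of the real /etc.

```python
import os
import re
import tempfile

# Search order as given in Bill's reply; MIMEDefang uses the first that exists.
CANDIDATES = [
    '/etc/mail/sa-mimedefang.cf',
    '/etc/mail/spamassassin/sa-mimedefang.cf',
    '/etc/mail/spamassassin/local.cf',
    '/etc/mail/spamassassin.cf',
]

# A rule definition line, "<type> <NAME> ...". Good enough for this check;
# 'describe' and 'score' lines reference a rule but do not define it.
RULE_DEF = re.compile(r'^\s*(?:header|body|rawbody|full|uri|meta)\s+(\w+)\b', re.M)


def _abs(root, rel):
    # Map the absolute candidate path onto a (possibly scratch) root.
    return os.path.join(root, rel.lstrip('/'))


def active_config(root='/'):
    """Candidate MIMEDefang would load (as listed in CANDIDATES), or None."""
    for rel in CANDIDATES:
        if os.path.isfile(_abs(root, rel)):
            return rel
    return None


def rules_in(path):
    """Set of rule names defined in one config file."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return set(RULE_DEF.findall(fh.read()))


def diagnose(rule, root='/'):
    """Return (active_config, rule_defined_in_active, other_files_defining_rule)."""
    active = active_config(root)
    defining = [rel for rel in CANDIDATES
                if os.path.isfile(_abs(root, rel)) and rule in rules_in(_abs(root, rel))]
    in_active = active is not None and active in defining
    others = [rel for rel in defining if rel != active]
    return active, in_active, others


def build_fixture():
    """Constructed scratch tree reproducing the thread's situation: the rule
    was added to local.cf, but an sa-mimedefang.cf exists and wins."""
    root = tempfile.mkdtemp(prefix='md-cfg-')
    files = {
        '/etc/mail/sa-mimedefang.cf':
            'required_score 5.0\n',
        '/etc/mail/spamassassin/local.cf':
            'header BAD_2FROM  From =~ /\\@\\S+\\>" \\<\\S+\\@\\S+\\>/\n'
            'describe BAD_2FROM  second address hidden in From display name\n'
            'score BAD_2FROM 3.0\n',
    }
    for rel, text in files.items():
        path = _abs(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(text)
    return root


def demo(rule='BAD_2FROM'):
    """Build the fixture and diagnose `rule` against it."""
    return diagnose(rule, build_fixture())


if __name__ == '__main__':
    active, in_active, others = demo()
    print('MIMEDefang will load:', active)
    print('rule defined in active config:', in_active)
    if others:
        print('rule found only in:', ', '.join(others), '(not loaded by MIMEDefang)')
```

Run against the live system with `diagnose('BAD_2FROM')` (root defaults to `/`); the ~defang/.spamassassin/user_prefs case Bill mentions is deliberately left out, since whether it is read depends on the per-user-preferences setting in the main config rather than on file presence alone.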