You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by sa...@top-consulting.net on 2010/01/18 16:40:14 UTC
SpamAssassin SPF Checks
I am running Postfix with Amavisd-maia which in turn uses Mail::SpamAssassin..
I am running SPF checks with Postfix and that works reasonably well
but it fails at catching fake senders in the 'DATA' portion of the
SMTP conversation.
Say my domain is: test.com
the envelope of the message will contain something like:
From: web@remotedomain.com
and the sending ip/domain will properly pass SPF checking
the 'DATA' portion of the message however will contain a different
from, usually my own domain name:
From: user@test.com
How do I tell SpamAssassin to run an SPF check against that From:
field and not just analyze the results Postfix added in. I am already
using this configuration variable: ignore_received_spf_header 1 but
it doesn't help at all.
My current debugging output looks like this:
[27379] dbg: spf: ignoring any Received-SPF headers from internal
hosts, by admin setting
[27379] dbg: spf: checking HELO (helo=remotedomain.com, ip=X.X.X.X)
[27379] dbg: spf: query for /X.X.X.X/remotedomain.com: result: pass,
comment: , text: Mechanism 'include:remotedomain.com' matched
[27379] dbg: rules: ran eval rule SPF_HELO_PASS ======> got hit (1)
[27379] dbg: spf: ignoring any Received-SPF headers from internal
hosts, by admin setting
[27379] dbg: spf: checking EnvelopeFrom (helo=remotedomain.com,
ip=X.X.X.X, envfrom=web@remotedomain.com)
[27379] dbg: spf: query for
web@remotedomain.com/X.X.X.X/remotedomain.com: result: pass, comment:
, text: Mechanism 'include:remotedomain.com' matched
[27379] dbg: rules: ran eval rule SPF_PASS ======> got hit (1)
[27379] dbg: spf: def_whitelist_from_spf: web@remotedomain.com is not
in DEF_WHITELIST_FROM_SPF
[27379] dbg: spf: whitelist_from_spf: web@remotedomain.com is not in
user's WHITELIST_FROM_SPF
How do I get SpamAssassin to do an SPF check on the From provided in
the 'DATA' portion ? Is that even possible ?
If not, how do I stop this type of Spam ?
Re: SpamAssassin SPF Checks
Posted by RW <rw...@googlemail.com>.
On Mon, 18 Jan 2010 10:40:14 -0500
sa@top-consulting.net wrote:
> If not, how do I stop this type of Spam ?
try making a meta rule that that looks for your domain in "from" and the
absence of a sensible hostname in "message-id"
Re: SpamAssassin SPF Checks
Posted by Mike Cardwell <sp...@lists.grepular.com>.
On 18/01/2010 15:40, sa@top-consulting.net wrote:
> How do I get SpamAssassin to do an SPF check on the From provided in the
> 'DATA' portion ? Is that even possible ?
>
> If not, how do I stop this type of Spam ?
SPF is only meant for the sender envelope. Not the From header. If you
were to do SPF checks on the From header of this email it would be
rejected due to an SPF failure.
--
Mike Cardwell : UK based IT Consultant, LAMP developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/ #06920226
Technical Blog : Tech Blog - https://secure.grepular.com/blog/
Spamalyser : Spam Tool - http://spamalyser.com/