Re: How to reject spam where sender = receiver

2009-10-28 Thread Adam Katz
Benny Pedersen wrote:
> On Wed 28 Oct 2009 00:36:10 CET, rpc1 wrote
>
>> My spamassassin plugin doesn't check mail where sender address and receiver
>> address are equal. Like this
>
> http://www.nabble.com/postfwd-stop-equal-sender-recipient-spams-td21164908.html
>
> or set up spf for your domain and test with spf in your mta
>
> I do the latter now, but if you don't want to use spf, use the postfwd rule

I scored that 0.1 ... rejecting based on sender==recipient would
effectively be scoring it far higher, and would most certainly reject
legitimate mail (lots of people send announcements via Bcc or Cc while
addressing the message back to themselves).

Also, SPF only works for domains you control iff the sender were
forging one of them.  My plugin matches userna...@domain1 to
userna...@domain2 if username1 == username2 regardless of domain.


Re: How to reject spam where sender = receiver

2009-10-28 Thread Benny Pedersen

On Wed 28 Oct 2009 15:42:19 CET, Adam Katz wrote

> [snip]
>
> forging one of them.  My plugin matches userna...@domain1 to
> userna...@domain2 if username1 == username2 regardless of domain.

legit users cannot use smtp auth? hmm :)

--
xpoint



Re: How to reject spam where sender = receiver

2009-10-28 Thread Jari Fredriksson


28.10.2009 16:42, Adam Katz wrote:
> I scored that 0.1 ... rejecting based on sender==recipient would
> effectively be scoring it far higher, and would most certainly reject
> legitimate mail (lots of people send announcements via Bcc or Cc while
> addressing the message back to themselves).

Thanks for the plugin! I scored it as 1.0, and it definitely hits most
of my spam.

I sometimes send notes to myself, but 1.0 is not dangerous yet.

-- 
http://www.iki.fi/jarif/

Tomorrow will be cancelled due to lack of interest.





Re: How to reject spam where sender = receiver

2009-10-28 Thread Adam Katz
Jari Fredriksson wrote:
> 28.10.2009 16:42, Adam Katz wrote:
>> I scored that 0.1 ... rejecting based on sender==recipient would
>> effectively be scoring it far higher, and would most certainly reject
>> legitimate mail (lots of people send announcements via Bcc or Cc while
>> addressing the message back to themselves).
>
> Thanks for the plugin! I scored it as 1.0, and it definitely hits most
> of my spam.
>
> I sometimes send notes to myself, but 1.0 is not dangerous yet.

The only data we have on this at the moment is my own S/O of 0.665,
which (as John mentioned) is rather mild.  I wouldn't push it beyond
0.75 on the aggressive side.


Re: How to reject spam where sender = receiver

2009-10-28 Thread rpc1

Thanks for the useful answers!!!
-- 
View this message in context: 
http://www.nabble.com/How-to-reject-spam-where-sender-%3D-receiver-tp26086971p26103651.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: How to reject spam where sender = receiver

2009-10-27 Thread John Hardin

On Tue, 27 Oct 2009, rpc1 wrote:

> My spamassassin plugin doesn't check mail where sender address and receiver
> address are equal. Like this
>
> Return-Path: o...@domen.com
> X-Spam-Status: No, hits=0.0 required=3.2
>    tests=DNSBL_RELAYS.ORDB.ORG: 5.00,DNSBL_BL.SPAMCOP.NET:
> 5.00,DNSBL_SBL-XBL.SPAMHAUS.ORG: 5.00,
>    BAYES_99: 4.07,HELO_DYNAMIC_IPADDR2: 3.818,HTML_IMAGE_ONLY_32:
> 1.052,
>    HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,NO_REAL_NAME: 0.961,
>    URIBL_AB_SURBL: 3.812,URIBL_JP_SURBL: 4.087,URIBL_OB_SURBL: 3.008,
>    URIBL_SBL: 1.639,URIBL_SC_SURBL: 4.498,URIBL_WS_SURBL: 2.14,
>    CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 44.087
> X-Spam-Level:
> Received: from 75-148-3-221-WashingtonDC.hfc.comcastbusiness.net
> ([75.148.3.221])
>    by mail.tvtb.ru
>    for o...@domen.com;
>    Sun, 25 Oct 2009 07:53:00 +1000
> To: oper...@tvtb.ru
> Subject: A path leading to your well-being
> From: o...@domen.com
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
>
> How can I create a new rule which will check equality of the fields TO and FROM ???


I would suggest that is not really what you want to do, as you'll rarely 
see that on spam that isn't addressed to your domain. What you probably 
want to do is reject mail that is claiming to be from your domain, but 
does not actually originate from your domain - in other words, mail where 
someone is forging your domain name on the sender address.


Is that a better description of what you want to do?

That has been covered several times, I am pretty sure within the last 
month. Please check the list archives for the past two months for a thread 
having a subject like to = from. You'll find a discussion of setting up 
an SPF record for your domain and using whitelist_from_auth to enforce it, 
and another discussion (involving me) of using milter-regex to reject such 
forged sender addresses at SMTP time. Both methods work well, I would 
modestly say milter-regex works better because it bypasses SA and is thus 
a lighter solution overall.


<mutter>Maybe I should throw a rule like that into the sandbox and see how 
well it does...</mutter>


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 4 days until Halloween


Re: How to reject spam where sender = receiver

2009-10-27 Thread Ralph Bornefeld-Ettmann

John Hardin wrote:
> On Tue, 27 Oct 2009, rpc1 wrote:
>
>> My spamassassin plugin doesn't check mail where sender address and receiver
>> address are equal. Like this
>>
>> Return-Path: o...@domen.com
>> X-Spam-Status: No, hits=0.0 required=3.2
>>    tests=DNSBL_RELAYS.ORDB.ORG: 5.00,DNSBL_BL.SPAMCOP.NET:
>> 5.00,DNSBL_SBL-XBL.SPAMHAUS.ORG: 5.00,
>>    BAYES_99: 4.07,HELO_DYNAMIC_IPADDR2: 3.818,HTML_IMAGE_ONLY_32:
>> 1.052,
>>    HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,NO_REAL_NAME: 0.961,
>>    URIBL_AB_SURBL: 3.812,URIBL_JP_SURBL: 4.087,URIBL_OB_SURBL: 3.008,
>>    URIBL_SBL: 1.639,URIBL_SC_SURBL: 4.498,URIBL_WS_SURBL: 2.14,
>>    CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 44.087
>> X-Spam-Level:
>> Received: from 75-148-3-221-WashingtonDC.hfc.comcastbusiness.net
>> ([75.148.3.221])
>>    by mail.tvtb.ru
>>    for o...@domen.com;
>>    Sun, 25 Oct 2009 07:53:00 +1000
>> To: oper...@tvtb.ru
>> Subject: A path leading to your well-being
>> From: o...@domen.com
>> MIME-Version: 1.0
>> Importance: High
>> Content-Type: text/html
>>
>> How can I create a new rule which will check equality of the fields TO and
>> FROM ???
>
> I would suggest that is not really what you want to do, as you'll rarely
> see that on spam that isn't addressed to your domain. What you probably
> want to do is reject mail that is claiming to be from your domain, but
> does not actually originate from your domain - in other words, mail
> where someone is forging your domain name on the sender address.
>
> Is that a better description of what you want to do?
>
> That has been covered several times, I am pretty sure within the last
> month. Please check the list archives for the past two months for a
> thread having a subject like to = from. You'll find a discussion of
> setting up an SPF record for your domain and using whitelist_from_auth
> to enforce it, and another discussion (involving me) of using
> milter-regex to reject such forged sender addresses at SMTP time. Both
> methods work well, I would modestly say milter-regex works better
> because it bypasses SA and is thus a lighter solution overall.
>
> <mutter>Maybe I should throw a rule like that into the sandbox and see
> how well it does...</mutter>




If you do not like SPF and you do not have remote users who are allowed 
to send mail with the local domain, you can add a rule to header checks.


e.g. Postfix:

/etc/postfix/header_checks :

# Reject any message whose From: header contains example.com (matches anywhere in the header)
/^From:.*example\.com/ REJECT


Cheers
Ralph
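
The three checks the thread discusses, as an added example (not code from the thread, from Adam's plugin, or from SpamAssassin): rpc1's sender == recipient test, the same-local-part-regardless-of-domain match Adam describes, and the condition John reframes the problem as (our domain on the sender address, but injected from elsewhere), which SPF or Ralph's header_checks rule targets. The local domain, the trusted relay IP and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example (not from the thread): our own domain and the only
# hosts allowed to hand us mail that carries it on the sender address.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_RELAY_IPS = {"192.0.2.10"}

def addr_parts(value):
    """(local-part, domain) of the first address in a header value, lowercased."""
    _, addr = parseaddr(value or "")
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def first_hop_ip(msg):
    """IP in the topmost Received: header, i.e. the host that connected to us."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return m.group(1) if m else None

def check(raw):
    """Verdicts of the three tests discussed in the thread for one raw message."""
    msg = message_from_string(raw)
    sender = addr_parts(msg.get("Return-Path") or msg.get("From"))
    rcpt = addr_parts(msg.get("To"))
    from_domain = addr_parts(msg.get("From"))[1]
    return {
        # 1. rpc1's request; genuine self-Bcc announcements hit it too (hence the low score).
        "SENDER_EQ_RCPT": sender[0] != "" and sender == rcpt,
        # 2. Adam Katz's plugin: same local-part, whatever the domains are.
        "SAME_LOCALPART_ANY_DOMAIN": sender[0] != "" and sender[0] == rcpt[0],
        # 3. John Hardin's reframing (the condition SPF or Ralph's header_checks
        #    rule targets): our domain on From:, but injected by a foreign host.
        "FORGED_LOCAL_FROM": from_domain in LOCAL_DOMAINS
                             and first_hop_ip(msg) not in TRUSTED_RELAY_IPS,
    }

def sample(relay_ip, sender, rcpt):
    """Constructed message skeleton (not a real capture) for the cases below."""
    return (f"Return-Path: <{sender}>\nReceived: from host.example.net ([{relay_ip}])\n"
            f"    by mx.example.org for {rcpt}; Sun, 25 Oct 2009 07:53:00 +1000\n"
            f"From: {sender}\nTo: {rcpt}\nSubject: test\n\nbody\n")

# Forged self-addressed mail from an outside host; a genuine self-Bcc sent via
# our own relay; and a cross-domain match that only Adam's check notices.
FORGED = sample("203.0.113.7", "alice@example.org", "alice@example.org")
LEGIT = sample("192.0.2.10", "alice@example.org", "alice@example.org")
CROSS = sample("203.0.113.7", "alice@example.net", "alice@example.org")
```

Only the third test separates FORGED from LEGIT, which is the thread's point about the sender == recipient rule; only the second test notices CROSS, which is Adam's point about SPF covering just the domains you control.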



Re: How to reject spam where sender = receiver

2009-10-27 Thread Benny Pedersen

On Wed 28 Oct 2009 00:36:10 CET, rpc1 wrote

> My spamassassin plugin doesn't check mail where sender address and receiver
> address are equal. Like this

http://www.nabble.com/postfwd-stop-equal-sender-recipient-spams-td21164908.html

or set up spf for your domain and test with spf in your mta

I do the latter now, but if you don't want to use spf, use the postfwd rule

--
xpoint