Re: to: header is not in my domain

2020-10-20 Thread Martin Gregorie
On Tue, 2020-10-20 at 22:49 +0100, RW wrote:
> On Tue, 20 Oct 2020 21:34:08 +0100
> Martin Gregorie wrote:
> 
> > Also, not exactly what you're asking for, but e-mails where the From:
> > domain doesn't match the domain in Message-ID: are very often spam
> > and so could be worth a point or two.
> 
> And lots of ham will fail that too. 

Fair comment: I don't use that sort of rule myself. Instead, I have a
module that does a sender lookup in my mail archive. The rule triggering
the lookup adds some negative points if I've ever sent mail to that
address.

Martin




Re: to: header is not in my domain

2020-10-20 Thread Benny Pedersen

Martin Gregorie wrote on 2020-10-20 23:48:

> header __TORULE  To =~ /(addr1|addr2|...)/
> header __BCCRULE Bcc =~ /(addr1|addr2|...)/
> meta  MYRULE !( __TORULE || __BCCRULE)
> score MYRULE 6.0


what MTA does not remove bcc headers ?


Re: to: header is not in my domain

2020-10-20 Thread RW
On Tue, 20 Oct 2020 21:34:08 +0100
Martin Gregorie wrote:

> Also, not exactly what you're asking for, but e-mails where the From:
> domain doesn't match the domain in Message-ID: are very often spam and
> so could be worth a point or two.

And lots of ham will fail that too. 


Re: to: header is not in my domain

2020-10-20 Thread Martin Gregorie
On Tue, 2020-10-20 at 21:34 +0100, Martin Gregorie wrote:
> On Tue, 2020-10-20 at 19:29 +0100, Miki wrote:
> > Hi, how to score this e-mails?
> > I know I can give negative score if To: IS my domain, but I do not
> > like this solution.
> > Any suggestions?
> > 
> Why do that? It's the exact reverse of something that does work pretty
> well: write a rule that gives a positive score to any mail whose To: or
> BCC: headers contain your email address(es).
> 
Brain fart: sorry. I should have said "give a positive score to an email
where neither the To nor BCC addresses contain your email address(es)",
i.e. write subrules for To and BCC that contain addresses you
want, combine them and negate the result in a meta rule, something like
this:

# addr1, addr2, ... stand for your own addresses
header __TORULE  To =~ /(addr1|addr2|...)/
header __BCCRULE Bcc =~ /(addr1|addr2|...)/
meta  MYRULE !( __TORULE || __BCCRULE)
score MYRULE 6.0

Martin





Re: to: header is not in my domain

2020-10-20 Thread Benny Pedersen

Miki wrote on 2020-10-20 21:38:

> Thanks for quick reply, but blacklist what?

+1

> The problem is I do not know this spammy domains.

see maillist headers, you know me now :=)

> I want to give a score when To: field is NOT in
> anyaddr...@mydomain.com

read manuals in perldoc Mail::SpamAssassin::Conf and possibly
Mail::SpamAssassin::Plugin::SPF and Mail::SpamAssassin::Plugin::DKIM

if you like to trust your own From: header sign it with dkim and
whitelist_from_dkim b...@yourdomain.example.org


do not use whitelist_from ever

i will stop my rants here


Re: to: header is not in my domain

2020-10-20 Thread Bill Cole

On 20 Oct 2020, at 16:06, Miki wrote:

> Are you telling me it's that simple. I want to score the emails without my
> domain in To field. I can do this both ways
> 1. Score when To: contain main domain negatively
> header  HDR  To=~ /\@mydomain\.com/i
> describe HDR  To mydomain
> score   HDR  -2
>
> 2. Score when To: does not contain my domain positively. But will it work?
> header  HDR  To!~ /\@mydomain\.com/i
> describe HDR  To mydomain
> score   HDR  2


It's that simple, but put a space between the header name and the 
matching operator. Just as documented, run: perldoc 
Mail::SpamAssassin::Conf


And as previously noted by others, this will match a majority of 
non-spam mailing list mail.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: to: header is not in my domain

2020-10-20 Thread Martin Gregorie
On Tue, 2020-10-20 at 19:29 +0100, Miki wrote:
> Hi, how to score this e-mails?
> I know I can give negative score if To: IS my domain, but I do not
> like this solution.
> Any suggestions?
> 
Why do that? It's the exact reverse of something that does work pretty
well: write a rule that gives a positive score to any mail whose To: or
BCC: headers contain your email address(es).

Also, not exactly what you're asking for, but e-mails where the From:
domain doesn't match the domain in Message-ID: are very often spam and
so could be worth a point or two.

Martin





Re: to: header is not in my domain

2020-10-20 Thread Miki
WOOW.
Thank you very much. I owe you one :)


Tue, 20 Oct 2020 at 20:52 Alan Hodgson wrote:

> On Tue, 2020-10-20 at 20:38 +0100, Miki wrote:
>
> Thanks for quick reply, but blacklist what?
> The problem is I do not know this spammy domains.
> I want to give a score when To: field is NOT in anyaddr...@mydomain.com
>
>
> Not tested, but something like this should work:
>
> header __LOCAL_TO_ME To =~ /\@mydomain/i
> header __LOCAL_CC_ME Cc =~ /\@mydomain/i
> header __LOCAL_MAILING_LIST1 List-Unsubscribe =~ /[a-z]+/
> header __LOCAL_MAILING_LIST2 List-ID =~ /[a-z]+/
>
> meta LOCAL_NOT_TO_ME ( ! ( __LOCAL_TO_ME || __LOCAL_CC_ME
>  || __LOCAL_MAILING_LIST1 || __LOCAL_MAILING_LIST2 ))
> score LOCAL_NOT_TO_ME ??
>
> You'll want to whitelist authenticated mail from your regular
> correspondents though so it doesn't hit normal bcc's.
>


Re: to: header is not in my domain

2020-10-20 Thread Miki
Are you telling me it's that simple. I want to score the emails without my
domain in To field. I can do this both ways
1. Score when To: contain main domain negatively
header  HDR  To=~ /\@mydomain\.com/i
describe HDR  To mydomain
score   HDR  -2

2. Score when To: does not contain my domain positively. But will it work?
header  HDR  To!~ /\@mydomain\.com/i
describe HDR  To mydomain
score   HDR  2



Tue, 20 Oct 2020 at 20:50 Dave Wreski wrote:

> > Thanks for quick reply, but blacklist what?
> > The problem is I do not know this spammy domains.
> > I want to give a score when To: field is NOT in anyaddr...@mydomain.com
>
> If only it were that easy.
>
> You'll notice that recipients of this mailing list receive mail to the
> mailing list address, not to each recipient.
>
> You might have better luck building a meta rule that combines the "To:"
> field with something else, like a body rule or lack of presence of an
> SPF record, etc.
>
> You might also consider building rules based on email !__MYDOMAIN, and
> excluding cases like this mailing list, then otherwise adding points
> that would normally be overcome by a proper SPF record or Envelope From
> address, for example.
>
> You should submit a few of these emails to pastebin.com where we can
> analyze them more thoroughly for other patterns.
>
> Regards,
> Dave
>
> > 
> >
> > cheers
> > Miki
> >
> >
> > Tue, 20 Oct 2020 at 20:25 Benny Pedersen <m...@junc.eu> wrote:
> >
> > > Miki wrote on 2020-10-20 21:19:
> > > > Let's say my domain is mydomain.com. 99% of all the e-mails have:
> > > > To: m...@mydomain.com
> > > > But some e-mails, most likely sent using BCC are coming with:
> > > > To: anyu...@anydomain.com
> > > >
> > > > Nearly all of them are spam.
> > >
> > > blacklist_to then
> > >
> > > set blacklist_from to same
> > >
> > > this is forged protecting safe
> > >
> > > and yes it's not fool proof since bcc can be used on remote
> >
>


Re: to: header is not in my domain

2020-10-20 Thread Alan Hodgson
On Tue, 2020-10-20 at 20:38 +0100, Miki wrote:
> Thanks for quick reply, but blacklist what?
> The problem is I do not know this spammy domains.
> I want to give a score when To: field is NOT in anyaddr...@mydomain.com

Not tested, but something like this should work:

header __LOCAL_TO_ME To =~ /\@mydomain/i
header __LOCAL_CC_ME Cc =~ /\@mydomain/i
header __LOCAL_MAILING_LIST1 List-Unsubscribe =~ /[a-z]+/ 
header __LOCAL_MAILING_LIST2 List-ID =~ /[a-z]+/

meta LOCAL_NOT_TO_ME ( ! ( __LOCAL_TO_ME || __LOCAL_CC_ME
 || __LOCAL_MAILING_LIST1 || __LOCAL_MAILING_LIST2 )) 
score LOCAL_NOT_TO_ME ??

You'll want to whitelist authenticated mail from your regular correspondents
though so it doesn't hit normal bcc's.
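
The meta rule from the post above, replayed in Python over constructed headers as an added example (not part of the original post and not SpamAssassin's own code). It shows the mailing-list exemption working, and that a Bcc from a regular correspondent looks the same on headers as the Bcc'd spam, which is the case the whitelisting advice covers. All addresses and sample messages are constructed.

```python
import re
from email import message_from_string

# Sub-rules copied from the post: (header name, pattern). Only the "mydomain"
# placeholder comes from the thread; the sample mail below is constructed.
SUBRULES = {
    "__LOCAL_TO_ME": ("To", re.compile(r"@mydomain", re.I)),
    "__LOCAL_CC_ME": ("Cc", re.compile(r"@mydomain", re.I)),
    "__LOCAL_MAILING_LIST1": ("List-Unsubscribe", re.compile(r"[a-z]+")),
    "__LOCAL_MAILING_LIST2": ("List-ID", re.compile(r"[a-z]+")),
}


def subrule_hits(raw_message):
    """Return the names of the sub-rules that match this message's headers."""
    msg = message_from_string(raw_message)
    return {
        name
        for name, (header, pattern) in SUBRULES.items()
        if any(pattern.search(str(v)) for v in msg.get_all(header, []))
    }


def local_not_to_me(raw_message):
    """The meta rule: fires only when none of the four sub-rules match."""
    return not subrule_hits(raw_message)


# Constructed sample messages, not taken from real mail.
SAMPLES = {
    "direct": "From: a@partner.example\nTo: me@mydomain.com\n\nbody\n",
    "cc_only": ("From: a@partner.example\nTo: b@partner.example\n"
                "Cc: me@mydomain.com\n\nbody\n"),
    "list": ("From: poster@elsewhere.example\n"
             "To: users@spamassassin.apache.org\n"
             "List-Id: <users.spamassassin.apache.org>\n\nbody\n"),
    "bcc_spam": "From: x@bulk.example\nTo: someone@elsewhere.example\n\nbody\n",
    "bcc_colleague": "From: a@partner.example\nTo: c@partner.example\n\nbody\n",
}


def evaluate_samples():
    """Map each sample name to True when LOCAL_NOT_TO_ME would fire."""
    return {name: local_not_to_me(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:14} LOCAL_NOT_TO_ME={'hit' if fired else 'miss'}")
```
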


Re: to: header is not in my domain

2020-10-20 Thread Dave Wreski

> Thanks for quick reply, but blacklist what?
> The problem is I do not know this spammy domains.
> I want to give a score when To: field is NOT in anyaddr...@mydomain.com


If only it were that easy.

You'll notice that recipients of this mailing list receive mail to the 
mailing list address, not to each recipient.


You might have better luck building a meta rule that combines the "To:" 
field with something else, like a body rule or lack of presence of an 
SPF record, etc.


You might also consider building rules based on email !__MYDOMAIN, and 
excluding cases like this mailing list, then otherwise adding points 
that would normally be overcome by a proper SPF record or Envelope From 
address, for example.


You should submit a few of these emails to pastebin.com where we can 
analyze them more thoroughly for other patterns.


Regards,
Dave




> cheers
> Miki
>
> Tue, 20 Oct 2020 at 20:25 Benny Pedersen <m...@junc.eu> wrote:
>
> > Miki wrote on 2020-10-20 21:19:
> > > Let's say my domain is mydomain.com. 99% of all the e-mails have:
> > > To: m...@mydomain.com
> > > But some e-mails, most likely sent using BCC are coming with:
> > > To: anyu...@anydomain.com
> > >
> > > Nearly all of them are spam.
> >
> > blacklist_to then
> >
> > set blacklist_from to same
> >
> > this is forged protecting safe
> >
> > and yes it's not fool proof since bcc can be used on remote



Re: to: header is not in my domain

2020-10-20 Thread Miki
Thanks for quick reply, but blacklist what?
The problem is I do not know this spammy domains.
I want to give a score when To: field is NOT in anyaddr...@mydomain.com

cheers
Miki


Tue, 20 Oct 2020 at 20:25 Benny Pedersen wrote:

> Miki wrote on 2020-10-20 21:19:
> > Let's say my domain is mydomain.com. 99% of all the e-mails have:
> > To: m...@mydomain.com
> > But some e-mails, most likely sent using BCC are coming with:
> > To: anyu...@anydomain.com
> >
> > Nearly all of them are spam.
>
> blacklist_to then
>
> set blacklist_from to same
>
> this is forged protecting safe
>
> and yes it's not fool proof since bcc can be used on remote
>


Re: to: header is not in my domain

2020-10-20 Thread Benny Pedersen

Miki wrote on 2020-10-20 21:19:

> Let's say my domain is mydomain.com. 99% of all the e-mails have:
> To: m...@mydomain.com
> But some e-mails, most likely sent using BCC are coming with:
> To: anyu...@anydomain.com
>
> Nearly all of them are spam.

blacklist_to then

set blacklist_from to same

this is forged protecting safe

and yes it's not fool proof since bcc can be used on remote


Re: to: header is not in my domain

2020-10-20 Thread Miki
Let's say my domain is mydomain.com. 99% of all the e-mails have:
To: m...@mydomain.com
But some e-mails, most likely sent using BCC are coming with:
To: anyu...@anydomain.com

Nearly all of them are spam.

cheers
Miki


Tue, 20 Oct 2020 at 20:14 Benny Pedersen wrote:

> Miki wrote on 2020-10-20 20:29:
> > Hi, how to score this e-mails?
>
> what email ?
>
> >  I know I can give negative score if To: IS my domain, but I do not
>
> please don't help spammers
>
> > like this solution.
> > Any suggestions?
>
> is users@spamassassin.apache.org you liked to give negative scores to ?
>
> then in local.cf:
>
> whitelist_from users@spamassassin.apache.org
>
> i hate that this is supported in spamassassin, since there is no forged
> protection with it
>
> do instead:
>
> whitelist_from_spf users@spamassassin.apache.org
>
>
>


Re: to: header is not in my domain

2020-10-20 Thread Benny Pedersen

Miki wrote on 2020-10-20 20:29:

> Hi, how to score this e-mails?

what email ?

> I know I can give negative score if To: IS my domain, but I do not

please don't help spammers

> like this solution.
> Any suggestions?

is users@spamassassin.apache.org you liked to give negative scores to ?

then in local.cf:

whitelist_from users@spamassassin.apache.org

i hate that this is supported in spamassassin, since there is no forged
protection with it

do instead:

whitelist_from_spf users@spamassassin.apache.org




to: header is not in my domain

2020-10-20 Thread Miki
Hi, how to score this e-mails?
I know I can give negative score if To: IS my domain, but I do not like
this solution.
Any suggestions?

cheers
Miki