> | OT: is it possible to add a configuration option which lists the domain
> | mailservers and their IPs? And add a test which scores rather highly for
> | mail claiming to come from domain.dom but which isn't actually from one
> | of the mailservers for domain.dom?
>
> This belongs at the MTA level, if it belongs at all. How about this:
>
> You legitimately find a copy of my old/other email address (for
> example you read exim-users and reply to one of my posts). You
> send me a message at that address, which is From: your domain. My
> MTA sees it coming from the server pony-express.cs.rit.edu
> because that's where the .forward is that redirects that address
> to my real/current address.

I'm not sure I understand how that trips this test.

[EMAIL PROTECTED] .qmail file:

    &[EMAIL PROTECTED]

SA on newdomain.dom knows that newdomain.dom's mailservers are a.b.c.d and e.f.g.h. Mail claiming to be from newdomain.dom but not originating from a.b.c.d or e.f.g.h is scored +10.

    From: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Ping?

olddomain.dom receives the message and forwards it to [EMAIL PROTECTED]

    From: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Fwd: Ping?

newdomain.dom sees a message from [EMAIL PROTECTED] (or [EMAIL PROTECTED], depending on how you actually forward), which would *not* trip this test.

Something like the following would trip the test:

    From: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Received: from unknown (HELO smtp1.newdomain.dom) (a.b.c.d)...
    Received: from unknown (HELO xyzzy.spammer.dom) (w.x.y.z)...

Here, the last Received: line (i.e. the first server to have this message) is not one of the known SMTP servers for newdomain.dom.

Now I can see how you might have a dialup roadwarrior using an AOL account or something and have his email client set up to have his From: come from @newdomain.dom, but that is an incorrectly set up MUA, IMO. It should be saying from [EMAIL PROTECTED] with a Replies-to: header, should it not?

> Not to mention one of your users could have his mail forwarded
> off-site, and then forwarded back in.

The From: in that case should not be the original address. Forwards should alter the From, redirects should not.

> That's the problem with whitelists. It is easy enough to forge the
> "From:" sender.

Which is why I'm trying to help. :-)

Regards,
Andrew
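
The test proposed in this thread, sketched as an added example (not part of the original message and not SpamAssassin's own code). The `DOMAIN_MAILSERVERS` table, the function names, and the sample addresses and IPs are constructed assumptions standing in for the post's a.b.c.d, e.f.g.h and w.x.y.z.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed config: domain -> IPs of its outbound mailservers (constructed values
# standing in for the post's a.b.c.d and e.f.g.h).
DOMAIN_MAILSERVERS = {"newdomain.dom": {"192.0.2.10", "192.0.2.11"}}
SCORE = 10.0  # the +10 from the post

# Matches "(ip)" as in the post's qmail-style lines, and the common "[ip]" form.
_IP = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")

def origin_ip(msg):
    """IP in the bottom-most Received: header (first server to have the message)."""
    received = msg.get_all("Received") or []
    match = _IP.search(received[-1]) if received else None
    return match.group(1) if match else None

def score_message(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    servers = DOMAIN_MAILSERVERS.get(domain)
    if servers is None:
        return 0.0  # From: domain is not one we list, so the test does not apply
    # An unparseable or missing origin cannot be confirmed, so it scores too.
    return 0.0 if origin_ip(msg) in servers else SCORE

# Constructed sample messages (addresses and IPs are placeholders).
SPOOFED = """\
From: user@newdomain.dom
To: other@newdomain.dom
Received: from unknown (HELO smtp1.newdomain.dom) (192.0.2.10) by mx.newdomain.dom
Received: from unknown (HELO xyzzy.spammer.dom) (203.0.113.7) by smtp1.newdomain.dom
Subject: Ping?

body
"""
FORWARDED = SPOOFED.replace("From: user@newdomain.dom", "From: user@olddomain.dom")
LEGIT = """\
From: user@newdomain.dom
To: other@newdomain.dom
Received: from unknown (HELO smtp2.newdomain.dom) (192.0.2.11) by mx.newdomain.dom
Subject: Ping?

body
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("forwarded", FORWARDED), ("legit", LEGIT)):
        print(name, score_message(raw))
```

Only Received: lines added by relays you control are reliable; anything below them is supplied by the sending side, so a production rule should anchor on the first hop outside the trusted relays.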