Sure. header __LOCAL_SENDER From =~ /@example\.com/i meta FORGED_LOCAL_SENDER __LOCAL_SENDER && !TRUSTED_NETWORKS score FORGED_LOCAL_SENDER 1
This depends on a proper setting of TRUSTED_NETWORKS. (Note: untested code, YMMV, etc.) Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University On Thu, 22 Mar 2007, Bill Minton wrote:
I'm looking to have Spamassassin mark messages where the from address is forged with a valid local address. For instance, if a local address is [EMAIL PROTECTED] and a spammer spoofs that, then it initially appears as though [EMAIL PROTECTED] is sending an email to [EMAIL PROTECTED] (which is ok). I've found that if the "From:" contains a valid local account, AND the "envelope-from" (part of "Received:" doesn't match that account, it is spam. At least that's the case w/the ones I've looked over. So, is it possible to write a rule to combine the two checks necessary to do that?