On Thu, 2009-03-05 at 21:31 +0800, Adi Nugroho wrote: > Dear all, > > I found that a lot of spam is using recipient email address as the sender. > (from a...@internux.co.id to a...@internux.co.id, or from i...@apache.org to > i...@apache.org). > > Since if we mail to our self, usually we have very low score, I hope it is > save to give a BIG score (probably 2 or 3). > > Is there a hint how to make this custom rule set?
Here's one way. I'm sure there will be many holes in this approach. 1. Define and publish SPF policies for your network. 2. Create a rule like this: header __OUR_DOMAIN_FROM From:addr example.com header __OUR_DOMAIN_ENVELOPE EnvelopeFrom:addr example.com meta OUR_DOMAIN (__OUR_DOMAIN_FROM || __OUR_DOMAIN_ENVELOPE) && SPF_FAIL describe OUR_DOMAIN claims to be from our domain but fails SPF score OUR_DOMAIN 2.5 -- Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy http://www.austinenergy.com