Re: How to reject spam where sender = receiver

Tue, 27 Oct 2009 16:59:22 -0700 

On Tue, 27 Oct 2009, rpc1 wrote:



My spamassassin plug doesn't check mail where sender address and receiver
address are equal. Like this

Return-Path: <o...@domen.com>
X-Spam-Status: No, hits=0.0 required=3.2
       tests=DNSBL_RELAYS.ORDB.ORG: 5.00,DNSBL_BL.SPAMCOP.NET:
5.00,DNSBL_SBL-XBL.SPAMHAUS.ORG: 5.00,
       BAYES_99: 4.07,HELO_DYNAMIC_IPADDR2: 3.818,HTML_IMAGE_ONLY_32:
1.052,
       HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,NO_REAL_NAME: 0.961,
       URIBL_AB_SURBL: 3.812,URIBL_JP_SURBL: 4.087,URIBL_OB_SURBL: 3.008,
       URIBL_SBL: 1.639,URIBL_SC_SURBL: 4.498,URIBL_WS_SURBL: 2.14,
       CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 44.087
X-Spam-Level:
Received: from 75-148-3-221-WashingtonDC.hfc.comcastbusiness.net
([75.148.3.221])
       by mail.tvtb.ru
       for o...@domen.com;
       Sun, 25 Oct 2009 07:53:00 +1000
To: oper...@tvtb.ru
Subject: A path leading to your well-being
From: <o...@domen.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html

How can I create a new rule which will check equity fields  TO and FROM ???



I would suggest that is not really what you want to do, as you'll rarely 
see that on spam that isn't addressed to your domain. What you probably 
want to do is reject mail that is claiming to be from your domain, but 
does not actually originate from your domain - in other words, mail where 
someone is forging your domain name on the sender address.


Is that a better description of what you want to do?


That has been covered several times, I am pretty sure within the last 
month. Please check the list archives for the past two months for a thread 
having a subject like "to = from". You'll find a discussion of setting up 
an SPF record for your domain and using whitelist_from_auth to enforce it, 
and another discussion (involving me) of using milter-regex to reject such 
forged sender addresses at SMTP time. Both methods work well, I would 
modestly say milter-regex works better because it bypasses SA and is thus 
a lighter solution overall.



<mutter>Maybe I should throw a rule like that into the sandbox and see how 
well it does...</mutter>


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
 4 days until Halloween






















					Reply via email to