John Hardin wrote:
> <mutter>Maybe I should throw a rule like that into the sandbox and see
> how well it does...</mutter>

I had a dialog with Karsten about this a few years ago ... the regex is nontrivial and dangerous, so the recommended method is a plugin.

I've actually written such a thing already, though slightly different in that it ignores the domain. Easy to tailor one way or another. It's attached.

Result: Mixed bag. Might be nice to see in the masscheck.

FROM_EQUALS_TO: 1.313% of spam, 0.657% of ham
FROM_NOT_REPLY: 5.840% of spam, 2.868% of ham

Spam and ham are non-authoritative and include FPs and FNs. I also greylist, reducing all spam numbers.

# SenderChecks v1.0
# (C) 2009 By Adam Katz <antispamATkhopiscom> http://khopesh.com/Anti-spam
# Apache License 2.0

=pod

################
# Example usage:

loadplugin Mail::SpamAssassin::Plugin::SenderChecks sender-checks.pm

header   __FROM_EQ_TO    eval:check_for_from_equals_to()
meta     FROM_EQUALS_TO  !(ALL_TRUSTED || DKIM_VERIFIED) && __FROM_EQ_TO
describe FROM_EQUALS_TO  From: and To: have the same username
score    FROM_EQUALS_TO  0.1

header   __FROM_V_REPLY  eval:check_for_from_v_replyto_dom()
header   __PREC_BULK     Precedence =~ /bulk|list/
meta     FROM_NOT_REPLY  !(__PREC_BULK||ALL_TRUSTED||DKIM_VERIFIED) && __FROM_V_REPLY
describe FROM_NOT_REPLY  From: and Reply-To: have different domains
score    FROM_NOT_REPLY  0.1

################

=cut

package Mail::SpamAssassin::Plugin::SenderChecks;

use strict;
use warnings;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new( $mailsa );
  bless ($self, $class);
  $self->register_eval_rule ( 'check_for_from_equals_to' );
  $self->register_eval_rule ( 'check_for_from_v_replyto_dom' );
  return $self;
}

# Adapted from http://wiki.apache.org/spamassassin/FromNotReplyTo
# Fires when From: and Reply-To: are both present and their domains differ.
sub check_for_from_v_replyto_dom {
  my ($self, $msg) = @_;

  my $from = $msg->get( 'From:addr' );
  $from = '' unless defined $from;        # header may be absent
  $from =~ s/.*@//;                       # keep only the domain
  my $replyTo = $msg->get( 'Reply-To:addr' );
  $replyTo = '' unless defined $replyTo;  # header may be absent
  $replyTo =~ s/.*@//;                    # keep only the domain

  Mail::SpamAssassin::Plugin::dbg( "SenderChecks: matching from/replyto: $from/$replyTo" );

  if ( $from ne '' && $replyTo ne '' && $from ne $replyTo ) {
    return 1;
  }
  return 0;
}

# Spammers often forge the sender email to use the same username as
# the victim, while most legitimate e-mails do not.
sub check_for_from_equals_to {
  my ($self, $msg) = @_;

  my $from = $msg->get( 'From:addr' );
  $from = '' unless defined $from;        # header may be absent
  $from =~ s/@.*//;                       # keep only the username
  my $to = $msg->get( 'To:addr' );
  $to = '' unless defined $to;            # header may be absent
  $to =~ s/@.*//;                         # keep only the username

  Mail::SpamAssassin::Plugin::dbg("SenderChecks: matching from/to: $from/$to");

  if ( $from ne '' && $from eq $to ) {
    return 1;
  }
  return 0;
}

1;
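
An added example, not part of the original post or the attached plugin: a Python port of the two checks that tallies hit rates over a labelled corpus in the same form as the figures above. The corpus is constructed, the function names are this example's own, and the ALL_TRUSTED and DKIM_VERIFIED exemptions from the meta rules are not modelled.

```python
import re
from email import message_from_string
from email.utils import getaddresses

def first_addr(msg, header):
    """First address in a header, or '' when the header is absent."""
    pairs = getaddresses(msg.get_all(header, []))
    return pairs[0][1] if pairs else ""

def from_equals_to(msg):
    """From: and To: share a local part (domain ignored, as in the plugin)."""
    frm = first_addr(msg, "From").partition("@")[0]
    return frm != "" and frm == first_addr(msg, "To").partition("@")[0]

def from_not_reply(msg):
    """From: and Reply-To: domains differ; Precedence bulk/list is exempt."""
    if re.search(r"bulk|list", msg.get("Precedence", "")):
        return False
    frm = first_addr(msg, "From").rpartition("@")[2]
    rto = first_addr(msg, "Reply-To").rpartition("@")[2]
    return frm != "" and rto != "" and frm != rto

RULES = {"FROM_EQUALS_TO": from_equals_to, "FROM_NOT_REPLY": from_not_reply}

def hit_rates(corpus):
    """corpus: (label, raw message) pairs -> {rule: {label: percent hit}}."""
    totals, hits = {}, {}
    for label, raw in corpus:
        msg = message_from_string(raw)
        totals[label] = totals.get(label, 0) + 1
        for name, check in RULES.items():
            hits[name, label] = hits.get((name, label), 0) + bool(check(msg))
    return {name: {label: 100.0 * hits[name, label] / n
                   for label, n in totals.items()} for name in RULES}

# Constructed sample corpus (not real mail); labels are hand-assigned.
CORPUS = [
    ("spam", "From: bob@mailer.example\nTo: bob@victim.example\n\nx"),
    ("spam", "From: a@shop.example\nReply-To: b@free.example\nTo: bob@victim.example\n\nx"),
    ("spam", "From: c@shop.example\nTo: bob@victim.example\n\nx"),
    ("spam", "From: d@shop.example\nTo: bob@victim.example\n\nx"),
    ("ham", "From: bob@work.example\nTo: bob@home.example\n\nnote to self"),
    ("ham", "From: l@lists.example\nReply-To: c@corp.example\nPrecedence: list\nTo: bob@home.example\n\nx"),
    ("ham", "From: Carol <carol@corp.example>\nTo: bob@home.example\n\nx"),
    ("ham", "From: d@corp.example\nReply-To: d@corp.example\nTo: bob@home.example\n\nx"),
]

if __name__ == "__main__":
    for rule, rates in hit_rates(CORPUS).items():
        print(f"{rule}: {rates['spam']:.3f}% of spam, {rates['ham']:.3f}% of ham")
```

The fifth message is a legitimate note sent between two of one person's own accounts, and it still hits FROM_EQUALS_TO; the sixth shows the Precedence exemption keeping list mail out of FROM_NOT_REPLY.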