Ram wrote on 28/06/16 3:10 AM:
> 
> Here is the sample
> 
> 
> I just redacted the actual recipient email id and name
> 
> 
> Return-Path: <c-le...@cognitorex.com>

This isn't a SpamAssassin problem, but it is a problem that you can use
SpamAssassin as a tool to help solve.

If your company's accounting department can send an arbitrary payment to an
arbitrary bank account based on only an email from the CEO or Managing
Director with no accompanying paperwork or reference to internal accounting
documents, then your company has worse security problems than SpamAssassin can
fix. Your company's procedures should at least require a written form be
filled out with two signatures and a checklist that contains a step that
includes verifying that the request is valid.

I suggest that you set up your company email and set up the mail clients that
company employees use to send company email so that all mail sent from the
company domain is sent through a proper mail server for that domain. There is
no excuse for that Return-Path to be valid for an email that has a From
address with your company domain. Yes, your CEO may want to be able to send
company mail from his phone. Your IT people can set up email on his phone so
it is configured to use authenticated access to a specific mail server. You
can then have local rules in SpamAssassin so that any mail that says it is
from the company domain that does not have the right headers is blocked.

It is a convenience that if you have example.com domain you can put From:
m...@example.com in an email that you send any way you want. That particular
convenience is not necessary in a business. It is reasonable to require that
official company email be sent using a mail client that has properly been set
up by the company IT department or properly set up according to their
guidelines. If you do that then SpamAssassin is a great tool for blocking any
spoofed emails that pretend to be from your company domain.

 Sidney
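
The check Sidney describes, as an added example that is not from the original thread or from SpamAssassin itself: a message claiming to be From: the company domain is flagged when its Return-Path is a foreign domain or when it never passed through the company's own submission server. The domain `example.com`, the relay name `mail.example.com`, and the two sample messages are constructed assumptions.

```python
"""Flag mail that says it is From: the company domain but did not come
through the company's own authenticated mail server."""
import email

COMPANY_DOMAIN = "example.com"      # assumption: the domain being protected
TRUSTED_RELAY = "mail.example.com"  # assumption: the authenticated submission host


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_reasons(raw_message):
    """Return the reasons a message looks spoofed; an empty list means it passes."""
    msg = email.message_from_string(raw_message)
    if domain_of(msg["From"]) != COMPANY_DOMAIN:
        return []  # not claiming to be the company; nothing to enforce here
    reasons = []
    rp_domain = domain_of(msg["Return-Path"])
    if rp_domain and rp_domain != COMPANY_DOMAIN:
        reasons.append(f"Return-Path domain {rp_domain!r} is not {COMPANY_DOMAIN!r}")
    # Only the hop added by our own relay is trustworthy; earlier Received
    # lines can be forged, so we require a line naming the relay as receiver.
    received = msg.get_all("Received") or []
    if not any(f"by {TRUSTED_RELAY}" in line for line in received):
        reasons.append(f"no Received line from {TRUSTED_RELAY!r}")
    return reasons


# Constructed samples: a spoof and a message submitted via the company relay.
SPOOFED = """Return-Path: <bounce@mailer.invalid>
Received: from unknown (HELO laptop) by relay.mailer.invalid with SMTP
From: "Managing Director" <md@example.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""

LEGITIMATE = """Return-Path: <md@example.com>
Received: from phone.local (203.0.113.5) by mail.example.com with ESMTPSA
From: "Managing Director" <md@example.com>
To: accounts@example.com
Subject: Invoice 4711

Approved per the signed payment form.
"""

if __name__ == "__main__":
    print(spoof_reasons(SPOOFED))     # two reasons
    print(spoof_reasons(LEGITIMATE))  # []
```

In SpamAssassin this same logic is expressed as header rules combined in a meta rule in local.cf; the script shows what those rules must test.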
