Spamassassin - check return-path against from address
I am getting a lot of spam recently that I am having a hard time getting flagged by spamassassin. We have enabled SPF checking and it works but I think these emails are getting through because the return-path is not from my domain.
Is there a way to get spamassassin to flag an email if the return-path and from field do not match?
Return-Path: stakespv07@scottiecd.com
Received: from 201.17.156.59 by smtp.secureserver.net; Fri, 19 Feb 2010
From: user@mydomain.com
Subject: Very urgent
To:
Spamassassin - check return-path against from address
So I guess nobody else is getting hammered with spam like this???
Spamassassin - check return-path against from address
Are you able to post more of the headers so we can see what rules are being hit? Are you using any RBLs at all?
If you have set up your SPF records then you could use whitelist_auth *@example.com in your SA local configuration.
Spamassassin - check return-path against from address
Also, have a read of my last post in http://www.zimbra.com/forums/administra ... -user.html.
Spamassassin - check return-path against from address
lunarj565, I faced recently the same problem, having lots of phishing email originating from HotMail users (with correct return-paths, thus passing SPF check) but with From and Reply-to set to ...@blizzard.com.
I wrote this simple plugin: FromNotReturnPath (Pastebin.com paste 0m9CYxzV, Ivan Korotkov), based on SpamAssassin samples.
Save it to /etc/spamassassin/plugins. To use it, add a new .pre file to /etc/spamassassin with the following content:
loadplugin FromNotReturnPath plugins/FromNotReturnPath.pm
header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
describe FROM_NOT_RETURN_PATH From: does not match Return-path:
Then you can set FROM_NOT_RETURN_PATH's score in local.cf as usual.
I'd recommend using it in conjunction with the spamming domain (because, technically, Return-Path does not always equal From even in legitimate e-mail; mailing lists are a counter-example). I use it as follows:
header __FROM_BLIZZARD From =~ /\@blizzard\.com/i
meta FAKE_BLIZZARD_ANNOUNCE (__FROM_BLIZZARD && FROM_NOT_RETURN_PATH)
describe FAKE_BLIZZARD_ANNOUNCE Fake mail from Blizzard account management
score FAKE_BLIZZARD_ANNOUNCE 40.0
(high score is needed to outweigh SPF_PASS).
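Added example, not the Pastebin plugin linked in the post above: a minimal plugin written in the style of the FromNotReplyTo wiki sample mentioned in this thread, with the same package and eval-rule names as the configuration lines above so that those lines load it. It assumes the Return-Path header is already present when SpamAssassin scans the message, and it compares whole addresses case-insensitively (a choice made for this example).

```perl
package FromNotReturnPath;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);

    # Makes the method callable from a rule as
    # eval:check_for_from_not_return_path()
    $self->register_eval_rule('check_for_from_not_return_path');
    return $self;
}

sub check_for_from_not_return_path {
    my ($self, $pms) = @_;

    # The ":addr" suffix returns only the address part of the header.
    my $from  = $pms->get('From:addr');
    my $rpath = $pms->get('Return-Path:addr');

    # Depending on the SpamAssassin version, a missing header comes back
    # as undef or as an empty string; treat both the same way.
    $from  = '' unless defined $from;
    $rpath = '' unless defined $rpath;

    Mail::SpamAssassin::Plugin::dbg(
        "FromNotReturnPath: comparing '$from' / '$rpath'");

    # No verdict when either address is missing. This also covers the
    # null sender (Return-Path: <>) used by bounces and DSNs.
    return 0 if $from eq '' || $rpath eq '';

    # Hit only when both addresses are present and differ.
    return lc($from) ne lc($rpath) ? 1 : 0;
}

1;
```

Running spamassassin --lint after adding the plugin and rules shows whether the plugin loaded and the rules parse. Mailing-list traffic will still hit FROM_NOT_RETURN_PATH on its own, which is why the post combines it with a domain match in a meta rule.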
Spamassassin - check return-path against from address
Welcome to the forums
Nice plugin. Have you submitted that to the SA team for inclusion in 3.3.0?
Spamassassin - check return-path against from address
It's almost the same as a sample from their wiki (FromNotReplyTo - Spamassassin Wiki), just with Reply-To replaced by Return-Path, so I don't think they really need it.
Spamassassin - check return-path against from address
Hello all,
I have the same problem: for a few weeks my Zimbra server has been receiving a lot of Blizzard spam every day.
How can I use your plugin in Zimbra to tag or stop this phishing mail, please?
Thanks in advance !!!
Davy
Spamassassin - check return-path against from address
Ivan has already provided the Perl script and the necessary changes you need to make to salocal.cf.
Spamassassin - check return-path against from address
in salocal.conf.in
-------------
header BLK_3 From =~ /ravi.wi@gmail.com/
score BLK_3 2
I am trying to score my Gmail account. Is there something wrong I am doing here? It doesn't hit the rule.