Spamassassin - check return-path against from address

lunarj565
Posts: 5
Joined: Fri Sep 12, 2014 11:49 pm

Post by lunarj565 »

I am getting a lot of spam recently that I am having a hard time getting flagged by spamassassin. We have enabled SPF checking and it works but I think these emails are getting through because the return-path is not from my domain.
Is there a way to get spamassassin to flag an email if the return-path and from field do not match?
Return-Path: stakespv07@scottiecd.com
Received: from 201.17.156.59 by smtp.secureserver.net; Fri, 19 Feb 2010
From: user@mydomain.com
Subject: Very urgent
To:
lunarj565
Posts: 5
Joined: Fri Sep 12, 2014 11:49 pm

Post by lunarj565 »

So I guess nobody else is getting hammered with spam like this???
uxbod
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

Post by uxbod »

Are you able to post more of the headers so we can see what rules are being hit? Are you using any RBLs at all?
If you have set up your SPF records then you could use whitelist_auth *@example.com in your SA local configuration.
uxbod
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

Post by uxbod »

Also, have a read of my last post in http://www.zimbra.com/forums/administra ... -user.html.
Ivan Korotkov
Posts: 2
Joined: Sat Sep 13, 2014 1:06 am

Post by Ivan Korotkov »

lunarj565, I recently faced the same problem, having lots of phishing email originating from HotMail users (with correct return-paths, thus passing the SPF check) but with From and Reply-to set to ...@blizzard.com.
I wrote this simple plugin: FromNotReturnPath (Perl, Pastebin.com paste 0m9CYxzV by Ivan Korotkov), based on SpamAssassin samples.
Save it to /etc/spamassassin/plugins. To use it, add a new .pre file to /etc/spamassassin with the following content:


loadplugin FromNotReturnPath plugins/FromNotReturnPath.pm
header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
describe FROM_NOT_RETURN_PATH From: does not match Return-path:


Then you can set FROM_NOT_RETURN_PATH's score in local.cf as usual.
I'd recommend using it in conjunction with the spamming domain (because, technically, return-path does not always equal From even in legitimate e-mail; mailing lists are a counter-example). I use it as follows:


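# Sub-rule: From: claims the spoofed domain ("@" and "." escaped so they match literally)
header __FROM_BLIZZARD From =~ /\@blizzard\.com/i
# Fire only when that From: domain is combined with a From/Return-Path mismatch
meta FAKE_BLIZZARD_ANNOUNCE (__FROM_BLIZZARD && FROM_NOT_RETURN_PATH)
describe FAKE_BLIZZARD_ANNOUNCE Fake mail from Blizzard account management
score FAKE_BLIZZARD_ANNOUNCE 40.0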


(high score is needed to outweigh SPF_PASS).
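
The check and the domain-gated meta rule from the post above, as an added stand-alone illustration (not part of the thread and not the Pastebin plugin's code). It compares domains rather than full addresses, which is an assumption of this sketch, and all function names and sample messages are constructed; only the first sample's headers come from the opening post.

```python
from email import message_from_string
from email.utils import parseaddr

def addr_domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def from_not_return_path(raw):
    """True when both headers carry an address and their domains differ."""
    msg = message_from_string(raw)
    frm = addr_domain(msg.get("From"))
    rp = addr_domain(msg.get("Return-Path"))
    # An empty Return-Path (<>, used by bounces) is treated as "no data".
    return bool(frm and rp and frm != rp)

def fake_protected_sender(raw, protected=("mydomain.com",)):
    """Like the meta rule: From: claims a protected domain AND mismatches."""
    msg = message_from_string(raw)
    claims = addr_domain(msg.get("From")) in protected
    return claims and from_not_return_path(raw)

# Constructed samples. SPOOFED reuses the headers shown in the first post.
SPOOFED = (
    "Return-Path: stakespv07@scottiecd.com\n"
    "From: user@mydomain.com\n"
    "Subject: Very urgent\n\nbody\n"
)
# Legitimate list traffic: the list server rewrites the envelope sender.
LIST_MAIL = (
    "Return-Path: <bounces@lists.example.org>\n"
    "From: Alice <alice@example.net>\n"
    "Subject: [list] hello\n\nbody\n"
)
# Delivery status notification with the null envelope sender.
NULL_SENDER = (
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@example.net\n"
    "Subject: bounce\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("list", LIST_MAIL),
                      ("bounce", NULL_SENDER)):
        print(name, from_not_return_path(raw), fake_protected_sender(raw))
```

The list message trips the bare mismatch check but not the gated one, which is why the mismatch alone should carry a low score.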
uxbod
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

Post by uxbod »

Welcome to the forums :)
Nice plugin :) Have you submitted that to the SA team for inclusion in 3.3.0?
Ivan Korotkov
Posts: 2
Joined: Sat Sep 13, 2014 1:06 am

Post by Ivan Korotkov »

It's almost the same as a sample from their wiki (FromNotReplyTo - Spamassassin Wiki), just with Reply-to replaced by Return-path, so I don't think they really need it ;)
zagg
Posts: 13
Joined: Fri Sep 12, 2014 11:38 pm

Post by zagg »

Hello all,
I have the same problem; for a few weeks my Zimbra server has been receiving a lot of Blizzard spam every day :-(
How can I use your plugin in Zimbra to tag or stop this phishing mail, please?
Thanks in advance !!!
Davy
uxbod
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

Post by uxbod »

Ivan has already provided the perl script and the necessary changes you need to make to salocal.cf :confused:
6147ravil
Posts: 2
Joined: Sat Sep 13, 2014 12:37 am

Post by 6147ravil »

in salocal.conf.in

-------------
header BLK_3 From =~ /ravi.wi@gmail.com/

score BLK_3 2


I am trying to score my Gmail account. Is there something wrong I am doing here? It doesn't hit the rule.