Thread: Spamassassin - check return-path against from address

  1. #1
    lunarj565 is offline New Member

    I am getting a lot of spam recently that I am having a hard time getting flagged by spamassassin. We have enabled SPF checking and it works but I think these emails are getting through because the return-path is not from my domain.

    Is there a way to get spamassassin to flag an email if the return-path and from field do not match?

    Return-Path: stakespv07@scottiecd.com
    Received: from 201.17.156.59 by smtp.secureserver.net; Fri, 19 Feb 2010
    From: user@mydomain.com
    Subject: Very urgent
    To: <user@mydomain.com>

  2. #2
    lunarj565 is offline New Member

    So I guess nobody else is getting hammered with spam like this???

  3. #3
    uxbod is offline Moderator

    Are you able to post more of the headers so we can see what rules are being hit? Are you using any RBLs at all?

    If you have set up your SPF records then you could use

    Code:
    whitelist_auth *@example.com

    in your SA local configuration.
    Last edited by uxbod; 02-24-2010 at 01:09 AM.

  4. #4
    uxbod is offline Moderator

    Also, have a read of my last post in "SPAM sourced from virtual domain user to same user".

  5. #5
    Ivan Korotkov is offline Starter Member

    lunarj565, I recently faced the same problem, having lots of phishing email originating from HotMail users (with correct return-paths, thus passing the SPF check) but with From and Reply-to set to ...@blizzard.com.

    I wrote this simple plugin: FromNotReturnPath (Perl, Pastebin.com paste 0m9CYxzV by Ivan Korotkov), based on SpamAssassin samples.

    Save it to /etc/spamassassin/plugins. To use it, add a new .pre file to /etc/spamassassin with the following content:

    Code:
    loadplugin FromNotReturnPath plugins/FromNotReturnPath.pm
    header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
    describe FROM_NOT_RETURN_PATH From: does not match Return-path:

    Then you can set FROM_NOT_RETURN_PATH's score in local.cf as usual.

    I'd recommend using it in conjunction with the spamming domain (because, technically, Return-Path does not always equal From even in legitimate e-mail; mailing lists are a counter-example). I use it as follows:

    Code:
    header __FROM_BLIZZARD  From =~ /\@blizzard\.com/i
    meta FAKE_BLIZZARD_ANNOUNCE (__FROM_BLIZZARD && FROM_NOT_RETURN_PATH)
    describe FAKE_BLIZZARD_ANNOUNCE Fake mail from Blizzard account management

    score FAKE_BLIZZARD_ANNOUNCE 40.0

    (A high score is needed to outweigh SPF_PASS.)
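
An added illustration, not Ivan's Pastebin code and not part of the original thread: a minimal SpamAssassin eval plugin of the kind post #5 describes, written against the Mail::SpamAssassin::Plugin API. It assumes the MTA has already added a Return-Path header when the message is scanned, and it compares full addresses case-insensitively; the helper name `_addr` is hypothetical.

```perl
package FromNotReturnPath;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    # Make the method callable from "header ... eval:" rules.
    $self->register_eval_rule('check_for_from_not_return_path');
    return $self;
}

# Hypothetical helper: first bare address of a header, lower-cased,
# with any whitespace removed; empty string when the header is absent.
sub _addr {
    my ($pms, $header) = @_;
    my $addr = $pms->get("$header:addr");
    $addr = '' unless defined $addr;
    $addr =~ s/\s+//g;
    return lc $addr;
}

sub check_for_from_not_return_path {
    my ($self, $pms) = @_;
    my $from  = _addr($pms, 'From');
    my $rpath = _addr($pms, 'Return-Path');

    # No verdict when either side is missing, e.g. a bounce with
    # "Return-Path: <>" or a message scanned before the MTA has
    # added Return-Path.
    return 0 if $from eq '' || $rpath eq '';

    # Fire the rule only on a real mismatch.
    return $from ne $rpath ? 1 : 0;
}

1;
```

With the headers from post #1 (From user@mydomain.com, Return-Path stakespv07@scottiecd.com) the rule fires; it also fires on most mailing-list traffic, which is why post #5 pairs it with a From-domain rule in a meta rule.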

  6. #6
    uxbod is offline Moderator

    Welcome to the forums

    Nice plugin. Have you submitted that to the SA team for inclusion in 3.3.0?

  7. #7
    Ivan Korotkov is offline Starter Member

    It's almost the same as a sample from their wiki (FromNotReplyTo - Spamassassin Wiki), just with Reply-to replaced by Return-path, so I don't think they really need it.

  8. #8
    zagg is offline Member

    Hello all,

    I have the same problem; for a few weeks my Zimbra server has been receiving a lot of Blizzard spam every day :-(

    How can I use your plugin in Zimbra to tag or stop this phishing mail, please?

    Thanks in advance !!!

    Davy

  9. #9
    uxbod is offline Moderator

    Ivan has already provided the Perl script and the necessary changes you need to make to salocal.cf.

  10. #10
    ravil is offline New Member

    In salocal.conf.in:

    Code:
    header BLK_3 From =~ /ravi\.wi\@gmail\.com/
    score BLK_3 2

    I am trying to score my Gmail account. Is there something wrong I am doing here? It doesn't hit the rule.
