Spamassassin - check return-path against from address

[lunarj565]

I am getting a lot of spam recently that I am having a hard time getting flagged by spamassassin. We have enabled SPF checking and it works but I think these emails are getting through because the return-path is not from my domain.

Is there a way to get spamassassin to flag an email if the return-path and from field do not match?

Return-Path: stakespv07@scottiecd.com
Received: from 201.17.156.59 by smtp.secureserver.net; Fri, 19 Feb 2010
From: user@mydomain.com
Subject: Very urgent
To: <user@mydomain.com>

[lunarj565]

So I guess nobody else is getting hammered with spam like this???

[uxbod]

Are you able to post more of the headers so we can see what rules are being hit ? Are you using any RBLs at all ?

If you have setup your SPF records then you could use

Code:

whitelist_auth *@example.com

in your SA local configuration.

[uxbod]

Also, have a read of my last post in SPAM sourced from virtual domain user to same user.

[Ivan Korotkov]

lunarj565, I faced recently the same problem, having lots of phishing email originating from HotMail users (with correct return-paths, thus passing SPF check) but with From and Reply-to set to ...@blizzard.com.

I wrote this simple plugin: Perl | package FromNotReturnPath; us - Ivan Korotkov - 0m9CYxzV - Pastebin.com (based on SpamAssassin samples)

Save it to /etc/spamassassin/plugins. To use it, add new .pre-file to /etc/spamassassin with following content:

Code:

loadplugin FromNotReturnPath plugins/FromNotReturnPath.pm
header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
describe FROM_NOT_RETURN_PATH From: does not match Return-path:

Then you can set FROM_NOT_RETURN_PATH's score in local.cf as usual.

I'd recommend using it in conjunction with spamming domain (because, technically, return-path does not always equal From even in legitimate e-mail; maillists are counter-example). I use it as follows:

Code:

header __FROM_BLIZZARD  From =~ /\@blizzard\.com/i
meta FAKE_BLIZZARD_ANNOUNCE (__FROM_BLIZZARD && FROM_NOT_RETURN_PATH)
describe FAKE_BLIZZARD_ANNOUNCE Fake mail from Blizzard account management

score FAKE_BLIZZARD_ANNOUNCE 40.0

(high score is needed to outweigh SPF_PASS).

[uxbod]

Welcome to the forums

Nice plugin Have you submitted that to the SA team for inclusion in 3.3.0 ?

[Ivan Korotkov]

It's almost same as a sample from their wiki (FromNotReplyTo - Spamassassin Wiki), just Reply-to replaced with Return-path, so I don't think they really need it

[zagg]

Hello all,

I have the same problem, since few weeks my Zimbra server receive a lot of blizzard spam every days :-(

How can I use your plugins in Zimbra for tag or stop this fishing mail please ?

Thanks in advance !!!

Davy

[uxbod]

Ivan has already provided the perl script and the necessary changes you need to make to salocal.cf

[ravil]

in salocal.conf.in
-------------

header BLK_3 From =~ /ravi\.wi\@gmail\.com/
score BLK_3 2


I am trying to score my gmail account , Is there something wrong i am doing here . it doesnt hit the rule .