> What problems might I encounter if I were to do this?
>
> I ask because I have a client who is currently getting spammed viciously
> by spammers who use one address in MAIL FROM (to pass SPF tests) and they
> use the sender's email address in the From: header so they can get
> whitelist scoring by SpamAssassin. It's pretty clever.

Having perused a lot of spam and non-spam, I would generally expect you to
have problems if you were very strict about this.  Our solution to
"self-whitelisting" issues is that our whitelisting plugin ignores any
whitelist with the recipient's own domain in it.  You could perhaps do the
same thing with some sanity checks after the fact (or before the fact, if
you have a UI through which people enter SA whitelists).  We got tired of
tip-toeing around SA, though, so we simply changed our UI to save
whitelist in our own native table rather than SA, and wrote our own
plugins.

> Another way to solve part of this problem is that if MAIL FROM contains a
> local domain, reject it unless relay_client is set and the local user
> exists.

This might still be too strict, but it would probably go over better.  At
least there would be recourse if there are FP's.

> If the To header exists, shouldn't that also be validated against RCPT TO?

One would think... but again I'd expect FP's to happen because of
legitimate senders doing strange, interesting, and foolish things.

-Jared
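The self-whitelisting mitigation described in the reply above (ignore any whitelist entry that names the recipient's own domain, then compare MAIL FROM with the From: header) as an added, stand-alone illustration; this is not SpamAssassin code or the list author's plugin. It assumes SpamAssassin-style whitelist patterns such as `*@partner.example`, that the MAIL FROM address has been recorded in a `Return-Path:` header, and a constructed sample message.

```python
import email
from email import policy
from email.utils import parseaddr
from fnmatch import fnmatch

# Constructed sample (not from the thread): the MAIL FROM domain is one the
# spammer controls, so SPF passes, while From: is forged to the recipient.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-1234@bulk-sender.example>
From: "Alice" <alice@example.com>
To: alice@example.com
Subject: hello

body
"""

def domain_of(addr):
    """Lower-cased domain part of an address or whitelist pattern."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def effective_whitelist(entries, recipient_domain):
    """Drop whitelist entries whose domain is the recipient's own domain, so a
    forged From: in the local domain cannot earn whitelist credit."""
    recipient_domain = recipient_domain.lower()
    return [e for e in entries if domain_of(e) != recipient_domain]

def evaluate(raw_message, whitelist, recipient):
    """Return the signals a filter would weigh for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    recipient_domain = domain_of(recipient)
    kept = effective_whitelist(whitelist, recipient_domain)
    return {
        # Whitelist credit is evaluated only against the filtered entries.
        "whitelisted": any(fnmatch(header_from, e.lower()) for e in kept),
        # MAIL FROM and From: in different domains: a signal, not proof of spam,
        # since legitimate bulk senders and forwarders do this too.
        "envelope_header_mismatch": domain_of(envelope_from) != domain_of(header_from),
        # From: claims the recipient's domain while MAIL FROM does not.
        "from_claims_local_domain": (
            domain_of(header_from) == recipient_domain
            and domain_of(envelope_from) != recipient_domain
        ),
    }

if __name__ == "__main__":
    rules = ["alice@example.com", "*@partner.example"]
    print(evaluate(SAMPLE_MESSAGE, rules, "alice@example.com"))
```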
