This is an annoying little spammer trick. You simply need to create 2 meta
rules. If it is from your whitelisted email but doesn't contain your server
IP address in the header, then add +103 points. That will counter their
little trick.

I will try to write something for the wiki later this week. 

Chris Santerre

> -----Original Message-----
> From: James Herschel [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 20, 2003 11:11 AM
> To: [EMAIL PROTECTED] Sourceforge. Net
> Subject: [SAtalk] Forged From addresses and whitelist rule
> 
> 
> Hello,
> 
> I've got an odd situation where I've received spam from a (forged) valid
> address in my own domain.  Problem is that the headers are clearly forged as
> the IP for my mailserver is incorrect, but the whitelist rule for my domain
> is being applied.
> 
> Is there a setting where I can tell spamassassin which IP is the MTA for my
> domain?  It would make sense to me that spamassassin should know what my
> proper MTA is, and if the header is forged, it shouldn't apply the whitelist
> rule.
> 
> SpamAssassin 2.55
> Qmail-scanner 1.60
> qmail 1.03
> 
> Any ideas?
> 
> James
> 
> Received: from mail.quarry.com (HELO quarry.com) (PROPER IP)
>   by cygnus.quarry.com with SMTP; 18 Oct 2003 09:34:42 -0400
> Received: from quarry.com (FORGED IP) by quarry.com with ESMTP (Eudora
>  Internet Mail Server 3.2.1) for <[EMAIL PROTECTED]>;
>  Sat, 18 Oct 2003 09:34:40 -0400
> Received: from theressa [FORGED IP] by quarry.com with eSMTP;
>       Sat, 18 Oct 2003 08:34:36 -0500
> Message-ID: <[EMAIL PROTECTED]>
> From: "robert" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Lower your payments today!
> Date: Sat, 18 Oct 2003 08:34:36 -0500
> MIME-Version: 1.0
> Content-Type: text/html; charset="ISO-8859-1"
> X-Priority: 3
> X-Mailer: mailer
> Return-Path: [EMAIL PROTECTED]
> ABC-Tracking: <d2F0ZXJsb29AcXVhcnJ5LmNvbQ==>
> X-Spam-Status: No, hits=-87.7 required=5.0
>       tests=BAYES_80,COMPLETELY_FREE,HTML_30_40,HTML_FONT_BIG,
>             HTML_FONT_COLOR_RED,LOW_PAYMENT,MIME_HTML_ONLY,
>             RAZOR2_CF_RANGE_91_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,
>             USER_IN_WHITELIST
>       version=2.55
> X-Spam-Level:
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> X-Spam-Report:   ---- Start SpamAssassin results
>   -87.70 points, 5 required;
>   *  2.2 -- BODY: Lower Monthly Payment
>   *  1.1 -- BODY: No such thing as a free lunch (2)
>   *  0.6 -- BODY: Message is 30% to 40% HTML
>   *  0.1 -- BODY: HTML font color is red
>   *  2.9 -- BODY: Bayesian classifier says spam probability is 80 to 90%
>   [score: 0.8569]
>   *  1.2 -- BODY: Razor2 gives a spam confidence level between 91 and 100
>   [cf:  97]
>   *  0.2 -- BODY: FONT Size +2 and up or 3 and up
>   *  0.9 -- Listed in Razor2, see http://razor.sf.net/
>   * -100.0 -- From: address is in the user's white-list
>   *  3.0 -- RBL: Received via a relay in bl.spamcop.net
>   [RBL check: found 178.187.62.68.bl.spamcop.net.]
>   *  0.1 -- Message only has text/html MIME parts
>   ---- End of SpamAssassin results
> 
> 
> 
> -------------------------------------------------------
> This SF.net email sponsored by: Enterprise Linux Forum 
> Conference & Expo
> The Event For Linux Datacenter Solutions & Strategies in The 
> Enterprise 
> Linux in the Boardroom; in the Front Office; & in the Server Room 
> http://www.enterpriselinuxforum.com
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 
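
The check described in the reply at the top of this message, as an added Python example (not code from the thread and not SpamAssassin's own implementation): a whitelisted From address only keeps its -100 if one of the Received headers carries the site's MTA address, otherwise +103 is added. The domain `example.com`, the address `192.0.2.25`, the function names and both sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed values, not from the thread: the domain and the MTA address.
WHITELISTED_DOMAIN = "example.com"
MY_MTA_IPS = {ipaddress.ip_address("192.0.2.25")}
WHITELIST_SCORE = -100.0  # USER_IN_WHITELIST, as in the quoted report
FORGED_PENALTY = 103.0    # the +103 from the reply
# Whole dotted quads only, so 192.0.2.250 is never read as 192.0.2.25.
IP_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def received_ips(msg):
    """Valid IPv4 addresses found in any Received header."""
    found = set()
    for hop in msg.get_all("Received", []):
        for text in IP_RE.findall(hop):
            try:
                found.add(ipaddress.ip_address(text))
            except ValueError:
                pass  # out-of-range octets
    return found

def whitelist_adjustment(raw):
    """Score contribution of the whitelist rule plus the forgery meta rule."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + WHITELISTED_DOMAIN):
        return 0.0
    score = WHITELIST_SCORE
    if not received_ips(msg) & MY_MTA_IPS:
        score += FORGED_PENALTY  # whitelisted From, but never seen by our MTA
    return score

# Constructed samples modelled on the quoted headers.
FORGED = (
    "Received: from example.com (192.0.2.250) by example.com with ESMTP;\n"
    " Sat, 18 Oct 2003 09:34:40 -0400\n"
    'From: "robert" <robert@example.com>\n'
    "Subject: Lower your payments today!\n\nbody\n")
GENUINE = (
    "Received: from mail.example.com (HELO example.com) (192.0.2.25)\n"
    " by mx.example.com with SMTP; 18 Oct 2003 09:34:42 -0400\n"
    'From: "robert" <robert@example.com>\n'
    "Subject: Meeting notes\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, whitelist_adjustment(raw))
```

Only the Received header stamped by your own MTA is written by a system you control; the lines below it arrive with the message, so restrict the match to that hop where your setup allows it.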

