> -----Original Message----- > From: Marc Steuer [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 23, 2003 10:35 AM > To: [EMAIL PROTECTED] > Subject: [SAtalk] [RD]Spammer uses address in hosted domain > > > Hi list-members, > > How should SA be configured to handle the following situation? > > An account in one of my hosted domains received a spam > message with his own > e-mail address as the counterfeit "from" and "reply-to" > addresses. The > hosted domain is included SA's "whitelist_from", to avoid the > possibility > that "valid" messages between domain accounts would be tagged > as spam. SA > correctly identified the message as a potential spam, > however, the -100 > score for the whitelist_from entry overwhelmed the other scores. > > Suggestions? > > Marc >
Basically you could use the following: header __CS_FROM_ME From =~ /[EMAIL PROTECTED]/i header __CS_TO_ME To =~ /[EMAIL PROTECTED]/i meta CS_SPAM_TRICK __CS_FROM_ME && __CS_TO_ME describe CS_SPAM_TRICK Spammer forged From + To my domain. score CS_SPAM_TRICK 104.11 # Silly, isn't it? (That's 2 underscores at the beginning of the rule name!) That would work for a single person. I could write one for _MY_ site wide use, as my internal mail stays internal. Just by dropping the "dude@" part. But I'm not sure it would work for people without a gateway, who work off the server that scans. For that kind of situation, you might want to add a header key, or add some more meta rules to make it work. I'm surprised this hasn't been made a standard rule in SA that is scored 0. Then give users option to score it higher. Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm "A little nonsense now and then, is relished by the wisest men." - Willy Wonka ------------------------------------------------------- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
