Ahhh... Mail from and to that uses the same e-mail address would score 104.11 <== I guess this should be sufficiently high to overcome the -100 from the white_list entry.
Looks like it would work. And, I agree with you that it could be considered for a SA "standard" rule. Thanks for your help Chris. -----Original Message----- From: Chris Santerre [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2003 11:57 AM To: 'Marc Steuer'; [EMAIL PROTECTED] Cc: Jennifer Wheeler (E-mail) Subject: RE: [SAtalk] [RD]Spammer uses address in hosted domain > -----Original Message----- > From: Marc Steuer [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 23, 2003 10:35 AM > To: [EMAIL PROTECTED] > Subject: [SAtalk] [RD]Spammer uses address in hosted domain > > > Hi list-members, > > How should SA be configured to handle the following situation? > > An account in one of my hosted domains received a spam > message with his own > e-mail address as the counterfeit "from" and "reply-to" > addresses. The > hosted domain is included SA's "whitelist_from", to avoid the > possibility > that "valid" messages between domain accounts would be tagged > as spam. SA > correctly identified the message as a potential spam, > however, the -100 > score for the whitelist_from entry overwhelmed the other scores. > > Suggestions? > > Marc > Basically you could use the following: header __CS_FROM_ME From =~ /[EMAIL PROTECTED]/i header __CS_TO_ME To =~ /[EMAIL PROTECTED]/i meta CS_SPAM_TRICK __CS_FROM_ME && __CS_TO_ME describe CS_SPAM_TRICK Spammer forged From + To my domain. score CS_SPAM_TRICK 104.11 # Silly, isn't it? (That's 2 underscores at the beginning of the rule name!) That would work for a single person. I could write one for _MY_ site wide use, as my internal mail stays internal. Just by dropping the "dude@" part. But I'm not sure it would work for people without a gateway, who work off the server that scans. For that kind of situation, you might want to add a header key, or add some more meta rules to make it work. I'm surprised this hasn't been made a standard rule in SA that is scored 0. Then give users option to score it higher. Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm "A little nonsense now and then, is relished by the wisest men." - Willy Wonka ------------------------------------------------------- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk