I actually block all incoming mail that claims to be from my domain. The only problem is that I don't get copies of messages that I send to some lists, such as this one. But... as far as I'm concerned, if a mail server isn't listed as an MX for <somedomain.com>, it should use <somedomain.com> in the mail from or envelope from fields. It's a wide open hole for spam and social engineering attacks. I was actually surprised to see that even anti-spam lists such as this one spoof the envelope from field. :/ Oh, well... I still get everyone else's posts.
Nate

-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 3:22 PM
To: users@spamassassin.apache.org
Subject: Re: spoofed Received header

> Received: from 64.239.129.105 ([::ffff:219.144.149.91])
> From: "Trina Parr" <[EMAIL PROTECTED]>
>
> where in Received: 1st IP is my MX, but 2nd is the spammer's host
> and in From: name is some arbitrary name with my email address
>
> is it possible to make regex in local.cf that would check that both IPs in Received are the same?

Yes, but it can get tricky, because there are so many received formats. A very simple test could be something like

/64\.239\.129\.105 \(\[(?!64\.239\.129\.105).{1,20}\]\)/

Assuming I typed that right it will check for a double-dotquad format where the second doesn't match and the first one matches. Of course you could have a hostname between the ([ characters, so you really should handle that somehow. Perhaps insert a [\w\.]{0,50} or the like there.

I've got a cold and am not thinking too clearly at the moment, so I don't know how many legit things that might declare to be bogus. You could try it with a real low score and see what sort of things it hits on. Maybe it would work for you.

Loren
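As an added example (not from the thread), the check Loren sketches written in Python rather than as a local.cf regex: it parses the Received line, handles the optional hostname between the parentheses and IPv4-mapped IPv6 literals, and flags the case where the peer named itself as the local MX address but connected from somewhere else. The MX address is assumed to be the one in the quoted header.

```python
import re
import ipaddress

# Assumed local MX address, taken from the quoted Received header.
MY_MX_IP = "64.239.129.105"

# "Received: from <claimed-name> (<optional-host> [<peer-ip>])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<claimed>\S+)"                     # name the peer gave
    r"(?:\s+\((?P<host>[\w.\-]+)?\s*\[(?P<peer>[^\]]+)\]\))?",  # optional (host [ip])
    re.IGNORECASE,
)


def normalize_ip(text):
    """Return a canonical IPv4/IPv6 string, unwrapping ::ffff: mapped
    addresses and an 'IPv6:' literal prefix; None if not an address."""
    text = text.strip()
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def claimed_ip_mismatch(received_header, my_mx_ip=MY_MX_IP):
    """True when the peer claimed to be our MX address (the first field)
    but the recorded connecting address (in brackets) is different."""
    m = RECEIVED_RE.match(received_header)
    if not m:
        return False
    claimed = normalize_ip(m.group("claimed"))
    peer = normalize_ip(m.group("peer") or "")
    if claimed is None or peer is None or claimed != normalize_ip(my_mx_ip):
        return False
    return claimed != peer


# Constructed sample headers for illustration (not real mail).
SAMPLES = [
    "Received: from 64.239.129.105 ([::ffff:219.144.149.91])",           # spoofed
    "Received: from 64.239.129.105 (mx.example.net [64.239.129.105])",    # consistent
    "Received: from mail.example.org (mail.example.org [192.0.2.10])",    # not our MX
]


def flagged(headers=SAMPLES):
    """Return the headers from the list that trip the check."""
    return [h for h in headers if claimed_ip_mismatch(h)]
```

Run `flagged()` over your own Received headers; as Loren notes, score anything it hits low at first and review what legitimate traffic it catches.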