On Wed, 26 Feb 2020, Benny Pedersen wrote:

> Robert A. Ober wrote on 2020-02-26 02:28:
>> I have a user that is getting many emails with obscene subjects.
>> Someone is spoofing the From to include the user's domain so the email
>> is hitting "USER_IN_WHITELIST". I have installed the plugins from
>> extremeshok and it has not stopped the problem.
>
> remove whitelist_from in spamassassin, or change it to score -0.1
>
> I will not argue on why whitelist_from even exists
>
>> The SUBJECT_FUCKBUDDY rule has a score of 3.0.
>
> change score to 300
>
> upgrade to 3.4.4 btw

I won't argue with the recommendation to upgrade but his real problem is:
> Someone is spoofing the From to include the user's domain so the email is
> hitting "USER_IN_WHITELIST"

That says somebody has taken the user's domain and added it to a
"whitelist_from" statement. That is -not- a SA default.
So first kill that ill-advised whitelist_from.
Then find out why somebody did that and fix that problem properly, not with the
easily subverted "whitelist_from" sledge-hammer.
If they -must- have some form of whitelist_from, use something that is less
easily subverted (such as setting up DKIM or SPF for their domain and using
def_whitelist_auth or at least whitelist_from_rcvd ).
Even better, use def_whitelist_auth & def_whitelist_from_rcvd so it's not
such a sledge-hammer but just a mild "bump" to make sure locally generated
messages get a little extra help.
If it weren't for that bad "whitelist_from" the OP's message would have been
spam-tagged, it hit plenty of RBLs etc. It was just that sledge-hammer that got
it thru.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
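
An added example, not part of the original thread and not SpamAssassin's own code: a small audit of a SpamAssassin config for the problem discussed above, flagging every address pattern under plain whitelist_from and marking those that cover one of the site's own domains. The sample config, the example.com domains, and the function name audit_whitelist are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample config; example.com stands in for the user's own domain.
SAMPLE_LOCAL_CF = """\
# site policy
whitelist_from *@example.com
whitelist_from  billing@partner.example.net   # vendor
def_whitelist_auth *@example.com
whitelist_from_rcvd *@example.com mail.example.com
"""

# Directives that trust the From header alone, with no SPF/DKIM or relay check.
UNAUTHENTICATED = {"whitelist_from"}


def audit_whitelist(cf_text, local_domains):
    """Return one finding per address pattern listed in an unauthenticated whitelist."""
    findings = []
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        directive, *patterns = line.split()
        if directive.lower() not in UNAUTHENTICATED:
            continue
        for pattern in patterns:
            # The part after '@' is a glob over the sender domain.
            domain_glob = pattern.rsplit("@", 1)[-1].lower()
            covers_local = any(
                fnmatchcase(d.lower(), domain_glob) for d in local_domains
            )
            findings.append({
                "line": lineno,
                "pattern": pattern,
                # Own domain in whitelist_from: any forged From gets the bonus.
                "covers_local_domain": covers_local,
                "suggest": f"def_whitelist_auth {pattern}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_whitelist(SAMPLE_LOCAL_CF, ["example.com"]):
        flag = "OWN DOMAIN" if f["covers_local_domain"] else "external"
        print(f'line {f["line"]}: whitelist_from {f["pattern"]} [{flag}] -> {f["suggest"]}')
```

The suggested def_whitelist_auth replacement only helps once SPF or DKIM is published for the domain, as the message above says.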