On Mon, 24 Aug 2020, micah anderson wrote:

John Hardin <jhar...@impsec.org> writes:

On Mon, 24 Aug 2020, Marc Roos wrote:

You should use spf for this.

Duh.

+1

whitelist_auth          *@amazon.com
blacklist_from          *@amazon.com
whitelist_auth          *@*.amazon.com
blacklist_from          *@*.amazon.com

I do not understand this, how does this work?

It's a little clearer if the order is reversed...

   blacklist_from          *@amazon.com

If a mail claims to be from an amazon.com address, add a large score (I disremember what it is offhand; 50 points?)

   whitelist_auth          *@amazon.com

If a mail claims to be from an amazon.com address, and it passes SPF or has a valid signature for that domain, then add -100 to the score.

The net result is, any mail claiming to be from amazon.com is blacklisted, unless it *actually comes from* amazon.com.


But, as Bill noted, it doesn't help with this case, as it doesn't claim to be from amazon.com:

  From: Amazon <p...@biggung1892301.com>

Sorry, I lost track of that nuance.

That could be captured by the above whitelist_auth, plus a "from name" rule:

  header FM_NAME_AMAZON  From:name =~ /^amazon(?:\.com\b|$)/i
  score  FM_NAME_AMAZON  10

That's a poison pill by itself, but the whitelist_auth entry would override it for genuine Amazon emails.

Note, poison pill rules are generally a bad idea.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Our politicians should bear in mind the fact that
  the American Revolution was touched off by the then-current
  government attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
 Today: the 1941st anniversary of the destruction of Pompeii
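
The scoring described in the message above, as an added example that is not part of the original post and is not SpamAssassin code: a simplified Python model of how blacklist_from, whitelist_auth and the From:name rule combine for three kinds of message. The 50-point blacklist score, the auth_pass flag and the sample addresses are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from fnmatch import fnmatchcase

# -100 and 10 are the scores quoted in the thread; 50 for blacklist_from is
# the poster's uncertain recollection, used here as an assumption.
BLACKLIST_FROM, WHITELIST_AUTH, FM_NAME_AMAZON = 50.0, -100.0, 10.0
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

LISTED = ("*@amazon.com", "*@*.amazon.com")  # globs from the thread
# The thread's From:name pattern, with the dot escaped.
NAME_RE = re.compile(r"^amazon(?:\.com\b|$)", re.IGNORECASE)


def evaluate(from_header, auth_pass, name_rule=True):
    """Return (score, hits) for one message in this simplified model.

    auth_pass (hypothetical input): the message passed SPF or carries a
    valid signature for the domain in its From address.
    """
    name, addr = parseaddr(from_header)
    listed = any(fnmatchcase(addr.lower(), glob) for glob in LISTED)
    score, hits = 0.0, []
    if listed:
        score += BLACKLIST_FROM
        hits.append("blacklist_from")
        if auth_pass:  # whitelist_auth only counts for authenticated mail
            score += WHITELIST_AUTH
            hits.append("whitelist_auth")
    if name_rule and NAME_RE.search(name):
        score += FM_NAME_AMAZON
        hits.append("FM_NAME_AMAZON")
    return score, hits


def is_spam(score):
    return score >= REQUIRED_SCORE


# Constructed sample messages (local parts and the lookalike domain are made up).
SAMPLES = {
    "genuine": ('"Amazon.com" <notice@amazon.com>', True),
    "forged_address": ('"Amazon.com" <notice@amazon.com>', False),
    "name_only": ("Amazon <promo@lookalike.example>", True),
}

if __name__ == "__main__":
    for label, (hdr, auth) in SAMPLES.items():
        for rule in (False, True):
            s, hits = evaluate(hdr, auth, name_rule=rule)
            print(f"{label:15} name_rule={rule!s:5} {s:7.1f} spam={is_spam(s)} {hits}")
```

The name_only sample scores 0 without the From:name rule even though it authenticates for its own domain, which is the gap the thread points out; with the rule it reaches 10.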
