On 22/02/2021 15:45, Dominic Raferd wrote:
On 22/02/2021 15:05, RW wrote:
On Sun, 21 Feb 2021, Dominic Raferd wrote:
Michael's suggestion is interesting. There is a github project
allowing Levenshtein numbers to be calculated and used in SA, I
will see if there is a way to apply it in this situation. Thanks
to all for their input.
There is also a Damerau–Levenshtein version which is probably a better
choice as the transposition of two adjacent characters counts as 1
difference rather than 2.
That sounds better, but I don't know how to employ it to make a rule for
SA. My idea is to compare the domain part of the 'From' and 'Reply-To'
addresses, scoring for a close but not exact match (maybe
Damerau–Levenshtein between 1 and 3). The same logic could also be used
to compare the domain part of the 'From' to a list of domains that are
prone to impersonation (and don't have DMARC policy with
p=reject|quarantine).
I have now implemented this using the (updated) code at
https://github.com/fmbla/spamassassin-levenshtein. This was super-easy
as the new LEVENSHTEIN_REPLY rule does exactly what I need - I just
added the 3 files to /etc/spamassassin and added 1 line to
/etc/spamassassin/z_local.cf:
score LEVENSHTEIN_REPLY 4
My thanks to the coder! Now I need a real-world case to see it in action...
