On 20230715 20:20:03, Thomas Cameron wrote:
On 7/14/23 23:59, Loren Wilton wrote:
I am suddenly getting hammered by a BUNCH of spam that appears to be from
me. It scores low, and even though I keep feeding it to Bayes, it's still
not hitting the threshold to be marked as spam.
When I check the headers, it's coming from multiple random email servers,
but many appear to originate from hotmail/outlook.com. So from outlook.com,
through some unsecured email server, then to my server.
SA can't block this trash by itself, but if something post the SA invocation
can look at the headers you might be able to block it. You can certainly mark
it as spam.
For instance:
#
# Ok, catch 'from me' when it isn't
header __FROM_ME_1 From =~ /<me\@myhost\.(?:net|com)>/i
header __FROM_ME_2 From =~ /\"First Last\" <me\@myhost\.net>/
header __FROM_ME_3 From =~ /First Last <me\@myhost\.net>/
meta NOT_FROM_ME __FROM_ME_1 && !(__FROM_ME_2 || __FROM_ME_3)
score NOT_FROM_ME 10
describe NOT_FROM_ME Spammer faking the mail from me!
Mind the backslash on the quotes and at sign. Depending on versions of things
these are necessary, and don't hurt if they are not necessary.
Forgive my ignorance, I haven't really played with custom rules before. Are
the entries like /<me\@myhost\.(?:net|com)>/i meant to be edited for my actual
email address and domain, or does "me" and "@myhost" get expanded somehow? I
actually use sendmail for a bunch of domains on my mail servers, and I want to
make sure this will work for all those domains.
I assume this just needs to go in /etc/mail/spamassassin/local.cf, right? Or
do I need to do separate stanzas for each domain?
Thomas
Edit your username for "me", and your hostname plus most of its domain for "my
host" and probably you can change .net to match your TLD. And "first last" would
be your first name and last name as it appears in emails.
I do it basically the same way Loren does. You are creating a rule or rules to
match your legitimate email address. That is the _FROM_ME_n stuff. Then you are
creating a meta rule that looks for email that claims to be from your raw email
address that does not have the correct formats for your outgoing email. If it
has your raw address but lacks your name components it fires off a score of 10.
The oddity at the end of the first rule is something I treat differently but the
concept is the change. Legitimate user accounts at Earthlink all end with .net.
So if it ends in .com it is automatically a dumb spam. My rules are a little
different. But the concept is the same.
{^_^}
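
Added example, not part of the thread or any poster's own rules: a Python sketch that writes one NOT_FROM_ME-style stanza per address, for the several-domains case asked about above, and replays the same regexes over From headers to show which meta rule would fire. The addresses, display names, the IDENTITIES table and the _RAW/_OKn rule-name suffixes are constructed assumptions.

```python
import re

# Constructed sample data (assumption): each address you own, mapped to the
# exact From forms your own mail client really sends for it.
IDENTITIES = {
    "alice@example.net": ['"Alice Example" <alice@example.net>',
                          'Alice Example <alice@example.net>'],
    "alice@example.org": ['Alice Example <alice@example.org>'],
}

def sa_escape(text):
    """Backslash everything but letters, digits, space, <, >, _ and -,
    so '.', '@' and '"' come out as \\. \\@ \\" as the thread advises."""
    return re.sub(r'([^A-Za-z0-9 <>_-])', r'\\\1', text)

def build_rules(identities):
    """Return (local.cf text, checks) with one stanza per address."""
    lines, checks = [], []
    for n, (addr, forms) in enumerate(sorted(identities.items()), 1):
        raw = "<" + sa_escape(addr) + ">"
        # Sub-rule: the bare address appears in From, in any letter case.
        lines.append(f"header __FROM_ME_{n}_RAW From =~ /{raw}/i")
        subs = []
        for k, form in enumerate(forms, 1):
            # Sub-rule: From is written exactly the way you write it.
            lines.append(f"header __FROM_ME_{n}_OK{k} From =~ /{sa_escape(form)}/")
            subs.append(f"__FROM_ME_{n}_OK{k}")
        lines.append(f"meta NOT_FROM_ME_{n} __FROM_ME_{n}_RAW && !({' || '.join(subs)})")
        lines.append(f"score NOT_FROM_ME_{n} 10")
        lines.append(f"describe NOT_FROM_ME_{n} Spammer faking the mail from me!")
        checks.append((f"NOT_FROM_ME_{n}", re.compile(raw, re.I),
                       [re.compile(sa_escape(f)) for f in forms]))
    return "\n".join(lines), checks

def fired(from_header, checks):
    """Names of the meta rules that would fire for this From header value."""
    return [name for name, raw, ok in checks
            if raw.search(from_header)
            and not any(p.search(from_header) for p in ok)]

if __name__ == "__main__":
    rules, checks = build_rules(IDENTITIES)
    print(rules)  # paste into local.cf
    for hdr in ['"Alice Example" <alice@example.net>', '<alice@example.net>']:
        print(hdr, "->", fired(hdr, checks))
```

After pasting the generated stanzas into local.cf, `spamassassin --lint` will report any syntax problems before the rules go live.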