Thank you, the VM-x-yy-centos.localdomain did the trick.

Best regards,

Olivier

"George A. Theall via users" <users@spamassassin.apache.org> writes:

> On Thu, Oct 05, 2023 at 02:41:59PM +0700, Olivier wrote:
>
>>Recently I have received a wave of mails in the form
>>From: word-olivier@somewhere.random
>>To: oliv...@mydomain.com
>>
>>Where the "olivier" part is a valid username on my domain.
>>
>>Is there a rule to catch these with SA?
>
> I've been seeing recently connection attempts like that. When they
> first started last month, they spoofed amazon.co.jp addresses.
> Recently, though, they've morphed and spoof arbitrary hosts / domains.
>
> They seem associated with a HELO such as "VM-0-9-centos.localdomain",
> with "VM-" and "-centos.localdomain" always appearing in the value.
> While I don't see anything in the current ruleset that looks for that,
> you could create your own rule, say one modeled after HELO_LH_LD in
> 72_active.cf.
>
> You could also consider adjusting the score for RCVD_IN_PBL - all the
> connections that I've seen so far have been from hosts on SpamHaus' PBL.
>
>
> George
--
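
A local rule along the lines discussed in this thread, as an added example that is not taken from either poster or from the SpamAssassin ruleset. The rule names, description text and score values are assumptions, as is matching on the `X-Spam-Relays-External` pseudo-header, which is where SpamAssassin records the HELO of each external relay:

```conf
# local.cf -- added example; names and scores below are assumptions,
# tune them against your own mail before relying on them.

# Fire when the most recent external relay announced itself with a HELO
# of the form VM-<something>-centos.localdomain. The leading /^[^\]]+ /
# keeps the match inside the first [ ... ] relay entry, so only the host
# that actually connected to your MX is considered.
header   LOCAL_HELO_VM_CENTOS  X-Spam-Relays-External =~ /^[^\]]+ helo=VM-[^ ]+-centos\.localdomain /i
describe LOCAL_HELO_VM_CENTOS  HELO looks like VM-x-yy-centos.localdomain
score    LOCAL_HELO_VM_CENTOS  2.0

# The connections described in the thread also came from PBL-listed
# hosts. Rather than raising RCVD_IN_PBL for all mail, add weight only
# when both signals are present on the same message.
meta     LOCAL_HELO_VM_CENTOS_PBL  (LOCAL_HELO_VM_CENTOS && RCVD_IN_PBL)
describe LOCAL_HELO_VM_CENTOS_PBL  VM-*-centos.localdomain HELO from a PBL-listed host
score    LOCAL_HELO_VM_CENTOS_PBL  2.5
```

Run `spamassassin --lint` after editing to confirm the rules parse, then check a saved sample message to see that the new rule names appear in the report.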