On 10/6/2023 1:22 AM, Olivier wrote:
Hi,

Recently I have received a wave of mails in the form
From:word-olivier@somewhere.random
To:oliv...@mydomain.com

Where the "olivier" part is a valid username on my domain.

Is there a rule to catch these with SA?
SA does not have any way to know what the valid usernames in any domain
are. Without custom local rules, it doesn't even know what domains might
be valid for your mail system. You can, of course, create local rules
for specific users who get heavily targeted by this tactic. That does
not scale, but it can be useful.
Someone could have written a plugin that does just that. I think I could
write one myself, it is quite basic programming, but I'd prefer to avoid
re-inventing the wheel.
(1) Should you go the plugin route, make sure that the variable assigned to the
To: address field is always (set/init) to something.  Otherwise, any BCC'd
messages will throw Perl "undefined variable" errors.

https://metacpan.org/pod/Mail::SpamAssassin::PerMsgStatus lists all of the SA
functions available to plugins and is always a good reference.
Special rules for high-spam individuals can also help by acting as
"canary" rules, if you use the 'autolearn_force' rule tflag. This way,
when a spammer using the specific pattern starts a run, you will catch
one match, autolearn it as spam, and (hopefully) recognize its sibling
messages as such.
I will look at that too.
(2) SA v4.0 has support for Perl capture groups where the capture group
can be match-tested in rules.  Maybe something like this (untested):

if (version >= 4.000000)
  header   __MY_TO_ADDR    To:addr =~ /(?<TO_USER_ADDR>.*)\@.*/
  header   MY_WORD         From:addr =~ /^word\-%{TO_USER_ADDR}\@/i
  score    MY_WORD         5.0
endif


You can read more information about this function here:
https://metacpan.org/pod/Mail::SpamAssassin::Conf#CAPTURING-TAGS-USING-REGEX-NAMED-CAPTURE-GROUPS


-- Jared Hall
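Added illustration (not from the thread or the SpamAssassin project): the same check as the rule above, written as plain Python so it can be run offline, covering the missing To: header case from point (1) and the case-insensitive comparison; the "word-" prefix and the sample messages are constructed from the addresses Olivier quoted.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not taken from the thread); the "word-"
# prefix is an assumption based on the addresses Olivier quoted.
TARGETED = """\
From: Word-Olivier@somewhere.random
To: Olivier <olivier@mydomain.com>, bob@mydomain.com
Subject: constructed sample

body
"""

BCC_ONLY = """\
From: word-olivier@somewhere.random
Subject: constructed sample with no To: header (BCC delivery)

body
"""


def to_local_parts(msg):
    """Local parts of every To: recipient.  Returns an empty list when the
    header is missing (the BCC case), so the caller never sees an undefined
    value, which is the pitfall point (1) warns about."""
    addrs = getaddresses(msg.get_all("To", []))
    return [addr.split("@", 1)[0] for _, addr in addrs if "@" in addr]


def matches_word_pattern(raw, prefix="word-"):
    """True when the From: local part is <prefix><To: local part> for any
    To: recipient, compared case-insensitively like the /i rule above."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    if not senders or "@" not in senders[0][1]:
        return False
    from_local = senders[0][1].split("@", 1)[0]
    for user in to_local_parts(msg):
        # Escape the captured username so a dot in it stays a literal dot
        # instead of becoming a regex wildcard when it is interpolated.
        pattern = re.compile("^" + re.escape(prefix + user) + "$", re.IGNORECASE)
        if pattern.match(from_local):
            return True
    return False
```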
