I'm trying to improve the effectiveness of a SpamAssassin installation,
and there's one user who gets a lot of spam that is forwarded from
another address, which effectively kills the network tests and in some
cases messes with the BAYES score as well. I want to get rid of it.

My solution to the problem was originally to add the forwarding MTAs to
trusted_networks (seems ironic, but I think this is appropriate).
Unfortunately, this doesn't work, because the headers look like this
(with apologies for the munging, but it's not my e-mail):

Received: from mta3.iomartmail.com ([62.128.193.153])
    by smtp.DOMAIN.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
    (Exim 4.69)
    (envelope-from <[EMAIL PROTECTED]>)
    id 1KOUZB-0001Xq-Eb
    for [EMAIL PROTECTED]; Thu, 31 Jul 2008 10:35:29 +0100
Received: from mta3.iomartmail.com (localhost.localdomain [127.0.0.1])
    by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with ESMTP id
    m6V9ZOVc018574
    for <[EMAIL PROTECTED]>; Thu, 31 Jul 2008 10:35:24 +0100
Received: from p548AAE80.dip0.t-ipconnect.de
    (p548AB09B.dip0.t-ipconnect.de [84.138.176.155])
    by mta3.iomartmail.com (8.12.11.20060308/8.12.11) with SMTP id
    m6V9ZNUK018506
    for <[EMAIL PROTECTED]>; Thu, 31 Jul 2008 10:35:24 +0100

[EMAIL PROTECTED] is the original address, which is handled by
mta[X].iomartmail.com, and it's forwarded to [EMAIL PROTECTED], which is
handled by smtp.DOMAIN.com.

I can put 62.128.193.153 into trusted_networks, which should make
SpamAssassin look at the next header back, but that's another
iomartmail.com machine (presumably a virus/spam checker), and I'm fairly
sure adding 127.0.0.1 to trusted_networks would be a mistake.

Question one: Is there a way of getting the network tests working on
these forwarded e-mails?

My next idea is just to add a load of score to messages to
ORIGINALDOMAIN.com. Looking in the wiki at
http://wiki.apache.org/spamassassin/WritingRules#head-36104467608e64f77e1878ec3201073b8180c728
I see this:

===
Checking the From: line, or any other header, works much the same:

    header LOCAL_DEMONSTRATION_FROM From =~ /test\.com/i
    score LOCAL_DEMONSTRATION_FROM 0.1

Now, that rule is pretty silly, as it doesn't do much that a
blacklist_from can't.
===

What I want to do is blacklist_to [EMAIL PROTECTED], but with a
score of 3 (i.e., it's not really a blacklisting). The quote above seems
to suggest I can do that, but I can't see it in the docs. Question two:
is it possible to set a score on a blacklisted address?

Finally, I can use header ToCC, and that'll probably do, but I wanted to
know if there's a better way.

Thanks,
Chris
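
Added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of walking the Received chain quoted above to find the first relay outside the trusted set, which is the address network tests end up looking at. The function names are hypothetical, and the model treats 127.0.0.0/8 as trusted by default, matching the SpamAssassin documentation's note that 127/8 is always included in trusted_networks; check that against the installed version.

```python
import ipaddress
import re

# Received headers from the message above, newest first, unfolded and shortened.
RECEIVED = [
    "from mta3.iomartmail.com ([62.128.193.153]) by smtp.DOMAIN.com with esmtps",
    "from mta3.iomartmail.com (localhost.localdomain [127.0.0.1]) "
    "by mta3.iomartmail.com with ESMTP",
    "from p548AAE80.dip0.t-ipconnect.de (p548AB09B.dip0.t-ipconnect.de "
    "[84.138.176.155]) by mta3.iomartmail.com with SMTP",
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received):
    """Return the connecting client's IP: the first [a.b.c.d] before ' by '."""
    from_part = received.split(" by ", 1)[0]
    match = IP_IN_BRACKETS.search(from_part)
    return ipaddress.ip_address(match.group(1)) if match else None


def first_untrusted_relay(received_headers, trusted, loopback_trusted=True):
    """Walk hops newest-first; return the first relay IP outside `trusted`.

    Returns None if every hop is trusted or a hop cannot be parsed
    (an unparseable hop ends the walk, since nothing below it can be relied on).
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    if loopback_trusted:  # assumption of this model, see the lead-in
        nets.append(ipaddress.ip_network("127.0.0.0/8"))
    for header in received_headers:
        ip = relay_ip(header)
        if ip is None:
            return None
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    # Forwarder not trusted: tests see the forwarder, not the spam source.
    print(first_untrusted_relay(RECEIVED, []))
    # Forwarder trusted: the walk passes the loopback hop and reaches the sender.
    print(first_untrusted_relay(RECEIVED, ["62.128.193.153"]))
    # Same, but with loopback not trusted: the walk stalls at 127.0.0.1.
    print(first_untrusted_relay(RECEIVED, ["62.128.193.153"], loopback_trusted=False))
```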