On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:
Hi,
I'm getting loads of fake LinkedIn invites, most of which aren't
caught by SpamAssassin.
Does anyone have a good SpamAssassin rule to catch those, while
letting real LinkedIn invites through?
Do they fail SPF or DKIM?
Unfortunately not, for the most part. (The "From:" header is at linkedin
dot com, but the envelope sender is a random address, and I guess SPF
and DKIM run on the envelope sender only.)
If they do, and the legit ones pass SPF or DKIM, then the standard
solution is to add a header rule to detect that the message claims to
be from that domain (e.g. using the domain part of the From or
Reply-To headers), and then either give that rule some points and also
define whitelist_from_auth for the domain, or meta that rule with
(SPF_FAIL || DKIM_FAIL) and give the meta a some points.
There were some examples of doing this for facebook within the last
couple of weeks, check the list archives.
Hmm, legit ones have SPF_PASS.
So I guess I could set up a rule that punishes messages “From:” linkedin
which don't have SPF_PASS. I might give that a try, once I find some
time to figure out how...
Thanks,
- Michael
