On 29-Aug-2013 00:55, Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:
Hi,
I'm getting loads of fake LinkedIn invites, most of which aren't
caught by SpamAssassin.
Does anyone have a good SpamAssassin rule to catch those, while
letting real LinkedIn invites through?
Do they fail SPF or DKIM?
Unfortunately not, for the most part. (The "From:" header is at
linkedin dot com, but the envelope sender is a random address, and I
guess SPF and DKIM run on the envelope sender only.)
If they do, and the legit ones pass SPF or DKIM, then the standard
solution is to add a header rule to detect that the message claims to
be from that domain (e.g. using the domain part of the From or
Reply-To headers), and then either give that rule some points and
also define whitelist_from_auth for the domain, or meta that rule
with (SPF_FAIL || DKIM_FAIL) and give the meta a some points.
There were some examples of doing this for facebook within the last
couple of weeks, check the list archives.
Hmm, legit ones have SPF_PASS.
So I guess I could set up a rule that punishes messages “From:”
linkedin which don't have SPF_PASS. I might give that a try, once I
find some time to figure out how...
No time like the present...
# Punish fake LinkedIn mail
header __FROM_LINKEDIN From =~ /\@linkedin\.com/i
meta FROM_LINKEDIN_NO_SPF (__FROM_LINKEDIN && !SPF_PASS &&
!SPF_HELO_PASS)
score FROM_LINKEDIN_NO_SPF 5.0
This seems to do the trick for most of the messages.
- Michael
