adsp_override dhl.com penalizes when someone spoofs the address, for example sending email with @dhl.com without DKIM, but it doesn't catch when someone uses a DHL description in From, as in this example:

From: DHL Service d...@infectedpc.com

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

From: Paul Stead [mailto:paul.st...@zeninternet.co.uk]
Sent: Monday, 3 October 2016 13:03
To: users@spamassassin.apache.org
Subject: Re: a .cf to prevent abuse of popular names

On 03/10/16 10:14, Nicola Piazzi wrote:

# DHL
header __AF_DHL_FROM From =~ /([^a-zA-Z0-9]|^)dhl([^a-zA-Z0-9]|\b)/i
header __AF_DHL_DOMAIN From =~ /\@dhl\.com(>|\b)/i
meta AF_VALID_DHL (SPF_PASS || MXPF_PASS || DKIM_VALID_AU) && __AF_DHL_DOMAIN
describe AF_VALID_DHL Valid dhl Sender
score AF_VALID_DHL -1.00
meta AF_ABUSED_DHL __AF_DHL_FROM && !AF_VALID_DHL
describe AF_ABUSED_DHL Probably Abused dhl Sender Name
score AF_ABUSED_DHL 1.00

An email sent with a valid SPF for a different domain than dhl.com would hit AF_VALID_DHL in this example...

A better way to validate the emails would be

---8<---
whitelist_auth *@dhl.com
---8<---

And to catch the potential abuse

---8<---
adsp_override dhl.com custom_med
---8<---

I'm part way through raising a bug request with a feature improvement which might help towards this too, watch this space

Paul
--
Paul Stead
Systems Engineer
Zen Internet
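
The two cases discussed in this thread, as an added example that is not code from either poster or from SpamAssassin: it contrasts a check that accepts any SPF pass with one that ties the authenticated domain to the From domain, and separately flags the brand name used with an unrelated address. Function names, result labels and the `.example` domains are assumptions, and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

BRAND_DOMAIN = "dhl.com"
# Brand token delimited by non-alphanumerics, the same idea as __AF_DHL_FROM.
BRAND_RE = re.compile(r"(?<![a-z0-9])dhl(?![a-z0-9])", re.I)


def author_domain(from_header):
    """Lower-cased domain of the address in a From header ('' if no address)."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def naive_valid(from_header, spf_domain=None, dkim_domains=()):
    """Any SPF pass counts, whatever domain it was for (as in the quoted meta rule)."""
    passed = spf_domain is not None or BRAND_DOMAIN in dkim_domains
    return passed and author_domain(from_header) == BRAND_DOMAIN


def classify(from_header, spf_domain=None, dkim_domains=()):
    """Bind the authentication result to the From domain before trusting it.

    spf_domain: envelope-sender domain that passed SPF, or None.
    dkim_domains: signing domains whose DKIM signature verified.
    """
    domain = author_domain(from_header)
    if domain == BRAND_DOMAIN:
        authed = {d.lower() for d in dkim_domains}
        if spf_domain:
            authed.add(spf_domain.lower())
        return "valid" if domain in authed else "spoofed_domain"
    if BRAND_RE.search(from_header):
        return "abused_name"  # brand in the display name, unrelated address
    return "unrelated"


# Constructed sample headers: (From value, SPF-passing domain, DKIM-passing domains).
SAMPLES = [
    ("DHL Service <delivery@infectedpc.example>", "infectedpc.example", ()),
    ("DHL Express <noreply@dhl.com>", None, ("dhl.com",)),
    ("DHL Express <noreply@dhl.com>", "bulkmailer.example", ()),
    ("Adhl Logistics <info@adhl.example>", "adhl.example", ()),
]

if __name__ == "__main__":
    for hdr, spf, dkim in SAMPLES:
        print(f"{classify(hdr, spf, dkim):15} naive={naive_valid(hdr, spf, dkim)}  {hdr}")
```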