Mailing List Archive

help with simple test?
I'm hoping this is a relatively simple test...

I'm seeing emails "From Me, To Me", typically extortion types. I'm not
even seeing which of the SA tests are getting hit, because I have my own
email in my Whitelist.

Is there a way I can check IF From = me@staticinfo.com AND Return-Path
!= FROM in a rule?

I guess no matter what, I would have to remove my own email address from
the Whitelist?  Or can this be checked and override the
whitelist-shortcircuit somehow?

Thanks.
Re: help with simple test?
On Wed, 2020-01-15 at 11:02 -0500, AJ Weber wrote:
> I'm hoping this is a relatively simple test...
> I'm seeing emails "From Me, To Me", typically extortion types. I'm not
> even seeing which of the SA tests are getting hit, because I have my
> own email in my Whitelist.
> Is there a way I can check IF From = me@staticinfo.com AND Return-Path
> != FROM in a rule?
> I guess no matter what, I would have to remove my own email address
> from the Whitelist? Or can this be checked and override the
> whitelist-shortcircuit somehow?

I'd suggest a few things.
1) Make sure all your real email is DKIM signed. Then change the
whitelist on your own email to one or more whitelist_from_dkim entries
with valid signing domains. Proper use of DKIM is awesome for
whitelisting.
2) You can't test multiple headers in one rule but meta rules are your
friend.
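# sub-rules: does each header contain my address?
header __LOCAL_RETURN_PATH_ME Return-Path =~ /my\@address/im
header __LOCAL_FROM_ME From =~ /my\@address/im
# fires when From claims to be me but the envelope sender does not
meta LOCAL_ME_FORGED (__LOCAL_FROM_ME && !__LOCAL_RETURN_PATH_ME)
score LOCAL_ME_FORGED 10
describe LOCAL_ME_FORGED Message has my address in From but not in envelope sender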
3) Much better plan, just add DMARC to your domain and high score
anything from your domain that fails DMARC. There is no reason to be
seeing mail forged from your own address in 2020 (assuming you have your
own domain).
4) Remember that most mailing list messages will fail both 2) and 3)
above. Have a plan for mailing lists.
Re: help with simple test?
On 15.01.20 11:02, AJ Weber wrote:
>I'm hoping this is a relatively simple test...
>
>I'm seeing emails "From Me, To Me", typically extortion types. I'm not
>even seeing which of the SA tests are getting hit, because I have my
>own email in my Whitelist.
>
>Is there a way I can check IF From = me@staticinfo.com AND Return-Path
>!= FROM in a rule?

No. Also, you would refuse much mail from mailing lists (where From: is your
address but envelope from "return-path" is mailing list).

>I guess no matter what, I would have to remove my own email address
>from the Whitelist?

Yes. Sending from the same address (or at least domain) is what spammers do
to exploit your whitelists.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
42.7 percent of all statistics are made up on the spot.
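
The From versus Return-Path comparison from point 2, together with the mailing-list caveat both replies raise, as an added Python example that is not part of the thread and is not SpamAssassin code. The address, the sample messages and the classify() helper are constructed for illustration, so the logic can be tried on saved mail before a rule like LOCAL_ME_FORGED is given a high score.

```python
# Added example; addresses and sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr

ME = "me@example.org"  # placeholder for the address being protected

def classify(raw, me=ME):
    """Return 'forged', 'list' or 'ok' for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    # Return-Path is written by the receiving MTA from the envelope sender;
    # a bounce ("<>") parses to an empty string and never matches `me`.
    env_addr = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if from_addr != me.lower():
        return "ok"      # the check only concerns mail claiming to be from me
    if env_addr == me.lower():
        return "ok"      # header From and envelope sender agree
    # Lists keep the author's From but use their own envelope sender, so a
    # list marker means "do not score on this check", not "forged".
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return "list"
    return "forged"

# Constructed sample messages (headers only matter here).
SAMPLES = {
    "extortion": "Return-Path: <bounce@mailer.invalid>\n"
                 "From: Me <me@example.org>\nTo: me@example.org\n"
                 "Subject: I have your password\n\nbody\n",
    "own_mail":  "Return-Path: <me@example.org>\n"
                 "From: Me <ME@example.org>\nTo: friend@example.net\n"
                 "Subject: lunch\n\nbody\n",
    "list_post": "Return-Path: <users-return-42@lists.example.net>\n"
                 "List-Id: <users.lists.example.net>\n"
                 "From: Me <me@example.org>\nTo: users@lists.example.net\n"
                 "Subject: Re: help\n\nbody\n",
    "stranger":  "Return-Path: <a@example.net>\n"
                 "From: A <a@example.net>\nTo: me@example.org\n"
                 "Subject: hi\n\nbody\n",
}

def run_samples():
    """Classify every constructed sample and return name -> verdict."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} {verdict}")
```

List-Id and List-Unsubscribe are set by the sender, so a "list" verdict only means this check should not score the message by itself; the DKIM and DMARC results from points 1 and 3 still have to decide.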