Mailing List Archive

to: header is not in my domain
Hi, how to score this e-mails?
I know I can give negative score if To: IS my domain, but I do not like
this solution.
Any suggestions?

cheers
Miki
Re: to: header is not in my domain
Miki wrote on 2020-10-20 20:29:
> Hi, how to score this e-mails?

what email ?

> I know I can give negative score if To: IS my domain, but I do not

please don't help spammers

> like this solution.
> Any suggestions?

is users@spamassassin.apache.org you liked to give negative scores to ?

then in local.cf:

whitelist_from users@spamassassin.apache.org

i hate that this is supported in spamassassin, since there is no forged
protection with it

do instead:

whitelist_from_spf users@spamassassin.apache.org
Re: to: header is not in my domain
Let's say my domain is mydomain.com. 99% of all the e-mails have:
To: miki@mydomain.com
But some e-mails, most likely sent using BCC are coming with:
To: anyuser@anydomain.com

Nearly all of them are spam.

cheers
Miki


On Tue, 20 Oct 2020 at 20:14, Benny Pedersen <me@junc.eu> wrote:

> Miki wrote on 2020-10-20 20:29:
> > Hi, how to score this e-mails?
>
> what email ?
>
> > I know I can give negative score if To: IS my domain, but I do not
>
> please don't help spammers
>
> > like this solution.
> > Any suggestions?
>
> is users@spamassassin.apache.org you liked to give negative scores to ?
>
> then in local.cf:
>
> whitelist_from users@spamassassin.apache.org
>
> i hate that this is supported in spamassassin, since there is no forged
> protection with it
>
> do instead:
>
> whitelist_from_spf users@spamassassin.apache.org
>
>
>
Re: to: header is not in my domain
Miki wrote on 2020-10-20 21:19:
> Let's say my domain is mydomain.com. 99% of all the e-mails have:
> To: miki@mydomain.com
> But some e-mails, most likely sent using BCC are coming with:
> To: anyuser@anydomain.com
>
> Nearly all of them are spam.

blacklist_to then

set blacklist_from to same

this is forged protecting safe

and yes it's not foolproof since bcc can be used on remote
Re: to: header is not in my domain
Thanks for quick reply, but blacklist what?
The problem is I do not know this spammy domains.
I want to give a score when To: field is NOT in anyaddress@mydomain.com

cheers
Miki


On Tue, 20 Oct 2020 at 20:25, Benny Pedersen <me@junc.eu> wrote:

> Miki wrote on 2020-10-20 21:19:
> > Let's say my domain is mydomain.com. 99% of all the e-mails have:
> > To: miki@mydomain.com
> > But some e-mails, most likely sent using BCC are coming with:
> > To: anyuser@anydomain.com
> >
> > Nearly all of them are spam.
>
> blacklist_to then
>
> set blacklist_from to same
>
> this is forged protecting safe
>
> and yes it's not foolproof since bcc can be used on remote
>
Re: to: header is not in my domain
> Thanks for quick reply, but blacklist what?
> The problem is I do not know this spammy domains.
> I want to give a score when To: field is NOT in anyaddress@mydomain.com

If only it were that easy.

You'll notice that recipients of this mailing list receive mail to the
mailing list address, not to each recipient.

You might have better luck building a meta rule that combines the "To:"
field with something else, like a body rule or lack of presence of an
SPF record, etc.

You might also consider building rules based on email !__MYDOMAIN, and
excluding cases like this mailing list, then otherwise adding points
that would normally be overcome by a proper SPF record or Envelope From
address, for example.

You should submit a few of these emails to pastebin.com where we can
analyze them more thoroughly for other patterns.

Regards,
Dave

Re: to: header is not in my domain
On Tue, 2020-10-20 at 20:38 +0100, Miki wrote:
> Thanks for quick reply, but blacklist what?
> The problem is I do not know this spammy domains.
> I want to give a score when To: field is NOT in anyaddress@mydomain.com

Not tested, but something like this should work:

header __LOCAL_TO_ME To =~ /\@mydomain/i
header __LOCAL_CC_ME Cc =~ /\@mydomain/i
header __LOCAL_MAILING_LIST1 List-Unsubscribe =~ /[a-z]+/
header __LOCAL_MAILING_LIST2 List-ID =~ /[a-z]+/

meta LOCAL_NOT_TO_ME ( ! ( __LOCAL_TO_ME || __LOCAL_CC_ME || __LOCAL_MAILING_LIST1 || __LOCAL_MAILING_LIST2 ))
score LOCAL_NOT_TO_ME ??

You'll want to whitelist authenticated mail from your regular correspondents
though so it doesn't hit normal bcc's.
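
A small Python model of the LOCAL_NOT_TO_ME logic from the message above, added here as an example (it is not part of the thread and not SpamAssassin code): it runs the same To/Cc/list-header test over constructed sample headers so the hits and false positives can be seen before a score is chosen. `mydomain.com` is the thread's placeholder, the function names are hypothetical, and the domain comparison is an exact match rather than the unanchored regex used in the rule.

```python
from email import message_from_string
from email.utils import getaddresses

MY_DOMAIN = "mydomain.com"  # placeholder domain used in the thread


def addressed_to_me(msg, domain=MY_DOMAIN):
    """True if any To: or Cc: address has exactly `domain` as its domain."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(addr.lower().rpartition("@")[2] == domain for _, addr in pairs)


def is_list_mail(msg):
    """True if the message carries List-Id or List-Unsubscribe."""
    return "List-Id" in msg or "List-Unsubscribe" in msg


def local_not_to_me(raw):
    """Model of the meta rule: not to me, not cc'd to me, not list mail."""
    msg = message_from_string(raw)
    return not (addressed_to_me(msg) or is_list_mail(msg))


# Constructed sample headers, not taken from real mail.
SAMPLES = {
    "direct": "From: a@example.net\nTo: miki@mydomain.com\n\n",
    "cc": "From: a@example.net\nTo: b@example.org\n"
          "Cc: Miki <miki@MyDomain.com>\n\n",
    "list": "From: a@example.net\nTo: users@spamassassin.apache.org\n"
            "List-Id: <users.spamassassin.apache.org>\n\n",
    # A Bcc'd message looks like this whether it is spam or a regular
    # correspondent, which is why the thread advises whitelisting
    # authenticated senders.
    "bcc": "From: a@example.net\nTo: anyuser@anydomain.com\n\n",
    # The rule's unanchored /\@mydomain/i would count this as "to me";
    # the exact comparison here does not.
    "lookalike": "From: a@example.net\nTo: x@mydomain.com.example.net\n\n",
    "no_to": "From: a@example.net\nSubject: hello\n\n",
}


def evaluate(samples=SAMPLES):
    """Return {sample name: True if LOCAL_NOT_TO_ME would hit}."""
    return {name: local_not_to_me(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:10} LOCAL_NOT_TO_ME={'hit' if hit else '-'}")
```
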
Re: to: header is not in my domain
Are you telling me it's that simple. I want to score the emails without my
domain in To field. I can do this both ways
1. Score when To: contain main domain negatively
header HDR To=~ /\@mydomain\.com/i
describe HDR To mydomain
score HDR -2

2. Score when To: does not contain my domain positively. But will it work?
header HDR To!~ /\@mydomain\.com/i
describe HDR To mydomain
score HDR 2



On Tue, 20 Oct 2020 at 20:50, Dave Wreski <dwreski@guardiandigital.com> wrote:

> > Thanks for quick reply, but blacklist what?
> > The problem is I do not know this spammy domains.
> > I want to give a score when To: field is NOT in anyaddress@mydomain.com
>
> If only it were that easy.
>
> You'll notice that recipients of this mailing list receive mail to the
> mailing list address, not to each recipient.
>
> You might have better luck building a meta rule that combines the "To:"
> field with something else, like a body rule or lack of presence of an
> SPF record, etc.
>
> You might also consider building rules based on email !__MYDOMAIN, and
> excluding cases like this mailing list, then otherwise adding points
> that would normally be overcome by a proper SPF record or Envelope From
> address, for example.
>
> You should submit a few of these emails to pastebin.com where we can
> analyze them more thoroughly for other patterns.
>
> Regards,
> Dave
Re: to: header is not in my domain
WOOW.
Thank you very much. I owe you one :)


On Tue, 20 Oct 2020 at 20:52, Alan Hodgson <ahodgson@lists.simkin.ca> wrote:

> On Tue, 2020-10-20 at 20:38 +0100, Miki wrote:
>
> Thanks for quick reply, but blacklist what?
> The problem is I do not know this spammy domains.
> I want to give a score when To: field is NOT in anyaddress@mydomain.com
>
>
> Not tested, but something like this should work:
>
> header __LOCAL_TO_ME To =~ /\@mydomain/i
> header __LOCAL_CC_ME Cc =~ /\@mydomain/i
> header __LOCAL_MAILING_LIST1 List-Unsubscribe =~ /[a-z]+/
> header __LOCAL_MAILING_LIST2 List-ID =~ /[a-z]+/
>
> meta LOCAL_NOT_TO_ME ( ! ( __LOCAL_TO_ME || __LOCAL_CC_ME || __LOCAL_MAILING_LIST1 || __LOCAL_MAILING_LIST2 ))
> score LOCAL_NOT_TO_ME ??
>
> You'll want to whitelist authenticated mail from your regular
> correspondents though so it doesn't hit normal bcc's.
>
Re: to: header is not in my domain
On Tue, 2020-10-20 at 19:29 +0100, Miki wrote:
> Hi, how to score this e-mails?
> I know I can give negative score if To: IS my domain, but I do not
> like this solution.
> Any suggestions?
>
Why do that? It's the exact reverse of something that does work pretty
well: write a rule that gives a positive score to any mail whose To: or
BCC: headers contain your email address(es).

Also, not exactly what you're asking for, but e-mails where the From:
domain doesn't match the domain in Message-ID: are very often spam and
so could be worth a point or two.

Martin
Re: to: header is not in my domain
On 20 Oct 2020, at 16:06, Miki wrote:

> Are you telling me it's that simple. I want to score the emails
> without my
> domain in To field. I can do this both ways
> 1. Score when To: contain main domain negatively
> header HDR To=~ /\@mydomain\.com/i
> describe HDR To mydomain
> score HDR -2
>
> 2. Score when To: does not contain my domain positively. But will it
> work?
> header HDR To!~ /\@mydomain\.com/i
> describe HDR To mydomain
> score HDR 2

It's that simple, but put a space between the header name and the
matching operator. Just as documented, run: perldoc
Mail::SpamAssassin::Conf

And as previously noted by others, this will match a majority of
non-spam mailing list mail.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: to: header is not in my domain
Miki wrote on 2020-10-20 21:38:
> Thanks for quick reply, but blacklist what?

+1

> The problem is I do not know this spammy domains.

see maillist headers, you know me now :=)

> I want to give a score when To: field is NOT in
> anyaddress@mydomain.com

read manuals in perldoc Mail::SpamAssassin::Conf and possibly
Mail::SpamAssassin::Plugin::SPF and Mail::SpamAssassin::Plugin::DKIM

if you like to trust your own From: header sign it with dkim and
whitelist_from_dkim bar@yourdomain.example.org

do not use whitelist_from ever

i will stop my rants here
Re: to: header is not in my domain
On Tue, 2020-10-20 at 21:34 +0100, Martin Gregorie wrote:
> On Tue, 2020-10-20 at 19:29 +0100, Miki wrote:
> > Hi, how to score this e-mails?
> > I know I can give negative score if To: IS my domain, but I do not
> > like this solution.
> > Any suggestions?
> >
> Why do that? It's the exact reverse of something that does work pretty
> well: write a rule that gives a positive score to any mail whose To:
> or
> BCC: headers contain your email address(es).
>
Brain fart: sorry. I should have said "give a positive score to an email
where neither the To or BCC addresses contain your email address(es)",
i.e. write subrules for To and BCC that contain addresses you
want, combine them and negate the result in a meta rule, something like
this:

header __TORULE To =~ /(addr1|addr2|...)/
header __BCCRULE Bcc =~ /(addr1|addr2|...)/
meta MYRULE !( __TORULE || __BCCRULE)
score MYRULE 6.0

Martin
Re: to: header is not in my domain
On Tue, 20 Oct 2020 21:34:08 +0100
Martin Gregorie wrote:

> Also, not exactly what you're asking for, but e-mails where the From:
> domain doesn't match the domain in Message-ID: are very often spam and
> so could be worth a point or two.

And lots of ham will fail that too.
Re: to: header is not in my domain
Martin Gregorie wrote on 2020-10-20 23:48:

> header __TORULE To =~ /(addr1|addr2|...)/
> header __BCCRULE Bcc =~ /(addr1|addr2|...)/
> meta MYRULE !( __TORULE || __BCCRULE)
> score MYRULE 6.0

what MTA does not remove bcc headers ?
Re: to: header is not in my domain
On Tue, 2020-10-20 at 22:49 +0100, RW wrote:
> On Tue, 20 Oct 2020 21:34:08 +0100
> Martin Gregorie wrote:
>
> > Also, not exactly what you're asking for, but e-mails where the From:
> > domain doesn't match the domain in Message-ID: are very often spam
> > and
> > so could be worth a point or two.
>
> And lots of ham will fail that too.

Fair comment: I don't use that sort of rule myself. Instead, I have a
module that does a sender lookup in my mail archive. The rule triggering
the lookup adds some negative points if I've ever sent mail to that
address.

Martin