A while back I created a plugin for checking Levenshtein distance on From
and To domains, this might answer the problem?
An example configuration might look like this -
This would look just for From domains with a distance equal to 1 from
alexander.com
---8<---
ifplugin Mail::SpamAssassin::Plugin::Levenshtein
header LEVENSHTEIN_ALEXANDER_VCLOSE eval:check_levenshtein_from('
alexander.com', 1)
describe LEVENSHTEIN_ALEXANDER_VCLOSE From domain has distance of 1
from alexander.com
score LEVENSHTEIN_ALEXANDER_VCLOSE 0.1
endif
---8<---
A bit more generic use, protecting To domains -
---8<---
ifplugin Mail::SpamAssassin::Plugin::WLBLEval &&
Mail::SpamAssassin::Plugin::Levenshtein
enlist_addrlist (LEVENSHTEINPROTECT) *@alexander.com
header __LEVENSHTEIN_PROTECT eval:check_to_in_list('LEVENSHTEINPROTECT')
header __LEVENSHTEIN_FROM eval:check_levenshtein()
meta LEVENSHTEIN_PROTECT __LEVENSHTEIN_PROTECT && __LEVENSHTEIN_FROM
describe LEVENSHTEIN_PROTECT From address has a close distance to To
address
score LEVENSHTEIN_PROTECT 0.1
endif
---8<---
Looking at something like paypal -
---8<---
ifplugin Mail::SpamAssassin::Plugin::Levenshtein
header LEVENSHTEIN_PAYPAL_VCLOSE
eval:check_levenshtein_from('paypal', 1)
describe LEVENSHTEIN_PAYPAL_VCLOSE From domain has distance of 1 from
paypal
score LEVENSHTEIN_PAYPAL_VCLOSE 0.1
endif
---8<---
There are a few more examples and details here
https://github.com/fmbla/spamassassin-levenshtein/ Note that this is a third party plugin.
Paul