On 10/6/2023 1:22 AM, Olivier wrote:
> Hi,
>
>>> Recently I have received a wave of mails in the form
>>> From:word-olivier@somewhere.random
>>> To:olivier@mydomain.com
>>>
>>> Where the "olivier" part is a valid username on my domain.
>>>
>>> Is there a rule to catch these with SA?
>> SA does not have any way to know what the valid usernames in any domain
>> are. Without custom local rules, it doesn't even know what domains might
>> be valid for your mail system. You can, of course, create local rules
>> for specific users who get heavily targeted by this tactic. That does
>> not scale, but it can be useful.
> Someone could have written a plugin that does just that. I think I could
> write one myself, it is quite basic programming, but I'd prefer to avoid
> re-inventing the wheel.
(1) Should you go the plugin route, make sure that the variable assigned to
the To: address field is always (set/init) to something. Otherwise, any BCC'd
messages will throw Perl "undefined variable" errors.
https://metacpan.org/pod/Mail::SpamAssassin::PerMsgStatus lists all of the SA
functions available to plugins and is always a good reference.
>> Special rules for high-spam individuals can also help by acting as
>> "canary" rules, if you use the 'autolearn_force' rule tflag. This way,
>> when a spammer using the specific pattern starts a run, you will catch
>> one match, autolearn it as spam, and (hopefully) recognize its sibling
>> messages as such.
> I will look at that too.
(2) SA v4.0 has support for Perl Capture Groups where the Capture Group
can be match-tested in rules. Maybe something like this (untested):

    if (version >= 4.000000)
      # Capture the local part of the To: address as the tag TO_USER_ADDR
      header __MY_TO_ADDR To:addr =~ /(?<TO_USER_ADDR>.*)\@.*/
      # Hit when the From: local part is "word-" followed by that captured value
      header MY_WORD From:addr =~ /^word\-%{TO_USER_ADDR}\@/i
      score MY_WORD 5.0
    endif

You can read more information about this function here:
https://metacpan.org/pod/Mail::SpamAssassin::Conf#CAPTURING-TAGS-USING-REGEX-NAMED-CAPTURE-GROUPS

-- Jared Hall
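
The plugin route from point (1), sketched as an added example that is not part of the original message or of SpamAssassin itself: an eval rule that fires when the From: local part is "<anything>-<recipient local part>", with every header read given a default so BCC'd mail cannot produce undefined-value warnings. The package name, rule name, score and file path are assumptions made for this example.

```perl
package Mail::SpamAssassin::Plugin::FromEmbedsRcpt;   # hypothetical plugin name
use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    $self->register_eval_rule('check_from_embeds_rcpt');
    return $self;
}

# True when the From: local part is "<something>-<recipient local part>",
# e.g. From: word-olivier@somewhere.random, To: olivier@mydomain.com.
sub check_from_embeds_rcpt {
    my ($self, $pms) = @_;

    # Pass a default so a missing header yields '' rather than undef.
    my $from = lc($pms->get('From:addr', ''));
    return 0 unless $from =~ /^([^@]+)\@/;
    my $from_user = $1;

    # To:addr is empty for BCC'd mail; all_to_addrs() also considers Cc and
    # other recipient headers and returns an empty list when none exist.
    my @rcpts = grep { defined && length }
                ($pms->get('To:addr', ''), $pms->all_to_addrs());

    for my $rcpt (@rcpts) {
        next unless lc($rcpt) =~ /^([^@]+)\@/;
        my $rcpt_user = $1;
        # \Q..\E: a recipient local part may contain regex metacharacters.
        return 1 if $from_user =~ /^.+-\Q$rcpt_user\E$/;
    }
    return 0;
}

1;

# local.cf (rule name, score and path are constructed for this example):
#   loadplugin Mail::SpamAssassin::Plugin::FromEmbedsRcpt /etc/mail/spamassassin/FromEmbedsRcpt.pm
#   header  MY_FROM_EMBEDS_RCPT  eval:check_from_embeds_rcpt()
#   score   MY_FROM_EMBEDS_RCPT  5.0
```

Unlike the capture-group rule, this works on SA 3.x as well and does not hard-code the "word" prefix, so it should be scored conservatively until its false-positive rate on local mail is known.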