Mailing List Archive

Stop incoming mail from using my own domain name
I will never have incoming mail coming from the outside which uses my
domain name. I'd like to create a rule which prevents it.

The problem is that I received one of the new Bagel virus emails with
the password-protected ZIP payload. It has a FROM of my domain. It
even faked the message-id for my domain.

How can I give a high SA score to such an email?

Thanks,
Dan
Re: Stop incoming mail from using my own domain name
At 08:05 AM 3/3/2004, you wrote:
>I will never have incoming mail coming from the outside which uses my
>domain name. I'd like to create a rule which prevents it.
>
>The problem is that I received one of the new Bagel virus emails with the
>password-protected ZIP payload. It has a FROM of my domain. It even
>faked the message-id for my domain.
>
>How can I give a high SA score to such an email?


That might be better to be blocked at your MUA level and reject the message. :)

Evan
Re: Stop incoming mail from using my own domain name
Dan Bullock said:
> I will never have incoming mail coming from the outside which uses my
> domain name. I'd like to create a rule which prevents it.
>
> The problem is that I received one of the new Bagel virus emails with
> the password-protected ZIP payload. It has a FROM of my domain. It
> even faked the message-id for my domain.
>
> How can I give a high SA score to such an email?
>
> Thanks,
> Dan

Here's a rule I pulled off the list:
#penalize mail hosts pretending to be me when connecting
header LOCAL_SPOOFME Received =~ /from my\.ip\.add\.ress/
describe LOCAL_SPOOFME pretending to be from ourselves!
score LOCAL_SPOOFME 3.0



--
Kurt Yoder
Sport & Health network administrator
Re: Stop incoming mail from using my own domain name
Don't you (or anyone at your domain) ever cc or bcc yourself on a message?
What do the headers for that look like?

Loren

> I will never have incoming mail coming from the outside which uses my
> domain name. I'd like to create a rule which prevents it.
Re: Stop incoming mail from using my own domain name
----- Original Message -----
From: "Evan Platt" <evan@espphotography.com>
To: <spamassassin-users@incubator.apache.org>
Sent: Wednesday, March 03, 2004 11:15 AM
Subject: Re: Stop incoming mail from using my own domain name


> At 08:05 AM 3/3/2004, you wrote:
> >I will never have incoming mail coming from the outside which uses my
> >domain name. I'd like to create a rule which prevents it.
> >
> >The problem is that I received one of the new Bagel virus emails with the
> >password-protected ZIP payload. It has a FROM of my domain. It even
> >faked the message-id for my domain.
> >
> >How can I give a high SA score to such an email?
>
>
> That might be better to be blocked at your MUA level and reject the message. :)
>


I assume you mean at the MTA level. This is possible but does run into other problems such as offsite mailing lists, like this one.
I've also tried using the whitelist_from_rcvd but this gets cumbersome predicting all the valid places for whitelisted entries,
assuming that spammers will also start forging other domains as well.

What I have just done is written my first SpamAssassin rules :-) ... but perhaps this check should be part of the built-in
whitelist processing. These two meta rules ignore the whitelist on any suspect email and let regular spam checking take
care of it. I later search for TSG_WHITELIST in my .procmailrc, that's why that rule is needed. Otherwise it's not
What are anyone's thoughts on this:

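# true when any stock forged-Received test fires (kept on one line; the mail client had wrapped it)
meta __TSG_UNTRUSTED (FORGED_AOL_RCVD || FORGED_HOTMAIL_RCVD || FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || FORGED_JUNO_RCVD || FORGED_GW05_RCVD || FORGED_MUA_OUTLOOK)

# names starting with __ are sub-rules: not scored or reported, so these two lines have no effect
describe __TSG_UNTRUSTED Received headers indicate a forgery of some type
score __TSG_UNTRUSTED 1.00
# whitelisted sender with no forgery indicators; this is the name searched for in .procmailrc
meta TSG_WHITELIST (USER_IN_WHITELIST && !(__TSG_UNTRUSTED))
describe TSG_WHITELIST Received headers do not indicate forgery, and USER_IN_WHITELIST
score TSG_WHITELIST -1.000
# whitelisted sender but forgery indicators present: large score to cancel the whitelist bonus
meta TSG_UNWHITELIST (USER_IN_WHITELIST && __TSG_UNTRUSTED)
describe TSG_UNWHITELIST Undo SpamAssassin Whitelisting
score TSG_UNWHITELIST 100.0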
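
The check this thread discusses, as an added Python example that is not from any poster: flag mail whose From is the local domain but which an outside host handed to the MX, while separating the two cases raised above (a user cc'ing themselves, and one's own post returning from an offsite list). The domain `example.com`, the trusted range 192.0.2.0/24, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"                            # assumption: our mail domain
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: our own relays and clients

# Bracketed IPv4 literal as MTAs write it: "Received: from host (name [1.2.3.4])"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(msg):
    """IP of the host that connected to our MX. Only the topmost Received
    header is written by a machine we control; lower ones can be forged."""
    received = msg.get_all("Received", [])
    m = IP_RE.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:          # e.g. "[999.1.1.1]"
        return None

def classify(raw):
    """Return a verdict string for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != LOCAL_DOMAIN:
        return "not-our-domain"
    ip = handoff_ip(msg)
    if ip is not None and any(ip in net for net in TRUSTED_NETS):
        return "internal"       # local submission, e.g. a user cc'ing themselves
    # List headers are sender-controlled, so treat this as a reason to score
    # lower than an outright spoof, not as a whitelist.
    if msg.get("List-Id") or msg.get("List-Post"):
        return "list-echo"      # our own post coming back from an offsite list
    return "spoof-suspect"      # unknown or external handoff claiming our domain

def sample(frm, rcvd_ip, extra=""):
    """Build a constructed test message (not real traffic). The second
    Received line carries an internal IP to show that it is ignored."""
    return (f"Received: from relay (relay [{rcvd_ip}]) by mx.example.com\n"
            f"Received: from forged ([192.0.2.9]) by relay\n"
            f"From: {frm}\n{extra}Subject: test\n\nbody\n")

if __name__ == "__main__":
    for frm, ip in [("dan@example.com", "203.0.113.7"),
                    ("Dan <dan@example.com>", "192.0.2.25")]:
        print(frm, ip, classify(sample(frm, ip)))
```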