
Thread: Spamassassin - check return-path against from address

  1. #1

    I am getting a lot of spam recently that I am having a hard time getting flagged by spamassassin. We have enabled SPF checking and it works but I think these emails are getting through because the return-path is not from my domain.

    Is there a way to get spamassassin to flag an email if the return-path and from field do not match?

    Return-Path: stakespv07@scottiecd.com
    Received: from 201.17.156.59 by smtp.secureserver.net; Fri, 19 Feb 2010
    From: user@mydomain.com
    Subject: Very urgent
    To: <user@mydomain.com>

  2. #2

    So I guess nobody else is getting hammered with spam like this???

  3. #3

    Are you able to post more of the headers so we can see what rules are being hit? Are you using any RBLs at all?

    If you have set up your SPF records then you could use
    Code:
    whitelist_auth *@example.com
    in your SA local configuration.
    Last edited by uxbod; 02-24-2010 at 01:09 AM.

  4. #4

    Also, have a read of my last post in http://www.zimbra.com/forums/adminis...same-user.html.

  5. #5

    lunarj565, I recently faced the same problem, having lots of phishing email originating from HotMail users (with correct return-paths, thus passing the SPF check) but with From and Reply-to set to ...@blizzard.com.

    I wrote this simple plugin: FromNotReturnPath (Ivan Korotkov, Pastebin.com paste 0m9CYxzV), based on SpamAssassin samples.

    Save it to /etc/spamassassin/plugins. To use it, add a new .pre file to /etc/spamassassin with the following content:

    Code:
    loadplugin FromNotReturnPath plugins/FromNotReturnPath.pm
    header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
    describe FROM_NOT_RETURN_PATH From: does not match Return-path:
    Then you can set FROM_NOT_RETURN_PATH's score in local.cf as usual.

    I'd recommend using it in conjunction with the spamming domain (because, technically, Return-Path does not always equal From even in legitimate e-mail; mailing lists are a counter-example). I use it as follows:

    Code:
    header __FROM_BLIZZARD  From =~ /\@blizzard\.com/i
    meta FAKE_BLIZZARD_ANNOUNCE (__FROM_BLIZZARD && FROM_NOT_RETURN_PATH)
    describe FAKE_BLIZZARD_ANNOUNCE Fake mail from Blizzard account management
    
    score FAKE_BLIZZARD_ANNOUNCE 40.0
    (high score is needed to outweigh SPF_PASS).
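
    An eval-rule plugin that fits the configuration in post #5, as an added example (it is not Ivan's Pastebin code and not part of the original posts). It assumes the package and eval-rule names from that configuration, compares the whole addresses case-insensitively, and assumes the MTA has already added Return-Path: when SpamAssassin scans the message.

```perl
package FromNotReturnPath;
# Added example, not the plugin linked in the thread.
use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    # Expose the function under the name used by the "header ... eval:" rule.
    $self->register_eval_rule('check_for_from_not_return_path');
    return $self;
}

sub check_for_from_not_return_path {
    my ($self, $pms) = @_;
    # ":addr" yields only the first address in the header;
    # the second argument is the default used when the header is absent.
    my $from  = lc $pms->get('From:addr', '');
    my $rpath = lc $pms->get('Return-Path:addr', '');
    # Assumption: stay silent when either side is missing or empty
    # (bounces carry an empty "<>" return path).
    return 0 if $from eq '' || $rpath eq '';
    # Hit when the envelope sender differs from the visible author.
    return $from ne $rpath ? 1 : 0;
}

1;
```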

  6. #6

    Welcome to the forums.

    Nice plugin. Have you submitted that to the SA team for inclusion in 3.3.0?

  7. #7

    It's almost the same as a sample from their wiki (FromNotReplyTo - Spamassassin Wiki), just Reply-to replaced with Return-path, so I don't think they really need it.

  8. #8

    Hello all,

    I have the same problem; for a few weeks my Zimbra server has been receiving a lot of Blizzard spam every day :-(

    How can I use your plugin in Zimbra to tag or stop this phishing mail, please?

    Thanks in advance !!!

    Davy

  9. #9

    Ivan has already provided the Perl script and the necessary changes you need to make to salocal.cf.

  10. #10

    in salocal.conf.in
    -------------

    header BLK_3 From =~ /ravi\.wi\@gmail\.com/
    score BLK_3 2


    I am trying to score my Gmail account. Is there something wrong I am doing here? It doesn't hit the rule.
