lunarj565, I faced recently the same problem, having lots of phishing email originating from HotMail users (with correct return-paths, thus passing SPF check) but with From and Reply-to set to ...@blizzard.com.
I wrote this simple plugin: Perl | package FromNotReturnPath; us - Ivan Korotkov - 0m9CYxzV - Pastebin.com (based on SpamAssassin samples)
Save it to /etc/spamassassin/plugins. To use it, add new .pre-file to /etc/spamassassin with following content:
Then you can set FROM_NOT_RETURN_PATH's score in local.cf as usual.
loadplugin FromNotReturnPath plugins/FromNotReturnPath.pm
header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
describe FROM_NOT_RETURN_PATH From: does not match Return-path:
I'd recommend using it in conjunction with spamming domain (because, technically, return-path does not always equal From even in legitimate e-mail; maillists are counter-example). I use it as follows:
(high score is needed to outweigh SPF_PASS).
header __FROM_BLIZZARD From =~ /\@blizzard\.com/i
meta FAKE_BLIZZARD_ANNOUNCE (__FROM_BLIZZARD && FROM_NOT_RETURN_PATH)
describe FAKE_BLIZZARD_ANNOUNCE Fake mail from Blizzard account management
score FAKE_BLIZZARD_ANNOUNCE 40.0