
From: "postmaster@coker.com.au" <ich@trimas.com.au>

Above is the From field of a spam that recently arrived in my inbox, the Return-Path and Message-ID refer to trimas.com.au so it didn't hit any SPF checks.

Is there a good way of stopping such spam with Postfix and SpamAssassin?

I wrote some milter code to stop this for a client, the code was a little hacky and even if I had approval to reuse it the amount of work involved would vastly exceed the amount of time it takes to just delete such mail.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On Friday, 1 April 2016 10:22:40 PM AEDT Russell Coker via luv-main wrote:
> Is there a good way of stopping such spam with Postfix and SpamAssassin?

You can match on the display-name in "header" tests with SpamAssassin using the :name suffix according to the docs:

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

# Appending a modifier :name to a header field name will cause everything
# except the first display name to be removed from the header field. It is
# mainly applicable to header fields containing a single mail address: 'From',
# 'Sender', along with their 'Resent-From' and 'Resent-Sender' counterparts.
[...]
# For example, appending :name to a header name will result in "Foo Blah"
# (without quotes) in all of the following cases:
#
# example@foo (Foo Blah)
[...]
# "Foo Blah" <example@foo>

Best of luck!
Chris

--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

On Fri, 1 Apr 2016 11:47:42 PM Chris Samuel via luv-main wrote:
> On Friday, 1 April 2016 10:22:40 PM AEDT Russell Coker via luv-main wrote:
>> Is there a good way of stopping such spam with Postfix and SpamAssassin?
> You can match on the display-name in "header" tests with SpamAssassin using the :name suffix according to the docs:
> http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

header FAKE_DOMAIN From =~ /@coker.com.au/:addr

From the documentation you reference it appears that the above line might do what's necessary. Writing a shell script that generates a config file listing every domain that the server supports should be easy enough. Then I just have to make sure that SA doesn't run on local mail.

On Sat, 2 Apr 2016 01:32:31 AM Andrew McGlashan via luv-main wrote:
> Above, the "postmast..." part is just the pretty name, it isn't the real from address; still the trimas.com.au domain has no SPF record for validation anyway.

I know, but forging an address in my domain is a very good criterion for recognising spam.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
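
As an added example (not part of any message in this thread), here is a sketch of the shell script idea mentioned above: it reads a list of hosted domains and emits one SpamAssassin rule per domain that fires when the From display name contains an address in that domain. It uses the documented form with the modifier attached to the header name (From:name); the rule names, the score of 3.0 and the sample domains are assumptions.

```shell
#!/bin/sh
# Added example: generate SpamAssassin rules that flag mail whose From
# display name (From:name) claims an address in one of our own domains.
# Rule names, score and sample domains are assumptions for illustration.

# Read domains (one per line) on stdin, write rules on stdout.
gen_fake_domain_rules() {
    n=0
    while IFS= read -r domain; do
        # Skip blank lines and comment lines in the domain list.
        case "$domain" in ''|'#'*) continue ;; esac
        # Accept plain hostnames only, so no stray character can end up
        # inside the generated regular expression.
        if printf '%s\n' "$domain" | grep -Eq '[^A-Za-z0-9.-]'; then
            echo "skipping invalid domain: $domain" >&2
            continue
        fi
        n=$((n + 1))
        # Escape dots so "." matches only a literal dot.
        re=$(printf '%s\n' "$domain" | sed 's/\./\\./g')
        printf 'header   FAKE_DOMAIN_%d From:name =~ /\\@%s\\b/i\n' "$n" "$re"
        printf 'describe FAKE_DOMAIN_%d From display name claims an address at %s\n' "$n" "$domain"
        printf 'score    FAKE_DOMAIN_%d 3.0\n' "$n"
    done
}

# Constructed sample input; in practice feed the server's real domain list.
printf 'coker.com.au\nexample.org\n' | gen_fake_domain_rules
```

Write the output to a file in the SpamAssassin configuration directory and check it with `spamassassin --lint` before reloading.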

On 1/04/2016 10:22 PM, Russell Coker via luv-main wrote:
> From: "postmaster@coker.com.au" <ich@trimas.com.au>
> Above is the From field of a spam that recently arrived in my inbox, the Return-Path and Message-ID refer to trimas.com.au so it didn't hit any SPF checks.
> Is there a good way of stopping such spam with Postfix and SpamAssassin?

Not likely, email is so broken in some areas, backscatter is one of them; backscatter caused by incorrect SPF handling.

Above, the "postmast..." part is just the /pretty/ name, it isn't the real from address; still the trimas.com.au domain has no SPF record for validation anyway.

> I wrote some milter code to stop this for a client, the code was a little hacky and even if I had approval to reuse it the amount of work involved would vastly exceed the amount of time it takes to just delete such mail.

You will be fighting a never ending battle.

Cheers
AndrewM

participants (3)
- Andrew McGlashan
- Chris Samuel
- Russell Coker