spamassassin-users mailing list archives

From "Dennis B. Hopp" <>
Subject Re: Bogus mails from hijacked accounts
Date Wed, 10 Mar 2010 21:08:23 GMT

On Wed, 2010-03-10 at 20:22 +0000, Martin Gregorie wrote:
> On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:
> > Obviously we just have to tell the clients that they need to deal with
> > the various e-mail providers, but is there an effective way that I can
> > filter these messages out before my users see them without blacklisting
> > the address?
> >
> There's nothing in SA that can blacklist a sending MTA, so blacklisting
> can't happen unless you've added something to your MTA set-up that does
> auto-blacklisting.

I meant blacklisting the sender address, not the MTA.

> The question then comes down to marking the message as spam and dealing
> with it however you normally deal with spam. You'll probably need custom
> rule(s) to handle that. You say the message bodies are quite variable,
> but I notice that the Reply-to: header doesn't remotely match the From:
> header. Is this a common factor?

In the ones that I have seen, the reply-to doesn't match the from, and I
think the reply-to have all been

> If it is, and the body texts have no common features that could also be
> used, the only obvious approach would be a rule for each forged sending
> domain that fires if the sending domain doesn't match the Reply-to
> domain. 

There isn't anything in common that I can see that wouldn't be
susceptible to false positives.  One even left the client's signature
intact.  I've written fairly simple custom rules before, but I'm not sure
how to do conditional rules.  I'll have to dig into the docs a little

> Only you can know if these rules would cause false positives: I can't
> possibly tell from a single sample message.

I wasn't expecting anybody to give me a magic rule that would fix it,
just suggestions since I would only be able to blacklist the sender
address after the e-mail had been received and I was notified of the
problem.  And obviously blacklisting all of gmail/hotmail/yahoo isn't an

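The "rule per forged sending domain" that Martin describes is a SpamAssassin `meta` rule built from unscored `__` sub-rules. The fragment below is an added example for this thread, not something posted by either participant; it assumes a hypothetical client domain `example.com` and a local `local.cf`, and the rule names and score are placeholders to adjust. It fires only when the address in From: is at the client's domain, a Reply-To: header is present, and that Reply-To: address is not at the same domain, so a message with no Reply-To: at all is left alone. Repeat the three sub-rules and the meta rule once per client domain.

```spamassassin
# Added example: flag mail that claims to be From: a client's domain but
# redirects replies elsewhere.  Assumes the client's domain is example.com
# (placeholder) and that this lives in /etc/mail/spamassassin/local.cf.

# Sub-rules (names starting with __ carry no score of their own).
# From:addr / Reply-To:addr match only the address part, not the display name.
header   __LOCAL_FROM_EXAMPLE_COM      From:addr =~ /\@example\.com$/i
header   __LOCAL_HAS_REPLYTO           exists:Reply-To
header   __LOCAL_REPLYTO_EXAMPLE_COM   Reply-To:addr =~ /\@example\.com$/i

# The conditional: From at the client's domain AND a Reply-To exists
# AND that Reply-To is NOT at the client's domain.
meta     LOCAL_FORGED_EXAMPLE_COM_REPLYTO  (__LOCAL_FROM_EXAMPLE_COM && __LOCAL_HAS_REPLYTO && !__LOCAL_REPLYTO_EXAMPLE_COM)
describe LOCAL_FORGED_EXAMPLE_COM_REPLYTO  From: example.com but Reply-To: points at another domain
score    LOCAL_FORGED_EXAMPLE_COM_REPLYTO  3.0
```

Run `spamassassin --lint` after adding it to catch syntax mistakes, and test with a saved sample via `spamassassin -t < sample.eml` to see whether `LOCAL_FORGED_EXAMPLE_COM_REPLYTO` appears in the hit list. Two caveats: the approach only helps for clients who send from their own domain, since a From: at gmail.com/hotmail.com/yahoo.com says nothing about who the legitimate owner is; and the score should stay below your spam threshold unless you have checked that the client never legitimately sets a Reply-To: at a different domain (ticketing systems and newsletter tools sometimes do).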