1

Having a little trouble with Spamassasin identfying spam emails coming from a domain of mine.

The spam email is coming in from a return-path of someone@spammer.com, but the from field in the header is being set as someone@mydomain.com.

I've done a test by connecting to the smtp server, and setting my own from address (someone@spammer.com) and then using a different one in the DATA headers as someone@mydomain.com.

When i test it myself, spamassasin marks it as spam with the following variables: 

X-Spam-Status: Yes, score=5.0 required=4.5 tests=ALL_TRUSTED,FROM_ADDR_WS,
HEADER_FROM_DIFFERENT_DOMAINS,MISSING_DATE,MISSING_HEADERS,MISSING_MID

However, on the original spam email I received externally, HEADER_FROM_DIFFERENT_DOMAINS does not get triggered!
In fact, the original spam email had a score of 0!

Any ideas why this could be? I have checked the original email and I can clearly see the return-path domain and the From:field are both different domains.

My goal is to mark any emails as spam if they have a different domain in the return-path to the from field, I thought that HEADER_FROM_DIFFERENT_DOMAINS rule would do this but it doesn't seem to have happened on the original spam email I got.

Any ideas where I'm going wrong?

Thanks!

Daniele Santi
  • 2,529
  • 1
  • 25
  • 22
Maxingwell
  • 11
  • 1
  • 2

1 Answers1

1

First, you should really consider disabling accepting mail from yourdomain.com addresses without SASL authentication with something like

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauthenticated_sender_login_mismatch, permit

The second thing is that what these spammer guys probably do is they feed you non-fqdn From: header (e.g. From: mary) that gets expanded on your system upon reception. Hence there's no domain mismatch, as there's no domain on a milter level in the From: field.

Peter Zhabin
  • 2,696
  • 9
  • 10