tuning spmassasin to treat more harshly mails with forged sender’s address claiming to come from us

once in a while we get e-mails with spoofed sender’s address claiming to come from @ourorg.com. this can fool some of our users; outlook displaying an image of sender solely based on the From: field does not help here. some of those messages have different Return-Path pointing to @someotherscammy.site, other have it also pointing to @ourorg.com. here are two spamassassin rules to the rescue.

header FROM_US From =~ /\@(ourorg\.com|ourorg\.org)\>$/i
header RETURN_PATH_US Return-Path =~ /\@(ourorg\.com|ourorg\.org)\>$/i
meta FROM_US_RETURN_PATH_OUTSIDE ( FROM_US && !RETURN_PATH_US )
score FROM_US 0.001
score RETURN_PATH_US 0.001
score FROM_US_RETURN_PATH_OUTSIDE 2
describe FROM_US_RETURN_PATH_OUTSIDE From address within our domain yet having Return-Path: pointing to domains that are not under our control


meta SPF_FAIL_FROM_US ( FROM_US && SPF_FAIL )
score SPF_FAIL_FROM_US 2
describe SPF_FAIL_FROM_US  From address within our domain yet originating from IPs that are not listed in our SPF record

both rules should be applied with care. in our case there’s no mailing sent by 3rd parties on our behalf, we should be in total control of messages originating from @ourorg.com, but that’s not the case for others.

Leave a Reply

Your email address will not be published. Required fields are marked *