once in a while we get e-mails with a spoofed sender address claiming to come from @ourorg.com. this can fool some of our users; outlook displaying the sender's picture based solely on the From: field does not help here. some of those messages have a different Return-Path pointing to @someotherscammy.site, others have it also pointing to @ourorg.com. here are two spamassassin rules to the rescue.

    # :addr compares only the address, so bare and <bracketed> forms both match
    header FROM_US From:addr =~ /\@(ourorg\.com|ourorg\.org)$/i
    header RETURN_PATH_US Return-Path:addr =~ /\@(ourorg\.com|ourorg\.org)$/i

    # From: claims our domain, envelope sender does not
    meta FROM_US_RETURN_PATH_OUTSIDE ( FROM_US && !RETURN_PATH_US )
    score FROM_US 0.001
    score RETURN_PATH_US 0.001
    score FROM_US_RETURN_PATH_OUTSIDE 2
    describe FROM_US_RETURN_PATH_OUTSIDE From address within our domain yet having Return-Path: pointing to domains that are not under our control

    # From: claims our domain, sending IP fails our SPF record
    meta SPF_FAIL_FROM_US ( FROM_US && SPF_FAIL )
    score SPF_FAIL_FROM_US 2
    describe SPF_FAIL_FROM_US From address within our domain yet originating from IPs that are not listed in our SPF record

both rules should be applied with care. in our case no mail is sent by 3rd parties on our behalf, so we should be in total control of messages originating from @ourorg.com, but that’s not the case for others.
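
The logic of the two meta rules, replayed in Python over constructed messages so that both the hits and the false-positive cases are visible. This is an added example, not part of the original post: `evaluate`, `make` and the sample addresses are made up here, and `spf_fail` stands in for SpamAssassin's own SPF_FAIL result.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"ourorg.com", "ourorg.org"}  # the domains used in the rules

def domain_of(header_value):
    """Lowercased domain of the first address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def evaluate(raw_message, spf_fail=False):
    """Names of the rules that would hit; spf_fail stands in for SPF_FAIL."""
    msg = message_from_string(raw_message)
    from_us = domain_of(msg.get("From")) in OUR_DOMAINS
    return_path_us = domain_of(msg.get("Return-Path")) in OUR_DOMAINS
    hits = set()
    if from_us:
        hits.add("FROM_US")
    if return_path_us:
        hits.add("RETURN_PATH_US")
    if from_us and not return_path_us:
        hits.add("FROM_US_RETURN_PATH_OUTSIDE")
    if from_us and spf_fail:
        hits.add("SPF_FAIL_FROM_US")
    return hits

def make(from_value, return_path):
    """Build a constructed test message; return_path=None omits the header."""
    headers = [f"From: {from_value}", "Subject: invoice"]
    if return_path is not None:
        headers.insert(0, f"Return-Path: {return_path}")
    return "\n".join(headers) + "\n\nbody\n"

# Constructed samples: (label, message, did SPF fail?)
SAMPLES = [
    ("spoofed, Return-Path outside", make('"Accounts" <accounts@ourorg.com>', "<bounce@someotherscammy.site>"), False),
    ("spoofed, Return-Path ours, SPF fail", make("accounts@ourorg.com", "<accounts@ourorg.com>"), True),
    ("legitimate internal mail", make("Ann <ann@ourorg.org>", "<ann@ourorg.org>"), False),
    ("our own bounce, null Return-Path", make("postmaster@ourorg.com", "<>"), False),
    ("no Return-Path header at scan time", make("ann@ourorg.com", None), False),
    ("unrelated sender", make("bob@example.net", "<bob@example.net>"), False),
]

if __name__ == "__main__":
    for label, raw, spf in SAMPLES:
        print(f"{label:38} {sorted(evaluate(raw, spf))}")
```

The last two "ours" cases are the ones to check on a real setup before scoring: a bounce with a null Return-Path, or a message scanned with no Return-Path header present, hits FROM_US_RETURN_PATH_OUTSIDE even though it is legitimate.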