{"id":2641,"date":"2016-05-13T09:38:53","date_gmt":"2016-05-13T08:38:53","guid":{"rendered":"http:\/\/kudzia.eu\/b\/?p=2641"},"modified":"2016-09-05T14:10:08","modified_gmt":"2016-09-05T13:10:08","slug":"tuning-spmassasin-to-treat-more-harshly-messages-with-spoofed-our-own-senders-address","status":"publish","type":"post","link":"https:\/\/kudzia.eu\/b\/2016\/05\/tuning-spmassasin-to-treat-more-harshly-messages-with-spoofed-our-own-senders-address\/","title":{"rendered":"tuning spmassasin to treat more harshly mails with forged sender&#8217;s address claiming to come from us"},"content":{"rendered":"<p>once in a while we get e-mails with spoofed sender&#8217;s address claiming to come from @ourorg.com. this can fool some of our users; outlook displaying an image of sender solely based on the From: field does not help here. some of those messages have different Return-Path pointing to @someotherscammy.site, other have it also pointing to @ourorg.com. here are two spamassassin rules to the rescue.<br \/>\n<!--more--><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nheader FROM_US From =~ \/\\@(ourorg\\.com|ourorg\\.org)\\&gt;$\/i\r\nheader RETURN_PATH_US Return-Path =~ \/\\@(ourorg\\.com|ourorg\\.org)\\&gt;$\/i\r\nmeta FROM_US_RETURN_PATH_OUTSIDE ( FROM_US &amp;&amp; !RETURN_PATH_US )\r\nscore FROM_US 0.001\r\nscore RETURN_PATH_US 0.001\r\nscore FROM_US_RETURN_PATH_OUTSIDE 2\r\ndescribe FROM_US_RETURN_PATH_OUTSIDE From address within our domain yet having Return-Path: pointing to domains that are not under our control\r\n\r\n\r\nmeta SPF_FAIL_FROM_US ( FROM_US &amp;&amp; SPF_FAIL )\r\nscore SPF_FAIL_FROM_US 2\r\ndescribe SPF_FAIL_FROM_US  From address within our domain yet originating from IPs that are not listed in our SPF record\r\n<\/pre>\n<p>both rules should be applied with care. in our case there&#8217;s no mailing sent by 3rd parties on our behalf, we should be in total control of messages originating from @ourorg.com, but that&#8217;s not the case for others.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>once in a while we get e-mails with spoofed sender&#8217;s address claiming to come from @ourorg.com. this can fool some of our users; outlook displaying an image of sender solely based on the From: field does not help here. some of those messages have different Return-Path pointing to @someotherscammy.site, other have it also pointing to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[95],"class_list":["post-2641","post","type-post","status-publish","format-standard","hentry","category-tech","tag-spam"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=2641"}],"version-history":[{"count":7,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2641\/revisions"}],"predecessor-version":[{"id":2671,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2641\/revisions\/2671"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=2641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=2641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=2641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}