On 8/25/11 3:42 PM, Todd Aiken wrote:
-----Original Message-----

From: "David F. Skoll" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tue, 23 Aug 2011 16:01:01 -0400
To: "[email protected]" <[email protected]>
Subject: Re: [Mimedefang] More than one From address

Our Linux gateways are correctly classifying the mail as
spam, but the transport rules on our Exchange server that filter
based on the X-Spam-Level header are not triggering because of the
multiple From addresses, and the spam ends up in everyone's Inbox.
Is there any easy way I can add something into my MIMEDefang's
configuration to detect and reject messages that come in with more
than one From address?

Call Microsoft support and ask them to fix Exchange! :)

You'll have to parse the From: header, I guess.  Use the Mail::Address
Perl module to parse it out and if you get back more than one address,
take action... but be aware that you may block legitimate mail.

Thanks for your assistance.  I was able to modify my Mimedefang
configuration with the following code in filter_end, right after I discard
messages with a spam rating > 15:

if ($hits > 5) {
     # Raw From: header of the message being filtered
     my $From = $entity->head->get("From");
     if ($From =~ /\@ubishops\.ca/i) {
         md_graphdefang_log('spam', $hits, $RelayAddr);
         md_syslog('info', "$MsgID, filter_end changed HEADERS because spam level = $hits AND sender says they are from ubishops.ca");
         # Keep the original From: in X-Old-From, then replace From:
         # with the envelope sender
         action_change_header("X-Old-From", "$From");
         action_change_header("From", "$Sender");
     }
}

This fixes two problems in Exchange.  1) It prevents the transport rules
from crapping out due to multiple From addresses, and 2) It prevents our
Outlook safe senders rules from leaving the spam in a user's mailbox
because Outlook thinks the message is from us.  And it also doesn't block
any mail because the mail is already classified as spam and is supposed to
end up in the user's Junk Mail folder anyways.

Two questions:

  1. if you increase the score for mail from Internet, which has your
     own domain in the From address, what about mail to this MIMEdefang
     list that is distributed to all subscribers, including yourself? I
     assume your own posting to this list is marked as spam now? :-)
  2. there is no guarantee that the $Sender (envelope From or
     5321.From) address of a spam message is not also
     [email protected]. If the 5321.From address also contains the
     domain ubishops.ca, then you still have problem #2 (Outlook safe
     senders rule).


/rolf

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
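
The Mail::Address check suggested in the thread, combined with the envelope-sender caveat from the last reply, as an added example that is not code from any of the participants. The domain example.org, the helper names from_addresses and classify_from, the result labels and the sample headers are assumptions made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Mail::Address;    # MailTools distribution, the module named in the thread

# Assumption: placeholder for the site's own domain.
my $LOCAL_DOMAIN = 'example.org';

# Return every address found in a raw From: header value.
sub from_addresses {
    my ($raw) = @_;
    return () unless defined $raw;
    $raw =~ s/\r?\n[ \t]+/ /g;    # unfold continuation lines
    $raw =~ s/\s+\z//;            # drop the trailing newline
    return grep { defined($_) && length($_) }
           map  { $_->address } Mail::Address->parse($raw);
}

# Classify a message from its From: header and envelope sender.
# RFC 5322 permits several mailboxes in From: (with a Sender: header),
# so 'multiple-from' is a signal to combine with the spam score.
sub classify_from {
    my ($raw_from, $envelope_sender) = @_;
    my @addrs = from_addresses($raw_from);
    return 'multiple-from' if @addrs > 1;
    return 'ok' unless grep { /\@\Q$LOCAL_DOMAIN\E\z/i } @addrs;
    # Assumption: the envelope sender may arrive wrapped in <>.
    (my $sender = $envelope_sender // '') =~ s/^<|>$//g;
    # If the envelope sender is also local, copying it into From:
    # would not stop a safe-senders match on the local domain.
    return $sender =~ /\@\Q$LOCAL_DOMAIN\E\z/i
        ? 'local-from-and-sender' : 'local-from';
}

# Constructed samples: [ From: header value, envelope sender ].
my @samples = (
    [ qq{"A User" <a\@example.org>, b\@spam.example\n}, '<x@spam.example>' ],
    [ qq{"Staff" <staff\@example.org>\n},               '<x@spam.example>' ],
    [ qq{"Staff" <staff\@example.org>\n},               '<y@example.org>'  ],
    [ qq{Friend <friend\@example.net>\n},               '<friend@example.net>' ],
);

# In filter_end the inputs would be $entity->head->get("From") and $Sender.
for my $s (@samples) {
    printf "%-22s %s", classify_from(@$s), $s->[0];
}
```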
