Re: spam with bad From: field

2016-04-01 Thread Russell Coker via luv-main 
On Fri, 1 Apr 2016 11:47:42 PM Chris Samuel via luv-main wrote:
> On Friday, 1 April 2016 10:22:40 PM AEDT Russell Coker via luv-main wrote:
> > Is there a good way of stopping such spam with Postfix and SpamAssassin?
> 
> You can match on the display-name in "header" tests with SpamAssassin using
> the :name suffix according to the docs:
> 
> http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

header FAKE_DOMAIN From =~ /@coker.com.au/:addr

From the documentation you reference it appears that the above line might do 
what's necessary.  Writing a shell script that generates a config file listing 
every domain that the server supports should be easy enough.  Then I just have 
to make sure that SA doesn't run on local mail.

On Sat, 2 Apr 2016 01:32:31 AM Andrew McGlashan via luv-main wrote:
> Above, the "postmast..." part is just the pretty name, it isn't the
> real from address; still the trimas.com.au domain has no SPF record for
> validation anyway.

I know, but forging an address in my domain is a very good criteria for 
recognising spam.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Bloghttp://doc.coker.com.au/
___
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main

Re: spam with bad From: field

2016-04-01 Thread Andrew McGlashan via luv-main 


On 1/04/2016 10:22 PM, Russell Coker via luv-main wrote:
> From: "postmas...@coker.com.au" 
> 
> Above is the From field of a spam that recently arrived in my inbox, the 
> Return-Path and Message-ID refer to trimas.com.au so it didn't hit any SPF 
> checks.
> 
> Is there a good way of stopping such spam with Postfix and SpamAssassin?

Not likely, email is so broken in some areas, backscatter is one of
them; backscatter caused by incorrect SPF handling.

Above, the "postmast..." part is just the /pretty/ name, it isn't the
real from address; still the trimas.com.au domain has no SPF record for
validation anyway.

> I wrote some milter code to stop this for a client, the code was a little 
> hacky and even if I had approval to reuse it the amount of work involved 
> would 
> vastly exceed the amount of time it takes to just delete such mail.

You will be fighting a never ending battle.

Cheers
AndrewM
___
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main

Re: spam with bad From: field

2016-04-01 Thread Chris Samuel via luv-main 
On Friday, 1 April 2016 10:22:40 PM AEDT Russell Coker via luv-main wrote:

> Is there a good way of stopping such spam with Postfix and SpamAssassin?

You can match on the display-name in "header" tests with SpamAssassin using 
the :name suffix according to the docs:

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

# Appending a modifier :name to a header field name will cause everything
# except the first display name to be removed from the header field. It is
# mainly applicable to header fields containing a single mail address: 'From',
# 'Sender', along with their 'Resent-From' and 'Resent-Sender' counterparts.
[...]
# For example, appending :name to a header name will result in "Foo Blah"
# (without quotes) in all of the following cases:
#
# example@foo (Foo Blah)
[...]
# "Foo Blah" 

Best of luck!
Chris
-- 
 Chris Samuel  :  http://www.csamuel.org/  :  Melbourne, VIC

___
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main

spam with bad From: field

2016-04-01 Thread Russell Coker via luv-main 
From: "postmas...@coker.com.au" 

Above is the From field of a spam that recently arrived in my inbox, the 
Return-Path and Message-ID refer to trimas.com.au so it didn't hit any SPF 
checks.

Is there a good way of stopping such spam with Postfix and SpamAssassin?

I wrote some milter code to stop this for a client, the code was a little 
hacky and even if I had approval to reuse it the amount of work involved would 
vastly exceed the amount of time it takes to just delete such mail.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Bloghttp://doc.coker.com.au/
___
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main