I received the following Nigerian scam today. What makes it interesting is the fact that it picked up a -100 for supposedly being in my whitelist, yet my whitelist contains nothing even remotely resembling the FROM address used. I do, however, have a wildcard entry for ebay.com (which I'll now go change); is it possible that this got whitelisted because of the bogus Return-Path?
Yes.. Return-Path IS considered a "From" address by SpamAssassin.
If you look in EvalTests.pm, sub all_from_addrs you can see that SA uses all of these headers as "From" addresses:
# Resent- headers take priority, if present. see bug 672
$self->get ('Resent-From')); ($self->get ('From') . # std
$self->get ('Envelope-Sender') . # qmail: new-inject(1)
$self->get ('Resent-Sender') . # procmailrc manpage
$self->get ('X-Envelope-From') . # procmailrc manpage
$self->get ('Return-Path') . # Postfix, sendmail; rfc821Also note that if it finds a resent-from header, the others will be ignored. Otherwise it will check ALL of the addresses in the second grouping.
