On Wed, 2020-01-15 at 11:02 -0500, AJ Weber wrote:
> I'm hoping this is a relatively simple test...
>
> I'm seeing emails "From Me, To Me", typically extortion types. I'm not
> even seeing which of the SA tests are getting hit, because I have my
> own email in my Whitelist.
>
> Is there a way I can check IF From = m...@staticinfo.com AND Return-Path
> != FROM in a rule?
>
> I guess no matter what, I would have to remove my own email address
> from the Whitelist? Or can this be checked and override the
> whitelist-shortcircuit somehow?

I'd suggest a few things.

1) Make sure all your real email is DKIM signed. Then change the whitelist on your own email to one or more whitelist_from_dkim entries with valid signing domains. Proper use of DKIM is awesome for whitelisting.

2) You can't test multiple headers in one rule but meta rules are your friend.

    # Sub-rules (leading double underscore: no score of their own)
    header   __LOCAL_RETURN_PATH_ME  Return-Path =~ /my\@address/im
    header   __LOCAL_FROM_ME         From =~ /my\@address/im
    # Fires when From matches but Return-Path does not
    meta     LOCAL_ME_FORGED         (__LOCAL_FROM_ME && !__LOCAL_RETURN_PATH_ME)
    score    LOCAL_ME_FORGED         10
    describe LOCAL_ME_FORGED         Message has my address in From but not in envelope sender

3) Much better plan, just add DMARC to your domain and high score anything from your domain that fails DMARC. There is no reason to be seeing mail forged from your own address in 2020 (assuming you have your own domain).

4) Remember that most mailing list messages will fail both 2) and 3) above. Have a plan for mailing lists.
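
Added example, not part of the original thread: the From / Return-Path comparison behind the LOCAL_ME_FORGED meta rule in the reply above, run over three constructed messages to show why mailing-list mail trips it. The address me@example.com, the sample messages, and the List-Id check are assumptions for illustration; the comparison here is an exact address match rather than the regex match the SpamAssassin rule performs.

```python
from email import message_from_string
from email.utils import parseaddr

MY_ADDRESS = "me@example.com"  # assumption: placeholder for the protected address


def header_addr(msg, name):
    """Return the lower-cased address found in a header, or '' if absent."""
    return parseaddr(msg.get(name, ""))[1].lower()


def classify(raw, my_address=MY_ADDRESS):
    """Apply the same logic as the meta rule: From is me, Return-Path is not."""
    msg = message_from_string(raw)
    if header_addr(msg, "From") != my_address:
        return "not-from-me"
    if header_addr(msg, "Return-Path") == my_address:
        return "consistent"
    # From claims my address but the envelope sender differs.
    # List software rewrites Return-Path to its own bounce address, so a
    # message I posted to a list looks identical to a forgery at this point.
    # List-Id (RFC 2919) is sender-controlled, so treat it as a hint for a
    # lower score, not as proof of legitimacy.
    if msg.get("List-Id"):
        return "mailing-list"
    return "forged"


# Constructed sample messages (headers only matter here).
SAMPLES = {
    "genuine": "Return-Path: <me@example.com>\n"
               "From: Me <me@example.com>\n"
               "Subject: note to self\n\nbody\n",
    "extortion": "Return-Path: <bulk@sender.invalid>\n"
                 "From: <me@example.com>\n"
                 "To: <me@example.com>\n"
                 "Subject: I have your password\n\nbody\n",
    "list": "Return-Path: <users-bounces@lists.example.org>\n"
            "From: Me <me@example.com>\n"
            "List-Id: <users.lists.example.org>\n"
            "Subject: Re: question\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {classify(raw)}")
```
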