If you have the necessary access to add plugins, the solution involves
creating a custom plugin specifically for this checking and filtering
functionality.
Here is a plugin to check the MX records of the domain of the from email address
----------------
# plugin file /etc/mail/spamassassin/CheckPrivateEmailMX.pm
package Mail::SpamAssassin::Plugin::CheckPrivateEmailMX;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Net::DNS;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless ($self, $class);
    # Make check_sender_mx_matches() callable from "eval:" rules
    $self->register_eval_rule('check_sender_mx_matches');
    return $self;
}

# Returns 1 if any MX host of the envelope sender's domain matches $mx_pattern
sub check_sender_mx_matches {
    my ($self, $pms, $mx_pattern) = @_;

    # Address part of the envelope sender
    my $from = $pms->get('EnvelopeFrom:addr');
    return 0 unless $from;

    my ($domain) = $from =~ /\@(.+)$/;
    return 0 unless $domain;

    # Query MX records
    my $res = Net::DNS::Resolver->new;
    my @mx = mx($res, $domain);
    return 0 unless @mx;

    foreach my $rr (@mx) {
        my $mx_host = lc($rr->exchange);
        # regex matching
        if ($mx_host =~ /$mx_pattern/i) {
            return 1;
        }
    }
    return 0;
}

1;
---------------------
# config file
loadplugin Mail::SpamAssassin::Plugin::CheckPrivateEmailMX /etc/mail/spamassassin/CheckPrivateEmailMX.pm
#
header CHECK_PRIVATEEMAIL_MX eval:check_sender_mx_matches('privateemail\.com')
describe CHECK_PRIVATEEMAIL_MX Sender uses PrivateEmail MX servers
score CHECK_PRIVATEEMAIL_MX 2.5
#
header CHECK_PRIVATEEMAIL_MX1 eval:check_sender_mx_matches('mx1\.privateemail\.com')
describe CHECK_PRIVATEEMAIL_MX1 Sender uses mx1.privateemail.com
score CHECK_PRIVATEEMAIL_MX1 2.0
#
header CHECK_PRIVATEEMAIL_MX2 eval:check_sender_mx_matches('mx2\.privateemail\.com')
describe CHECK_PRIVATEEMAIL_MX2 Sender uses mx2.privateemail.com
score CHECK_PRIVATEEMAIL_MX2 2.0
On Fri, Nov 7, 2025 at 2:07 PM Benoît Panizzon <[email protected]>
wrote:
> Hi Assassins
>
> I noticed an increase of scam mails expecting the victim to reply and
> disclose personal data, which originate from daily changing domain
> names and sending IP addresses (probably a botnet).
>
> To name those received this week:
>
> gutter-install-info.site
> sd-st.com
> auto-repairhelp.xyz
>
> common to those domains is the MX used:
>
> mx1.privateemail.com
> mx2.privateemail.com
>
> operated by our good spam friend namecheap.
>
> Is there a way or plugin which would allow to score based on the MX of
> the sending domain?
>
> I contacted namecheap about their system being abused - but as usual I
> got stuck at the 'please log in to your account to open a case - oh, you
> are not a customer - sorry then we can't help'.
>
> --
> Kind regards
>
> -Benoît Panizzon- @ home office and reachable as usual
> --
> I m p r o W a r e A G - Head of Commerce Customers
> ______________________________________________________
>
> Zurlindenstrasse 29 Tel +41 61 826 93 00
> CH-4133 Pratteln Fax +41 61 826 93 01
> Switzerland Web http://www.imp.ch
> ______________________________________________________
> ______________________________________________________
>
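
An added example, not part of either message in this thread: a stand-alone Perl script that applies the three rule patterns from the config above the same way the plugin tests them (`$mx_host =~ /$mx_pattern/i`) and sums the scores of the rules that fire. The anchored pattern variants and the MX host sets are assumptions constructed for illustration; no DNS lookups are made.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rules as in the config above: [ name, pattern, score ].
my @rules = (
    [ 'CHECK_PRIVATEEMAIL_MX',  'privateemail\.com',      2.5 ],
    [ 'CHECK_PRIVATEEMAIL_MX1', 'mx1\.privateemail\.com', 2.0 ],
    [ 'CHECK_PRIVATEEMAIL_MX2', 'mx2\.privateemail\.com', 2.0 ],
);

# Hypothetical anchored variants (not from the thread): match only the exact
# host name or, for the first rule, privateemail.com and names below it.
my @anchored = (
    [ 'CHECK_PRIVATEEMAIL_MX',  '(?:^|\.)privateemail\.com$', 2.5 ],
    [ 'CHECK_PRIVATEEMAIL_MX1', '^mx1\.privateemail\.com$',   2.0 ],
    [ 'CHECK_PRIVATEEMAIL_MX2', '^mx2\.privateemail\.com$',   2.0 ],
);

# A rule fires when any MX exchange matches, as in check_sender_mx_matches().
sub fired_rules {
    my ($rules, @mx_hosts) = @_;
    my @hits;
    for my $rule (@$rules) {
        my $pattern = $rule->[1];
        push @hits, $rule if grep { lc($_) =~ /$pattern/i } @mx_hosts;
    }
    return @hits;
}

# Sum of the scores of the rules passed in.
sub total_score {
    my $sum = 0;
    $sum += $_->[2] for @_;
    return $sum;
}

# Constructed MX sets; .example and example.org are reserved names.
my %mx_sets = (
    'both privateemail MX hosts' => [ 'mx1.privateemail.com', 'mx2.privateemail.com' ],
    'look-alike under .example'  => [ 'mx1.privateemail.com.mail.example' ],
    'unrelated'                  => [ 'mx.example.org' ],
);

for my $label (sort keys %mx_sets) {
    for my $set ([ 'as posted', \@rules ], [ 'anchored', \@anchored ]) {
        my @hits = fired_rules($set->[1], @{ $mx_sets{$label} });
        printf "%-28s %-10s %4.1f  %s\n", $label, $set->[0],
            total_score(@hits), join(',', map { $_->[0] } @hits) || '-';
    }
}
```

For a domain that lists both MX hosts, all three rules fire and add up to 6.5, which is above SpamAssassin's default `required_score` of 5.0, so the overlap between the general rule and the two host-specific rules is worth checking before deployment. The unanchored patterns also fire on the look-alike host name under `.example`, while the anchored variants do not.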