Jim Schueler wrote: > My users have been getting particularly insidious emails containing a > windows virus that purports to come from the system administrator. > > One email header contains the following entry: > <snip> > I would expect this test would be part of the distributed SpamAssassin > configuration files. Can anybody recommend an approach other than > reinventing the wheel?
In general Your expectations are beyond what SpamAssassin is designed to do. SA is NOT intended to be a virus scanner, it's only intended to detect spam. Install a virus scanner, such as clamav, and run your mail through it at the MTA level. Virus scanners can update signatures much more frequently than SA can. That said, the forgery CAN be detected by SpamAssassin, but only if you publish SPF records for your domain. Right now, motorcityinteractive.com lacks any SPF records, so SPF assumes that all hosts in the world are valid sources of mail claiming to be from motorcityinteractive.com. SPF is pretty easy, it's just a TXT record you publish in DNS. http://spf.pobox.com/
