On Sat, 2014-08-23 at 14:59 -0400, Jeff wrote:
> I recently started getting hammered by spam and nearly all of the spam
> emails have one thing in common. The return-path header contains the
> email address that the spam is being sent to.
>
> Below is a sample header:
> ...
> Return-Path: amazon-voucher-myname=mydomain....@indiarti.com
> ...
>
> The green text above is the email address that the spam is being sent
> to (i.e., myn...@mydomain.com).

That's common practice with legitimate mail, too, in particular mailing
lists. Have a look at this mail's Return-Path header.

> Is there a way to write a custom SpamAssassin rule that will mark any
> message as spam if the return-path contains the 'To' address,
> regardless of what it may be, and the equal sign (i.e.,
> user=domain.tld)?

See the TO_EQ_FROM stock rule. A similar rule for the Return-Path should
actually be simpler, though.

The Return-Path header (or similar envelope from type headers) is
generated by the MTA, so the order of Return-Path and To headers should
be static -- unlike To and From, which are set by the sending MUA.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
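
An added example, not part of the original message and not SpamAssassin code: a Python sketch of the check asked about above (Return-Path local part containing `user=domain` for a To address), run over constructed headers. All addresses are made-up `example.*` values and the function name is hypothetical; it shows that the check also fires on legitimate mail that encodes the recipient in the envelope sender, which is why it suits a low-scoring sub-rule rather than a standalone spam verdict.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def return_path_embeds_recipient(raw: str) -> bool:
    """True if the Return-Path local part contains user=domain of a To address."""
    msg = message_from_string(raw)
    _, rpath = parseaddr(msg.get("Return-Path", ""))
    local = rpath.rpartition("@")[0].lower()
    if not local:  # missing header or null sender "<>" (bounces)
        return False
    for _, addr in getaddresses(msg.get_all("To", [])):
        user, _, domain = addr.lower().rpartition("@")
        if user and domain and f"{user}={domain}" in local:
            return True
    return False


# Constructed sample headers (not taken from the thread).
SPAM_LIKE = (
    "Return-Path: <voucher-alice=example.org@bulk.example.net>\n"
    "To: alice@example.org\nSubject: voucher\n\nbody\n"
)
# Legitimate newsletter using the same recipient-in-sender encoding.
NEWSLETTER = (
    "Return-Path: <bounce-alice=example.org@news.example.com>\n"
    "To: Alice <alice@example.org>\nSubject: monthly update\n\nbody\n"
)
# List mail: the envelope sender encodes the subscriber, but To is the list,
# so a header-based comparison does not see the match.
LIST_MAIL = (
    "Return-Path: <users-return-42-alice=example.org@lists.example.com>\n"
    "To: users@lists.example.com\nSubject: Re: rule question\n\nbody\n"
)
BOUNCE = "Return-Path: <>\nTo: alice@example.org\nSubject: DSN\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("spam-like", SPAM_LIKE), ("newsletter", NEWSLETTER),
                      ("list mail", LIST_MAIL), ("bounce", BOUNCE)]:
        print(f"{name:10s} -> {return_path_embeds_recipient(raw)}")
```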