Need Spamassassin rule to detect recipient equal to sender

I have mail from my domains whitelisted and get a lot of spam using the technique of making the sender address equal to the recipient. I would like to write a rule to detect this so I can subtract the whitelist value, but can't wrap my head around it.
I can detect if the From: address contains some value or if the To: contains some value, but how can you determine if the address in From: is the same as the address in To:, especially since the From might be "Big Deals" <me@mydomain.com> while the To: is "My Name" <me@mydomain.com>?
Better yet, has anyone written a rule to do this already?
LVL 1
scarpenter104Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

grbladesCommented:
The short answer is that it cannot be done without having lots of rules and even then you will have significant problems.

You should never whitelist your own domain.
You should either configure trusted hosts in spamassassin or use smtp authentication on a different port when sending mail and then have it bypass the spam check.
0
scarpenter104Author Commented:
I whitelist my domains because I have many companies receiving mail on this server and I don't want intra-company mail to be flagged as spam EVER. You can't do this with trusted hosts because you never know where the mail will be originating. I could trust their office mail server but they also send through their homes, on the road, even internationally.

As far as the "cannot be done" statement goes, I find that hard to accept. I was told years ago that modems would never go faster than 9600 baud and CPU's would never exceed 32Mhz.

I am not opposed to using several rules to accomplish this. I'm also not opposed to some external PERL. I'm looking for guidance on how it can be done.
0
robocatCommented:

There are additional products like mimedefang that allow you to easily define such rules. But this would not help you much, because what are you going to do if the SPAM uses <somebodyelse@mydomain.com> as a sender ? You can never differentiate between legit intra-company mail and spam this way. And what if the user wants to send himself a reminder mail ?

You CAN use trusted hosts if you use a different server or an smtp server on a different port that uses SMTP authentication. Only known users can use this host/port and all mail orginating from this is safe.


0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

grbladesCommented:
In that case you should trust their mail server and require all users sending mail from elsewhere to use smtp authentication.

If you are not using smto authentication how are you controlling relaying?
If you allow relaying for any email where the from address is from one of your domains then you will soon be used to relay spam and end up getting blacklisted yourself.

In order to do what you want you will have to write the following rules :-
1) A rule to match the users email address in the To or CC field.
2) A rule to match the users email address in the From field.
3) Write a meta rule to match when both rules 1 & 2 are true.
4) Assign a score to the meta rule.

You will need to do this for every single email address that is valid. For large numbers of users this can result in a huge number of rules.
0
scarpenter104Author Commented:
If a user sends email from home or on the road using the company address as a sender (very common) they won't use my trusted server. This also goes for people who send email using a PDA or phone. If you don't understand my position, you've never been on the other end of a phone with the president of one of your clients screaming because the email he sent to a VP got stuck in his spam folder and some critical action didn't take place.

You are correct that if they don't use the same address in both fields this won't help, but that's not the problem I'm having right now. The technique that is working for spammers on my system is using the same address.  Until I see the technique you mentioned become an issue, I'll settle for this.

As far as a user sending himself a reminder, this is why I want to address this within Spamassassin. Whitelisting adds -100 points to a message, I want to add 100 points back if the two addresses match which means normal spam filtering would apply and an actual self-sent message would not normally be flagged.

It might be possible to eliminate the whitelisting and use mimedefang to prevent intracompany mail from being scanned while requiring mail with matching addresses to be scanned. I'll take a look at this.
0
scarpenter104Author Commented:
I don't want to turn this into a forum about relaying so let it suffice to say that I do not have an open relay and I do not use smtp authentication. Clients use various servers to send mail depending on their ISP.

Also, when you work as a service provider and a consultant you don't 'require' your clients to do anything. They require things of you and you deliver. If you work IT at one company you can solve things by requiring your users to do things a different way. In my world, you can't.

Finally, writing one rule for each possible email address is obviously not a reasonable approach.
0
grbladesCommented:
Well I think you need to tell your clients they should be using amtp authentication when sending mail remotely and if they dont then there is a possibility their mail may be classed as spam.

You can give them an option of whitelisting their domain but make them aware that it will cause them to get more spam.

If you look at the way most large email providers do it then they practically always use the first option.

We insist that all users send email through the company servers and they have to use smtp authentication.
Infact we go even furthur and publish a SPF record so anyone not doing so gets a far higher chance of getting classed as spam than normal.
If you dont insist on this then you have no control or accounting on the email system. One user could reply to an email agreeing to a contract term and you would have no record of it.
0
grbladesCommented:
> Finally, writing one rule for each possible email address is obviously not a reasonable approach.
Unfortunetly that is the only possible way of doing it.
The spamassassin rules dont have any concept of variables. If it did then you could use a regular expression to extract the email address from the FROM field and the TO and CC fields. Then write a rule to compare the two sets of variables. However since there is no variable support you cannot do this.
0
robocatCommented:

As I suggested before, if you use sendmail as MTA, you could achieve this easily using mimedefang. You can do all sorts of nice tricks using mimedefang.

Of course, setting up mimedefang and reconfiguring Spamassassin could take you some time and effort.


0
scarpenter104Author Commented:
Thanks for the push in the mimedefang direction. I've never been a fan of it but in this case it was perfect.
0
scarpenter104Author Commented:
I was able to solve this by writing a filter for mimedefang that evaluated the sender and receiver and when they are the same adds a header to the email before passing it on.
In spamassassin I wrote a rule that looks for that header and a meta rule that says if the header is there and the user is in the whitelist add 100 points. This negates the -100 points of the whitelist.
So if the spammer fakes a sender address that is in my domain it will succeed, but at the moment, that is rare. At this point, there is no advantage to making the sender and recipient the same and that was the strategy we were having trouble with.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
AntiSpam

From novice to tech pro — start learning today.