Need Spamassassin rule to detect recipient equal to sender

I have mail from my domains whitelisted and get a lot of spam using the technique of making the sender address equal to the recipient. I would like to write a rule to detect this so I can subtract the whitelist value, but can't wrap my head around it.
I can detect if the From: address contains some value or if the To: contains some value, but how can you determine if the address in From: is the same as the address in To:, especially since the From might be "Big Deals" <> while the To: is "My Name" <>?
Better yet, has anyone written a rule to do this already?
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

robocatConnect With a Mentor Commented:

There are additional products like mimedefang that allow you to easily define such rules. But this would not help you much, because what are you going to do if the SPAM uses <> as a sender ? You can never differentiate between legit intra-company mail and spam this way. And what if the user wants to send himself a reminder mail ?

You CAN use trusted hosts if you use a different server or an smtp server on a different port that uses SMTP authentication. Only known users can use this host/port and all mail orginating from this is safe.

The short answer is that it cannot be done without having lots of rules and even then you will have significant problems.

You should never whitelist your own domain.
You should either configure trusted hosts in spamassassin or use smtp authentication on a different port when sending mail and then have it bypass the spam check.
scarpenter104Author Commented:
I whitelist my domains because I have many companies receiving mail on this server and I don't want intra-company mail to be flagged as spam EVER. You can't do this with trusted hosts because you never know where the mail will be originating. I could trust their office mail server but they also send through their homes, on the road, even internationally.

As far as the "cannot be done" statement goes, I find that hard to accept. I was told years ago that modems would never go faster than 9600 baud and CPU's would never exceed 32Mhz.

I am not opposed to using several rules to accomplish this. I'm also not opposed to some external PERL. I'm looking for guidance on how it can be done.
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

In that case you should trust their mail server and require all users sending mail from elsewhere to use smtp authentication.

If you are not using smto authentication how are you controlling relaying?
If you allow relaying for any email where the from address is from one of your domains then you will soon be used to relay spam and end up getting blacklisted yourself.

In order to do what you want you will have to write the following rules :-
1) A rule to match the users email address in the To or CC field.
2) A rule to match the users email address in the From field.
3) Write a meta rule to match when both rules 1 & 2 are true.
4) Assign a score to the meta rule.

You will need to do this for every single email address that is valid. For large numbers of users this can result in a huge number of rules.
scarpenter104Author Commented:
If a user sends email from home or on the road using the company address as a sender (very common) they won't use my trusted server. This also goes for people who send email using a PDA or phone. If you don't understand my position, you've never been on the other end of a phone with the president of one of your clients screaming because the email he sent to a VP got stuck in his spam folder and some critical action didn't take place.

You are correct that if they don't use the same address in both fields this won't help, but that's not the problem I'm having right now. The technique that is working for spammers on my system is using the same address.  Until I see the technique you mentioned become an issue, I'll settle for this.

As far as a user sending himself a reminder, this is why I want to address this within Spamassassin. Whitelisting adds -100 points to a message, I want to add 100 points back if the two addresses match which means normal spam filtering would apply and an actual self-sent message would not normally be flagged.

It might be possible to eliminate the whitelisting and use mimedefang to prevent intracompany mail from being scanned while requiring mail with matching addresses to be scanned. I'll take a look at this.
scarpenter104Author Commented:
I don't want to turn this into a forum about relaying so let it suffice to say that I do not have an open relay and I do not use smtp authentication. Clients use various servers to send mail depending on their ISP.

Also, when you work as a service provider and a consultant you don't 'require' your clients to do anything. They require things of you and you deliver. If you work IT at one company you can solve things by requiring your users to do things a different way. In my world, you can't.

Finally, writing one rule for each possible email address is obviously not a reasonable approach.
Well I think you need to tell your clients they should be using amtp authentication when sending mail remotely and if they dont then there is a possibility their mail may be classed as spam.

You can give them an option of whitelisting their domain but make them aware that it will cause them to get more spam.

If you look at the way most large email providers do it then they practically always use the first option.

We insist that all users send email through the company servers and they have to use smtp authentication.
Infact we go even furthur and publish a SPF record so anyone not doing so gets a far higher chance of getting classed as spam than normal.
If you dont insist on this then you have no control or accounting on the email system. One user could reply to an email agreeing to a contract term and you would have no record of it.
> Finally, writing one rule for each possible email address is obviously not a reasonable approach.
Unfortunetly that is the only possible way of doing it.
The spamassassin rules dont have any concept of variables. If it did then you could use a regular expression to extract the email address from the FROM field and the TO and CC fields. Then write a rule to compare the two sets of variables. However since there is no variable support you cannot do this.

As I suggested before, if you use sendmail as MTA, you could achieve this easily using mimedefang. You can do all sorts of nice tricks using mimedefang.

Of course, setting up mimedefang and reconfiguring Spamassassin could take you some time and effort.

scarpenter104Author Commented:
Thanks for the push in the mimedefang direction. I've never been a fan of it but in this case it was perfect.
scarpenter104Author Commented:
I was able to solve this by writing a filter for mimedefang that evaluated the sender and receiver and when they are the same adds a header to the email before passing it on.
In spamassassin I wrote a rule that looks for that header and a meta rule that says if the header is there and the user is in the whitelist add 100 points. This negates the -100 points of the whitelist.
So if the spammer fakes a sender address that is in my domain it will succeed, but at the moment, that is rare. At this point, there is no advantage to making the sender and recipient the same and that was the strategy we were having trouble with.
All Courses

From novice to tech pro — start learning today.