Robert Marshall wrote:
> On Tue, 17 Jul 2007, Nigel Wade wrote:
>
>> Nigel Wade wrote:
>>
>>> Justin C wrote:
>>>
>>>> I'm getting spam which is defeating SpamAssassin, I think it's
>>>> because *@[ourdomain].com is whitelisted in /etc/local.cf. The
>>>> problem messages appear to come from me, the From and Reply-To
>>>> addresses are:
>>>>
>>>> Brandy Lugo <justin@[ourdomain].com>
>>>>
>>>> the email address is mine, the user name is not.
>>>>
>>>> I'm reluctant to remove '*@[ourdomain].com' from the local
>>>> spamassassin file, I don't want spamassassin wasting its time
>>>> scanning local originating messages, but I would like to catch
>>>> messages like the above. As Exim hasn't managed to reject it, and
>>>> spamassassin sees it as whitelisted, I can only think of procmail
>>>> to catch these. I've only used procmail to sort legitimate mail,
>>>> or send spam (already identified by sa-exim) to /dev/null. I don't
>>>> have a clue where to start with this one.
>>>>
>>>> Thank you for any help you can give.
>>>>
>>>> Justin.
>>>>
>>>
>>> Don't base your whitelisting on the easily forged envelope sender,
>>> or FromL
>>
>> That should, of course, be "From:" not "FromL"
>>
>
> Or use whitelist_from_rcvd instead
>
There is no need to pass these messages to SA at all if you use Exim correctly.
Whitelisting is a double-edged sword anyway. As soon as the spammers find what
is being whitelisted by SA they will use it against you. Received headers can
be forged, and SA can be fooled into allowing incoming spam via this route.
Spammers do look at SpamAssassin to see how to defeat it. I remember that in one
older release the default scores included a negative score for a "Re:" in the
subject. Guess what the next round of spam all included?
--
Nigel Wade
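
The point made in this thread, as an added example that is not part of the original posts: decide whether to skip scanning from the connecting IP that your own MTA recorded in the topmost Received header, never from From: or from Received lines lower down. The domain `ourdomain.example`, the trusted networks, the Exim-style header layout and both sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed values for illustration; not taken from the thread.
LOCAL_DOMAIN = "ourdomain.example"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def connecting_ip(msg):
    """IP from the topmost Received header, the only one our own MTA wrote.
    Every Received header below it was supplied by the sender and may be forged."""
    received = msg.get_all("Received") or []
    match = BRACKETED_IP.search(received[0]) if received else None
    if not match:
        return None  # no usable IP: treat as untrusted
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None

def classify(raw):
    msg = email.message_from_string(raw)
    ip = connecting_ip(msg)
    if ip is not None and any(ip in net for net in TRUSTED_NETS):
        return "skip-scan"  # really handed to us by one of our own hosts
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain == LOCAL_DOMAIN:
        return "scan-forged-local-from"  # claims to be us, arrived from outside
    return "scan"

# Constructed sample: external relay, forged local From: and a forged lower Received.
FORGED = (
    "Received: from mail.bulk.example ([203.0.113.7] helo=ourdomain.example)\n"
    "\tby mx.ourdomain.example with esmtp\n"
    "Received: from desk ([192.0.2.10]) by mx.ourdomain.example with esmtp\n"
    "From: Brandy Lugo <justin@ourdomain.example>\n"
    "Subject: hi\n\nbody\n"
)
# Constructed sample: genuinely submitted from an internal host.
INTERNAL = (
    "Received: from desk ([192.0.2.10]) by mx.ourdomain.example with esmtp\n"
    "From: Justin <justin@ourdomain.example>\n"
    "Subject: minutes\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("internal", INTERNAL)):
        print(name, "->", classify(raw))
```
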