Hi folks.
I'm using Exim and Spamassassin at work and would like to add a check.
I've noticed that a lot of SPAM has the recipient in the from header. Does anyone know how to check for this?
Gary
On 2012/08/10 02:51, Gary Stainburn wrote:
> Hi folks.
> I'm using Exim and Spamassassin at work and would like to add a check.
> I've noticed that a lot of SPAM has the recipient in the from header. Does anyone know how to check for this?
> Gary
Yes.
If you use per user rules it's easy to create a rule to detect the user's email address(es).
For example:
    header   JD_USER_SPIKE To =~ /spike\@foobar\.com/
    describe JD_USER_SPIKE Email to self from self
    score    JD_USER_SPIKE 0.001
Change the score to what you think it should be. Monitor how received spam changes. Monitor how mismarked ham changes. (You ARE a member of a mailing list, you know.) And decide to keep it or not.
(Using a meta rule you could exempt mailing lists, of course. But that filter would not necessarily be self-updating. So each new mailing list membership Spike, above, joins would require some editing.)
There is an excellent spamassassin users mailing list you might want to join if you're at all serious about rule hacking.
{^_^}
On Fri, 2012-08-10 at 03:11 -0700, jdow wrote:
> For example:
>     header   JD_USER_SPIKE To =~ /spike\@foobar\.com/
>     describe JD_USER_SPIKE Email to self from self
>     score    JD_USER_SPIKE 0.001
> Change the score to what you think it should be. Monitor how received spam changes. Monitor how mismarked ham changes. (You ARE a member of a mailing list, you know.) And decide to keep it or not.
Though, on this list, mail is addressed to the list, not the recipient. So his own mail to this list shouldn't affect scoring spam that's only assessing to address. As his address won't be in there.
For other lists, your caution stands.
And the original poster must remember that it's not just a case of flagging those particular messages as spam. With some anti-spam systems, you're increasing the statistics of your address being associated as spam. And that leads to one of my pet hates about "junk mail" buttons on ordinary mail clients used by clueless people. They'll hit the junk button on mail they don't want to see, but isn't actually junk (such as a message list that they've subscribed to, but can't be arsed to unsub themselves), and report that mail as being spam to a third party. And suddenly, your actually not-spam mail, is being blacklisted.
Going back to the request, my own thoughts are, particularly if they were applying a filter for more than one person, or more than one address, the original poster's question may have been a more literal request. Rather than junk it if the "to" address includes their own address (a specific address), would be junking mail where the same address is found in the "to" and "from" headers, whatever that address is. Dunno if Spamassassin can do that. But I've often thought it would be a useful rule.
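The generic form of the check discussed above (flag any message whose From address also appears among its header recipients, whatever that address is), written here as an added Python example; it is not part of the thread and is not a SpamAssassin rule. The sample messages are constructed, and the List-Id exemption is an assumed way to handle the mailing-list caveat raised earlier.

```python
from email import message_from_string
from email.utils import getaddresses


def _addrs(msg, *names):
    """Lower-cased addresses found in the named headers."""
    values = [str(v) for n in names for v in msg.get_all(n, [])]
    return {addr.lower() for _, addr in getaddresses(values) if "@" in addr}


def from_equals_recipient(raw, exempt_lists=True):
    """True when a From address also appears in To or Cc.

    This looks at headers only; the SMTP envelope is not visible here.
    Messages carrying a List-Id header are skipped by default, since a
    list member may legitimately be both author and recipient.
    """
    msg = message_from_string(raw)
    if exempt_lists and msg.get("List-Id"):
        return False
    return bool(_addrs(msg, "From") & _addrs(msg, "To", "Cc"))


# Constructed sample messages (reserved example domains).
SPOOFED = (
    "From: Spike <spike@example.com>\n"
    "To: SPIKE@example.com\n"
    "Subject: Your account\n\nbody\n"
)
NORMAL = (
    "From: Alice <alice@example.net>\n"
    "To: spike@example.com\n"
    "Subject: Lunch\n\nbody\n"
)
LIST_COPY = (
    "From: spike@example.com\n"
    "To: users@lists.example.org\n"
    "Cc: spike@example.com\n"
    "List-Id: <users.lists.example.org>\n"
    "Subject: Re: rules\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("normal", NORMAL), ("list", LIST_COPY)]:
        print(name, from_equals_recipient(raw))
```

As with the per-user rule, a match is better used as a low-weight signal to monitor than as a verdict, because people do send mail to themselves.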
On 10.08.2012 11:51, Gary Stainburn wrote:
> Hi folks.
> I'm using Exim and Spamassassin at work and would like to add a check.
> I've noticed that a lot of SPAM has the recipient in the from header. Does anyone know how to check for this?
HEADERS are typically NOT what is interesting for SMTP envelopes are interesting
On Fri, Aug 10, 2012 at 2:59 AM, Reindl Harald wrote:
> On 10.08.2012 11:51, Gary Stainburn wrote:
>> I've noticed that a lot of SPAM has the recipient in the from header. Does anyone know how to check for this?
> HEADERS are typically NOT what is interesting for SMTP envelopes are interesting
Perhaps, but for spam detection, HEADERS are quite often very interesting.
I have also noticed that my address appears in the From header in a lot of spam. That this correlates strongly with spam email has nothing whatsoever to do with the SMTP envelopes of those mails.
Tim wrote:
> And that leads to one of my pet hates about "junk mail" buttons on ordinary mail clients used by clueless people. They'll hit the junk button on mail they don't want to see, but isn't actually junk (such as a message list that they've subscribed to, but can't be arsed to unsub themselves), and report that mail as being spam to a third party. And suddenly, your actually not-spam mail, is being blacklisted.
This does have unexpected benefits, though.
Firstly, everyone knows that this is happening. No-one is blocking at an ISP level on a single “this is spam” click: they’re looking for higher than usual levels of reporting.
Secondly, some ISPs are turning “this is spam” into unsubscribes for reliable senders (and they have the data to be able to tell: they look at how long they’ve been sending from those IP addresses, how much, what the historic complaint rates have been, and so on). This does confirm that the account is active, but it also tells the ISP that any more mail is unwanted: if the senders ignore these unsubscribes, then the ISP knows that at least part of their output is spam. So senders who Do The Right Thing in processing unsubscribes don’t get harmed, and not having working unsubscribes gets you blocked.
Thirdly, large ISPs (for example, Yahoo), are starting to use “engagement” as a measure in their email filtering. Depending on the user agent (for example, web mail), the ISPs may be able to tell for a large proportion of their userbase which emails are being opened, which ones are having links clicked, and take a reasonable guess at how long people are spending reading an email.
Senders with better engagement are the ones that the users really want to hear from. They might get into “Priority Inboxes”, and are the ones that can tolerate a higher “this is spam rate”. So there’s another incentive for senders to send email that the recipients will want to receive.
For example, under the old system, a marketing department might have wanted to send out daily fliers during December. Now they might judge that three or four emails with a higher concentration of good offers will get better engagement, and hence better delivery.
See, for example, http://www.mediapost.com/publications/article/179994/summer-2012-when-engage...
James.