Recently I noticed a recurring pattern in some of the spams I get.
The return-path and from headers always have the same structure.
Let me explain with an example:
Return-path: <brian_chambers-USER=DOMAIN.COM@readyseas.com>
From: <brian_chambers@readyseas.com>
To: <USER@DOMAIN.COM>
Basically, I'd like to check if the Return-path user part equals the From user part with the addition of the To ("@" changed to "=") and a dash in front of the To.
I wanted to use some Postfix header_checks
and reject the USER=DOMAIN.COM@
pattern but most of the legit newsletters I receive contain that too in their return-path (except there's a much more complex string before, which never matches the From field).
Has anybody created such a rule before and cares to share?
Thanks!
Best Answer
SpamAssassin does not let you write code or assign variables ... in its rules. To do what you want, you'd be best suited writing a custom plugin (which would give you full access to perl).
That said, you can technically do what you're asking for within the SpamAssassin rule writing syntax by using header type
ALL
(which examines all headers at once, kind of likerawbody
rules):The above rule is expensive, and would be even more expensive if you were to allow for dashes in the username since it would have to iterate over all possible lengths of
([\w.-])
for the username. This is expensive not just because it requires lots of backtracking, but also because it requires examining very long strings. Also, it is possible that theReturn-Path
header is after theTo
header, meaning that you'd need a second rule for a second regex to handle that case.You'd be far better off writing a custom SpamAssassin plugin for this technique.
However, I think you'll quickly find that all this does is target certain types of bulk mail, many of which are legitimate; the
Return-Path
header is used as a bounce address and many mailing lists encode the recipient into it in order to measure their deliverability and clean up their lists.If you really want this sort of thing, I suspect it doesn't actually matter if the exact
To
address is the one present in theReturn-Path
header. Here is a dramatically faster rule that should have nearly the same efficacy:Another big note is that whenever a message is redirected (e.g. an email forwarding service), the
Return-Path
header is rewritten. This may limit the spam detection utility of that rule.