how to make spam rule for specific "envelope-from" entry

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
BruceLee

Hi,
I would like to catch spam with this envelope-from entry. Blacklisting the domain mailfrom.com in spamdyke doesn't help since it's not originating from there.

Received: (qmail 22309 invoked by uid 10039); 17 Nov 2010 15:42:26 +0100
Received: from ppp-124-120-27-2.revip2.asianet.co.th by MYSERVER (envelope-from <error@mailfrom.com>, uid 2020) with qmail-scanner-2.08st 
 (clamdscan: 0.96.4/12273. spamassassin: 3.2.5. perlscan: 2.08st.  
 Clear:RC:0(124.120.27.2):SA:1(6.0/4.0):. 
 Processed in 1.422905 secs); 17 Nov 2010 14:42:26 -0000
X-Spam-Status: Yes, hits=6.0 required=4.0
X-Spam-Level: ++++++
Received: from ppp-124-120-27-2.revip2.asianet.co.th (124.120.27.2)
  by MYSERVER with SMTP; 17 Nov 2010 15:42:23 +0100
Received: from [209.142.94.59] (account williamsnekula70@truck-turner.de HELO vvcmoifztvfr.hbavekho.biz)
	by ppp-124-120-27-2.revip2.asianet.co.th (CommuniGate Pro SMTP 5.2.3)
	with ESMTPA id 777624131 for <info@valid-email-address.tld>; Wed, 17 Nov 2010 21:42:21 +0700
From: Stewart Ferguson <hendersonhaqike20@peter-eder.at> 
To: <<info@valid-email-address.tld>>
Subject: ***SPAM*** MEDIUM *  die Analoge von Schweizer-Armbanduhren zum reduzierten Preis.
Date: Wed, 17 Nov 2010 21:42:21 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_oihsv_69_70_41"
X-Priority: 3
X-Mailer: jfni 12
Message-ID: <0862499354.CLEMB6WH217767@brkkw.zmdppgnf.biz>

I would like to use an ASL spam rule or a SpamAssassin one. That doesn't matter.

Any help or advice appreciated. Thank you.
scott

So you want to blacklist everything from "peter-eder.at"?

In SpamAssassin that would be:

blacklist_from *@peter-eder.at
BruceLee

Thanks for the quick reply.
I would like to catch everything from the "envelope-from" entry that is error@mailfrom.com. So blacklisting *@mailfrom.com would be my aim.
Thank you for your help.
BruceLee

Scott, is there a way to catch that? Thank you
scott

You'd have to craft a custom rule for that. I'd also double-check to ensure that isn't showing up in legit emails, just in case it's a generic qmail-scanner setting or something.
BruceLee

Do you have a hint for me with what variable I can achieve this?
I have searched through SpamAssassin's documentation but nothing seems to fit.
If you talk about a mod_sec rule a short hint would be very welcome since I did not find anything for that purpose.
Thank you very much.
scott

It's been a while, so you'd probably want to look at the other SA rules for examples:

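# Sub-rule (the "__" prefix means it carries no score of its own); the dot is escaped to match a literal "."
header __TEST_HEADER_1 Received =~ /@mailfrom\.com/i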
BruceLee

Thanks, I will take a look. Now I have something to start from. Thanks
BruceLee

Totally forgot to get back. My solution was in fact pretty simple.

I added the domain in the Plesk Mail-Settings Blacklist. This function basically just creates the
/var/qmail/control/badmailfrom file and adds the domain in there.
Which is what I wanted to do manually anyway.
Qmail now checks the envelope header and rejects an email if it matches the entry with:

"553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)"

Of course this means that no emails will make it...which was my aim. :)
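
Added example (not from the thread and not qmail's or Plesk's own code): a Python check to run over stored mail before blocking an envelope sender, as suggested earlier in the thread. It extracts the envelope sender from the qmail-scanner Received header and applies badmailfrom-style matching, assumed here to follow stock qmail (exact address or `@domain` entry, case-insensitive); the sample header is shortened from the first post and all function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: the qmail-scanner trace header from the first post,
# shortened; MYSERVER is the poster's own placeholder.
SAMPLE = (
    "Received: from ppp-124-120-27-2.revip2.asianet.co.th by MYSERVER\n"
    " (envelope-from <error@mailfrom.com>, uid 2020) with qmail-scanner-2.08st;\n"
    " 17 Nov 2010 14:42:26 -0000\n"
    "From: Stewart Ferguson <hendersonhaqike20@peter-eder.at>\n"
    "Subject: test\n\nbody\n"
)

ENV_FROM = re.compile(r"envelope-from\s+<([^>]*)>", re.I)

def envelope_from(raw):
    """Return the envelope sender recorded in a Received header, or None."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        m = ENV_FROM.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            return m.group(1).lower()
    return None

def badmailfrom_match(sender, entries):
    """Assumed stock-qmail semantics: exact address or '@domain', case-insensitive."""
    sender = sender.lower()
    wanted = {e.strip().lower() for e in entries if e.strip()}
    at = sender.rfind("@")
    return sender in wanted or (at != -1 and sender[at:] in wanted)

def audit(senders, entries):
    """List the senders an entry set would reject, for review before enabling it."""
    return [s for s in senders if badmailfrom_match(s, entries)]

# An unescaped dot matches any character; the anchored form matches only the domain.
LOOSE = re.compile(r"@mailfrom.com", re.I)
STRICT = re.compile(r"@mailfrom\.com$", re.I)

if __name__ == "__main__":
    print(envelope_from(SAMPLE))
    # Constructed sender list: one real hit and one lookalike that must not match.
    print(audit(["error@mailfrom.com", "bob@mailfromXcom.example"], ["@mailfrom.com"]))
```

Running `audit` over the envelope senders of already-delivered legitimate mail shows in advance which of them the new entry would reject.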