from = to spam

christophera · May 15, 2009, 12:55pm

I’m getting spam that is using my address as the from address. To me from me.

Spamassassin gives it a high score, but also says it’s not spam

"Status: No, score=-89.6 required=5.0"

Which I am guessing is because the to address is mine.

I saw a post about doing something concerning whitelisting, but I don’t have my address whitelisted (or is that done automatically?).

Is there a way for me to use the "spamassassin/header - body tests" to add points if the to and from match? if so, how?

Or is there another way to handle this?

christophera · May 15, 2009, 12:57pm

oh, I’m on centOS if that matters.

Eric · May 15, 2009, 1:01pm

Well, that score is negative (-89.6), so it’s actually a particularly low score. But you’re right, it may be because it’s your address.

You may want to try disabling the autowhitelist (AWL) related feature in SpamAssassin.

To do that, edit /etc/spamassassin/local.cf (I think that’s where it is, it may be different on CentOS), and add this:

use_auto_whitelist 0

And from there, restart SpamAssassin (/etc/init.d/spamassassin restart).
-Eric

christophera · May 15, 2009, 2:57pm

In the ‘spam and virus delivery’ module, there is a:

"Always allow mail from mailboxes in domain?"

I currently have it set to ‘no’, though actually I do want users to be able to write each other without any trouble.

Does checking that as yes or no affect the same setting you are referring to in local.cf? Or are those different?

christophera · May 15, 2009, 2:59pm

oh, and thanks for straightening me out on the - (negative), I had missed that little detail

Eric · May 15, 2009, 7:34pm

Sorry, I’m not sure what those options affect within Spamassassin.

They may be adding addresses to the autowhitelist, which would make the problem you’re seeing worse

If those options don’t have help available for them, you might just need to tinker a bit to see what exactly they’re enabling (for example, try making a change and see how the local.cf file differs).

Or, maybe someone more knowledgeable than myself will chime in!
-Eric

christophera · May 15, 2009, 7:48pm

Thanks Eric, either way, your ‘use_auto_whitelist 0’ seems to be working.

I’m trying to get rid of emails that have the word ‘viagra’ in them now. I put the word into the ‘header and body tests’ and gave it a bunch of points, but it doesn’t seem to be working.

Do you, or anyone else, know if I need to put that in some kind of regular expression? And if so, how do I do that?

Thanks again for all your help Eric, just about got everything set up, and just switch the dns to point at my new virtualmin server!

Waiting now for the dns to update so I can see how it all works for real.

Eric · May 15, 2009, 10:22pm

Howdy,

Well, I’m not sure of the specifics of your rule – but did you have a chance to go over the Rules Howto over on the SA Wiki?

Some details on writing SpamAssassin rules are here:

http://wiki.apache.org/spamassassin/WritingRules

They explain what all goes into writing them, checking for syntax errors, and other goodies.
-Eric

kenlyle · March 16, 2010, 5:15pm

Thanks for the link, Eric. I guess I wasn’t the only one unsure how to fill out the Header and Body Tests.

I would be great if we could maintain a wiki page of working filters.

Ken