1 (edited by ozapien 2012-11-20 02:58:11)

Topic: How to score points in Spamassassin on reply-to header.

==== Required information ====
- iRedMail version:  iRedMail-0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CENTOS
- Related log if you're reporting an issue: none
====

This is only a contribution on how to configure SpamAssassin to score mails with a Reply-To header that is different from the sender (From: header). This is usually a technique used by spammers, but often some real users use this functionality. Be careful: before using this rule, make sure you do not get yourself into trouble by implementing it!

Notice that the scores in this guide are very high; you can set them as you need. In my case I decided to send almost all mails using a Reply-To to quarantine because that is what I needed. Maybe it is a good idea to set a low score like 0.001 to get started and see if this is what you need!

Based on: http://wiki.apache.org/spamassassin/FromNotReplyTo

Rule FromNotReplyTo: scores 2 points for mail whose Reply-To and From headers are not the same.
Rule FromNotReplyToSameDomain: scores 5 points for mail whose Reply-To and From headers are not in the same domain.

################### Add in /etc/mail/spamassassin/local.conf ###################
## Score 2 points for mail whose Reply-To and From headers are not the same
loadplugin FromNotReplyTo plugins/FromNotReplyTo.pm
header FROM_NOT_REPLYTO eval:check_for_from_not_reply_to()
score FROM_NOT_REPLYTO 2.0
describe FROM_NOT_REPLYTO From: does not match Reply-To:

# Score 5 points for mail whose Reply-To and From headers are not in the same domain
loadplugin FromNotReplyToSameDomain plugins/FromNotReplyToSameDomain.pm
header FROM_NOT_REPLYTO_SAME_DOMAIN eval:check_for_from_not_reply_to_same_domain()
score FROM_NOT_REPLYTO_SAME_DOMAIN 5.0
describe FROM_NOT_REPLYTO_SAME_DOMAIN From domain: does not match Reply-To: domain
###########################################################################

# create plugin directory.
mkdir /etc/mail/spamassassin/plugins/

########## Create /etc/mail/spamassassin/plugins/FromNotReplyTo.pm ############
package FromNotReplyTo;
1;

use strict;

use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);


sub new {
        my ($class, $mailsa) = @_;
        $class = ref($class) || $class;
        my $self = $class->SUPER::new( $mailsa );
        bless ($self, $class);
        $self->register_eval_rule ( 'check_for_from_not_reply_to' );
       
        return $self;
}


# Often spam uses different From: and Reply-To:
# while most legitimate e-mails do not.
sub check_for_from_not_reply_to {
        my ($self, $msg) = @_;

        my $from = $msg->get( 'From:addr' );
        my $replyTo = $msg->get( 'Reply-To:addr' );

        #Mail::SpamAssassin::Plugin::dbg( "FromNotReplyTo: Comparing '$from'/'$replyTo" );

        if ( $from ne '' && $replyTo ne '' && $from ne $replyTo ) {
                return 1;
        }

        return 0;
}
###########################################################################

##### Create /etc/mail/spamassassin/plugins/FromNotReplyToSameDomain.pm #######
package FromNotReplyToSameDomain;
1;

use strict;

use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);


sub new {
        my ($class, $mailsa) = @_;
        $class = ref($class) || $class;
        my $self = $class->SUPER::new( $mailsa );
        bless ($self, $class);
        $self->register_eval_rule ( 'check_for_from_not_reply_to_same_domain' );
       
        return $self;
}


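# Often spam uses different From: and Reply-To: domains
# while most legitimate e-mails do not.
sub check_for_from_not_reply_to_same_domain {
        my ($self, $msg) = @_;

        # Keep only the part after the last '@'; domain names are
        # case-insensitive, so lowercase both before comparing.
        my $from = $msg->get( 'From:addr' );
        $from =~ s/.*@//;
        $from = lc $from;
        my $replyTo = $msg->get( 'Reply-To:addr' );
        $replyTo =~ s/.*@//;
        $replyTo = lc $replyTo;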

        #Mail::SpamAssassin::Plugin::dbg( "FromNotReplyToSameDomain: Comparing '$from'/'$replyTo" );

        if ( $from ne '' && $replyTo ne '' && $from ne $replyTo ) {
                return 1;
        }

        return 0;
}
###########################################################################

#Stop amavis with:
/etc/init.d/amavisd stop

# Debug amavis with:
amavisd -c /etc/amavisd/amavisd.conf debug 2>&1 | grep -i 'FromNotReplyTo'

# You should see something like:
# /etc/init.d/amavisd -c /etc/amavisd/amavisd.conf debug 2>&1 | grep -i 'FromNotReplyTo'
Nov 19 10:03:46.219 your.mail-host.domain /usr/sbin/amavisd[7971]: SpamAssassin loaded plugins: AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, DNSEval, FreeMail, FromNotReplyTo, FromNotReplyToSameDomain, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Nov 19 10:03:46.219 your.mail-host.domain /usr/sbin/amavisd[7971]: extra modules loaded after daemonizing/chrooting: /etc/mail/spamassassin/plugins/FromNotReplyTo.pm, /etc/mail/spamassassin/plugins/FromNotReplyToSameDomain.pm, Mail/SpamAssassin/BayesStore/MySQL.pm, Mail/SpamAssassin/BayesStore/SQL.pm, Mail/SpamAssassin/Plugin/FreeMail.pm

# If everything is working, end debug with CTRL+C and start amavis as usual.
/etc/init.d/amavisd start

I hope this was useful for you!!!

Greetings!

Omar David Zapién López
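
The post suggests starting with a low score to see what the rules would catch. As an added example (not part of the original post, and not SpamAssassin code), this Python script mirrors the two checks so they can be dry-run over known-good mail before deployment. The sample messages are constructed, `parseaddr` only approximates SpamAssassin's `:addr` extraction, and the domain comparison here is case-insensitive.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Scores from the local.conf in the post above.
SCORES = {"FROM_NOT_REPLYTO": 2.0, "FROM_NOT_REPLYTO_SAME_DOMAIN": 5.0}

# Constructed sample messages; all names and domains are placeholders.
SAMPLES = {
    "same": "From: Alice <alice@example.com>\nReply-To: alice@example.com\n\nhi\n",
    "no_reply_to": "From: alice@example.com\n\nhi\n",
    "same_domain": "From: alice@example.com\nReply-To: support@example.com\n\nhi\n",
    "case_only": "From: alice@Example.COM\nReply-To: alice@example.com\n\nhi\n",
    "other_domain": "From: Bank <info@example.com>\nReply-To: x@example.net\n\nhi\n",
}

def addr(msg, header):
    """Bare address of a header, '' when the header is absent."""
    return parseaddr(msg.get(header, ""))[1]

def domain(address):
    """Part after the last '@', lowercased (domain names are case-insensitive)."""
    return address.rpartition("@")[2].lower()

def rules_hit(raw):
    """Return the rule names from the post that this raw message would trigger."""
    msg = message_from_string(raw)
    frm, rto = addr(msg, "From"), addr(msg, "Reply-To")
    hits = []
    if frm and rto and frm != rto:
        hits.append("FROM_NOT_REPLYTO")
    if frm and rto and domain(frm) != domain(rto):
        hits.append("FROM_NOT_REPLYTO_SAME_DOMAIN")
    return hits

def total_score(raw):
    """Points these two rules alone would add to the message."""
    return sum(SCORES[rule] for rule in rules_hit(raw))

def tally(raws):
    """Count messages per rule, e.g. to estimate false positives on known-good mail."""
    return Counter(rule for raw in raws for rule in rules_hit(raw))

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {total_score(raw):4.1f} {rules_hit(raw)}")
    print(dict(tally(SAMPLES.values())))
```

Feeding `tally()` the raw text of messages from a folder of legitimate mail shows how often each rule would fire before any real score is assigned.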

----

2

Re: How to score points in Spamassassin on reply-to header.

From not reply-to, this is very common, I don't think we should use it to fight spam...

P.S. it should be easier to achieve it in iRedAPD as a plugin.