spam assassin rule to block a From address

Kai Risku Kai.Risku at arrak.fi
Fri Oct 14 10:29:15 CEST 2016 

There is a small chance of false positives, i.e. you are catching *all* email addresses beginning with airecom612. You could be a bit more specific and require a hexadecimal string of at least 16 characters also:
	
	header SPAM11OctF1	From:addr ~= /^airecom612\+[0-9a-f]{16,}\@/i

--
Kai.Risku at arrak.fi     GSM  +358-40-767 8282
Oy Arrak Software Ab   http://www.arrak.fi



-----Original Message-----
From: Indunil Jayasooriya [mailto:indunil75 at gmail.com] 
Sent: Friday, October 14, 2016 11:03 AM
To: Kai Risku <Kai.Risku at arrak.fi>
Cc: amavis-users at amavis.org
Subject: Re: spam assassin rule to block a From address

> Appending the modifier “:addr” to a header name will remove everything from
> that header except the first email address. If you are using an anchored
> regexp on the email address, then the From:addr test should work, i.e.
>
>
>
>                 header SPAM11OctF1   From:addr ~=
> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>

Thanks. Now I get mails beginning with  "airecom612"


Pls see below


airecom612+97d7d60a91d9695c9a4240f92d5c3cae at therealizationofhealth.net
airecom612+eceaaa167743dd4a58b54bdb17ef86c4 at holistictips.net
airecom612+97d7d60a91d9695c9a4240f92d5c3cae at therealizationofhealth.net


So I have changed the rule in this way. pls see below. ( this time i.e
-   /^airecom612.*\@/i )

file /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf


header SPAM11OctF2 From:addr =~ /^airecom612.*\@/i
describe SPAM11OctF2 From address begin with the word airecom612@
score SPAM11OctF2 10.0


Hope. this will catch the PATTERN beginning with  "airecom612".


your comments on this ?



>
> But you are otherwise on to something there. If the airecom -address is not
> in the visible From: -line (“From: “), but instead in the Envelope sender
> (i.e. the “From “ line), then you should use the pseudoheader EnvelopeFrom
> in the SA test:
>
>
>
>                 header SPAM11OctF1   EnvelopeFrom ~=
> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>
>
>
> The EnvelopeFrom pseudoheader contains just the email address without any
> surrounding < >.

I have never known it before. Thanks for your effort. Well done. your
effort never went to recycle bin since I realized it.
>
> man Mail::SpamAssassin::Conf is your friend.
>

Thanks for this man command.




> --
> Kai.Risku at arrak.fi     GSM  +358-40-767 8282
> Oy Arrak Software Ab   http://www.arrak.fi
>
>
>
>
> From: amavis-users
> [mailto:amavis-users-bounces+kai.risku=arrak.fi at amavis.org] On Behalf Of
> @lbutlr
> Sent: Thursday, October 13, 2016 11:43 AM
> To: amavis-users at amavis.org
> Subject: Re: spam assassin rule to block a From address
>
>
>
> On Oct 13, 2016, at 2:12 AM, Indunil Jayasooriya <indunil75 at gmail.com>
> wrote:
>
> what's the difference between From and From:addr ?
>
>
>
> Isn’t From the “From “ and From:addr the “From:”?
>
>



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts

More information about the amavis-users mailing list