Reject mails with two different mail addresses in From Header

Nikolaos Milas nmilas at noa.gr
Sat Mar 12 00:34:59 CET 2022


On 11/3/2022 3:40 PM, Matus UHLAR - fantomas wrote:

> please, when possible, use plaintext e-mail with mailing lists.

Thanks, Matus, you are right; my attention was distracted when sending 
this one. Sorry.

> I've had this problem too, in spamassassin you can:
>
> uncomment in v343.pre:
>
> loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
> define rule:
>
> body L_OLEMACRO_ZIP_PW  eval:check_olemacro_zip_password()
>
> define meta rule for already existing __PDS_FROM_2_EMAILS:
>
> meta L_FROM_2_EMAILS    (__PDS_FROM_2_EMAILS)
>
> - there's T_PDS_FROM_2_EMAILS which unfortunately does not hit when 
> e.g. DKIM signature exists
>
> and maybe meta rule for these:
>
> meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS

Super.

So, this would form a rule set like the following?

body        L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
meta        L_FROM_2_EMAILS       (__PDS_FROM_2_EMAILS)
meta        L_FROM_2_ENCRYPTED    L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS
describe    L_FROM_2_ENCRYPTED    encrypted attachment and two mails
score       L_FROM_2_ENCRYPTED    5

Is the above block valid? If not, please kindly correct.

Also, what should I do to catch (and score) ALL mails with 2 different 
mail addresses in the From header (regardless of whether there is an 
encrypted zip attachment or not)?

Sorry if my questions are naive, but my SA rules knowledge is quite poor.

Thanks a lot!
Nick
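
Added example, not part of the original message and not how SpamAssassin implements __PDS_FROM_2_EMAILS: a standalone Python check for a From header carrying two different addresses, including one placed in the display name or hidden in an RFC 2047 encoded-word. The function names, the address pattern and the sample headers are constructed for this illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.parser import HeaderParser

# Loose candidate pattern, not a full RFC 5322 address parser (assumption).
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def from_addresses(raw_headers):
    """Return the distinct, lower-cased addresses seen anywhere in From."""
    msg = HeaderParser().parsestr(raw_headers)
    found = set()
    for raw in msg.get_all("From", []):
        raw = str(raw)
        try:
            # Decode RFC 2047 encoded-words so an address hidden in an
            # encoded display name is visible to the pattern.
            decoded = str(make_header(decode_header(raw)))
        except (HeaderParseError, LookupError, UnicodeError):
            decoded = raw  # undecodable: fall back to the raw text
        found.update(a.lower() for a in ADDR_RE.findall(decoded))
    return found


def has_two_from_addresses(raw_headers):
    """True when From carries more than one distinct address."""
    return len(from_addresses(raw_headers)) > 1


# Constructed sample headers (not taken from real mail).
SAMPLES = {
    "plain": 'From: "Alice Example" <alice@example.com>\n\n',
    "same_twice": 'From: "alice@example.com" <Alice@Example.COM>\n\n',
    "name_differs": 'From: "bob@example.org" <mallory@example.net>\n\n',
    "encoded_name": "From: =?UTF-8?Q?carol=40example.org?= <mallory@example.net>\n\n",
    "two_mailboxes": "From: dave@example.com, erin@example.org\n\n",
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        verdict = "HIT" if has_two_from_addresses(headers) else "ok"
        print(f"{name:14} {verdict:3} {sorted(from_addresses(headers))}")
```

The "two_mailboxes" case is syntactically legal under RFC 5322, so a check like this is better used as a scoring signal than as an outright reject.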



