Reject mails with two different mail addresses in From Header
Nikolaos Milas
nmilas at noa.gr
Sat Mar 12 00:34:59 CET 2022
On 11/3/2022 3:40 μ.μ., Matus UHLAR - fantomas wrote:
> please, when possible, use plaintext e-mail with mailing lists.
Thanks, Matus, you are right; my attention was distracted when sending
this one. Sorry.
> I've had this problem too, in spamassassin you can:
>
> uncomment in v343.pre:
>
> loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
> define rule:
>
> body L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
>
> define meta rule for already existing __PDS_FROM_2_EMAILS:
>
> meta L_FROM_2_EMAILS (__PDS_FROM_2_EMAILS)
>
> - there's T_PDS_FROM_2_EMAILS which unfortunately does not hit when
> e.g. DKIM signature exists
>
> and maybe meta rule for these:
>
> meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS
Super.
So, this would form a rule set like the following?
body L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
meta L_FROM_2_EMAILS (__PDS_FROM_2_EMAILS)
meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS
describe L_FROM_2_ENCRYPTED encrypted attachment and two mails
score L_FROM_2_ENCRYPTED 5
Is the above block valid? If not, please kindly correct.
Also, what should I do to catch (and score) ALL mails with 2 different
mail addresses in the From header (regardless whether there is an
encrypted zip attachment or not)?
Sorry if my questions are naive, but my SA rules knowledge is quite poor.
Thanks a lot!
Nick
More information about the amavis-users
mailing list