Reject mails with two different mail addresses in From Header

Nikolaos Milas nmilas at noa.gr
Sat Mar 12 17:21:40 CET 2022


On 12/3/2022 1:34 π.μ., Nikolaos Milas wrote:

> ...
> Also, what should I do to catch (and score) ALL mails with 2 different 
> mail addresses in the From header (regardless whether there is an 
> encrypted zip attachment or not)?
> ...

Hi Matus,

Regarding the above, I understand I could probably simply raise the 
score for the PDS_FROM_2_EMAILS rule in /etc/mail/spamassassin/local.cf, 
like:

    score PDS_FROM_2_EMAILS 4.0

However, it strikes me that incoming mail like the one I originally 
referred to, with a header field like:

From: "<John Doe> john_doe at example.com" <afom-seminyak at grandmashotels.com>

does NOT mention any scoring by this rule:

X-Spam-Status: Yes, score=4.693 tagged_above=-999 required=3.4
     tests=[BAYES_50=0.8, DATE_IN_FUTURE_12_24=3.199, DKIM_SIGNED=0.1,
     DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
     HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MISSING_MID=0.497,
     RCVD_IN_MSPIKE_H2=-0.4, RDNS_NONE=0.793, SPF_HELO_NONE=0.001,
     SPF_PASS=-0.1, TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001]
     autolearn=disabled

Questions:

1. How can I check if this or any other rule is active and which is its 
current score?

2. Could the PDS_FROM_2_EMAILS be triggered only when the From field 
contains ONLY two different mail addresses and nothing else? I only 
found in my quarantine two mails scored with this rule, and they both 
contained nothing else than two addresses in the From field, whereas the 
usual case is like the example I wrote above, i.e. there is a name as 
well. If this is so, how can we write a rule that would catch all other 
mails which contain "anything plus two different mail addresses"?

Thanks,
Nick



More information about the amavis-users mailing list