Reject mails with two different mail addresses in From Header

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Mar 14 09:42:30 CET 2022 

>On 11/3/2022 3:40 μ.μ., Matus UHLAR - fantomas wrote:
>>I've had this problem too, in spamassassin you can:
>>
>>uncomment in v343.pre:
>>
>>loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>>
>>define rule:
>>
>>body L_OLEMACRO_ZIP_PW  eval:check_olemacro_zip_password()
>>
>>define meta rule for already existing __PDS_FROM_2_EMAILS:
>>
>>meta L_FROM_2_EMAILS    (__PDS_FROM_2_EMAILS)
>>
>>- there's T_PDS_FROM_2_EMAILS which unfortunately does not hit when 
>>e.g.   DKIM signature exists
>>
>>and maybe meta rule for these:
>>
>>meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS

On 12.03.22 01:34, Nikolaos Milas wrote:
>So, this would form a rule set like the following?
>
>body        L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
>meta        L_FROM_2_EMAILS       (__PDS_FROM_2_EMAILS)
>meta        L_FROM_2_ENCRYPTED    L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS
>describe    L_FROM_2_ENCRYPTED    encrypted attachment and two mails
>score       L_FROM_2_ENCRYPTED    5
>
>Is the above block valid? If not, please kindly correct.

looks perfectly valid.  Note that L_OLEMACRO_ZIP_PW and L_FROM_2_EMAILS each 
score 1 point by default.
If this is not what you want, start name with __

... I use L_ as prefix for local rules, __ prefixes test rules (no score by 
default) and T_ prefixes test rules (score 0.01 by default).

rules with score 0 are not evaluated unless they are prefixed with __

>Also, what should I do to catch (and score) ALL mails with 2 different 
>mail addresses in the From header (regardless whether there is an 
>encrypted zip attachment or not)?

the __PDS_FROM_2_EMAILS should catch excatly this, but since the rule name 
starts with __, it has no points by default.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.

More information about the amavis-users mailing list