Spam spoofing email address

11 posts / 0 new
Last post
#1 Tue, 12/09/2008 - 06:43
pixel_paul
pixel_paul's picture

Spam spoofing email address

I've been getting in the past few weeks loads of spam that is spoofing my email address, so that Spamassassin gives it a score of -100 immediately, as my email address is in the auto whitelist.

Is anyone else encountering these problems, and if so any suggestions on how to solve this?

These are the headers from an example spam email:

[code:1]Return-Path: <info@mydomain.co.uk> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on servername.mailserverdomainname.eu X-Spam-Level: X-Spam-Status: No, score=-82.9 required=5.0 tests=BAYES_40, HTML_FONT_LOW_CONTRAST,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1, MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,RDNS_NONE,URIBL_AB_SURBL, URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL, USER_IN_WHITELIST autolearn=no version=3.2.4 X-Original-To: info@mydomain.co.uk Delivered-To: info@mydomain.co.uk@servername.mailserverdomainname.eu Received: from aa4df.com (unknown [118.221.241.143]) by servername.mailserverdomainname.eu (Postfix) with SMTP id 3E73E770178 for <info@mydomain.co.uk>; Tue, 9 Dec 2008 09:28:04 +0000 (GMT) To: <info@mydomain.co.uk> Subject: RE: Message From: <info@mydomain.co.uk> MIME-Version: 1.0 Importance: High Content-Type: text/html Message-Id: <20081209092805.3E73E770178@servername.mailserverdomainname.eu> Date: Tue, 9 Dec 2008 09:28:04 +0000 (GMT)[/code:1]

Thanks,

Paul

Tue, 12/09/2008 - 07:01
andreychek

Hi Paul,

One option is that you could always disable that particular rule if you find it's causing problems.

To disable it globally, you could edit /etc/spamassassin/local.cf, and set:

score USER_IN_WHITELIST 0

Or to disable it locally, just for your user, you can edit $HOME/.spamassassin/user_prefs and add the same line,
-Eric

Wed, 12/10/2008 - 03:33 (Reply to #2)
pixel_paul
pixel_paul's picture

Eric - you're a genius.

I will now skip around my office in joy.

Thanks again,

Paul

Mon, 12/22/2008 - 07:54 (Reply to #3)
sgrayban

Install a SPF milter maybe ?

Thu, 01/15/2009 - 04:22 (Reply to #4)
Ap0kalipSe

I've got the same issue, and it's starting to annoy me. I don't want to globally disable the option to assume email from domain is good.

Does postfix not have spf checking in it on virtualmin already?

Thu, 01/15/2009 - 05:07 (Reply to #5)
pixel_paul
pixel_paul's picture

The suggestion by Eric above definitely works (I changed it just for the users that are having the problem), so I haven't needed to use an SPF milter as suggested by Scott. This wouldn't work if you have 1000 users however!

It would be great if Virtualmin included the SPF milter though.

Thu, 01/15/2009 - 06:59 (Reply to #6)
andreychek

Regarding SPF -- that's something supported by SpamAssassin:

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plu...

It was enabled by default on my Ubuntu install -- make sure &quot;loadplugin Mail::SpamAssassin::Plugin::SPF&quot; is being run somewhere in /etc/spamassassin/.

Also, what version of SpamAssassin are you running? If you have version 3.2 or newer, it'll need the Mail::SPF Perl module (which was installed by default on my system I believe). If it's older than 3.2, you need the Mail::SPF::Query Perl module to do SPF within SpamAssassin.
-Eric

Fri, 01/16/2009 - 01:52 (Reply to #7)
Ap0kalipSe

I'm on CentOS 5.2 running spamassasin 3.2.4 - can't find spamassasin on the disk anywhere though :/

I've installed Mail::SPF but as above can;t find the config file to enable the spf checking.

Fri, 01/16/2009 - 02:04 (Reply to #8)
Ap0kalipSe

tried to edit but it said i'd hit an error!

found the config files eventually, they're under /usr/share/

the plugin Mail::SpamAssassin::Plugin::SPF is called in init.pre and chekcing a newly arrived mail it now appears to be doing spf lookups. not sure why mail::spf wasn't already installed.

Tue, 12/09/2008 - 08:11
pixel_paul
pixel_paul's picture

Hi Eric,

Thanks for the suggestion - if I wanted to have this switch set for just one domain should I add it to:

/home/mydomain/.spamassassin/user.prefs

or do I need to add it to each individual user?

Many Thanks,

Paul

Tue, 12/09/2008 - 08:15 (Reply to #10)
andreychek

So far as I know, you'll need to do it for each user.

Each user has their own user.prefs, and I don't believe that /home/mydomain/.spamassassin/user.prefs is consulted for anyone but the primary account for the domain.
-Eric

Topic locked