[BlueOnyx:26323] Re: negative AV-Spam score
Juerg Sommer
jsommer at emailto.ch
Thu Jun 22 15:20:28 -05 2023
Hi Meaulnes
> Can someone help me to set up a rule that recognizes *the same from
> and to address* in the header? I'm not very skilled for this...
>
> From: <legler at waveweb.ch>
> To: <legler at waveweb.ch>
> Subject: Your account is hacked. Your data is stolen. Learn how to
> regain access.
>
> I don't want to take @waveweb.ch out of the Welcomelist/Whitelist,
> it's where the users on my servers write to. A rule that would catch
> if from and to addresses are the same and then set a very high score
> would fix my problem.
This is not a good idea; I REALLY recommend that you define SPF and/or
DKIM. This mailing list's mails, for example, also have the same From and To and
would be affected too.
Google says for your rule:
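# Fires when the To: value repeats the From: value (From: appears first)
header FROM_SAME_AS_TO ALL =~ /\nFrom: ([^\n]+)\n.*To: \1/sm
describe FROM_SAME_AS_TO identical from and to
score FROM_SAME_AS_TO 10
# Same check for headers where To: appears before From:
header FROM_SAME_AS_TO2 ALL =~ /\nTo: ([^\n]+)\n.*From: \1/sm
describe FROM_SAME_AS_TO2 identical from and to
score FROM_SAME_AS_TO2 10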
Not perfect (doesn't work if a different name is defined, like
From: "sender" <test at mail.com>
To: "recipient" <test at mail.com>
or there's more than one recipient). But once again: if you give that
rule so many points that it's more than the whitelist negative score,
this rule is very dangerous and will filter wanted mails like this.
There are better possibilities. If you don't want to use SPF, for
example create rules with a negative score for your first name (if it's not
part of the mail), trusted networks, part of your signature (e.g.
"Zurich, Switzerland"), so that all replies to your mails get a negative
score, ...
Best regards,
Juerg
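
The limits listed in the reply above, as an added example (not code from the post or from SpamAssassin): a Python sketch that applies the two posted patterns to constructed header blocks and compares the result with a parsed-address comparison. The sample headers, the example.org addresses and the function names are assumptions, and Python's `re` stands in for SpamAssassin's regex matching over the ALL pseudo-header.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# The two patterns from the post; re.S | re.M mirrors the /sm modifiers.
RULES = [
    re.compile(r"\nFrom: ([^\n]+)\n.*To: \1", re.S | re.M),
    re.compile(r"\nTo: ([^\n]+)\n.*From: \1", re.S | re.M),
]

def regex_rule_hits(headers: str) -> bool:
    # Assumption: a newline is prepended so a header on the first line can match "\nFrom:".
    return any(rule.search("\n" + headers) for rule in RULES)

def sender_among_recipients(headers: str) -> bool:
    # Parse the headers and compare bare addresses, ignoring display names.
    msg = message_from_string(headers + "\n\n")
    sender = {addr.lower() for _, addr in getaddresses(msg.get_all("From", []))}
    rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    return bool(sender & rcpts)

# Constructed sample header blocks (not taken from real mail).
SAMPLES = {
    "bare_same_address": "From: <user@example.org>\nTo: <user@example.org>\nSubject: test",
    "different_display_names": 'From: "sender" <user@example.org>\nTo: "recipient" <user@example.org>',
    "several_recipients": "From: <user@example.org>\nTo: <other@example.org>, <user@example.org>",
    "mailing_list_post": "List-Id: <list.lists.example.org>\nFrom: <list@lists.example.org>\nTo: <list@lists.example.org>",
    "ordinary_mail": "From: <alice@example.org>\nTo: <bob@example.org>",
}

def compare() -> dict:
    # name -> (posted regex rules hit, parsed-address comparison hit)
    return {name: (regex_rule_hits(h), sender_among_recipients(h)) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rx, parsed) in compare().items():
        print(f"{name:26} regex={rx!s:5} parsed={parsed}")
```

The `mailing_list_post` sample is flagged by both checks, which is the false positive on wanted mail that the reply warns about.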