[BlueOnyx:26321] Re: negative AV-Spam score

Meaulnes Legler @ MailList bluelist at waveweb.ch
Thu Jun 22 14:42:18 -05 2023


Michael and Juerg, thanks for the replies.

But I think my previously exposed solution doesn't resolve the problem sustainably; it won't work anymore if the hacker changes his bitcoin address.

Can someone help me to set up a rule that recognizes *the same from and to address* in the header? I'm not very skilled at this...

   From: <legler at waveweb.ch>
   To: <legler at waveweb.ch>
   Subject: Your account is hacked. Your data is stolen. Learn how to regain access.

I don't want to take @waveweb.ch out of the Welcomelist/Whitelist; it's where the users on my servers write to. A rule that would catch if from and to addresses are the same and then set a very high score would fix my problem.

Thank you and best regards

で⊃ Meaulnes Legler
Zurich, Switzerland
+41¦0 44 260-1660


On 22.06.23 19:05, Michael Stauber via Blueonyx wrote:
> Hi Juerg and Meaulnes,
> 
>> Rules are documented in the files Larry told you about, maybe in another directory, but you can search for the filenames. Do not change the score in this file, because these files will be replaced after an update. You can create a new score in the file where you create your own rules (because I don't use the plugin I don't know its location). Simply add a line:
>>
>> score     BAYES_00                          -4
>>
>> to overwrite score for BAYES_00.
> 
> Basically it works like this:
> 
> You can place your own (server wide) rules or score changes in a new file in the directory /etc/mail/spamassassin/
> 
> Make sure the file name ends with *.cf and then do a "systemctl restart spamassassin" to put it into effect.
> 
> As long as you don't modify an existing file your own changes will survive through AV-SPAM and SpamAssassin updates.
> 
> User rules (which apply only to a single specific user) are located in ~username/.spamassassin/user_rules and there is a GUI editor to modify them.
> 
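
Added example, not part of the original thread: a server-wide rule file of the kind described in the quoted reply, implementing the "same From and To address" check asked for above. The file name, the rule names and the score value are assumptions to adapt; the score is chosen only so that it outweighs a welcomelist/whitelist hit, which is -100 in stock SpamAssassin.

```conf
# /etc/mail/spamassassin/local_from_eq_to.cf   (file name is a placeholder)
#
# ALL is SpamAssassin's pseudo-header holding every header line as one string,
# so a back-reference (\1) can tie the address in To: to the one in From:.
# The lookarounds keep the match from starting or ending inside a longer
# address (e.g. "xlegler@..." or "...@waveweb.chat").

# Case 1: From: appears above To: in the header block
header   __LOCAL_FROM_EQ_TO_A  ALL =~ /^From:[^\n]*?(?<![\w.+-])([\w.+-]+\@[\w.-]+)(?![\w.-])[^\n]*\n(?:[^\n]*\n)*?To:[^\n]*?(?<![\w.+-])\1(?![\w.-])/im

# Case 2: To: appears above From:
header   __LOCAL_FROM_EQ_TO_B  ALL =~ /^To:[^\n]*?(?<![\w.+-])([\w.+-]+\@[\w.-]+)(?![\w.-])[^\n]*\n(?:[^\n]*\n)*?From:[^\n]*?(?<![\w.+-])\1(?![\w.-])/im

# Public rule: fires when either ordering matched
meta     LOCAL_FROM_EQ_TO      (__LOCAL_FROM_EQ_TO_A || __LOCAL_FROM_EQ_TO_B)
describe LOCAL_FROM_EQ_TO      Sender address also appears in To:
score    LOCAL_FROM_EQ_TO      110.0
```

Run `spamassassin --lint` to check the syntax before the `systemctl restart spamassassin` mentioned above. Mail that users legitimately address to themselves will hit this rule too, so it is worth considering `whitelist_auth` (`welcomelist_auth` in SpamAssassin 4), which only honours the listed address when SPF or DKIM verifies the sender, instead of listing the bare domain.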



