Author: Lee W
Date:
To: Ben Giddings
CC: exim-users
Subject: Re: [Exim] Fighting fake spam headers

Ben Giddings wrote:
<snip>
> Unfortunately, I found that some clever spammer *ssh*les are putting in
> fake Spamassassin headers, marking their spam as not spam. So, what I
> want to do is make sure my machine always scans messages.
>
> I thought a good way to do that would be to make sure my machine's name
> was in the X-Spam-Checker-Version header, but everything I tried to do
> to use that ended up messing everything up, and creating a mail loop.
>
> My condition line looked like:
>
> condition = "${if and { {!match
> {${escape:$h_X-Spam-Checker-Version:}} {'myhost.com'}} {!eq
> {$received_protocol}{spam-scanned}}} {1}{0}}"
>
> No matter what I tried to put in that second string, I never got a
> match. I thought it might be a newline in the header, so I tried
> escaping it, I tried matching against 'SpamAssassin'... nothing.
>
> What am I doing wrong? How do I properly do what I'm trying to do?
>
> Ben Giddings

Hey Ben,

Sorry if I am talking a load of b**ls**t but I am just learning about
SpamAssassin/MailScanner.

Is not the general idea to only scan messages that come from external
servers so that any mail that originates from the localhost (and
possibly local network) is not scanned?

I thought that SpamAssassin worked by reinjecting a new message into the
MTA, which in most cases is running on the same server as SpamAssassin, in
which case could you not modify your routers to only send external
messages through the SpamAssassin transport? In this way any external
message would go through SpamAssassin regardless of whether the faked headers
are present or not.

Here is also something that I got out of the README for SpamAssassin:

"Users of SpamAssassin versions earlier than 2.50 should note that the
default tagging behavior has changed. If an incoming message is tagged as
spam, instead of modifying the original message, SpamAssassin will create a
new report message and attach the original message as a message/rfc822 MIME
part (ensuring the original message is completely preserved and easier to
recover). If you do not want to modify the body of incoming spam, use the
"report_safe" option."
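
An added example, not part of the original thread: a sketch of an Exim 4 router and transport in which the decision to scan depends only on `$received_protocol`, which the receiving host sets, and never on an `X-Spam-*` header, which the sender can forge. The binary paths, the `mail` user and group, and the router and transport names are assumptions for illustration.

```exim
# --- main configuration section ---
# Assumption: the transport below runs as "mail". Only a trusted caller
# may set the received protocol with -oMr, so a remote sender cannot
# claim "spam-scanned" for itself.
trusted_users = mail

# --- routers section ---
spamcheck_router:
  driver = accept
  no_verify
  check_local_user
  # Scan every message that has not already been re-injected by the
  # spamcheck transport. No $h_X-Spam-...: test appears here, so a
  # forged header cannot switch scanning off.
  condition = "${if !eq {$received_protocol}{spam-scanned} {1}{0}}"
  transport = spamcheck

# --- transports section ---
spamcheck:
  driver = pipe
  # Re-inject the scanned message, marking it with the protocol name
  # the router condition tests for (this is what prevents a mail loop).
  command = /usr/sbin/exim -oMr spam-scanned -bS
  use_bsmtp = true
  transport_filter = /usr/bin/spamc
  home_directory = "/tmp"
  current_directory = "/tmp"
  user = mail
  group = mail
  log_output = true
  return_fail_output = true
  return_path_add = false
  message_prefix =
  message_suffix =
```

To also skip locally submitted mail, as suggested in the reply above, the condition can additionally require that `$received_protocol` is not `local`.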