[Mimedefang] Blocking e-mail where the To does not match the envelope To

Rich West Rich.West at wesmo.com
Thu Aug 29 21:06:01 EDT 2002


What I personally have found as the 'best' solution is what was recently 
suggested on the list.  Alter your filter such that IF a message is 
detected as spam and IF the score is TWICE what the required score to be 
tagged as spam is, THEN bounce it.

For example, if your threshold is a score of 10, which is the default, I 
believe, you are probably like the rest of us and see a fair number of 
false positives and false negatives... this will always be the case. 
However, if you receive a message with a score of 20 or greater, then 
you can feel confident that it is most definitely spam (if you get a 
false positive that high, well, it would take a bit of work. :) and 
subsequently reject it.

By doing that at two of our sites, we saw the amount of spam reduced 
significantly.  One user came to me and actually asked if we changed 
anything because their filter for the "X-Spam-Status: Yes" only picked 
up 4 messages when it usually picked up greater than 30.

A snippet from my filter looks like:
...
    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB.  Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();
            if ($hits >= $req) {
                if ($hits >= ($req*2.0)) {
                    # Score is at least twice the threshold: keep a
                    # quarantined copy and reject the message.
                    action_quarantine_entire_message();
                    return action_bounce("Message Detected As SPAM - Delivery Denied");
                }
                # We add a header which looks like this:
                # X-Spam-Warning: This message is SPAM
                # making it easy for MUAs to filter on the SPAM.
                action_add_header("X-Spam-Warning", "This message is SPAM");
                action_add_part($entity, "text/plain", "-suggest",
                                "$report\n",
                                "SpamAssassinReport.txt", "inline");
            }
        }
...
-Rich


Jon Kenoyer wrote:

>Thanks all for clarifying the interaction between envelope and the
>e-mail fields.  We already run spamassassin and the e-mail was flagged
>as spam, but due to the false positives that are returned I can not
>simply bounce e-mails marked as spam.  Perhaps redirecting e-mails if
>the spam assassin results contain the Porn marker would be a better
>solution.
>
>-----Original Message-----
>From: Sidney Markowitz [mailto:sidney at sidney.com]
>Sent: Thursday, August 29, 2002 10:16 AM
>To: mimedefang at lists.roaringpenguin.com
>Subject: Re: [Mimedefang] Blocking e-mail where the To does not match
>the envelope To
>
>
>Jon Kenoyer <jonk at otsi.com> asked:
>
>>Could I add a rule to discard e-mails where the To does not match the
>>actual recipients.  If so could someone post a quick sample?
>>Are there cases where this could block legitimate e-mails?
>
>Here are some headers from the above mail I received from you:
>
>  From: "Jon Kenoyer" <jonk at otsi.com>
>  To: <mimedefang at lists.roaringpenguin.com>
>
>My MTA doesn't insert the envelope recipient in most cases, but I can
>assure you that it could not have been
>mimedefang at lists.roaringpenguin.com
>
>In any case in which you are on a Bcc list, which is typically the case
>in a mailing list, your address will not show up in the To or Cc headers.
>
>Anyway, if you are interested in rules for detecting spam I suggest that
>you just download SpamAssassin. It already works with MimeDefang and
>benefits from lots of people putting together hundreds of rules that can
>come up with an aggregate score to filter spam from nonspam.
>
> -- sidney
>
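
The envelope-versus-header point in the quoted reply, as an added example that is not part of the original thread and is not a MIMEDefang filter: a standalone Python script that applies a strict "envelope recipient must appear in To or Cc" rule to four constructed messages and reports which legitimate ones it would block. All addresses, sample messages and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def header_recipients(raw_message):
    """Return the lower-cased addresses found in the To and Cc headers."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}

def unlisted_recipients(envelope_rcpts, raw_message):
    """Envelope (RCPT TO) addresses that appear in neither To nor Cc."""
    listed = header_recipients(raw_message)
    return sorted(r.lower() for r in envelope_rcpts if r.lower() not in listed)

# Constructed samples: (label, envelope recipients, message text).
# Every one of them is legitimate mail for alice@example.org.
SAMPLES = [
    ("direct", ["alice@example.org"],
     "From: Bob <bob@example.net>\nTo: Alice <alice@example.org>\n"
     "Subject: lunch\n\nNoon?\n"),
    ("mailing list", ["alice@example.org"],
     "From: Carol <carol@example.net>\nTo: <list@lists.example.com>\n"
     "Subject: [list] question\n\nHello list.\n"),
    ("bcc", ["alice@example.org"],
     "From: Bob <bob@example.net>\nTo: Dave <dave@example.net>\n"
     "Subject: fyi\n\nAlice was on the Bcc line.\n"),
    ("no To header", ["alice@example.org"],
     "From: Bob <bob@example.net>\nSubject: hi\n\nNo To header at all.\n"),
]

def would_block():
    """Labels of the samples a strict 'To must match envelope' rule rejects."""
    return [label for label, rcpts, raw in SAMPLES
            if unlisted_recipients(rcpts, raw)]

if __name__ == "__main__":
    for label, rcpts, raw in SAMPLES:
        missing = unlisted_recipients(rcpts, raw)
        print(f"{label:13} {'BLOCK' if missing else 'pass'} {missing}")
```

Only the direct message passes; the list post, the Bcc copy and the message without a To header are all rejected, which is why a score-based rule is the safer place to put a reject decision.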




