Bug 3959 - Observed spoofed FROM addresses in WHITELIST
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.0.0
Hardware: Other other
: P5 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2004-11-07 23:57 UTC by Jeff Guthridge
Modified: 2004-11-08 00:55 UTC

Description Jeff Guthridge 2004-11-07 23:57:26 UTC
Please forgive me if this is a known issue, or should be sent elsewhere.

I've been seeing a trend.  I've got my prefs set pretty tight and it catches
almost everything.  What is getting through is doing so in a rather clever way.

I have whitelisted certain addresses on my domain (like mine, for instance) to
make sure if I forward something around to someone else in my organization,
they get it.

I'm seeing my email address spoofed as the FROM address, and thus it's
whitelisted and the rest of the scores being irrelevant.

Is there a way to lock the whitelist so that it requires the "name" to match the
"email" in order to count? (Ergo "Jeff Guthridge, jeff@arconian.com"
matches, while "Big Johnson, jeff@arconian.com" does not)

With the growing number of viruses and such that spoof their FROM headers,
spoofing the spam as to and from the intended target will only get more and more
popular as tools like SA get better and better.

Jeff
Comment 1 Fred T 2004-11-08 09:08:09 UTC
From the docs:
"If you want to whitelist your own domain, be aware that spammers will often 
impersonate the domain of the recipient. The recommended solution is to instead 
use whitelist_from_rcvd."

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html

I recommend you close this, we all know about the popular use of spoofing your 
own address in the from line.
Comment 2 Justin Mason 2004-11-08 09:55:04 UTC
Use whitelist_from_rcvd, that's not spoofable. As Fred says, all other simple
forms of whitelist_from are spoofable, and are being actively spoofed by spammers.
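
The change recommended in the comments above, written out as a SpamAssassin configuration fragment. This is an added example, not part of the original bug thread: the relay rDNS domain and the trusted_networks address are assumptions standing in for the reporter's real mail setup.

```conf
# local.cf (constructed example)

# Weak: matches on the From address alone, which the sender controls.
# A message claiming to be from "Big Johnson <jeff@arconian.com>" is
# whitelisted and the remaining rule scores no longer matter.
# whitelist_from      jeff@arconian.com

# Stronger: the From address must match AND the relay that handed the
# message to your trusted network must have reverse DNS matching the
# second argument (assumed here to be arconian.com).
whitelist_from_rcvd   jeff@arconian.com   arconian.com

# Whole-domain form with the same relay requirement.
whitelist_from_rcvd   *@arconian.com      arconian.com

# whitelist_from_rcvd depends on SpamAssassin knowing which Received
# headers were written by your own servers. 192.0.2.10 is a placeholder
# for the address of your own mail exchanger.
trusted_networks      192.0.2.10
```

Run `spamassassin --lint` after editing to confirm the file parses.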