How to reject spam where sender = receiver


How to reject spam where sender = receiver

by rpc1

My spamassassin plug doesn't check mail where sender address and receiver address are equal. Like this

Return-Path: <op@domen.com>
X-Spam-Status: No, hits=0.0 required=3.2
        tests=DNSBL_RELAYS.ORDB.ORG: 5.00,DNSBL_BL.SPAMCOP.NET: 5.00,DNSBL_SBL-XBL.SPAMHAUS.ORG: 5.00,
        BAYES_99: 4.07,HELO_DYNAMIC_IPADDR2: 3.818,HTML_IMAGE_ONLY_32: 1.052,
        HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,NO_REAL_NAME: 0.961,
        URIBL_AB_SURBL: 3.812,URIBL_JP_SURBL: 4.087,URIBL_OB_SURBL: 3.008,
        URIBL_SBL: 1.639,URIBL_SC_SURBL: 4.498,URIBL_WS_SURBL: 2.14,
        CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 44.087
X-Spam-Level:
Received: from 75-148-3-221-WashingtonDC.hfc.comcastbusiness.net ([75.148.3.221])
        by mail.tvtb.ru
        for op@domen.com;
        Sun, 25 Oct 2009 07:53:00 +1000
To: operzal@tvtb.ru
Subject: A path leading to your well-being
From: <op@domen.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html

How can I create a new rule which will check whether the TO and FROM fields are equal?

Re: How to reject spam where sender = receiver

by John Hardin

On Tue, 27 Oct 2009, rpc1 wrote:

>
> My spamassassin plug doesn't check mail where sender address and receiver
> address are equal. Like this
>
> Return-Path: <op@...>
> X-Spam-Status: No, hits=0.0 required=3.2
>        tests=DNSBL_RELAYS.ORDB.ORG: 5.00,DNSBL_BL.SPAMCOP.NET:
> 5.00,DNSBL_SBL-XBL.SPAMHAUS.ORG: 5.00,
>        BAYES_99: 4.07,HELO_DYNAMIC_IPADDR2: 3.818,HTML_IMAGE_ONLY_32:
> 1.052,
>        HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,NO_REAL_NAME: 0.961,
>        URIBL_AB_SURBL: 3.812,URIBL_JP_SURBL: 4.087,URIBL_OB_SURBL: 3.008,
>        URIBL_SBL: 1.639,URIBL_SC_SURBL: 4.498,URIBL_WS_SURBL: 2.14,
>        CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 44.087
> X-Spam-Level:
> Received: from 75-148-3-221-WashingtonDC.hfc.comcastbusiness.net
> ([75.148.3.221])
>        by mail.tvtb.ru
>        for op@...;
>        Sun, 25 Oct 2009 07:53:00 +1000
> To: operzal@...
> Subject: A path leading to your well-being
> From: <op@...>
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
>
> How can I create a new rule which will check whether the TO and FROM fields are equal?

I would suggest that is not really what you want to do, as you'll rarely
see that on spam that isn't addressed to your domain. What you probably
want to do is reject mail that is claiming to be from your domain, but
does not actually originate from your domain - in other words, mail where
someone is forging your domain name on the sender address.

Is that a better description of what you want to do?

That has been covered several times, I am pretty sure within the last
month. Please check the list archives for the past two months for a thread
having a subject like "to = from". You'll find a discussion of setting up
an SPF record for your domain and using whitelist_from_auth to enforce it,
and another discussion (involving me) of using milter-regex to reject such
forged sender addresses at SMTP time. Both methods work well, I would
modestly say milter-regex works better because it bypasses SA and is thus
a lighter solution overall.

<mutter>Maybe I should throw a rule like that into the sandbox and see how
well it does...</mutter>

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@...    FALaholic #11174     pgpk -a jhardin@...
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  4 days until Halloween

Re: How to reject spam where sender = receiver

by Ralph Bornefeld-Ettmann-2

John Hardin wrote:

> On Tue, 27 Oct 2009, rpc1 wrote:
>
>>
>> My spamassassin plug doesn't check mail where sender address and receiver
>> address are equal. Like this
>>
>> Return-Path: <op@...>
>> X-Spam-Status: No, hits=0.0 required=3.2
>>        tests=DNSBL_RELAYS.ORDB.ORG: 5.00,DNSBL_BL.SPAMCOP.NET:
>> 5.00,DNSBL_SBL-XBL.SPAMHAUS.ORG: 5.00,
>>        BAYES_99: 4.07,HELO_DYNAMIC_IPADDR2: 3.818,HTML_IMAGE_ONLY_32:
>> 1.052,
>>        HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,NO_REAL_NAME: 0.961,
>>        URIBL_AB_SURBL: 3.812,URIBL_JP_SURBL: 4.087,URIBL_OB_SURBL: 3.008,
>>        URIBL_SBL: 1.639,URIBL_SC_SURBL: 4.498,URIBL_WS_SURBL: 2.14,
>>        CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 44.087
>> X-Spam-Level:
>> Received: from 75-148-3-221-WashingtonDC.hfc.comcastbusiness.net
>> ([75.148.3.221])
>>        by mail.tvtb.ru
>>        for op@...;
>>        Sun, 25 Oct 2009 07:53:00 +1000
>> To: operzal@...
>> Subject: A path leading to your well-being
>> From: <op@...>
>> MIME-Version: 1.0
>> Importance: High
>> Content-Type: text/html
>>
>> How can I create a new rule which will check whether the TO and
>> FROM fields are equal?
>
> I would suggest that is not really what you want to do, as you'll rarely
> see that on spam that isn't addressed to your domain. What you probably
> want to do is reject mail that is claiming to be from your domain, but
> does not actually originate from your domain - in other words, mail
> where someone is forging your domain name on the sender address.
>
> Is that a better description of what you want to do?
>
> That has been covered several times, I am pretty sure within the last
> month. Please check the list archives for the past two months for a
> thread having a subject like "to = from". You'll find a discussion of
> setting up an SPF record for your domain and using whitelist_from_auth
> to enforce it, and another discussion (involving me) of using
> milter-regex to reject such forged sender addresses at SMTP time. Both
> methods work well, I would modestly say milter-regex works better
> because it bypasses SA and is thus a lighter solution overall.
>
> <mutter>Maybe I should throw a rule like that into the sandbox and see
> how well it does...</mutter>
>

If you do not like SPF and you do not have remote users who are allowed
to send mail with local domain you can add a rule to header checks.

e.g. Postfix:

/etc/postfix/header_checks:

/^From:.*example\.com/                                         REJECT


Cheers
Ralph
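Added example, not from Ralph's post or from Postfix itself: a Python `re` check of what the posted header_checks pattern matches, next to a tightened pattern (my own, an assumption) that only fires when example.com, or a subdomain of it, is the actual address domain rather than any substring of the header. Postfix regexp and pcre tables match case-insensitively by default, which `re.IGNORECASE` mirrors; the sample From: lines are constructed.

```python
import re

# Ralph's rule exactly as posted. Postfix regexp/pcre tables are
# case-insensitive unless flagged otherwise, hence re.IGNORECASE.
POSTED = re.compile(r"^From:.*example\.com", re.IGNORECASE)

# Tightened variant (assumption, not from the thread): the domain must
# follow an '@' (optionally with subdomains in front) and end at a
# delimiter, so look-alike domains and display-name text stop matching.
TIGHT = re.compile(r"^From:.*@(?:[\w-]+\.)*example\.com(?=[>\s,;]|$)",
                   re.IGNORECASE)

# Constructed sample headers, one per case worth distinguishing.
HEADERS = [
    'From: "Alice" <alice@example.com>',      # local domain: both reject
    "From: bob@EXAMPLE.COM",                  # case differs: both reject
    "From: mallory@notexample.com",           # look-alike: only POSTED rejects
    "From: news@example.community",           # longer TLD: only POSTED rejects
    "From: example.com fan <fan@other.org>",  # display name only: only POSTED
    "From: carol@other.org",                  # unrelated domain: neither
]


def would_reject(pattern, header):
    """True if a header_checks entry with this pattern would fire."""
    return pattern.search(header) is not None


def compare(headers=HEADERS):
    """For each header: (header, posted pattern hits, tightened pattern hits)."""
    return [(h, would_reject(POSTED, h), would_reject(TIGHT, h)) for h in headers]


if __name__ == "__main__":
    for header, posted, tight in compare():
        print(f"{header:42s} posted={posted!s:5s} tight={tight}")
```

Either pattern still carries Ralph's caveat: a REJECT in header_checks applies to every message that passes through cleanup, including mail your own users submit with a local From:, which is why he limits the advice to sites with no remote senders.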


Re: [SA] How to reject spam where sender = receiver

by Adam Katz-10

John Hardin wrote:
> <mutter>Maybe I should throw a rule like that into the sandbox and see
> how well it does...</mutter>

I had a dialog with Karsten about this a few years ago ... the regex
is nontrivial and dangerous, so the recommended method is a plugin.
I've actually written such a thing already, though slightly different
in that it ignores the domain.  Easy to tailor one way or another.
It's attached.

Result:  Mixed bag.  Might be nice to see in the masscheck.

FROM_EQUALS_TO:  1.313% of spam, 0.657% of ham
FROM_NOT_REPLY:  5.840% of spam, 2.868% of ham

Spam and ham are non-authoritative and include FPs and FNs.  I also
greylist, reducing all spam numbers.

# SenderChecks v1.0
# (C) 2009 By Adam Katz <antispamATkhopiscom> http://khopesh.com/Anti-spam
# Apache License 2.0

=pod
################

# Example usage:

loadplugin Mail::SpamAssassin::Plugin::SenderChecks  sender-checks.pm
header __FROM_EQ_TO eval:check_for_from_equals_to()
meta FROM_EQUALS_TO !(ALL_TRUSTED || DKIM_VERIFIED) && __FROM_EQ_TO
describe FROM_EQUALS_TO From: and To: have the same username
score FROM_EQUALS_TO 0.1

header __FROM_V_REPLY eval:check_for_from_v_replyto_dom()
header __PREC_BULK Precedence =~ /bulk|list/
meta FROM_NOT_REPLY !(__PREC_BULK||ALL_TRUSTED||DKIM_VERIFIED) && __FROM_V_REPLY
describe FROM_NOT_REPLY From: and Reply-To: have different domains
score FROM_NOT_REPLY 0.1

################
=cut

package Mail::SpamAssassin::Plugin::SenderChecks;

use strict;
use warnings;

use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new( $mailsa );
  bless ($self, $class);
  $self->register_eval_rule ( 'check_for_from_equals_to' );
  $self->register_eval_rule ( 'check_for_from_v_replyto_dom' );

  return $self;
}

# Adapted from http://wiki.apache.org/spamassassin/FromNotReplyTo
# Spammers often point Reply-To: at a domain different from the (forged)
# From: domain, while most legitimate non-list e-mail does not.
sub check_for_from_v_replyto_dom {
  my ($self, $msg) = @_;

  # Fall back to '' so a missing header never leaves undef in the substitutions
  my $from = $msg->get( 'From:addr' ) || '';
  $from =~ s/.*@//;                       # keep only the domain
  my $replyTo = $msg->get( 'Reply-To:addr' ) || '';
  $replyTo =~ s/.*@//;

  Mail::SpamAssassin::Plugin::dbg(
    "SenderChecks: matching from/replyto: $from/$replyTo" );

  if ( $from ne '' && $replyTo ne '' && $from ne $replyTo ) {
    return 1;
  }

  return 0;
}

# Spammers often forge the sender email to use the same username as
# the victim, while most legitimate e-mail does not.
sub check_for_from_equals_to {
  my ($self, $msg) = @_;

  my $from = $msg->get( 'From:addr' ) || '';
  $from =~ s/@.*//;                       # keep only the local part (username)
  my $to = $msg->get( 'To:addr' ) || '';
  $to =~ s/@.*//;

  Mail::SpamAssassin::Plugin::dbg("SenderChecks: matching from/to: $from/$to");

  if ( $from ne '' && $from eq $to ) {
    return 1;
  }

  return 0;
}

1;  # a plugin module must return true or loadplugin will fail to require it
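Added example, not Adam's plugin and not SpamAssassin code: the same two checks ported to Python over parsed RFC 5322 headers, run against constructed sample headers (one modelled on rpc1's message), together with the spam-to-overall ratio that the later replies call S/O. The S/O formula used here (spam hit rate divided by the sum of the spam and ham hit rates) and the case-insensitive address comparison are my assumptions; the thread's plugin compares the raw strings.

```python
"""Port of the two SenderChecks eval rules, plus the S/O arithmetic."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (headers only), not real traffic.
SAMPLES = {
    # same username on both ends, different domains: FROM_EQ_TO hits
    "self_addressed": "From: <alice@example.org>\nTo: alice@example.net\n\nbody\n",
    # modelled on rpc1's message: To: is 'operzal', From: is 'op', so no hit
    "thread_sample": ("Return-Path: <op@domen.com>\nFrom: <op@domen.com>\n"
                      "To: operzal@tvtb.ru\nSubject: A path leading to your well-being\n\nbody\n"),
    # Reply-To: in a different domain from From: FROM_V_REPLY hits
    "replyto_mismatch": ("From: Support <support@example.com>\n"
                         "Reply-To: claims@example-payments.net\nTo: bob@example.com\n\nbody\n"),
    # no Reply-To: at all: FROM_V_REPLY must stay quiet
    "no_reply_to": "From: bob@example.com\nTo: carol@example.net\n\nbody\n",
}


def parse(raw):
    """Parse a raw message string into an email.message.EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def _addr(msg, header):
    """Bare, lower-cased address of the first mailbox in `header`, or ''."""
    value = msg.get(header)
    if value is None:
        return ""
    return parseaddr(str(value))[1].lower()  # assumption: case-insensitive


def local_part(addr):
    return addr.split("@", 1)[0] if addr else ""


def domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def from_equals_to(msg):
    """check_for_from_equals_to: From: and To: share a username."""
    f, t = local_part(_addr(msg, "From")), local_part(_addr(msg, "To"))
    return bool(f) and f == t


def from_vs_replyto_domain(msg):
    """check_for_from_v_replyto_dom: From: and Reply-To: domains differ."""
    f, r = domain(_addr(msg, "From")), domain(_addr(msg, "Reply-To"))
    return bool(f) and bool(r) and f != r


def evaluate(raw):
    """Run both checks on one raw message; keys mirror the sub-rule names."""
    msg = parse(raw)
    return {"FROM_EQ_TO": from_equals_to(msg),
            "FROM_V_REPLY": from_vs_replyto_domain(msg)}


def spam_to_overall(spam_pct, ham_pct):
    """S/O: share of all hits that landed on spam (assumed mass-check definition)."""
    return spam_pct / (spam_pct + ham_pct)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} {evaluate(raw)}")
    # Adam's posted rates for FROM_EQUALS_TO: 1.313% of spam, 0.657% of ham
    print("FROM_EQUALS_TO S/O:", round(spam_to_overall(1.313, 0.657), 3))
```

Two things the samples make visible: rpc1's own message would not hit FROM_EQ_TO, because the plugin compares the To: header (operzal@...) while op@... appears only in Return-Path and the Received "for" clause, which the eval rule never reads; and feeding Adam's percentages into the formula gives about 0.667, close to the 0.665 he quotes, the gap presumably coming from unrounded counts.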


Re: [SA] How to reject spam where sender = receiver

by John Hardin

On Tue, 27 Oct 2009, Adam Katz wrote:

> John Hardin wrote:
>> <mutter>Maybe I should throw a rule like that into the sandbox and see
>> how well it does...</mutter>
>
> I had a dialog with Karsten about this a few years ago ... the regex
> is nontrivial and dangerous, so the recommended method is a plugin.
> I've actually written such a thing already, though slightly different
> in that it ignores the domain.  Easy to tailor one way or another.
> It's attached.
>
> Result:  Mixed bag.  Might be nice to see in the masscheck.

I just threw a basic (by no means thorough) rule into my sandbox. We'll
see how it does, I can kill it easily enough.

> FROM_EQUALS_TO:  1.313% of spam, 0.657% of ham

That's a fairly low S/O.


Re: How to reject spam where sender = receiver

by Benny Pedersen

On Wed, 28 Oct 2009 00:36:10 CET, rpc1 wrote:

> My spamassassin plug doesn't check mail where sender address and receiver
> address are equal. Like this

http://www.nabble.com/postfwd-stop-equal-sender-recipient-spams-td21164908.html

or set up SPF for your domain and test with SPF in your MTA

I do the latter now, but if you don't want to use SPF, use the postfwd rule

--
xpoint


Re: How to reject spam where sender = receiver

by Adam Katz-10

Benny Pedersen wrote:

> On Wed, 28 Oct 2009 00:36:10 CET, rpc1 wrote:
>
>> My spamassassin plug doesn't check mail where sender address and receiver
>> address are equal. Like this
>
> http://www.nabble.com/postfwd-stop-equal-sender-recipient-spams-td21164908.html
>
> or set up SPF for your domain and test with SPF in your MTA
>
> I do the latter now, but if you don't want to use SPF, use the postfwd rule

I scored that 0.1 ... rejecting based on sender==recipient would
effectively be scoring it far higher, and would most certainly reject
legitimate mail (lots of people send announcements via Bcc or Cc while
addressing the message back to themselves).

Also, SPF only works for domains you control iff the sender were
forging one of them.  My plugin matches username1@domain1 to
username2@domain2 if username1 == username2 regardless of domain.

Re: How to reject spam where sender = receiver

by Benny Pedersen

On Wed, 28 Oct 2009 15:42:19 CET, Adam Katz wrote:

[snip]
> forging one of them.  My plugin matches username1@domain1 to
> username2@domain2 if username1 == username2 regardless of domain.

Legit users cannot use SMTP auth? Hmm :)

--
xpoint


Re: How to reject spam where sender = receiver

by Jari Fredriksson

On 28.10.2009 16:42, Adam Katz wrote:
>
> I scored that 0.1 ... rejecting based on sender==recipient would
> effectively be scoring it far higher, and would most certainly reject
> legitimate mail (lots of people send announcements via Bcc or Cc while
> addressing the message back to themselves).
>

Thanks for the plugin! I scored it as 1.0, and it definitely hits most
of my spam.

I sometimes send notes to myself, but 1.0 is not dangerous yet.

--
http://www.iki.fi/jarif/

Tomorrow will be cancelled due to lack of interest.




Re: How to reject spam where sender = receiver

by Adam Katz-10

Jari Fredriksson wrote:

> On 28.10.2009 16:42, Adam Katz wrote:
>> I scored that 0.1 ... rejecting based on sender==recipient would
>> effectively be scoring it far higher, and would most certainly reject
>> legitimate mail (lots of people send announcements via Bcc or Cc while
>> addressing the message back to themselves).
>
> Thanks for the plugin! I scored it as 1.0, and it definitely hits most
> of my spam.
>
> I sometimes send notes to myself, but 1.0 is not dangerous yet.

The only data we have on this at the moment is my own S/O of 0.665,
which (as John mentioned) is rather mild.  I wouldn't push it beyond
0.75 on the aggressive side.

Re: How to reject spam where sender = receiver

by rpc1

Thanks for the useful answers!