Spam emails often include recipient addresses directly in their body text - a technique commonly used in phishing attempts and mass spam campaigns. This article shows you how to implement a SpamAssassin rule that detects such patterns and scores emails accordingly. We'll also cover an intelligent solution to prevent false positives when dealing with legitimate email replies.
Spammers frequently include recipient email addresses in their message body for various reasons:
Copy/Paste the following plugin code and proceed as described in the Installation and Configuration section below:
```perl
package Mail::SpamAssassin::Plugin::CheckToCCAddress;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);

# Constructor: registers the eval rule so it can be referenced from local.cf
sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless ($self, $class);
    $self->register_eval_rule('check_address_in_body');
    return $self;
}

# Eval rule: returns 1 if an address from the given headers appears in the body
sub check_address_in_body {
    my ($self, $pms, @header_names) = @_;

    my $body_ref = $pms->get_decoded_body_text_array();
    return 0 unless $body_ref;
    my $body = join("\n", @$body_ref);

    # First check if FROM address is in body (indicating a reply)
    my @from_addresses = $pms->get("From:addr");
    foreach my $from_addr (@from_addresses) {
        next unless $from_addr;
        $from_addr =~ s/^\s+|\s+$//g;
        if ($body =~ /\b\Q$from_addr\E\b/i) {
            # Found FROM address in body, likely a reply, skip check
            return 0;
        }
    }

    # If we get here, proceed with normal TO/CC check
    foreach my $header (@header_names) {
        my @addresses = $pms->get("${header}:addr");
        foreach my $addr (@addresses) {
            next unless $addr;
            $addr =~ s/^\s+|\s+$//g;
            if ($body =~ /\b\Q$addr\E\b/i) {
                return 1;
            }
        }
    }
    return 0;
}

1;  # a Perl module must return a true value when loaded
```
Save the plugin code (above) into a file named `CheckToCCAddress.pm` in your SpamAssassin plugin directory, typically `/usr/share/perl5/Mail/SpamAssassin/Plugin/` or `/etc/spamassassin`.
Add the following lines to your `/etc/spamassassin/local.cf` file. You can use your preferred text editor like vim or nano:

```
# Load the CheckToCCAddress plugin
loadplugin Mail::SpamAssassin::Plugin::CheckToCCAddress CheckToCCAddress.pm

# Define the rule that checks for recipient addresses in body
header TO_CC_IN_BODY eval:check_address_in_body('To','Cc')
describe TO_CC_IN_BODY Recipient address found in message body
score TO_CC_IN_BODY 2.0

# Optional: Add tflags if you want this rule to be shown in report
# tflags TO_CC_IN_BODY learn
```
After adding these lines, verify the configuration:
```bash
spamassassin --lint
spamassassin -D --lint 2>&1 | grep CheckToCCAddress
```

You should see a line like this:

```
Nov 12 11:50:45.047 [688419] dbg: plugin: loading Mail::SpamAssassin::Plugin::CheckToCCAddress from /etc/spamassassin/CheckToCCAddress.pm
```

Then reload SpamAssassin:

```bash
sudo systemctl reload spamassassin
```

or on older systems:

```bash
sudo service spamassassin restart
```

Test the rule against a sample message:

```bash
spamassassin -D --test-mode < test_email.txt | grep TO_CC_IN_BODY
```
You can adjust the score value (2.0) based on your needs. Higher scores will be more aggressive in marking emails as spam when recipient addresses are found in the body. Some guidelines for scoring:
A common issue with TO/CC address detection is false positives from legitimate email replies that contain signatures. Our plugin implements a FROM check to handle this:
| Feature | This Plugin | Basic Regex Match | Quote Detection |
|---|---|---|---|
| Detects TO/CC in Body | Yes | Yes | Yes |
| False Positive Prevention | Yes | No | Limited |
| Reply Detection | Smart | None | Basic |
| Performance Impact | Low | Very Low | Medium |
After implementation, monitor your mail logs for the TO_CC_IN_BODY rule hits. You may need to adjust the score based on your environment:
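One way to do this monitoring, as an added example that is not part of the original plugin: the script below tallies `TO_CC_IN_BODY` hits in spamd `result:` log lines and lists ham messages that would cross the threshold if the rule's score were raised by `raise_by`. The log format (`Y` marks spam, any other marker ham), the sample lines and the `raise_by` parameter are assumptions made for the example.

```python
import re

# Assumed log format: spamd "result:" syslog lines. Adapt the regex if your
# setup logs differently (e.g. via a milter or amavis).
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>\S)\s+(?P<score>-?\d+) - (?P<tests>\S*) (?P<fields>.*)"
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
Nov 12 12:01:07 mx1 spamd[2211]: spamd: result: Y 7 - BAYES_50,HTML_MESSAGE,TO_CC_IN_BODY scantime=0.4,required_score=5.0,mid=<a1@example.test>,autolearn=no
Nov 12 12:02:10 mx1 spamd[2211]: spamd: result: . 4 - HTML_MESSAGE,TO_CC_IN_BODY scantime=0.2,required_score=5.0,mid=<b2@example.test>,autolearn=no
Nov 12 12:03:31 mx1 spamd[2211]: spamd: result: . 2 - TO_CC_IN_BODY scantime=0.2,required_score=5.0,mid=<c3@example.test>,autolearn=no
Nov 12 12:04:02 mx1 spamd[2211]: spamd: result: . 0 -  scantime=0.1,required_score=5.0,mid=<d4@example.test>,autolearn=no
Nov 12 12:05:44 mx1 spamd[2211]: spamd: result: . -1 - ALL_TRUSTED scantime=0.1,required_score=5.0,mid=<e5@example.test>,autolearn=no
Nov 12 12:05:45 mx1 spamd[2211]: spamd: connection from localhost [127.0.0.1]:50210 to port 783, fd 5
""".splitlines()


def rule_stats(lines, rule="TO_CC_IN_BODY", raise_by=1.0):
    """Summarise hits of `rule`; list ham that a score increase would flip."""
    s = {"scanned": 0, "spam_hits": 0, "ham_hits": 0, "ham_total": 0, "would_flip": []}
    for line in lines:
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a scan result line
        s["scanned"] += 1
        is_spam = m["verdict"] == "Y"
        hit = rule in m["tests"].split(",")  # exact rule name, not substring
        s["ham_total"] += not is_spam
        if hit and is_spam:
            s["spam_hits"] += 1
        elif hit:
            s["ham_hits"] += 1
            req = re.search(r"required_score=(-?[\d.]+)", m["fields"])
            mid = re.search(r"mid=(<[^>]*>)", m["fields"])
            # Logged score is a whole number, so this is an approximation.
            if req and int(m["score"]) + raise_by >= float(req[1]):
                s["would_flip"].append(mid[1] if mid else "(no mid)")
    s["ham_hit_rate"] = s["ham_hits"] / s["ham_total"] if s["ham_total"] else 0.0
    return s


if __name__ == "__main__":
    for key, value in rule_stats(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Ham messages that hit the rule are the ones to read before raising the score: if they are legitimate mail, a higher score turns them into false positives.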
This SpamAssassin rule provides an effective way to detect spam emails that use recipient addresses in their body while intelligently avoiding false positives from legitimate replies. The implementation is lightweight, efficient, and can be easily customized to suit your specific needs.
The plugin is written in Perl (`.pm` stands for Perl Module) since SpamAssassin itself is a Perl-based application. Key Perl-specific elements in our code include:
- `package Mail::SpamAssassin::Plugin::CheckToCCAddress;` - defines the Perl namespace for our module
- `=~`
If you're new to Perl, don't worry - the code is relatively straightforward. The most important parts to understand are:
- (`check_address_in_body`) that SpamAssassin can call

A basic understanding of Perl is helpful but not required for using this plugin, though it would be necessary if you want to modify or extend its functionality.