I put together a new SpamAssassin rule that will help identify spam from spoofed email addresses.
Some email providers always sign email with DKIM or DomainKeys … based on this assumption, if you get a message from one of those domains and it isn’t signed, you can assume its more likely to be spam.
This particular rule operates on the assumption that all mail from Yahoo & Gmail will be signed. It does not, however, raise the score a huge amount … because it’s just more LIKELY to be spam if it’s not signed … it’s not guaranteed to be spam. Some people may use the Yahoo or Gmail account’s in the from address, but not actually send from that service.
As an added bonus, I created a rule that simply identifies spam that is expected to be signed and actually is.
To add other domains to the list, modify the __FROM_DKIM_SIGNING_DOMAIN rule.
header __FROM_DKIM_SIGNER from:addr =~ /yahoo\.com|gmail\.com|googlemail\.com|google\.com/i meta NOT_SIGNED_BUT_EXPECTED __FROM_DKIM_SIGNER && !(DKIM_SIGNED && DKIM_VALID) describe NOT_SIGNED_BUT_EXPECTED Message should have been signed by DKIM but wasn't score NOT_SIGNED_BUT_EXPECTED 5 meta SIGNED_AND_EXPECTED __FROM_DKIM_SIGNER && DKIM_SIGNED && DKIM_VALID describe SIGNED_AND_EXPECTED Message should be been signed by DKIM and was score SIGNED_AND_EXPECTED -0.1
Caveat: This rule is by no means perfect … if you have any suggestions for improvement, feel free to let me know.