How to change and forward a spamassasin flagged email?

[MiamiJack]

Hello All,

I was able to create an anti-phishing spamassasin rule which is working, but would like to add some additional information and notify someone that the process was attempted.

Basically a spammer/phishing person send an email which we determine is 100% phishing based on criteria.
We can score that message with a 10, and basically get it rejected, but I would like to do something with the 2 additional functions.

First I would like to add to the beginning of the emails message:
** WARNING XXXX **
Original Message.

Secondly I want to send the identified message including the warning to a different email address, lets say the IT team so they are made aware of the attempt.

Thank you!

 

[Stoiko Ivanov]

I guess the thread ended up in the wrong forum? (Proxmox Backup Server instead of Proxmox Mail Gateway)

I'll move it to the PMG forum.

That should be doable by adding a rule which matched on all mails with SPAM level 10 and higher (the 'problem' here is that it will also match on mails which also have a spamscore of 10, without triggering your rule)

add an action: BCC - to the IT Team
add an action: Modify Spam Subject

I hope this helps!

 

[MiamiJack]

Thank you @Stoiko Ivanov, I'm not sure where this rule would be placed, can you give me some direction to look for in the docs?
I believe this can't be done from within SA.

Also, taking into consideration what you mentioned above about scoring it as a 10, and then all messages flagged as a 10 would match, could I score it something crazy like 100 and really that would be the only match?

Thank you!

 

[Stoiko Ivanov]

I'm not sure where this rule would be placed, can you give me some direction to look for in the docs?
I believe this can't be done from within SA.

spamassassin gives the message a score of 10 (or more) -> the rule system does something with the mail - any rule which has a 'What Object' of Spam Level (and a level <10) will match that mail

* either add a rule with spam level 10 and a priority higher than all other rules having a spam level what object
* or edit a rule with a spam level what object
and add the actions

Also, taking into consideration what you mentioned above about scoring it as a 10, and then all messages flagged as a 10 would match, could I score it something crazy like 100 and really that would be the only match?

a score of 10 is rather seldom (and usually a very good indicator of actual spam - so modifying the spam-subject on those mails seems like a good idea)

in theory it is possible to also have mails not matching your rule receiving a score > 100 - so I would suggest you try your rule with a score of 10 first.….

I hope this helps!

 

[MiamiJack]

So using the rule system is my only option?
I ask that because in certain SA rules I may want to notify a specific user of something but my only option in a rule is "notify admin".
Also, I see in the what section of the rule lets say spam level 10, I would probably need to make it a unique number like spam level 100, but not seeing a way to create the what object of 100.

So if I get this correctly, I would make a rule, have it match spam level 100, notify (someone or admin), and then delete the message.

Thanks