I have been receiving a lot of mails that are "From" my domain. These mails usually have a different return path (SPF passes), but have, for example, my email address in both the To and the From headers. SpamAssassin doesn't catch all of these mails.
Now the plan is to somehow rewrite the headers to warn the users that the mail is not legit. So if the From address is from my domain and there is no DKIM signature, I would like to classify it as spam or write something in the subject, but I am open to other alternatives.
I have solved it by using a few SpamAssassin rules:
1) check if the mail is from my domain
2) check if the mail is to my domain
3) if both 1) and 2) are true, add +5 spam score
4) if 1) and 2) are true and DKIM is valid, add -6 spam score
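Those four rules written out as a SpamAssassin local.cf fragment, as an added example and not the answerer's own configuration: example.com stands in for the domain, the __LOCAL_ / LOCAL_ rule names are my choice, and DKIM_VALID_AU is the stock rule that the bundled DKIM plugin sets when the message carries a valid signature from the From domain (it needs loadplugin Mail::SpamAssassin::Plugin::DKIM enabled, which is the default in v312.pre).

```conf
# Rules 1) and 2): sub-rules (double underscore = not scored on their own).
# From:addr and ToCc:addr give just the address part, so the $ anchor
# matches the domain of the address rather than the display name.
# example.com is a placeholder for your own domain.
header   __LOCAL_FROM_MYDOMAIN  From:addr =~ /\@example\.com$/i
header   __LOCAL_TO_MYDOMAIN    ToCc:addr =~ /\@example\.com$/i

# Rule 3): both From and To/Cc claim to be our domain -> +5
meta     LOCAL_INTERNAL_LOOKALIKE  (__LOCAL_FROM_MYDOMAIN && __LOCAL_TO_MYDOMAIN)
describe LOCAL_INTERNAL_LOOKALIKE  From and To both at example.com, DKIM not yet checked
score    LOCAL_INTERNAL_LOOKALIKE  5.0

# Rule 4): same pair, but signed by our own DKIM key -> -6
# (DKIM_VALID_AU = valid signature whose d= matches the From domain).
# Net effect for genuine internal mail is 5.0 - 6.0 = -1.0.
meta     LOCAL_INTERNAL_DKIM_OK    (LOCAL_INTERNAL_LOOKALIKE && DKIM_VALID_AU)
describe LOCAL_INTERNAL_DKIM_OK    Internal-looking mail carries a valid aligned DKIM signature
score    LOCAL_INTERNAL_DKIM_OK    -6.0
```

Run `spamassassin --lint` after adding it, then test with one genuine internal message and one of the spoofed ones (`spamassassin -t < msg.eml`) and confirm that only the spoof shows LOCAL_INTERNAL_LOOKALIKE without LOCAL_INTERNAL_DKIM_OK. Two things to check before relying on it: the -6 only fires if the DKIM plugin actually sees the signature, so mail that passes through an internal relay or list that modifies the body will lose it and get the +5 instead; and the +5 alone may not reach required_score, so the Subject rewrite you wanted (rewrite_header Subject) still only happens when the total crosses that threshold.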
I'd add to that these items:
You can really mitigate this problem quickly through effective email authentication.