spamassassin-users mailing list archives

From Miles Fidelman <mfidel...@meetinghouse.net>
Subject Re: FROM header with two email addresses
Date Wed, 27 Sep 2017 18:42:05 GMT
This could also be an attempt to get a mailing list to work.

There's a continuing problem with email list traffic getting bounced by 
DKIM, and various work-arounds - the gist is that the mail has to come 
from the list manager, but you still need a way to indicate the original 
author of the message.  Hacks abound. But basically, DKIM is just broken.

Miles Fidelman


On 9/27/17 12:16 AM, Jakob Curdes wrote:
> Hello all,
>
> I recently stumbled onto a mail with a Spam link where the FROM header 
> field looked like this:
>
> From: "Firstname Lastname@" <recipient-domain.com 
> sendername@real-senders-domain.com>
>
> which is displayed in different ways on different devices but most do 
> display something resembling an internal from address, maybe with an 
> additional second external address.
> So it is a way to make users think this is an internal sender - 
> probably it gets harder and harder to circumvent the ever-growing SPF 
> rejections.
> (The real sender domain has a valid SPF and DKIM entry).
>
> I wonder whether it is possible to detect such a header with 
> spamassassin means? I only see the following rules that hit:
>
> [BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001
>
> I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly 
> different scope and I would not want to just raise the score for that 
> rule, it would probably give many false positives.
> This is spamassassin 3.3.1 on Centos 6.
>
> Regards and thanks, JC

-- 
In theory, there is no difference between theory and practice.
In practice, there is.  .... Yogi Berra
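
Added example, not part of either message in this thread and not a SpamAssassin rule: a stand-alone Python check for the From layout quoted above, where a display name ending in "@" is followed by a bare domain inside the angle brackets. The function name, finding labels and the `local_domains` parameter are hypothetical; the sample header is the one from the quoted message.

```python
import re

# Last <...> group of the header value, and a loose "looks like a domain" test.
ANGLE_RE = re.compile(r'<([^<>]*)>\s*$')
DOMAIN_RE = re.compile(r'^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$')

# Header value from the quoted message, on one line and folded (constructed).
SAMPLE = '"Firstname Lastname@" <recipient-domain.com sendername@real-senders-domain.com>'
SAMPLE_FOLDED = ('"Firstname Lastname@" <recipient-domain.com\r\n'
                 ' sendername@real-senders-domain.com>')


def analyze_from(raw, local_domains=()):
    """Inspect one raw From header value for the spliced-address layout."""
    value = re.sub(r'\r?\n[ \t]+', ' ', raw).strip()    # unfold continuation lines
    result = {'findings': [], 'apparent': None, 'actual': None}
    m = ANGLE_RE.search(value)
    if not m:
        return result                  # bare address without <>, nothing to split
    display = value[:m.start()].strip().strip('"').strip()
    tokens = m.group(1).split()
    if not tokens:
        return result
    result['actual'] = tokens[-1].lower()   # last token: the real address in the sample
    if len(tokens) > 1:
        # A well-formed angle-addr holds a single address and no inner whitespace.
        result['findings'].append('whitespace-in-angle-addr')
    lead = tokens[0]
    if display.endswith('@') and len(tokens) > 1 and DOMAIN_RE.match(lead):
        # "Lastname@" + "recipient-domain.com" is what a reader's eye joins together.
        result['apparent'] = (display.split()[-1] + lead).lower()
        result['findings'].append('display-name-spliced-with-domain')
        if lead.lower() in {d.lower() for d in local_domains}:
            result['findings'].append('apparent-domain-is-local')
    return result


if __name__ == '__main__':
    print(analyze_from(SAMPLE, local_domains=['recipient-domain.com']))
    print(analyze_from('"Alice Example" <alice@example.org>'))
```
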

