spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From RW <rwmailli...@googlemail.com>
Subject Re: New rule --- From:name domain mismatches From:addr domain
Date Wed, 25 Oct 2017 15:30:50 GMT
On Wed, 25 Oct 2017 09:26:37 -0400
Rupert Gallagher wrote:

> This is my rule for a case that has also been discussed in this list.
> I wrote it two weeks ago, and it works so far.
> 
> This part goes into your local.cf:
> 
> header   __F_DM1 eval:from_domains_mismatch()

I wrote something similar as an ordinary rule

header    FROM_DISPLAYS_FAKE_ADDR   From
=~ /^\s*("?)\s*([\w+.-]+\@[a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*\1\s*<(?!\2>)/i

However, when I looked at my ham archive I found that it could be
improved a bit by checking the organizational domain rather than the
full RHS (this is easier to do in perl with tld support).

e.g. "foo@example.com <bar@email.example.com>

and a little bit further by just comparing the first 3 letters of the
main domain label.

e.g. "foo@EXAmple.com <bar@email.EXAmple-online.com>


This may not be representative but I found that the rest of of the FPs
could have been avoided with 

  && (FREEMAIL_FROM || !DKIM_VALID_AU)

the spam rarely hits DKIM_VALID_AU unless it's freemail.

One thing to watch out for is mismatches between unicode and punycode
versions  of the same address.  The above rule only targets ascii
domains in the display field for that reason. 

Mime
View raw message