spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: FROM header with two email addresses
Date Mon, 02 Oct 2017 18:11:14 GMT
On Mon, 2 Oct 2017, David Jones wrote:

> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>> 
>> >  I recently stumbled onto a mail with a Spam link where the FROM header 
>> >  field looked like this:
>> > 
>> >  From: "Firstname Lastname@" <recipient-domain.com 
>> >  sendername@real-senders-domain.com>
>>
>>  Jakob, just wanted to let you know I identified this issue as well and
>>  just opened a ticket about it yesterday to try and figure out a rule
>>  against it.  Can you send me spamples via pastebin, please?
>>
>>
>>  Regards,
>>  KAM
>> 
>
> I am seeing this more and more on my SA filters and being reported by my 
> customers:
>
> https://pastebin.com/f07Gq1kZ
>
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header          FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
> describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an email address in the display name

You probably want to let SA do the header parsing and write your rule 
against From:name or From:addr instead.

If you're testing your rules in a sandbox using debug mode, this may help:

   header   __FROM_NAME  From:name =~ /.*/
   header   __FROM_ADDR  From:addr =~ /.*/

That way you can see what's actually being parsed from the header.


Potentially this might be as simple as:

   header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/

or

   header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

No idea how FP-prone those might be, though, so it's probably prudent to 
meta them with other stuff as well...


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If you ask amateurs to act as front-line security personnel,
   you shouldn't be surprised when you get amateur security.
                                                     -- Bruce Schneier
-----------------------------------------------------------------------
  186 days since the first commercial re-flight of an orbital booster (SpaceX)
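Added example (not from this thread and not SpamAssassin's own code): a dry run of the three candidate rules above over a handful of constructed From: header values, splitting each header into a display-name part and an address part roughly the way the From:name / From:addr modifiers do. The split is this script's own approximation, not SA's parser, and it joins multiple <...> addresses with a single space, which is what the From:addr =~ /\s/ rule assumes; confirm what your SA version actually extracts with the __FROM_NAME / __FROM_ADDR debug rules from the message. The FROM_SPOOF_NAME_DOMAIN meta at the end is one suggestion for the "other stuff" to meta with: the display name embeds an address whose domain differs from the real sender's domain. The sample headers, the victim.com / attacker.net names and the FROM_SPOOF_NAME_DOMAIN rule name are all invented for the example.

```python
import re

# Constructed sample From: header values (not the pastebin samples from the thread).
SAMPLES = {
    # unquoted display name that is itself an address at the recipient's domain
    "spoof_plain":  "Alice Smith@victim.com <sender@attacker.net>",
    # same trick with a hyphenated recipient domain
    "spoof_hyphen": "Alice Smith@victim-corp.com <sender@attacker.net>",
    # two real addresses in a single From: header
    "two_addrs":    '"Alice" <alice@victim.com>, <sender@attacker.net>',
    # ordinary header; must stay clean
    "clean":        '"Alice Smith" <alice.smith@example.org>',
    # legitimate name with an '@' in it; candidate false positive
    "fp_name":      '"IT Dept@HQ" <helpdesk@example.org>',
}

ANGLE_ADDR = re.compile(r"<([^<>]*)>")
# an address-like token with at least one dot in the domain; group 1 is the domain
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def split_from(header):
    """Return (name, addr) for a From: value (approximation, not SA's parser).

    name: text before the first '<' with surrounding quotes removed.
    addr: every <...> group, joined by a single space when there is more
          than one, or the bare header when no <...> is present.
    """
    groups = [m.group(1).strip() for m in ANGLE_ADDR.finditer(header)]
    if groups:
        name = header[: header.index("<")].strip().strip('"').strip()
        return name, " ".join(groups)
    return "", header.strip()


# (target, pattern): David's rule runs on the raw header, John's two on the parsed parts.
RULES = {
    "FROM_SPOOF_EMAIL_DISPLAY": ("raw",  re.compile(r"@[a-z_]+?\.[a-z]{2,3} <", re.I)),
    "__FROM_MAYBE_SPOOF":       ("name", re.compile(r"\w@\w")),
    "__FROM_MULTIPLE_ADDR":     ("addr", re.compile(r"\s")),
}


def name_addr_domain_mismatch(name, addr):
    """Extra signal for a meta rule: the display name embeds an address whose
    domain differs from the domain of the real sender address."""
    n = EMBEDDED_ADDR.search(name)
    a = EMBEDDED_ADDR.search(addr)
    return bool(n and a and n.group(1).lower() != a.group(1).lower())


def evaluate(header):
    """Return the set of rule names that fire for one From: header value."""
    name, addr = split_from(header)
    parts = {"raw": header, "name": name, "addr": addr}
    hits = {r for r, (target, pat) in RULES.items() if pat.search(parts[target])}
    # hypothetical meta: '@' in the display name AND that address points at
    # a different domain than the sender's address
    if "__FROM_MAYBE_SPOOF" in hits and name_addr_domain_mismatch(name, addr):
        hits.add("FROM_SPOOF_NAME_DOMAIN")
    return hits


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        name, addr = split_from(header)
        print(f"{label:13} name={name!r:30} addr={addr!r}")
        print(f"{'':13} hits={sorted(evaluate(header))}")
```

Two things the run makes visible: the raw-header regex above misses the hyphenated "spoof_hyphen" sample (its `[a-z_]` class has no '-' and no '.'), while the From:name check catches it; and the "fp_name" sample trips `\w@\w` on its own but not the meta, because nothing in the display name looks like a full address at another domain.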