spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: FROM header with two email addresses
Date Mon, 02 Oct 2017 19:07:30 GMT
On Mon, 2 Oct 2017, David Jones wrote:

> On 10/02/2017 01:11 PM, John Hardin wrote:
>>  On Mon, 2 Oct 2017, David Jones wrote:
>> 
>> >  On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>> > > 
>> > > >   I recently stumbled onto a mail with a Spam link where the FROM header
>> > > >   field looked like this:
>> > > >   From: "Firstname Lastname@" <recipient-domain.com sendername@real-senders-domain.com>
>> > > 
>> > >   Jakob, just wanted to let you know I identified this issue as well 
>> > >  and
>> > >   just opened a ticket about it yesterday to try and figure out a rule
>> > >   against it.  Can you send me spamples via pastebin, please?
>> > > 
>> > > 
>> > >   Regards,
>> > >   KAM
>> > > 
>> > 
>> >  I am seeing this more and more on my SA filters and being reported by my 
>> >  customers:
>> > 
>> >  https://pastebin.com/f07Gq1kZ
>> > 
>> >  https://pastebin.com/FMsJNGba
>> > 
>> >  This is catching this pretty well so far:
>> > 
>> >  header          FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
>> >  describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an email address in the display name
>>
>>  You probably want to let SA do the header parsing and write your rule
>>  against From:name or From:addr instead.
>> 
>
> Thank you for the suggestions.  I didn't know about the From:name and 
> From:addr parsing by SA.  As it turns out, the double quotes missing are very 
> important.  When I use the From:name which properly has the quotes, I am 
> hitting many false positives.  It appears that legit sending people or mail 
> clients are putting email addresses in their "Display Name". It's the ones 
> without quotes that are spam a high percentage of the time in my mail flow.

Not surprising.

> I have gone back to my original rule that catches senders that put an email 
> address in the Display Name and do not have quotes.

How about:

header  __FROM_QUOTES           From =~ /"/
header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES

(warning: totally untested)

>>  If you're testing your rules in a sandbox using debug mode, this may help:
>>
>>     header   __FROM_NAME  From:name =~ /.*/
>>     header   __FROM_ADDR  From:addr =~ /.*/
>>
>>  That way you can see what's actually being parsed from the header.
>>
>>
>>  Potentially this might be as simple as:
>>
>>     header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
>>
>>  or
>>
>>     header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
>>
>>  No idea how FP-prone those might be, though, so it's probably prudent to
>>  meta them with other stuff as well...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The world has enough Mouse Clicking System Engineers.
                                                        -- Dave Pooser
-----------------------------------------------------------------------
  186 days since the first commercial re-flight of an orbital booster (SpaceX)
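To see how the three signals discussed in this thread (David Jones's raw-header regex, the quoted/unquoted distinction, and John Hardin's From:name / From:addr sub-rules with the meta that combines them) behave side by side, here is an added Python sketch that is not part of the thread or of SpamAssassin. It assumes a deliberately simple name/address split (everything before the last `<` is the name, the bracketed remainder is the address) as a stand-in for SpamAssassin's own From:name / From:addr parsing, which may normalise differently; the header values are constructed, not the pastebin samples.

```python
import re

# Constructed From: header values (not the thread's pastebin samples).
SAMPLES = {
    # address-looking token in an unquoted display name: the spam pattern in the thread
    "unquoted_spoof": 'Firstname Lastname@example.com <sendername@example.net>',
    # a legitimate client that quotes an address in the display name (David's FP case)
    "quoted_legit": '"alice@example.com" <alice@example.com>',
    # two address-like tokens inside one angle-bracket pair
    "double_addr": '"Firstname Lastname@" <example.com sendername@example.net>',
    "plain": 'Bob Smith <bob@example.net>',
}

# Assumption: simplified stand-in for SA's From:name / From:addr extraction.
# Name = everything before the last '<', addr = the bracketed remainder.
# SpamAssassin's real parser may normalise these differently.
def split_from(value):
    m = re.match(r'^\s*(.*?)\s*<([^>]*)>\s*$', value)
    if m:
        return m.group(1), m.group(2).strip()
    return '', value.strip()

# David Jones's raw-header rule, as posted in the thread
RAW_SPOOF = re.compile(r'@[a-z_]+?\.[a-z]{2,3} <', re.I)

def evaluate(value):
    """Return which of the thread's rules would hit for one From: header value."""
    name, addr = split_from(value)
    hits = {
        'FROM_SPOOF_EMAIL_DISPLAY': bool(RAW_SPOOF.search(value)),  # raw header
        '__FROM_QUOTES': '"' in value,                              # From =~ /"/
        '__FROM_MAYBE_SPOOF': bool(re.search(r'\w@\w', name)),      # From:name =~ /\w@\w/
        '__FROM_MULTIPLE_ADDR': bool(re.search(r'\s', addr)),       # From:addr =~ /\s/
    }
    # John Hardin's meta: address-like display name that nobody bothered to quote
    hits['__FROM_SPOOF'] = hits['__FROM_MAYBE_SPOOF'] and not hits['__FROM_QUOTES']
    return hits

if __name__ == '__main__':
    for label, value in SAMPLES.items():
        fired = [rule for rule, hit in evaluate(value).items() if hit]
        print(f'{label:15} {fired}')
```

The quoted legitimate sample trips __FROM_MAYBE_SPOOF but not the meta, which is the false-positive class David describes, while the double-address sample is only caught by the From:addr whitespace check.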