spamassassin-users mailing list archives

From Jakob Curdes ...@info-systems.de>
Subject Re: FROM header with two email addresses
Date Thu, 05 Oct 2017 10:41:26 GMT
Hello all, I was the original poster of this topic but was away for a 
couple of days.
I find it amazing to see the number of suggestions and ideas that have 
come up here.

However, none of the constructions matched "my" From: lines of the form

From: "Firstname Lastname@" <recipient-domain.com sendername@real-senders-domain.com>

I therefore now constructed the following rules:

describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header  __FROM_NAME_CONTAINS_AT From:name =~ /\@/
describe __FROM_MULTIPLE_ADDR address part of FROM contains more than one mail address (additional text)
header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

describe __FROM_NAME_ADDRESS_EQUAL constructions like "user1@companya.com" <user2@companyb.com>
header  __FROM_NAME_ADDRESS_EQUAL From =~ /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header  __FROM_NAME_CONTAINS_ADDRESS From =~ /["']?(\w+@\w+\.\w+)["']?\s*\</i

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && !__FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL

(The last META could even get a slightly negative score; I occasionally 
see people entering their email address in the name field.)

I am now waiting to see some hits. I consider the risk of false 
positives low in this case; if these METAs are matched, somebody is 
trying to trick you.

Regards JC
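
Added example (not part of the original message, and not SpamAssassin code): a Python sketch that applies the regexes from the rules above to constructed From values and reports which of the three metas would fire. The split_from helper is an assumed simplification of how SpamAssassin derives From:name and From:addr, and all sample addresses are constructed.

```python
import re

# Regexes copied from the rules in the message above.
NAME_CONTAINS_AT = re.compile(r"\@")
MULTIPLE_ADDR = re.compile(r"\s")
NAME_ADDRESS_EQUAL = re.compile(r"""["']?(\w+@\w+\.\w+)["']?\s*\<\1\>""", re.I)
NAME_CONTAINS_ADDRESS = re.compile(r"""["']?(\w+@\w+\.\w+)["']?\s*\<""", re.I)


def split_from(value):
    """Assumed stand-in for SpamAssassin's From:name / From:addr parsing:
    name = text before the first '<', addr = text between the first '<'
    and the last '>'."""
    name, sep, rest = value.partition("<")
    if not sep:
        return "", value.strip()
    return name.strip().strip("\"'"), rest.rsplit(">", 1)[0].strip()


def evaluate(from_value):
    """Return the set of meta rule names that would fire for a From value."""
    name, addr = split_from(from_value)
    contains_at = bool(NAME_CONTAINS_AT.search(name))
    multiple = bool(MULTIPLE_ADDR.search(addr))
    equal = bool(NAME_ADDRESS_EQUAL.search(from_value))
    contains_addr = bool(NAME_CONTAINS_ADDRESS.search(from_value))
    hits = set()
    if contains_at and multiple:
        hits.add("FROM_SPOOF_SENDER1")
    if contains_addr and not equal:
        hits.add("FROM_SPOOF_SENDER2")
    if contains_addr and equal:
        hits.add("FROM_ADDRESS_TWICE")
    return hits


# Constructed sample From values (not taken from real mail).
SAMPLES = [
    '"Firstname Lastname@" <recipient-domain.com sendername@real-senders-domain.com>',
    '"user1@companya.com" <user2@companyb.com>',
    '"user1@companya.com" <user1@companya.com>',
    '"Firstname Lastname" <sendername@example.com>',
    '"first.last@mail.companya.com" <user2@companyb.com>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(sorted(evaluate(s)) or ["(no hit)"], s)
```

The last sample carries an address in the name part but produces no hit, because \w+@\w+\.\w+ only accepts a single-word local part and a two-label domain without hyphens.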

