Date: Mon, 2 Oct 2017 12:07:30 -0700 (PDT)
From: John Hardin
To: users@spamassassin.apache.org
Subject: Re: FROM header with two email addresses
References: <3feda60d-bbfc-9289-cf12-7b4f14b0b8f8@info-systems.de>
 <3566A129-AED8-42ED-9650-16E6038D8AD1@billmail.scconsult.com>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)

On Mon, 2 Oct 2017, David Jones wrote:

> On 10/02/2017 01:11 PM, John Hardin wrote:
>> On Mon, 2 Oct 2017, David Jones wrote:
>>
>>> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>>>>
>>>>>   I recently stumbled onto a mail with a Spam link where the FROM header
>>>>>   field looked like this:
>>>>>
>>>>>   From: "Firstname Lastname@" sendername@real-senders-domain.com>
>>>>
>>>>  Jakob, just wanted to let you know I identified this issue as well and
>>>>  just opened a ticket about it yesterday to try and figure out a rule
>>>>  against it.  Can you send me spamples via pastebin, please?
>>>>
>>>>  Regards,
>>>>  KAM
>>>>
>>>
>>> I am seeing this more and more on my SA filters and being reported by my
>>> customers:
>>>
>>> https://pastebin.com/f07Gq1kZ
>>>
>>> https://pastebin.com/FMsJNGba
>>>
>>> This is catching this pretty well so far:
>>>
>>> header          FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \
>>> describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
>>> email address in the display name
>>
>> You probably want to let SA do the header parsing and write your rule
>> against From:name or From:addr instead.
>>
>
> Thank you for the suggestions. I didn't know about the From:name and
> From:addr parsing by SA. As it turns out, the double quotes missing are very
> important. When I use the From:name which properly has the quotes, I am
> hitting many false positives. It appears that legit sending people or mail
> clients are putting email addresses in their "Display Name". It's the ones
> without quotes that are spam a high percentage of the time in my mail flow.

Not surprising.

> I have gone back to my original rule that catches senders that put an email
> address in the Display Name and do not have quotes.
How about:

  header  __FROM_QUOTES           From =~ /"/
  header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
  meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES

(warning: totally untested)

>> If you're testing your rules in a sandbox using debug mode, this may help:
>>
>>   header   __FROM_NAME  From:name =~ /.*/
>>   header   __FROM_ADDR  From:addr =~ /.*/
>>
>> That way you can see what's actually being parsed from the header.
>>
>>
>> Potentially this might be as simple as:
>>
>>   header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
>>
>> or
>>
>>   header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
>>
>> No idea how FP-prone those might be, though, so it's probably prudent to
>> meta them with other stuff as well...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The world has enough Mouse Clicking System Engineers. -- Dave Pooser
-----------------------------------------------------------------------
 186 days since the first commercial re-flight of an orbital booster (SpaceX)
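Added example, not part of the thread above and not SpamAssassin's own code: a small Python prototype of the rule logic discussed in the messages (the __FROM_QUOTES / __FROM_MAYBE_SPOOF meta, and the From:addr whitespace test), run over constructed From: header values. The parse_from() helper is an assumption of this example, a deliberately simplified stand-in for SpamAssassin's From:name / From:addr extraction (address from the <...> part, display name from what is left, one layer of quotes stripped); it is not SA's parser and will behave differently on badly malformed headers. The display names and domains in SAMPLES are made up.

```python
r"""Prototype of the From: display-name spoof heuristics from the thread.

Added example, not SpamAssassin code.  It mirrors these rules:

    header  __FROM_QUOTES           From =~ /"/
    header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
    meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES
    header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

parse_from() is a small stand-in for SpamAssassin's From:name / From:addr
extraction and is an assumption of this example, not SA's parser.
"""
import re

# Regexes carried over from the rules above (Perl and Python agree on
# \w, \s and a literal double quote).
QUOTE_RE      = re.compile(r'"')
NAME_ADDR_RE  = re.compile(r"\w@\w")
ADDR_SPACE_RE = re.compile(r"\s")

# One angle-addr: everything between a '<' and the next '>'.
ANGLE_ADDR_RE = re.compile(r"<([^<>]*)>")


def parse_from(value):
    """Return (name, addr) for a raw From: header value.

    Simplification (assumption): addr is the content of every <...> pair,
    space-joined, or the whole value when there are no angle brackets;
    name is whatever is left outside the <...> pairs, with one layer of
    surrounding double quotes removed, since From:name presents the
    display name without its quotes.
    """
    addrs = [a.strip() for a in ANGLE_ADDR_RE.findall(value)]
    if addrs:
        addr = " ".join(addrs)
        name = ANGLE_ADDR_RE.sub("", value).strip()
    else:
        addr = value.strip()
        name = ""
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    return name, addr


def evaluate(value):
    """Map each rule name to whether it fires on this From: value."""
    name, addr = parse_from(value)
    hits = {
        # Tested on the raw header, as John's rule does: the quotes are
        # already gone from the parsed From:name.
        "__FROM_QUOTES":        bool(QUOTE_RE.search(value)),
        "__FROM_MAYBE_SPOOF":   bool(NAME_ADDR_RE.search(name)),
        "__FROM_MULTIPLE_ADDR": bool(ADDR_SPACE_RE.search(addr)),
    }
    # meta __FROM_SPOOF  __FROM_MAYBE_SPOOF && !__FROM_QUOTES
    hits["__FROM_SPOOF"] = hits["__FROM_MAYBE_SPOOF"] and not hits["__FROM_QUOTES"]
    return hits


# Constructed From: values (made-up names and domains), one per case the
# thread talks about.
SAMPLES = {
    # The reported pattern: an address in the display name, no quotes.
    "spoof_unquoted": "Firstname Lastname@spoofed-domain.example"
                      " <sendername@real-senders-domain.example>",
    # Same display name but quoted: the false-positive class David Jones
    # saw coming from legitimate senders and clients.
    "legit_quoted":   '"Firstname Lastname@spoofed-domain.example"'
                      " <sendername@real-senders-domain.example>",
    # Ordinary header, nothing to flag.
    "plain":          "Firstname Lastname <sendername@real-senders-domain.example>",
    # Two angle-addrs in one From:, what __FROM_MULTIPLE_ADDR looks for.
    "two_addrs":      "<first@a.example> <second@b.example>",
}


def spoof_verdicts():
    """Return {sample label: did __FROM_SPOOF fire?} for every sample."""
    return {label: evaluate(v)["__FROM_SPOOF"] for label, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        hits = evaluate(value)
        fired = ", ".join(r for r, on in hits.items() if on) or "(none)"
        print(f"{label:15} {fired}")
```

Run stand-alone it prints which rules fire per sample. The legit_quoted row is the interesting one: __FROM_MAYBE_SPOOF fires because the display name does contain an address, but __FROM_QUOTES fires too, so the __FROM_SPOOF meta stays quiet, which is exactly the quoted-versus-unquoted split David describes. Before turning any of this into a scoring rule, run the real SA rules through a sandbox with the __FROM_NAME / __FROM_ADDR debug rules from the thread, since SA's own From:name / From:addr parsing, not this helper, decides what the regexes actually see.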