spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From RW <>
Subject Re: From name containing a spoofed email address
Date Thu, 18 Jan 2018 13:33:16 GMT
On Thu, 18 Jan 2018 11:52:36 +0000 (UTC)
Pedro David Marco wrote:

>  David,
> This rule can do the full job... i have tested it with good
> results..   (Can be tested here: ) It
> checks if the level domain next to the TLD in the From:name matches
> the domain next to the TLD in From:email header
> From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/describe
>   FROM_DOMAINS_MISMATCH Domain name mismatch in From header

!~ matches are dangerous because they match by default if you
don't anticipate all the legitimate formats. The above will FP on a
simple email address. It could be rewritten as a __FROM_DOMAINS_MATCH
and used in a meta rule.

It's also not a complete solution as it doesn't handle third-level
domains correctly e.g. in

"" <>

"co" will match "co". This is why it's probably best to do it in perl
where the tlds from can be used.

View raw message