spamassassin-users mailing list archives

From RW <rwmailli...@googlemail.com>
Subject Re: From name containing a spoofed email address
Date Thu, 18 Jan 2018 13:33:16 GMT
On Thu, 18 Jan 2018 11:52:36 +0000 (UTC)
Pedro David Marco wrote:

> David,
> This rule can do the full job... I have tested it with good
> results. (Can be tested here: https://regex101.com/r/Vpmhjz/3 ) It
> checks if the level domain next to the TLD in the From:name matches
> the domain next to the TLD in From:email header
>
> header FROM_DOMAINS_MISMATCH From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
> describe FROM_DOMAINS_MISMATCH Domain name mismatch in From header


!~ matches are dangerous because they match by default if you
don't anticipate all the legitimate formats. The above will FP on a
simple email address. It could be rewritten as a __FROM_DOMAINS_MATCH
and used in a meta rule.


It's also not a complete solution as it doesn't handle third-level
domains correctly e.g. in

"support@paypal.co.uk" <jkhjhjk@bogus.co.uk>

"co" will match "co". This is why it's probably best to do it in perl
where the tlds from 20_aux_tlds.cf can be used.
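
Added example, not part of the original message or of SpamAssassin: a Python sketch that runs the quoted regex over constructed From headers to show both problems raised above, next to a positive test that compares registrable domains. The suffix set is a small constructed stand-in for a real list such as the TLDs in 20_aux_tlds.cf, and all function names are hypothetical.

```python
import re

# Regex from the quoted FROM_DOMAINS_MISMATCH rule, copied unchanged.
QUOTED_RULE = re.compile(
    r'(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)')

# Constructed stand-in for a real suffix list (e.g. the TLDs in 20_aux_tlds.cf).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

ADDR = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')  # group 1 = host part

# Constructed sample From headers.
SIMPLE = 'joe@example.com'
PLAIN = 'Joe Bloggs <joe@example.com>'
SPOOF = '"support@paypal.co.uk" <jkhjhjk@bogus.co.uk>'
LEGIT = '"support@paypal.co.uk" <support@mail.paypal.co.uk>'

def quoted_rule_fires(from_header):
    """The rule uses !~, so it fires whenever the regex does NOT match."""
    return QUOTED_RULE.search(from_header) is None

def registrable_domain(host):
    """Known suffix plus one label: paypal.co.uk, never just co.uk."""
    labels = host.lower().split(".")
    n = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(n + 1):])

def split_from(from_header):
    """Split 'name <addr>' into (name, addr); a bare address has no name."""
    m = re.match(r'^(.*)<([^<>]*)>\s*$', from_header.strip())
    return (m.group(1), m.group(2)) if m else ("", from_header.strip())

def name_spoofs_address(from_header):
    """Positive test: fire only when the display name holds an address whose
    registrable domain differs from that of the real sender address."""
    name, addr = split_from(from_header)
    claimed, real = ADDR.search(name), ADDR.search(addr)
    if not claimed or not real:
        return False  # nothing to compare, so do not fire
    return registrable_domain(claimed.group(1)) != registrable_domain(real.group(1))

if __name__ == "__main__":
    for h in (SIMPLE, PLAIN, SPOOF, LEGIT):
        print(f"{h!r}: quoted={quoted_rule_fires(h)} positive={name_spoofs_address(h)}")
```

The quoted rule fires on the two headers with no address in the display name and stays silent on the co.uk spoof, while the positive test fires only on the spoof.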
