spamassassin-users mailing list archives

From Chip <jeffsch...@gmail.com>
Subject Re: From name containing a spoofed email address
Date Mon, 22 Jan 2018 23:35:10 GMT
Finally!  Thank you!

On 01/22/2018 06:32 PM, John Hardin wrote:
> On Mon, 22 Jan 2018, Chip wrote:
>
>> Understood, so then what would a From:name that contains a domain look
>> like since it seems the filter needs to compare the domain found in
>> From:addr to From:name in order to pass it as ham.
>
>   From: "Joe User (Your Bank) <joeuser@yourbank.com>" <joeblow@phishing.com>
>
>
>> Or am I on another planet altogether here, just say so and I'll shut up.
>>
>> On 01/22/2018 06:21 PM, Chip wrote:
>>> Ah, okay.  Thanks for the clarification.
>>>
>>> So this filter, what would it make of that message?  Spam or ham?
>>>
>>> On 01/22/2018 06:16 PM, shanew@shanew.net wrote:
>>>> I think what's tripping you up is what parts of the mail "From:addr"
>>>> and "From:name" refer to.  In the example you give:
>>>>
>>>> From: blablabla <blablabla@gmail.com>
>>>>
>>>> From:name will be "blablabla"
>>>> and
>>>> From:addr will be "blablabla@gmail.com"
>>>>
>>>> Since there's no "@" in From:name, there's clearly not an email
>>>> address there, so there's nothing to compare to the domain part of
>>>> From:addr.
>>>>
>>>> The "bounces.em.secureserver.net" you're referring to is part of the
>>>> EnvelopeFrom (AKA ReturnPath).  This particular check doesn't consider
>>>> that domain name in any way whatsoever.
>>>>
>>>> On Mon, 22 Jan 2018, Chip wrote:
>>>>
>>>>> I might be wrong here (understand I'm still learning), but the
>>>>> purpose of the filter, from what I've been able to grasp, is that it
>>>>> checks the From:addr and From:name values in SA to find their domain
>>>>> and triggers a rule hit if there is a domain in the From:name that
>>>>> doesn't match the domain in the From:addr.
>>>>>
>>>>> In the example I sent From: (as in From:name) contains the domain
>>>>> "gmail.com" - blablabla@gmail.com
>>>>>
>>>>> From:addr contains "bounces.em.secureserver.net"
>>>>>
>>>>> Thus mismatch between From:name that doesn't match the domain in the
>>>>> From:addr.
>>>>>
>>>>> Thus it would identify this message as probably spam, which it is
>>>>> not.
>>>>>
>>>>> Are people talking about a name like "bla@blabla@domain.com" in this
>>>>> thread, meaning the actual "@" character in the "name", or are we
>>>>> comparing domains from the From:addr to the domain in the From:name?
>>>>>
>>>>>
>>>>>
>>>>> On 01/22/2018 05:56 PM, RW wrote:
>>>>>> On Mon, 22 Jan 2018 17:44:00 -0500
>>>>>> Chip wrote:
>>>>>>
>>>>>>> Following is the full header with identifiable information
>>>>>>> anonymized.
>>>>>> I don't see what you are getting at, in:
>>>>>>
>>>>>>
>>>>>>   From: blablabla <blablabla@gmail.com>
>>>>>>
>>>>>> blablabla doesn't contain an "@".
>>>>>>
>>
>

