spamassassin-users mailing list archives

From Chip <jeffsch...@gmail.com>
Subject Re: From name containing a spoofed email address
Date Mon, 22 Jan 2018 21:48:54 GMT
So it's my understanding that SA does the following with this rule,
which is it is checking the From:addr and From:name values in SA to find
their domain and triggering a rule hit if there is a domain in the
From:name that doesn't match the domain in the From:addr.

However, when I examine the headers from many legitimate non-spoofed
emails from bulk senders such as constantcontact, madmimi, sendgrid,
etc. it is very common to find a legitimate sender with a From:addr such
as name@gmail.com which clearly conflicts with the domain name in the
From:addr, address being, for example, with madmimi bulk sending as an
example:

smtp.mailfrom=sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d93421ff@bounces.em.secureserver.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path:
<sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d93421ff@bounces.em.secureserver.net;>
Received: from m205.em.secureserver.net (m205.em.secureserver.net.
[1xx.xx.xxx.xx])

From: balblabla <blablabla@gmail.com>

Would this rule classify that email as probably spam when in fact it
most certainly is not?

So what am I not understanding here?

On 01/22/2018 10:20 AM, David Jones wrote:
> On 01/22/2018 09:05 AM, Rupert Gallagher wrote:
>> This is my current solution for a problem that has been discussed
>> many times in this list.
>> I wrote it last year, and it serves me well. Feel free to use it, if
>> you find it useful.
>>
>> This part goes into your local.cf:
>>
>> header   __F_DM1 eval:from_domains_mismatch()
>> header   __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
>> meta       F_DM ( __F_DM1 && ! __F_DM2 )
>> describe   F_DM From:name domain mismatches From:addr domain
>> priority   F_DM -1
>> score      F_DM 5.0
>>
>> This part goes into the general HeaderEval.pm:
>>
>> $self->register_eval_rule("from_domains_mismatch");
>> [...]
>> sub from_domains_mismatch {
>>    my ($self, $pms) = @_;
>>    my ($temp, $fromAddrDomain, $fromNameDomain);
>>    # Read $1 only after a successful match: a failed match leaves $1
>>    # holding the capture from the previous successful match.
>>    # Domains are lower-cased because they compare case-insensitively.
>>    $temp = $pms->get('From:addr');
>>    $fromAddrDomain = (defined $temp && $temp =~ /\@(.+)/) ? lc($1) : "";
>>    $temp = $pms->get('From:name');
>>    $fromNameDomain = (defined $temp && $temp =~ /\@([^\@\"\s]+)/) ? lc($1) : "";
>>    dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>>    if ( $fromNameDomain eq "" ) {
>>       return 0; # all well, no domain found in From:name
>>    } else {
>>       if( $fromNameDomain eq $fromAddrDomain ) {
>>          return 0; # all well, they match
>>       } else {
>>          return 1; # mismatch, possibly spam
>>       }
>>    }
>> }
>>
>> R.G.
>>
>>
>
> This looks like a simple and valuable approach that should be
> considered for inclusion into SA for everyone.  Do you mind opening up
> a bug at https://bz.apache.org/SpamAssassin/ in the Plugins section?
>
> We could put this in for everyone with a low score and give it a trial
> run before increasing the score.  I will run it locally as well and
> see how it goes.
>
>
>>
>> Sent with ProtonMail <https://protonmail.com> Secure Email.
>>
>> -------- Original Message --------
>> On 17 January 2018 8:31 PM, David Jones <djones@ena.com> wrote:
>>
>>> Would a plugin need to be created (or an existing one enhanced) to be
>>> able to detect this type of spoofed From header?
>>>
>>> From: "hulu@hulumail.com !" lanya-f@hotmail.com
>>>
>>>
>>>
>>>     https://pastebin.com/vVhGjC8H
>>>
>>>     Does anyone else think this would be a good idea to make a rule
>>>     that at least checks both the From:name and From:addr to see if
>>>     there is an email address in the From:name and if the domain is
>>>     different add some points?
>>>
>>>     We are seeing more and more of this now that SPF, DKIM, and DMARC
>>>     are making it harder to spoof common/major brands that have
>>>     properly implemented some or all of them.
>>>
>>> David Jones
>>
>
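
Added example, not part of the thread and not SpamAssassin code: a stand-alone Python re-implementation of the comparison the quoted rule makes, run over constructed From values modelled on the two headers quoted in this message. It reads only the From header (display name versus address), never Return-Path or smtp.mailfrom. The function name is reused for readability, and the sample values and the `.example` domains are assumptions.

```python
import re
from email.utils import parseaddr

# Same character class the posted rule uses to pull a domain out of From:name.
NAME_DOMAIN = re.compile(r'@([^@"\s]+)')


def from_domains_mismatch(from_header):
    """Return (hit, name_domain, addr_domain) for one From header value."""
    name, addr = parseaddr(from_header)        # (display name, bare address)
    # Domain names are case-insensitive, so both sides are lower-cased.
    addr_domain = addr.rpartition("@")[2].lower()
    match = NAME_DOMAIN.search(name)
    if match is None:
        # No address inside the display name: nothing to compare, no hit.
        return (False, "", addr_domain)
    name_domain = match.group(1).lower()
    return (name_domain != addr_domain, name_domain, addr_domain)


# Constructed sample values (angle brackets added where the archive lost them).
SAMPLES = {
    "address in display name, other domain":
        '"hulu@hulumail.com !" <lanya-f@hotmail.com>',
    "bulk sender, plain display name":
        'balblabla <blablabla@gmail.com>',
    "same domain, different case":
        '"Alice alice@Example.COM" <alice@example.com>',
    "subdomain differs, exact compare":
        '"billing@shop.example" <billing@mail.shop.example>',
}


def run_samples():
    """Evaluate every constructed sample and return the results by label."""
    return {label: from_domains_mismatch(v) for label, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (hit, name_dom, addr_dom) in run_samples().items():
        print(f"{'HIT ' if hit else 'pass'}  {label}: "
              f"name={name_dom or '-'} addr={addr_dom}")
```

The last sample shows that an exact string comparison also fires when the display name carries the organisational domain and the address uses a subdomain of it.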

