Date: Thu, 18 Jan 2018 13:33:16 +0000
From: RW
To: users@spamassassin.apache.org
Subject: Re: From name containing a spoofed email address
Message-ID: <20180118133316.7bf3baa2@gumby.homeunix.com>
In-Reply-To: <1385637576.377616.1516276356458@mail.yahoo.com>
References: <1385637576.377616.1516276356458@mail.yahoo.com>

On Thu, 18 Jan 2018 11:52:36 +0000 (UTC)
Pedro David Marco wrote:

> David,
>
> This rule can do the full job... I have tested it with good results.
> (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
> It checks if the level domain next to the TLD in the From:name matches
> the domain next to the TLD in From:email header
>
> header FROM_DOMAINS_MISMATCH From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
> describe FROM_DOMAINS_MISMATCH Domain name mismatch in From header

!~ matches are dangerous because they match by default if you don't
anticipate all the legitimate formats. The above will FP on a simple
email address. It could be rewritten as a __FROM_DOMAINS_MATCH and used
in a meta rule.

It's also not a complete solution as it doesn't handle third-level
domains correctly, e.g. in "support@paypal.co.uk" "co" will match "co".
This is why it's probably best to do it in Perl, where the TLDs from
20_aux_tlds.cf can be used.
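As an added illustration (not code from the thread or from SpamAssassin), the Python below first mimics the `!~` semantics of the quoted rule, using the regex transcribed from Pedro's message, to reproduce both failure modes RW describes, and then shows the positive-logic alternative that compares registrable domains. The suffix set is a small constructed stand-in for the data in 20_aux_tlds.cf, and all helper names are this example's own.

```python
import re

# Pedro's regex from the thread, transcribed. SpamAssassin applies it with !~,
# i.e. the rule FIRES whenever this pattern does NOT match the From: header.
NAIVE_RE = re.compile(r"(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)")

# Constructed stand-in for the TLD list SpamAssassin ships in 20_aux_tlds.cf.
# A real implementation would load that file; this is a small assumed subset.
SUFFIXES = {"co.uk", "org.uk", "com.au", "com", "net", "org", "uk", "au"}

# Domain-looking tokens in the display name, and the host part of <local@host>.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\.[A-Za-z]{2,}")
ANGLE_ADDR_RE = re.compile(r"<[^<>@\s]+@([^<>@\s]+)>")


def naive_rule_fires(from_header):
    """Mimic 'From !~ /.../': the rule fires when the pattern fails to match."""
    return NAIVE_RE.search(from_header) is None


def registrable_domain(host):
    """Registrable domain = longest known public suffix plus one more label.
    This is what 'co' vs 'co.uk' needs: paypal.co.uk and evil.co.uk differ."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):          # try the longest suffix first
        if ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None                                      # no known suffix, give up


def from_domains_mismatch(from_header):
    """Positive-logic check (the __FROM_DOMAINS_MATCH idea inverted explicitly):
    fire only when a domain-like token in the display name resolves to a
    different registrable domain than the address itself."""
    m = ANGLE_ADDR_RE.search(from_header)
    if m is None:
        return False            # bare address, no display name: never fire
    display_name, addr_host = from_header[:m.start()], m.group(1)
    addr_dom = registrable_domain(addr_host)
    if addr_dom is None:
        return False            # unknown suffix: cannot compare safely
    for token in HOST_RE.findall(display_name):
        name_dom = registrable_domain(token)
        if name_dom is not None and name_dom != addr_dom:
            return True
    return False
```

The two `naive_rule_fires` cases in the test show the FP on a bare address and the miss on a `.co.uk` lookalike; `from_domains_mismatch` handles both and also treats `mail.paypal.com` as the same registrable domain as `paypal.com`.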