On Tue, 14 Apr 2020 at 18:45, Rick King <rk...@zimbra.com> wrote:
>
> Postfix version 3.1.1
>
> Hello List!
>
> We have a customer that occasionally receives messages like this...
>
> Return-Path: <to...@external-domain.tld>
> From: "Free iPad <jsm...@mydomain.tld>" <to...@external-domain.tld>
> To: <us...@mydomain.tld>
> Subject:Free iPad
>
> From the looks of it, messages like these are from legit domains with a
> carefully crafted "displayName".
>
> So the "displayName" is "Free iPad <jsm...@mydomain.tld>", and the "true"
> sender is to...@external-domain.tld.
>
> We were thinking using a header_check rule, something like this; but didn't
> work due to the "backtracking limit exceeded" warning.
>
> /^From:(.*)*\<*@*\> \<*@*\>/ REJECT #Sorry, we do not allow emails with multiple FROM senders
>
> Is it possible to use header_check feature to reject messages with carefully
> crafted displayName?

You can use header_checks in this way, but if you have SpamAssassin it is easier to use its FromNameSpoof plugin.

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_FromNameSpoof.txt

SpamAssassin also looks at headers after conversion from other encodings, which helps catch obfuscated cases.
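The check discussed in this thread, as an added Python example that is not part of either message and is not how header_checks or the FromNameSpoof plugin is implemented: it decodes RFC 2047 encoded-words in the display name first, then flags a From header whose display name carries an address different from the real sender. The function names and the sample headers (with `corp.example` and `sender.example` addresses) are constructed for illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header
from email.utils import parseaddr

# Address-like token; deliberately loose, a heuristic rather than an RFC 5322 parser.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def decode_name(raw):
    """Decode RFC 2047 encoded-words so an encoded display name is checked in clear text."""
    try:
        chunks = decode_header(raw)
    except HeaderParseError:  # malformed encoded-word: fall back to the raw text
        return raw
    parts = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)

def spoofed_display_name(from_header):
    """Return (embedded_addr, real_addr) if the display name contains an
    address other than the actual sender address, else None."""
    name, real = parseaddr(from_header)
    if not real:
        return None  # unparseable header: leave the decision to other checks
    real = real.lower()
    for embedded in ADDR_RE.findall(decode_name(name)):
        if embedded.lower() != real:
            return (embedded.lower(), real)
    return None

# Constructed sample headers (not taken from real mail).
QUOTED = '"Free iPad <jdoe@corp.example>" <promo@sender.example>'
ENCODED = "=?UTF-8?Q?Free_iPad_=3Cjdoe=40corp.example=3E?= <promo@sender.example>"
BENIGN = '"Jane Doe" <jdoe@corp.example>'
SAME = '"jdoe@corp.example" <jdoe@corp.example>'

if __name__ == "__main__":
    for header in (QUOTED, ENCODED, BENIGN, SAME):
        print(header, "->", spoofed_display_name(header))
```

The `ENCODED` sample contains no literal `<` or `@` in the display name, so a pattern applied to the raw header line would not match it; the check only fires after decoding.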