On Wed, 25 Oct 2017 09:26:37 -0400 Rupert Gallagher wrote:

> This is my rule for a case that has also been discussed in this list.
> I wrote it two weeks ago, and it works so far.
>
> This part goes into your local.cf:
>
> header __F_DM1 eval:from_domains_mismatch()

I wrote something similar as an ordinary rule:

    header FROM_DISPLAYS_FAKE_ADDR From =~ /^\s*("?)\s*([\w+.-]+\@[a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*\1\s*<(?!\2>)/i

However, when I looked at my ham archive I found that it could be improved a bit by checking the organizational domain rather than the full RHS (this is easier to do in perl with tld support).

e.g. "f...@example.com <b...@email.example.com>

and a little bit further by just comparing the first 3 letters of the main domain label.

e.g. "f...@example.com <b...@email.example-online.com>

This may not be representative but I found that the rest of the FPs could have been avoided with

    && (FREEMAIL_FROM || !DKIM_VALID_AU)

The spam rarely hits DKIM_VALID_AU unless it's freemail.

One thing to watch out for is mismatches between Unicode and punycode versions of the same address. The above rule only targets ASCII domains in the display field for that reason.
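
Added example, not part of the original post and not SpamAssassin code: a Python sketch of the refinements described above (organizational-domain comparison, the 3-letter label check, the FREEMAIL_FROM/DKIM_VALID_AU condition, and punycode normalisation), run over constructed From headers. The function names, the result labels and the small two-level suffix set are assumptions; a real deployment would use a full public suffix list.

```python
import re

# The post's pattern, but capturing the address inside <> (group 3) instead of
# rejecting it with a lookahead, so the two addresses can be compared in code.
DISPLAY_ADDR = re.compile(
    r'^\s*("?)\s*([\w+.-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*\1\s*<([^<>\s]+)>',
    re.I | re.A)

# Constructed stand-in for a real public suffix list (assumption).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def org_domain(domain):
    labels = domain.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def to_ascii(domain):
    # Normalise a Unicode domain to punycode so both forms compare equal.
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain  # leave an unencodable domain untouched

def classify(from_header, freemail_from=False, dkim_valid_au=False):
    m = DISPLAY_ADDR.match(from_header)
    if not m:
        return "no-display-addr"
    shown_local, _, shown_dom = m.group(2).lower().rpartition("@")
    real_local, _, real_dom = m.group(3).lower().rpartition("@")
    real_dom = to_ascii(real_dom)
    if (shown_local, shown_dom) == (real_local, real_dom):
        return "match"
    shown_org, real_org = org_domain(shown_dom), org_domain(real_dom)
    if shown_org == real_org:
        return "same-org"            # e.g. example.com vs email.example.com
    if shown_org.split(".")[0][:3] == real_org.split(".")[0][:3]:
        return "similar-label"       # e.g. example vs example-online
    # The post's extra condition: && (FREEMAIL_FROM || !DKIM_VALID_AU)
    return "hit" if (freemail_from or not dkim_valid_au) else "suppressed"

# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"alice@example.com" <bob@email.example.com>',
    '"alice@example.com" <bob@email.example-online.com>',
    '"service@bank.example" <x@mailer.test>',
    '"user@xn--bcher-kva.example" <user@bücher.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify(header), header, sep="\t")
```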