On Thu, 18 Jan 2018 11:52:36 +0000 (UTC) Pedro David Marco wrote:

> David,
> This rule can do the full job... I have tested it with good
> results.. (Can be tested here: https://regex101.com/r/Vpmhjz/3 ) It
> checks if the level domain next to the TLD in the From:name matches
> the domain next to the TLD in From:email
>
> header FROM_DOMAINS_MISMATCH From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
> describe FROM_DOMAINS_MISMATCH Domain name mismatch in From header

!~ matches are dangerous because they match by default if you don't anticipate all the legitimate formats. The above will FP on a simple email address. It could be rewritten as a __FROM_DOMAINS_MATCH and used in a meta rule. It's also not a complete solution as it doesn't handle third-level domains correctly, e.g. in "supp...@paypal.co.uk" <jkhj...@bogus.co.uk> "co" will match "co". This is why it's probably best to do it in Perl where the TLDs from 20_aux_tlds.cf can be used.
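
The two failure modes described in this reply, as an added example that is not part of the original thread: it runs the quoted regex over constructed From headers, then compares registrable domains using a suffix list. It is written in Python rather than as a SpamAssassin Perl plugin; the function names, the local parts of the sample addresses and the small `SUFFIXES` set (a stand-in for a list such as the one in 20_aux_tlds.cf) are assumptions.

```python
import re

# The regex from the quoted rule, unchanged.
QUOTED_RULE = re.compile(
    r'(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)')

def quoted_rule_fires(from_header):
    """The quoted rule uses '!~', so it fires when the regex does NOT match."""
    return QUOTED_RULE.search(from_header) is None

# Constructed stand-in for a real suffix list (assumption, not SpamAssassin data).
SUFFIXES = {"com", "uk", "co.uk"}

def registrable_domain(host):
    """Longest known suffix plus one label, e.g. mail.paypal.co.uk -> paypal.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()  # unknown suffix: compare the whole host name

ADDR = re.compile(r'[^\s"<>@]+@([A-Za-z0-9.-]+)')

def name_matches_address(from_header):
    """True/False when the display name carries an address, None when it does not."""
    name, sep, rest = from_header.partition("<")
    in_name = ADDR.search(name)
    real = ADDR.search(rest if sep else "")
    if not (in_name and real):
        return None  # nothing to compare, so a mismatch rule must stay silent
    return registrable_domain(in_name.group(1)) == registrable_domain(real.group(1))

# Constructed sample headers.
SIMPLE = 'user@example.com'
SPOOF = '"service@paypal.co.uk" <sender@bogus.co.uk>'
LEGIT = '"service@paypal.co.uk" <service@mail.paypal.co.uk>'

if __name__ == "__main__":
    for h in (SIMPLE, SPOOF, LEGIT):
        print(h, "| quoted rule fires:", quoted_rule_fires(h),
              "| domains match:", name_matches_address(h))
```

Returning `None` for headers with no address in the display name mirrors the positive `__FROM_DOMAINS_MATCH` sub-rule idea: a meta rule only scores a mismatch when there were two domains to compare.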