This is my current solution for a problem that has been discussed many times in this list. I wrote it last year, and it serves me well. Feel free to use it, if you find it useful.
This part goes into your local.cf:

    header   __F_DM1  eval:from_domains_mismatch()
    header   __F_DM2  From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
    meta     F_DM     ( __F_DM1 && ! __F_DM2 )
    describe F_DM     From:name domain mismatches From:addr domain
    priority F_DM     -1
    score    F_DM     5.0

This part goes into the general HeaderEval.pm:

    $self->register_eval_rule("from_domains_mismatch");

    [...]

    sub from_domains_mismatch {
      my ($self, $pms) = @_;
      my $temp;

      # Domain of the real sender address (From:addr).
      # Only use $1 after a successful match, otherwise it keeps a stale value.
      my $fromAddrDomain = "";
      $temp = $pms->get('From:addr');
      if ( defined $temp && $temp =~ /\@(.+)/ ) {
        $fromAddrDomain = lc($1);
      }

      # Domain of an e-mail address embedded in the display name (From:name), if any.
      my $fromNameDomain = "";
      $temp = $pms->get('From:name');
      if ( defined $temp && $temp =~ /\@([^\@\"\s]+)/ ) {
        $fromNameDomain = lc($1);
      }

      dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");

      if ( $fromNameDomain eq "" ) {
        return 0; # all well, no address in the display name
      } else {
        if ( $fromNameDomain eq $fromAddrDomain ) {
          return 0; # all well, they match
        } else {
          return 1; # mismatch, possibly spam
        }
      }
    }

R.G.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-------- Original Message --------
On 17 January 2018 8:31 PM, David Jones <djo...@ena.com> wrote:

> Would a plugin need to be created (or an existing one enhanced) to be
> able to detect this type of spoofed From header?
>
> From: "h...@hulumail.com !" lany...@hotmail.com
>
> https://pastebin.com/vVhGjC8H
>
> Does anyone else think this would be a good idea to make a rule that at
> least checks both the From:name and From:addr to see if there is an
> email address in the From:name and if the domain is different add some
> points?
>
> We are seeing more and more of this now that SPF, DKIM, and DMARC are
> making it harder to spoof common/major brands that have properly
> implemented some or all of them.
>
> David Jones
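An added example, not part of the original message or of SpamAssassin: a stand-alone Python model of the F_DM decision (the eval check combined with the `__F_DM2` exemption), for trying From headers offline before deploying the rule. The function name `f_dm`, the case-insensitive domain comparison and the sample headers are assumptions made for this illustration.

```python
import re
from email.utils import parseaddr

# Same exemption pattern as __F_DM2 in the local.cf snippet above.
EXEMPT_ADDR = re.compile(r"@(pec|legalmail|telecompost)(\.[^.]+)?\.it")
# Same pattern the eval rule applies to From:name.
NAME_DOMAIN = re.compile(r"@([^@\"\s]+)")


def f_dm(from_header):
    """Return True when the F_DM meta rule would fire for this From header."""
    name, addr = parseaddr(from_header)

    # Domain of the real sender address; empty if the address has no '@'.
    _, sep, dom = addr.rpartition("@")
    addr_domain = dom.lower() if sep else ""

    # Domain of an address embedded in the display name, if there is one.
    m = NAME_DOMAIN.search(name)
    if not m:
        return False  # nothing address-like in the display name
    name_domain = m.group(1).lower()

    mismatch = name_domain != addr_domain          # __F_DM1
    exempt = bool(EXEMPT_ADDR.search(addr))        # __F_DM2
    return mismatch and not exempt


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"support@bigbrand.example !" <someone@freemail.example>',  # spoofed name
    '"alice@corp.example" <alice@CORP.example>',                # same domain
    'Alice Smith <alice@corp.example>',                         # plain name
    '"info@bank.example" <sender@legalmail.it>',                # exempt sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print("F_DM" if f_dm(header) else "ok  ", header)
```

Only the first constructed header is flagged; the last one mismatches but is suppressed by the exemption on the sender domain.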