Hi Robert. I'm new here, but intrigued by what looks like a good solution. Without too much detail, can you explain the solution a bit? I just want to get a basic understanding of the workflow. Thank you.
__________________
"Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged." -- Matthew Walker, Sleep Scientist

On Jan 22, 2018 10:05 AM, "Rupert Gallagher" <r...@protonmail.com> wrote:

> This is my current solution for a problem that has been discussed many
> times in this list.
> I wrote it last year, and it serves me well. Feel free to use it, if you
> find it useful.
>
> This part goes into your local.cf:
>
> header __F_DM1 eval:from_domains_mismatch()
> header __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
> meta F_DM ( __F_DM1 && ! __F_DM2 )
> describe F_DM From:name domain mismatches From:addr domain
> priority F_DM -1
> score F_DM 5.0
>
> This part goes into the general HeaderEval.pm:
>
> $self->register_eval_rule("from_domains_mismatch");
> [...]
> sub from_domains_mismatch {
>   my ($self, $pms) = @_;
>   # Domain part of the real sender address
>   my ($fromAddrDomain) = $pms->get('From:addr') =~ /@(.+)/;
>   # Domain of an e-mail address embedded in the display name, if any
>   my ($fromNameDomain) = $pms->get('From:name') =~ /@([^\@\"\s]+)/;
>   # A failed match leaves the variable undef; never reuse a stale $1
>   $fromAddrDomain = "" unless defined $fromAddrDomain;
>   $fromNameDomain = "" unless defined $fromNameDomain;
>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>   if ( $fromNameDomain eq "" ) {
>     return 0; # all well, no address in the display name
>   } elsif ( lc($fromNameDomain) eq lc($fromAddrDomain) ) {
>     return 0; # all well, they match (domains are case-insensitive)
>   } else {
>     return 1; # mismatch, possibly spam
>   }
> }
>
> R.G.
>
> Sent with ProtonMail <https://protonmail.com> Secure Email.
>
> -------- Original Message --------
> On 17 January 2018 8:31 PM, David Jones <djo...@ena.com> wrote:
>
> > Would a plugin need to be created (or an existing one enhanced) to be
> > able to detect this type of spoofed From header?
> >
> > From: "h...@hulumail.com !" lany...@hotmail.com
> >
> > https://pastebin.com/vVhGjC8H
> >
> > Does anyone else think this would be a good idea to make a rule that at
> > least checks both the From:name and From:addr to see if there is an
> > email address in the From:name and if the domain is different add some
> > points?
> >
> > We are seeing more and more of this now that SPF, DKIM, and DMARC are
> > making it harder to spoof common/major brands that have properly
> > implemented some or all of them.
> >
> > David Jones
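The same check as a stand-alone script, added here as an illustration and not taken from Rupert's Perl or from SpamAssassin itself: it pulls an e-mail address out of the From display name, compares its domain with the domain of the real address, and applies the same certified-mail exemption and score as the __F_DM2 / F_DM rules above. It also decodes RFC 2047 encoded-words first, since a spoofer can hide the fake address as `=?utf-8?q?...?=` (SpamAssassin's From:name pseudo-header is already decoded, so the Perl does not need this step). The sample From headers are constructed for this example; the mailbox names and example.* domains are invented.

```python
"""Display-name vs. address domain mismatch check (added example, not the list's code)."""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Mirrors __F_DM2: Italian certified-mail (PEC) providers are exempt, because
# their From:name legitimately carries the sender's own address on another domain.
CERTIFIED_MAIL_RE = re.compile(r'(pec|legalmail|telecompost)(\.[^.]+)?\.it', re.I)

# An e-mail address hidden inside the display name; stop at quotes, whitespace
# and angle brackets so '"alice@bank.example.com !"' yields bank.example.com.
EMBEDDED_ADDR_RE = re.compile(r'@([^@"\s<>]+)')

F_DM_SCORE = 5.0  # same score the local.cf fragment assigns


def decode_display_name(name):
    """Decode RFC 2047 encoded-words so an address hidden as
    =?utf-8?q?alice=40bank.example.com?= is still seen."""
    try:
        return str(make_header(decode_header(name)))
    except (UnicodeDecodeError, LookupError, ValueError):
        return name


def from_domains(from_header):
    """Return (domain found in From:name, domain of From:addr), lower-cased;
    empty string where there is none."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition('@')[2].lower() if '@' in addr else ''
    m = EMBEDDED_ADDR_RE.search(decode_display_name(name))
    name_domain = m.group(1).lower().rstrip('.!?,;:') if m else ''
    return name_domain, addr_domain


def from_domains_mismatch(from_header):
    """__F_DM1: True only when the display name contains an address whose
    domain differs from the real sender domain."""
    name_domain, addr_domain = from_domains(from_header)
    return bool(name_domain) and name_domain != addr_domain


def f_dm_score(from_header):
    """meta F_DM ( __F_DM1 && ! __F_DM2 ): score the mismatch unless the real
    address sits on a certified-mail domain."""
    _, addr_domain = from_domains(from_header)
    exempt = CERTIFIED_MAIL_RE.fullmatch(addr_domain) is not None
    return F_DM_SCORE if from_domains_mismatch(from_header) and not exempt else 0.0


# Constructed sample headers (not from the thread); names and domains are invented.
SAMPLES = [
    '"alice@bank.example.com !" <zz9x@mail.example.net>',            # spoof
    '=?utf-8?q?alice=40bank.example.com?= <zz9x@mail.example.net>',  # encoded spoof
    'Alice Example <alice@example.com>',                              # ordinary mail
    '"alice@example.com" <alice@example.com>',                        # same domain
    '"studio@notaio.example.it" <studio@pec.example.it>',             # PEC, exempt
]

if __name__ == '__main__':
    for hdr in SAMPLES:
        print(f'{f_dm_score(hdr):>4}  {hdr}')
```

The exemption matches the whole From:addr domain rather than searching inside it, which is slightly stricter than the unanchored SpamAssassin regex; if you need the looser behaviour, switch `fullmatch` to `search`.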