So it's my understanding that SA does the following with this rule: it checks the From:addr and From:name values to find their domains and triggers a rule hit if there is a domain in the From:name that doesn't match the domain in the From:addr.
However, when I examine the headers from many legitimate non-spoofed emails from bulk senders such as constantcontact, madmimi, sendgrid, etc., it is very common to find a legitimate sender with a From:addr such as n...@gmail.com which clearly conflicts with the domain name in the From:addr, address being, for example, with madmimi bulk sending as an example:

smtp.mailfrom=sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d9342...@bounces.em.secureserver.net;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d9342...@bounces.em.secureserver.net;>
Received: from m205.em.secureserver.net (m205.em.secureserver.net. [1xx.xx.xxx.xx])
From: balblabla <blabla...@gmail.com>

Would this rule classify that email as probably spam when in fact it most certainly is not? So what am I not understanding here?

On 01/22/2018 10:20 AM, David Jones wrote:
> On 01/22/2018 09:05 AM, Rupert Gallagher wrote:
>> This is my current solution for a problem that has been discussed
>> many times in this list.
>> I wrote it last year, and it serves me well. Feel free to use it, if
>> you find it useful.
>>
>> This part goes into your local.cf:
>>
>> header __F_DM1 eval:from_domains_mismatch()
>> header __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
>> meta F_DM ( __F_DM1 && ! __F_DM2 )
>> describe F_DM From:name domain mismatches From:addr domain
>> priority F_DM -1
>> score F_DM 5.0
>>
>> This part goes into the general HeaderEval.pm:
>>
>> $self->register_eval_rule("from_domains_mismatch");
>> [...]
>> sub from_domains_mismatch {
>>   my ($self, $pms) = @_;
>>   my ($fromAddrDomain, $fromNameDomain) = ('', '');
>>
>>   # domain of the address part of From:
>>   my $temp = $pms->get('From:addr');
>>   $temp = '' unless defined $temp;
>>   # only assign when the match succeeds; $1 keeps a stale value otherwise
>>   $fromAddrDomain = lc $1 if $temp =~ /\@([^\@\s>]+)/;
>>
>>   # domain of an email address embedded in the display name, if any
>>   $temp = $pms->get('From:name');
>>   $temp = '' unless defined $temp;
>>   $fromNameDomain = lc $1 if $temp =~ /\@([^\@\"\s]+)/;
>>
>>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>>
>>   return 0 if $fromNameDomain eq '';              # no address in the display name: all well
>>   return 0 if $fromNameDomain eq $fromAddrDomain; # both domains match: all well
>>   return 1;                                       # mismatch, possibly spam
>> }
>>
>> R.G.
>>
>
> This looks like a simple and valuable approach that should be
> considered for inclusion into SA for everyone. Do you mind opening up
> a bug at https://bz.apache.org/SpamAssassin/ in the Plugins section?
>
> We could put this in for everyone with a low score and give it a trial
> run before increasing the score. I will run it locally as well and
> see how it goes.
>
>> Sent with ProtonMail <https://protonmail.com> Secure Email.
>>
>> -------- Original Message --------
>> On 17 January 2018 8:31 PM, David Jones <djo...@ena.com> wrote:
>>
>>> Would a plugin need to be created (or an existing one enhanced) to be
>>> able to detect this type of spoofed From header?
>>>
>>> From: "h...@hulumail.com !" lany...@hotmail.com
>>>
>>> https://pastebin.com/vVhGjC8H
>>>
>>> Does anyone else think this would be a good idea to make a rule that at
>>> least checks both the From:name and From:addr to see if there is an
>>> email address in the From:name and if the domain is different add some
>>> points?
>>>
>>> We are seeing more and more of this now that SPF, DKIM, and DMARC are
>>> making it harder to spoof common/major brands that have properly
>>> implemented some or all of them.
>>>
>>> David Jones
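The following is an added example, not code from the list post or from SpamAssassin: a Python port of the posted rule (__F_DM1, the __F_DM2 exemption and the F_DM meta) run over constructed From: headers. It makes visible what the rule actually compares: only the display name and the address of the From: header. Return-Path, smtp.mailfrom and the Authentication-Results line are never read, so a bulk-sender message whose From: is gmail.com and whose Return-Path is on another domain gets no F_DM points, while a display name that carries an address on a different domain does. The function names, the sample headers and the standard-library parsing are mine; the regexes mirror the posted config.

```python
import re
from email.utils import parseaddr

# Mirrors __F_DM2 from the posted local.cf: From:addr domains that are exempt
# because their display names legitimately carry an address.
EXEMPT_ADDR_RE = re.compile(r'@(pec|legalmail|telecompost)(\.[^.]+)?\.it', re.I)

# Domain part of an email address embedded in a display name (From:name).
NAME_DOMAIN_RE = re.compile(r'@([A-Za-z0-9.-]+)')

F_DM_SCORE = 5.0  # "score F_DM 5.0" in the posted config


def split_from(from_header):
    """Return (From:name, From:addr) roughly as SpamAssassin exposes them."""
    name, addr = parseaddr(from_header)
    return name, addr


def addr_domain(addr):
    """Lower-cased domain of From:addr, or '' when there is no '@'."""
    if '@' not in addr:
        return ''
    return addr.rsplit('@', 1)[1].strip().lower()


def name_domain(name):
    """Lower-cased domain of an address found inside From:name, or ''."""
    m = NAME_DOMAIN_RE.search(name)
    return m.group(1).rstrip('.').lower() if m else ''


def from_domains_mismatch(from_header):
    """Port of the posted eval rule (__F_DM1): True on a domain mismatch."""
    name, addr = split_from(from_header)
    nd = name_domain(name)
    if nd == '':
        return False  # no address in the display name: all well
    return nd != addr_domain(addr)


def f_dm_score(headers):
    """meta F_DM ( __F_DM1 && ! __F_DM2 ): the score this message would get.

    Only headers['From'] is consulted; Return-Path and friends are ignored,
    exactly as in the posted rule.
    """
    from_header = headers.get('From', '')
    _, addr = split_from(from_header)
    hit = from_domains_mismatch(from_header) and not EXEMPT_ADDR_RE.search(addr)
    return F_DM_SCORE if hit else 0.0


# Constructed sample messages (description, headers); none is a real message.
SAMPLES = [
    ('bulk sender', {
        'From': 'Newsletter <someone@gmail.com>',
        'Return-Path': '<sp_bounce_token@bounces.example.net>',
    }),
    ('spoofed display name', {
        'From': '"someone@example.net !" <other@example.org>',
        'Return-Path': '<other@example.org>',
    }),
    ('display name repeats own address', {
        'From': '"alice@example.com" <alice@example.com>',
    }),
    ('case differs only', {
        'From': '"Someone@Example.COM" <someone@example.com>',
    }),
    ('exempt pec.it', {
        'From': '"notify@example.net" <pec-user@pec.it>',
    }),
]


def score_samples():
    """Run every constructed sample through the rule; returns {desc: score}."""
    return {desc: f_dm_score(hdrs) for desc, hdrs in SAMPLES}


if __name__ == '__main__':
    for desc, score in score_samples().items():
        print(f'{score:4.1f}  {desc}')
```

Running it prints 0.0 for the bulk-sender, same-address, case-only and pec.it samples and 5.0 only for the display name that embeds an address on a foreign domain. A mismatch between From:addr and Return-Path is a different check (the DMARC/SPF alignment layer), not something this rule looks at.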