Ah, okay.  Thanks for the clarification.

So this filter, what would it make of that message?  Spam or ham?

On 01/22/2018 06:16 PM, sha...@shanew.net wrote:
> I think what's tripping you up is what parts of the mail "From:addr"
> and "From:name" refer to.  In the example you give:
>
> From: blablabla <blabla...@gmail.com>
>
> From:name will be "blablabla"
> and
> From:addr will be "blabla...@gmail.com"
>
> Since there's no "@" in From:name, there's clearly not an email
> address there, so there's nothing to compare to the domain part of
> From:addr.
>
> The "bounces.em.secureserver.net" you're referring to is part of the
> EnvelopeFrom (AKA ReturnPath).  This particular check doesn't consider
> that domain name in any way whatsoever.
>
> On Mon, 22 Jan 2018, Chip wrote:
>
>> I might be wrong here, understand I'm still learning, but the purpose of
>> the filter, from what I've been able to grasp, is that it checks the
>> From:addr and From:name values in SA to find
>> their domain and triggering a rule hit if there is a domain in the
>> From:name that doesn't match the domain in the From:addr.
>>
>> In the example I sent From: (as in From:name) contains the domain
>> "gmail.com" - blabla...@gmail.com
>>
>> From:addr contains "bounces.em.secureserver.net"
>>
>> Thus mismatch between From:name that doesn't match the domain in the
>> From:addr.
>>
>> Thus it would identify this message as probably spam, which it is not.
>>
>> Are people talking about a name like "bla@bla...@domain.com"? in this
>> thread meaning the actual "@" character in the "name" or are we
>> comparing domains from the From:addr to the domain in the From:name?
>>
>>
>>
>> On 01/22/2018 05:56 PM, RW wrote:
>>> On Mon, 22 Jan 2018 17:44:00 -0500
>>> Chip wrote:
>>>
>>>> Following is the full header with identifiable information
>>>> anonymized.
>>> I don't see what you are getting at, in:
>>>
>>>
>>>   From: blablabla <blabla...@gmail.com>
>>>
>>> blablabla doesn't contain an "@".
>>>
>>
>

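The comparison discussed in this thread, as an added Python sketch that is not part of the original messages and not SpamAssassin's own code: it splits the From: header into From:name and From:addr, and only reports a mismatch when From:name itself contains an address whose domain differs from the From:addr domain. The function name, the regex, the exact-match domain comparison and the sample addresses are assumptions made for illustration; the envelope sender is accepted as a parameter only to show that it plays no part in the result.

```python
import re
from email.utils import parseaddr

# Loose pattern for an address embedded in a display name (assumption of this sketch).
ADDR_IN_NAME = re.compile(r"[^\s<>@\"']+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def from_name_domain_mismatch(from_header, envelope_from=None):
    """True when From:name holds an address whose domain differs from From:addr's.

    envelope_from (Return-Path) is deliberately unused: the check described in
    the thread never looks at it.
    """
    name, addr = parseaddr(from_header)      # From:name, From:addr
    if "@" not in addr:
        return False                         # unparsable header, nothing to compare
    addr_domain = addr.rsplit("@", 1)[1].lower()
    match = ADDR_IN_NAME.search(name)
    if match is None:
        return False                         # no "@" in From:name, so no hit
    return match.group(1).lower() != addr_domain


# Constructed sample headers: (From: header, envelope sender).
SAMPLES = {
    "plain display name": ("blablabla <someone@gmail.com>",
                           "bounce@bounces.em.secureserver.net"),
    "address in name, other domain": ('"support@bank.example" <someone@gmail.com>',
                                      "someone@gmail.com"),
    "address in name, same domain": ('"someone@gmail.com" <someone@gmail.com>',
                                     "someone@gmail.com"),
}


def check_samples():
    """Run the check over the constructed samples and return {label: hit}."""
    return {label: from_name_domain_mismatch(hdr, env)
            for label, (hdr, env) in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in check_samples().items():
        print(f"{label}: {'mismatch' if hit else 'no hit'}")
```
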