Understood, so then what would a From:name that contains a domain look like since it seems the filter needs to compare the domain found in From:addr to From:name in order to pass it as ham.
Or am I on another planet altogether here, just say so and I'll shut up. On 01/22/2018 06:21 PM, Chip wrote: > Ah, okay. Thanks for the clarification. > > So this filter, what would it make of that message? Spam or ham? > > On 01/22/2018 06:16 PM, sha...@shanew.net wrote: >> I think what's tripping you up is what parts of the mail "From:addr" >> and "From:name" refer to. In the example you give: >> >> From: blablabla <blabla...@gmail.com> >> >> From:name will be "blablabla" >> and >> From:addr will be "blabla...@gmail.com" >> >> Since there's no "@" in From:name, there's clearly not an email >> address there, so there's nothing to compare to the domain part of >> From:addr. >> >> The "bounces.em.secureserver.net" you're referring to is part of the >> EnvelopeFrom (AKA ReturnPath). This particular check doesn't consider >> that domain name in any way whatsoever. >> >> On Mon, 22 Jan 2018, Chip wrote: >> >>> I might be wrong here understand I'm still learning, but the purpose of >>> the filter, from what I've been able to grasp, is that it checks the >>> From:addr and From:name values in SA to find >>> their domain and triggering a rule hit if there is a domain in the >>> From:name that doesn't match the domain in the From:addr. >>> >>> In the example I sent From: (as in From:name) contains the domain >>> "gmail.com" - blabla...@gmail.com >>> >>> From:addr contains "bounces.em.secureserver.net" >>> >>> Thus mismatch between From:name that doesn't match the domain in the >>> From:addr. >>> >>> Thus it would identify this message as probably spam, which it is not. >>> >>> Are people talking about a name like "bla@bla...@domain.com"? in this >>> thread meaning the actual "@" character in the "name" or are we >>> comparing domains from the From:add to the domain in the From:name? >>> >>> >>> >>> On 01/22/2018 05:56 PM, RW wrote: >>>> On Mon, 22 Jan 2018 17:44:00 -0500 >>>> Chip wrote: >>>> >>>>> Following is the full header with identifiable information >>>>> anonymized. >>>> I don't see what you are getting at, in: >>>> >>>> >>>> From: blablabla <blabla...@gmail.com> >>>> >>>> blablabla doesn't contain an "@". >>>>
