On Mon, 22 Jan 2018, Chip wrote:

In the attached image "header" is highlighted. Which one applies in
this case as there is header=gmail *and* header=secure.net

What you have highlighted has nothing to do with the "From" header in SA
header rules. That content is in the "ARC-Authentication-Results",
"Authentication-Results" and "smtp.mailfrom" headers.

Regarding the example in question:

From: blablabla <blabla...@gmail.com>

"From:name" refers to the comment part - "blablabla"
"From:addr" refers to the address (non-comment) part - "<blabla...@gmail.com>"

Unfortunately the way that was obscured makes it a little less clear
what's going on. Perhaps this is clearer:

From: John Hardin <jhar...@impsec.org>

"From:name" = "John Hardin" (comment part)
"From:addr" = "<jhar...@impsec.org>" (address part)

On 01/22/2018 06:13 PM, John Hardin wrote:
On Mon, 22 Jan 2018, Chip wrote:

I might be wrong here (understand I'm still learning), but the purpose of
the filter, from what I've been able to grasp, is that it checks the
From:addr and From:name values in SA to find
their domain, triggering a rule hit if there is a domain in the
From:name that doesn't match the domain in the From:addr.

In the example I sent From: (as in From:name) contains the domain
"gmail.com" - blabla...@gmail.com
From:addr contains "bounces.em.secureserver.net"

"From:addr" is *not* the envelope from address. It is the non-comment
part of the message From: header.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #20: The faster you finish the fight,
the less shot you will get.
-----------------------------------------------------------------------
Tomorrow: John Moses Browning's 163rd Birthday
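
The name/address split discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's own code: it uses Python's `email.utils.parseaddr` as a stand-in parser to show that both parts come from the message From: header, never from the envelope sender. The sample messages, the regular expression and the function names are constructed for illustration, and Return-Path stands in for the envelope sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the thread).
MSG_PLAIN = """\
Return-Path: <bounce-123@bounces.example.net>
From: Alice Example <alice@example.com>
Subject: hello

body
"""

MSG_SPOOF = """\
Return-Path: <bounce-456@bounces.example.net>
From: "billing@bank.example" <mailer@bulk.example.org>
Subject: invoice

body
"""

# An address-like token inside the display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def split_from(raw):
    """Return (name, addr) taken from the message From: header only."""
    msg = message_from_string(raw)
    return parseaddr(msg["From"])


def name_addr_mismatch(raw):
    """True when the name part embeds an address whose domain differs
    from the domain of the address part. Return-Path is never consulted."""
    name, addr = split_from(raw)
    found = ADDR_IN_NAME.search(name)
    if not found or "@" not in addr:
        return False
    return found.group(1).lower() != addr.rsplit("@", 1)[1].lower()


if __name__ == "__main__":
    for label, raw in (("plain", MSG_PLAIN), ("spoof", MSG_SPOOF)):
        print(label, split_from(raw), name_addr_mismatch(raw))
```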