I wrote my own plugin for that but I don't score very high anymore because of things like this: (obviously Mr Bill is not real but the netsuite address is)

From: "Mr Bill ([email protected])" <[email protected]>

I find more and more companies, I believe Intuit is doing something like that, that do this. I could of course add a whitelist of sorts but I prefer to bump the score a bit, enough to tag as low scoring spam.

For detecting possible fraud addresses involving our own people I wrote a backend look up for exim that looks at any name like "Rick Cooper" and compares that to a DB with all email addresses for all employees in all locations and then, if the actual [email protected] doesn't match any of those listed for that name, it rewrites the subject and appends a noticeable disclaimer to the subject line stating the email is not from [email protected] and any other addresses that person may have. It also adds an X-Header that SA can score on at the same time.

Rick

-----Original Message-----
From: micah anderson [mailto:[email protected]]
Sent: Thursday, April 09, 2020 10:17 AM
To: [email protected]
Subject: Spoofed From: names

Hi,

What is the current state of the art for dealing with tricking people in the From with the "Name" part? For example:

From: "[email protected]"<[email protected]>

The "Real Name" part is used to put a fake email address of the actual domain (example.com would be my domain, or gmail.com or something other than air-compressor.ml).

This has come up before[0], but at the time generic solutions seemed problematic due to various false positives, or missing features in spamassassin itself. I'm wondering what the current state is now.

I can do a relatively easy meta-rule for my domain, something like this, but I'm not sure how well this would work, or if there are better methods now:

header   __LOCAL_FROM_QUOTE_ISUS      From =~ /\".*\@example\.com\"/
header   __LOCAL_FROM_CONTAIN_NOTUS   From !~ /<.*\@example\.com>/
meta     TRICKY_FROM                  ((( __LOCAL_FROM_QUOTE_ISUS ) + ( __LOCAL_FROM_CONTAIN_NOTUS )) > 1)
describe TRICKY_FROM                  From has example.com in quotes, but not in path
score    TRICKY_FROM                  5

0. https://www.mail-archive.com/[email protected]/msg100800.html

--
micah
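
The three checks discussed in this thread, combined in one function as an added example (not code from either poster, and not a SpamAssassin or exim API). It generalizes the example.com rule to any domain mismatch; the flag names, `LOCAL_DOMAINS`, `DIRECTORY` and all sample addresses are constructed for illustration, and domains are compared by exact match.

```python
import re
from email.utils import parseaddr

# Constructed stand-ins: our own mail domains, and the "name -> addresses"
# employee directory described in the reply. All values are made up.
LOCAL_DOMAINS = {"example.com"}
DIRECTORY = {"rick cooper": {"rick.cooper@example.com", "rcooper@example.org"}}

# An address-like token inside the display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def check_from(header):
    """Return the set of flags raised by one From: header value."""
    flags = set()
    name, addr = parseaddr(header)
    addr = addr.lower()
    addr_domain = addr.rpartition("@")[2]

    # 1) Display name embeds an address whose domain differs from the real
    #    sender's domain. Legitimate "on behalf of" senders trip this too,
    #    so it deserves a low score rather than a reject.
    for m in ADDR_IN_NAME.finditer(name):
        shown = m.group(1).lower()
        if shown != addr_domain:
            flags.add("NAME_ADDR_MISMATCH")
            # 2) The embedded address claims one of our own domains while
            #    the real sender is elsewhere (the TRICKY_FROM case).
            if shown in LOCAL_DOMAINS:
                flags.add("NAME_CLAIMS_LOCAL_DOMAIN")

    # 3) Display name matches a known person but the real address is not
    #    one of the addresses on file for that person.
    key = re.sub(r"\s+", " ", name).strip().lower()
    known = DIRECTORY.get(key)
    if known is not None and addr not in known:
        flags.add("KNOWN_NAME_UNKNOWN_ADDR")
    return flags


if __name__ == "__main__":
    samples = [  # constructed From: headers
        '"billing@example.com" <x1@mailer.example.net>',
        '"Mr Bill (bill@customer.example.org)" <system@sender.example.net>',
        '"Rick Cooper" <rick.cooper@freemail.example.net>',
        '"Rick Cooper" <rick.cooper@example.com>',
    ]
    for s in samples:
        print(s, "->", sorted(check_from(s)))
```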
