On Wed, 27 Jan 2021, Dan Mahoney (Gushi) wrote:
> All,
> I'm noticing a pattern of email like:
> From: "GUSHI.ORG Administrator" <somera...@host.cn>
> To: y...@gushi.org
> Subject: Your mailbox has exceeded its quota
> Or some such nonsense.
> Now, DMARC and SPF and DKIM would be able to block the domain if they tried
> to spoof it in the From email address. But mail clients helpfully these days
> aren't showing the actual email address to people. Ergo, I'm looking to do
> the following:
> Catch a case where the REALNAME of the FROM address contains a domain that is
> in the TO header. This would seem to require a macro of some kind to capture
> the value and do the comparison, so this doesn't seem to be the kind of thing
> one can do (dynamically) with a regular rule.
It can be done with a regular rule, as header rules can match across
multiple headers.
There is already a rule like that in the base ruleset:
https://ruleqa.spamassassin.org/20210127-r1885943-n/PDS_FROM_NAME_TO_DOMAIN/detail
Jan 27 12:03:34.724 [29312] dbg: rules: ran header rule __PDS_FROM_NAME_TO_DOMAIN ======> got hit:
"From: "GUSHI.ORG Administrator" <somera...@host.cn>
Jan 27 12:03:34.724 [29312] dbg: rules: [...] To: y...@gushi.org"
PDS_FROM_NAME_TO_DOMAIN should have hit on that message. Did it?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Today: the 54th anniversary of the loss of Apollo 1
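As an added example, not code from this thread or from the SpamAssassin ruleset: the check Dan describes (a To: domain showing up inside the From: display name) implemented in Python over constructed sample headers. The addresses are placeholders, and skipping the case where the From: address really belongs to that domain is my own assumption, not something the base rule is documented to do here.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample headers (hypothetical addresses) modelled on the
# pattern quoted in the thread: the From display name carries the
# recipient's domain while the actual sender address is elsewhere.
SAMPLE_HIT = """\
From: "GUSHI.ORG Administrator" <someone@host.example>
To: user@gushi.org
Subject: Your mailbox has exceeded its quota
"""

# Legitimate same-domain notice: the display name mentions the domain but
# the sender address really is in that domain, so SPF/DKIM/DMARC cover it.
SAMPLE_CLEAN = """\
From: "gushi.org Support" <support@gushi.org>
To: user@gushi.org
Subject: Scheduled maintenance
"""

def _domain(addr):
    """Lowercase domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def from_name_to_domain_hits(raw_message):
    """Return the To: domains that appear inside the From: display name
    while the From: address itself is in a different domain.
    Independent reimplementation of the idea behind PDS_FROM_NAME_TO_DOMAIN,
    not the ruleset's regex; the same-domain exclusion is an assumption."""
    msg = message_from_string(raw_message)
    froms = getaddresses(msg.get_all("From", []))
    if not froms:
        return []
    name, from_addr = froms[0]
    from_dom = _domain(from_addr)
    to_doms = {_domain(a) for _, a in getaddresses(msg.get_all("To", []))} - {""}
    hits = []
    for dom in sorted(to_doms):
        if dom == from_dom:
            continue
        # Match the domain as a whole token (a subdomain prefix is allowed),
        # case-insensitively, since "GUSHI.ORG" is what the user actually sees.
        if re.search(rf"(?<![\w-]){re.escape(dom)}(?![\w-])", name, re.IGNORECASE):
            hits.append(dom)
    return hits

if __name__ == "__main__":
    print(from_name_to_domain_hits(SAMPLE_HIT))    # ['gushi.org']
    print(from_name_to_domain_hits(SAMPLE_CLEAN))  # []
```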