On 2023-08-22 at 16:18:43 UTC-0400 (Tue, 22 Aug 2023 13:18:43 -0700)
D Benham <fatherofn...@benham.net>
is rumored to have said:
> Hello,
>
> I saw this question out on the 'Net and thought I'd post it here. I
> can see a few false positives besides the OP's BCC that could arise,
> but it still seems like it's a logical check that should have been
> done before.
>
> Is there a way to compare the RCPT TO address to the addresses in the
> To and Cc lines to make sure there's at least one match?

All the needed information is available in SA, so such a check is
possible.

There is already a HEADER_FROM_DIFFERENT_DOMAINS rule which checks the
envelope sender domain against the From header address domain. It uses
an eval which I guess we could replicate for RCPT vs. To|Cc.

> I am aware that BCC would trigger a score but I am ok with that at
> this time. It seems like it would be a possibly useful check so I was
> surprised that I couldn't find anything of the sort in my searches.

I'm not sure that it actually would be worthwhile. E.g. the vast
majority of my legit mail is from lists like this one, which never have
any of my addresses in headers unless someone CC's me a post sent to the
list (which I despise...)

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
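
The check discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: a standalone Python sketch that compares one envelope recipient against the To and Cc addresses and shows the two legitimate cases the thread mentions (BCC and mailing-list mail) failing it. The function names, the sample messages and the use of List-Id to recognise list traffic are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def header_recipients(msg):
    """Lower-cased addresses from every To and Cc header."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}

def classify(raw_message, rcpt_to):
    """Return 'match', 'mismatch-list' or 'mismatch' for one RCPT TO."""
    msg = message_from_string(raw_message)
    # Compared case-insensitively, as most receiving systems treat them.
    if rcpt_to.strip("<>").lower() in header_recipients(msg):
        return "match"
    # Assumption: a List-Id header identifies mailing-list traffic.
    return "mismatch-list" if msg.get("List-Id") else "mismatch"

# Constructed samples (example.* domains); bob@example.com is the RCPT TO.
DIRECT = """From: Alice <alice@example.org>
To: "Bob, Jr." <Bob@Example.com>
Cc: carol@example.net
Subject: direct mail

hi
"""
BCC = """From: Alice <alice@example.org>
To: carol@example.net
Subject: Bob was Bcc'd

hi
"""
LIST = """From: Dave <dave@example.org>
To: users@lists.example.org
List-Id: <users.lists.example.org>
Subject: list post

hi
"""

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("bcc", BCC), ("list", LIST)):
        print(name, classify(raw, "<bob@example.com>"))
```

Only the direct message matches; the BCC and list messages are both legitimate mail that a rule built on this comparison would score.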