Alex, from prypiat.
Yes, I recycle.

On 12-09-26 11:09 AM, Sergio wrote:
> Hi all,
> how can I check a FROM different to the one on the headers?
>
> I have seen that some emails on the FROM on the header has something
> different than the FROM on the email, as an example:

You are talking about the envelope from versus the body from.

Envelope from is used at SMTP transaction time. Body from is within the
headers, therefore it's part of the DATA command, and is possibly spoofed.

>
> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net
> (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4
> for <fernando.lo...@puntocel.com.gt>; Wed, 26 Sep 2012 14:28:26
> +0000 (envelope-from
> <bounce-mc.us4_7777769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net>)
> Subject:
> =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> _*From: =?utf-8?Q?Cucupons.com?= <ma...@cucupons.com>*_
> Reply-To: =?utf-8?Q?Cucupons.com?= <ma...@cucupons.com>
>
> But the FROM that I want to block is the one that comes on the email:
> FROM:
> bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail....@mail62.us1.rsgsv.net
>
>
> I have the following rule:
>
> header    BLACKLIST_R     From =~ /rsgsv\.net/i
> score    BLACKLIST_R    5.0
>

You may either do that:

header  BL_FROM_rsgsv  Received =~ /rsgsv\.net/i
score  BL_FROM_rsgsv  5.0

But you are subject to FPs in case that domain sends you a legitimate
email some day.

Note that you may look upon an X-Envelope-From header also, depending on
your MTA and how and when it may log it in the headers.

Or you may choose to work on the body From:
header  BL_FROM_rsgsv  From:addr =~ /cucupons\.com/i
score  BL_FROM_rsgsv  5.0

But as this part of the mail is spoofable, you are susceptible to miss
some spams.


> But at the time of checking, it checks "cucupons.com" and the rule fails.
>
> What I have to use in order to check the FROM that comes on the email
> instead of the FROM that is on the headers?
>
> TIA.
>
> Sergio
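
The envelope-from versus body-From distinction discussed in this thread, as an added Python example that is not part of either poster's message: it pulls both senders out of a stored message and reports whether their domains differ. The sample message and the function names are constructed for illustration, and it assumes the receiving MTA recorded the envelope sender in `X-Envelope-From`, `Return-Path` or an `(envelope-from <...>)` comment in `Received`.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; hosts and addresses are placeholders, not from the thread.
SAMPLE = """\
Return-Path: <bounce-123=user=example.org@mail1.bulk.example>
Received: from (127.0.0.1) by mail1.bulk.example (ExampleMTA) id abc123
 for <user@example.org>; Wed, 26 Sep 2012 14:28:26 +0000
 (envelope-from <bounce-123=user=example.org@mail1.bulk.example>)
From: =?utf-8?Q?Shop?= <news@shop.example>
Subject: constructed sample

body
"""

# Some MTAs note the SMTP MAIL FROM value as a comment in their Received line.
ENV_IN_RECEIVED = re.compile(r"\(envelope-from\s+<([^>]*)>\)", re.I)

def envelope_from(msg):
    """Envelope sender as recorded in the headers, or None if absent."""
    # Assumption: these headers were written by your own MTA. Copies that
    # arrived inside DATA are as spoofable as the From: header itself.
    for name in ("X-Envelope-From", "Return-Path"):
        addr = parseaddr(msg.get(name, ""))[1]
        if addr:
            return addr.lower()
    for received in msg.get_all("Received", []):
        match = ENV_IN_RECEIVED.search(received)
        if match:
            return match.group(1).lower()
    return None

def header_from(msg):
    """Address part of the From: header, display name dropped."""
    return parseaddr(msg.get("From", ""))[1].lower() or None

def domain(addr):
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else None

def compare(raw):
    """Report both senders and whether their domains differ."""
    msg = message_from_string(raw)
    env, hdr = envelope_from(msg), header_from(msg)
    return {"envelope_from": env, "header_from": hdr,
            "domains_differ": domain(env) != domain(hdr)}
```

A domain mismatch is normal for bulk senders that use bounce addresses, so treat it as context for choosing which sender a rule should match, not as a spam verdict on its own.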
