Hello all,
I recently stumbled onto a mail with a spam link where the FROM header field
looked like this:
From: "Firstname Lastname@" <recipient-domain.com
sendern...@real-senders-domain.com>
which is displayed in different ways on different devices but most do display something resembling
an internal from address, maybe with an additional second external address.
So it is a way to make users think this is an internal sender - probably it gets harder and harder
to circumvent the ever-growing SPF rejections.
(The real sender domain has a valid SPF and DKIM entry).
I wonder whether it is possible to detect such a header with SpamAssassin means? I only see the
following rules that hit:
[BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001
I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly different scope and I would
not want to just raise the score for that rule, it would probably give many false positives.
This is SpamAssassin 3.3.1 on CentOS 6.
Regards and thanks, JC
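
The header shape described in this post can be checked mechanically. The following is an added example, not part of the original post and not SpamAssassin code: it flags a From value whose real sender address is external while the text in front of it names an internal domain. The function names, the internal-domain list and the local part `sender` in the sample are assumptions constructed for illustration.

```python
import re

# Approximate addr-spec matcher (local-part@domain); enough for triage,
# not a full RFC 5322 parser.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def unfold(value):
    """Undo header folding: a line break followed by whitespace is one space."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def check_from(value, internal_domains):
    """Return True if the From value imitates an internal sender.

    True  -> last address is external, but an internal domain appears before it
    False -> sender is internal, or external with no internal domain in front
    None  -> no address could be extracted at all
    """
    value = unfold(value)
    matches = list(ADDR_RE.finditer(value))
    if not matches:
        return None
    real = matches[-1]                      # the address the mail really claims
    real_domain = real.group(1).lower()
    internal = {d.lower() for d in internal_domains}
    if real_domain in internal:
        return False                        # left to SPF/DKIM/DMARC checks
    decoy = value[:real.start()].lower()    # display name and anything else shown first
    for dom in internal:
        # Match the domain as a whole label sequence, not as part of a longer name.
        pattern = r"(?<![a-z0-9-])" + re.escape(dom) + r"(?![a-z0-9-])"
        if re.search(pattern, decoy):
            return True
    return False


# Constructed sample modelled on the header in the post (folded over two lines).
SAMPLE = '"Firstname Lastname@" <recipient-domain.com\r\n sender@real-senders-domain.com>'
INTERNAL = ["recipient-domain.com"]         # assumption: the site's own domains

if __name__ == "__main__":
    print(check_from(SAMPLE, INTERNAL))
```
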