On 27 Sep 2017, at 3:16, Jakob Curdes wrote:
> Hello all,
> I recently stumbled onto a mail with a Spam link where the FROM header
> field looked like this:
> From: "Firstname Lastname@" <recipient-domain.com
> sendern...@real-senders-domain.com>
> which is displayed in different ways on different devices but most do
> display something resembling an internal from address, maybe with an
> additional second external address.
Or if the MUA is minimally competent, it displays the whole broken
pathological From header, not some misparsed deception. But like
poverty, it seems that Outlook will always be with us...
> So it is a way to make users think this is an internal sender -
> probably it gets harder and harder to circumvent the ever-growing SPF
> rejections.
> (The real sender domain has a valid SPF and DKIM entry).
SPF has nothing to do with From headers.
I find it amazing that a DKIM implementation would not choke on that
From, since it is syntactically improper.
> I wonder whether it is possible to detect such a header with
> spamassassin means?
A custom rule would work.
> I only see the following rules that hit:
> [BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001
Ok, so you do realize that URIBL_BLOCKED is a serious problem, right? I
mean, you're trying to do checks of URLs against a URIDNSBL that won't
give you a real answer until you fix your DNS, reduce your query volume,
or pay for a direct datafeed. Fix that problem and you are likely to
catch a bunch more spam.
> I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly
> different scope and I would not want to just raise the score for that
> rule, it would probably give many false positives.
Indeed, NAME_EMAIL_DIFF is not part of the default ruleset, so I'd be
very careful with it.
> This is spamassassin 3.3.1 on CentOS 6.
Antique aficionado? :)
I don't think you'd solve this particular case by updating to a modern
version of SA but it is possible, since there are a number of rules that
only work in 3.4.x
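An added example, not from the thread or from SpamAssassin itself, of the custom-rule approach suggested above: two regex checks on the raw From header that flag the shape discussed (a quoted display name ending in "@", and an angle-addr that is not a single addr-spec), with the equivalent SpamAssassin `header ... From:raw` rules in a comment. Rule names and sample headers are constructed; the thread's elided local part is replaced by "sender".

```python
import re

# Quoted display name that ends in '@', so that whatever follows '<'
# visually completes it into an address (the trick quoted in the thread).
NAME_TRAILING_AT = re.compile(r'^\s*"[^"]*@\s*"\s*<')

# Angle-addr that is not one bare addr-spec: whitespace inside the
# brackets, or more than one '@' inside them.
ANGLE_ADDR_MALFORMED = re.compile(r'<[^<>]*(?:\s|@[^<>]*@)[^<>]*>')

CHECKS = {
    "FROM_NAME_TRAILING_AT": NAME_TRAILING_AT,
    "FROM_ANGLE_ADDR_MALFORMED": ANGLE_ADDR_MALFORMED,
}

# The same checks as SpamAssassin header rules (rule names constructed,
# not tested here; From:raw matches the undecoded header, hence ^\s*):
#   header FROM_NAME_TRAILING_AT     From:raw =~ /^\s*"[^"]*@\s*"\s*</
#   header FROM_ANGLE_ADDR_MALFORMED From:raw =~ /<[^<>]*(?:\s|@[^<>]*@)[^<>]*>/
#   score  FROM_NAME_TRAILING_AT 2.0

def unfold(header_value: str) -> str:
    """Join folded header lines (RFC 5322 folding) so the regexes see one line."""
    return re.sub(r'\r?\n[ \t]+', ' ', header_value)

def check_from(header_value: str) -> list[str]:
    """Return the names of the checks that match this From header value."""
    value = unfold(header_value)
    return [name for name, rx in CHECKS.items() if rx.search(value)]

# Constructed samples: "spoof" mirrors the header quoted in the thread;
# "plain" and "addr_as_name" are well-formed negative controls (a name that
# merely repeats the address must not fire); "folded_spoof" is the same
# trick split across a folded header line.
SAMPLES = {
    "spoof": '"Firstname Lastname@" <recipient-domain.com sender@real-senders-domain.com>',
    "plain": "Jane Doe <jane@example.com>",
    "addr_as_name": '"jane@example.com" <jane@example.com>',
    "folded_spoof": '"Firstname Lastname@"\r\n <recipient-domain.com sender@real-senders-domain.com>',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:13} -> {check_from(value) or ['(clean)']}")
```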