Please, when possible, use plaintext e-mail with mailing lists.

On 11.03.22 14:35, Nikolaos Milas wrote:
> Is there a way to drop mails which have two different mail addresses in
> the From header?
> This is a common trick of abusers.
> For example, mails with a header like:
>
> From: "<John Doe> [email protected]" <[email protected]>
>
> This is from a real mail (with a password-protected zip attachment) which
> obviously is infected.
> Can you please provide some amavis/SA setting(s) and/or script doing that
> job?

I've had this problem too. In SpamAssassin you can:

uncomment in v343.pre:

  loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

define rule:

  body L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()

define meta rule for already existing __PDS_FROM_2_EMAILS:

  meta L_FROM_2_EMAILS (__PDS_FROM_2_EMAILS)

- there's T_PDS_FROM_2_EMAILS which unfortunately does not hit when e.g.
  DKIM signature exists

and maybe meta rule for these:

  meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS

--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
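
An added example, not part of the original thread and not SpamAssassin's own rule logic: a stand-alone Python check that flags a From header whose display name carries an address different from the real mailbox, or that lists more than one mailbox. The function name, finding labels and sample headers are assumptions made for this illustration.

```python
import re
from email.utils import getaddresses

# Loose pattern, only meant to spot an address embedded in a display name.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def from_address_mismatches(from_header):
    """Return findings for one raw From header value.

    Each finding is (kind, claimed, actual):
      "display-name"  - the display name shows an address that is not the
                        mailbox the message really comes from
      "extra-mailbox" - the header lists a second, different mailbox
    """
    findings = []
    # Addresses are lower-cased for comparison (an assumption: local parts
    # are treated as case-insensitive, as most mail systems do in practice).
    pairs = [(name, addr.lower())
             for name, addr in getaddresses([from_header]) if addr]
    for name, addr in pairs:
        for claimed in ADDR_RE.findall(name):
            if claimed.lower() != addr:
                findings.append(("display-name", claimed.lower(), addr))
    if pairs:
        first = pairs[0][1]
        for _, addr in pairs[1:]:
            if addr != first:
                findings.append(("extra-mailbox", addr, first))
    return findings


# Constructed sample headers using example.* domains, not taken from real mail.
SAMPLES = [
    '"<John Doe> john.doe@example.com" <mallory@example.net>',
    '"John Doe" <john.doe@example.com>',
    '"john.doe@example.com" <John.Doe@Example.com>',
    'John Doe <john.doe@example.com>, Mallory <mallory@example.net>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", from_address_mismatches(header) or "ok")
```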