That's a really good point that both option 2 and 4 would catch (and cause 2x the score) the apparently very common tactic of having a sender name followed by 2 email addresses in < > in the from line. I think a bunch of people could be confused by the score if they pay attention.

I suggest that you change the description of option 2 to indicate that this will catch 2 different domains in the same line too. And some other slight description changes to make it easier to decipher:

1 - FROM: and SENDER: header tags are both missing
2 - different domains found in FROM: and SENDER: email addresses - or if multiple addresses in a single header (FROM: or SENDER:) of different domains are found
4 - multiple FROM: addresses or FROM: header tags found (potential 2x score if option 2 is also enabled)
8 - multiple SENDER: addresses or SENDER: header tags found (potential 2x score if option 2 is also enabled)
16 - FROM: contains an invalid email address or no address
32 - SENDER: contains an invalid email address or no address

It was me (or at least I was one of the people) who said that sender and from domains can be different. Several reputable mailing services do this (unfortunately). That means that I'm going to use 61 as my DoNoFromSelect, so the x2 score wouldn't apply for me.

I love the new option to remove the WL flag. It doesn't matter how it gets whitelisted, if they break the DoNoFromSelect rules, bye bye, WL removed, add the score for breaking the rules. That will help stop fraud attempts when a scammer spoofs a whitelisted address in the FROM line.

Looking forward to trying this all. Thank you again!
Ken

On Wed, Dec 5, 2018 at 1:22 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> If you select DoNoFromWL and option 2 and 4 are enabled, the feature will
> hit (score) two times for from: <realaddr...@ourvendor.com>
> <f...@actuallythesender.com>
> Adding two times the valence value should block the mail.
>
> There are too many possible ways to get a mail whitelisted (whitelist
> (envelope, from, sender, reply-to.....), white-Domains, whiteRe, FBMTV,
> NOTSPAMTAG, DKIM, DMARC ......).
> The same applies to noprocessing.
> Yes it is possible to remove any of both flags.
>
> My first idea is to remove both flags, if we get more than one hit in this
> feature. But I got some feedback in the forum, where it was legit to have
> different domains in from: and sender: This would be only one hit ....??? I
> need to think about this...
>
> For testing, I'll implement this using a hidden variable in the next
> release.
>
> 0 - no action
> 1 - remove the whitelisting flag
> 2 - remove the noprocessing flag
> 3 - remove both
>
> Default setting will be 0. So nothing changes per default.
>
> However, this will require DoNoFromWL and/or DoNoFromNP to be enabled !
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 04.12.2018 20:41
> Subject: Re: [Assp-test] fixes in assp 2.6.2 *Fortress* build 18337
> ------------------------------
>
> And another question-
> We're seeing a lot of emails with a from line like:
> From: Known User Name <realaddr...@ourvendor.com>
> <f...@actuallythesender.com>
>
> realaddr...@ourvendor.com is whitelisted
> With option 4, we can now score this but will the mail still go through
> because realadde...@ourvendor.com is whitelisted?
> Is there a way to remove the whitelist flag if the only reason it's
> whitelisted is due to a match in a line that was caught by DoNoFromSelect?
>
> On Tue, Dec 4, 2018 at 2:30 PM K Post <nntp.p...@gmail.com> wrote:
>
> This is great. Thank you so much.
> For option 32, if there is NO sender line at all, I assume this won't
> match (there's no email address because there's no line at all)?
>
> Options 4 and 8 are going to be great at scoring all of these spoofed
> emails we've been seeing this week (fake invoices)!!
>
> On Mon, Dec 3, 2018 at 3:51 PM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> Hi all,
>
> fixed in assp 2.6.2 *Fortress* build 18337:
>
> - DoNoFrom detected email addresses in the text part of the header text -
> like: "do not detect this address u...@domain.com but
> the next one" <other.u...@other-domain.org>
>
> - under rare conditions the file name in a blocked mail resend request was
> wrongly parsed, the file wasn't found and the resend failed
>
> added:
>
> - 'DoNoFromSelect','Select Checks for From: and Sender: Header'
> Select which check should be done in DoNoFrom .
>
> 1 - from: and sender: header tag are both missing
> 2 - different domains found in from: and sender: email addresses
> 4 - multiple from: addresses or from: header tags found
> 8 - multiple sender: addresses or sender: header tags found
> 16 - no or an invalid email address found in from: header tag
> 32 - no or an invalid email address found in sender: header tag
>
> Simply form the sum of the numbers in front of the checks you want to
> select (0...63). Default value is 63 (1+2+4+8+16+32) - all checks are
> selected.'
>
> changed:
>
> - $DoNoFromDomainCHK is removed - use DoNoFromSelect instead
>
> Thomas
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
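
The double hit discussed in this thread, worked through as an added Python example; it is not ASSP's code and only follows the option descriptions quoted above. Assumptions: the address regex, the names `check`, `score` and `surviving_flags`, the `action` parameter standing in for the unnamed hidden variable, a valence of 25, and that a header that is absent does not count as "no address" for options 16 and 32 (the thread leaves that question open).

```python
import re

# Bit values exactly as listed for DoNoFromSelect in the thread.
BOTH_MISSING, DIFF_DOMAINS, MULTI_FROM, MULTI_SENDER, BAD_FROM, BAD_SENDER = 1, 2, 4, 8, 16, 32

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted display-name text
_ADDR = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def domains(value):
    """Domains of the addresses in one header value, ignoring quoted text."""
    return [m.group(1).lower() for m in _ADDR.finditer(_QUOTED.sub("", value))]

def check(headers, select=63):
    """headers: list of (name, value). Returns the bitmask of selected checks that hit."""
    frm = [v for n, v in headers if n.lower() == "from"]
    snd = [v for n, v in headers if n.lower() == "sender"]
    f_doms = [d for v in frm for d in domains(v)]
    s_doms = [d for v in snd for d in domains(v)]
    hits = 0
    if not frm and not snd:
        hits |= BOTH_MISSING
    if len(set(f_doms + s_doms)) > 1:      # across headers or inside one header
        hits |= DIFF_DOMAINS
    if len(frm) > 1 or len(f_doms) > 1:
        hits |= MULTI_FROM
    if len(snd) > 1 or len(s_doms) > 1:
        hits |= MULTI_SENDER
    if frm and not f_doms:                 # assumption: absent header is no hit
        hits |= BAD_FROM
    if snd and not s_doms:
        hits |= BAD_SENDER
    return hits & select

def score(headers, select, valence):
    """One valence per check that hit, so options 2 and 4 together score twice."""
    return bin(check(headers, select)).count("1") * valence

def surviving_flags(hits, flags, action=0):
    """Apply the 0..3 action from the thread: 1 drops whitelisting, 2 drops noprocessing."""
    if not hits:
        return set(flags)
    drop = {"whitelisted"} if action & 1 else set()
    drop |= {"noprocessing"} if action & 2 else set()
    return set(flags) - drop

# Constructed sample headers (not taken from real mail).
SPOOF = [("From", "Known User Name <realaddress@ourvendor.example> <fake@actuallythesender.example>")]
QUOTED = [("From", '"do not detect this address user@domain.example but the next one" <other.user@other-domain.example>')]
RELAY = [("From", "News <news@brand.example>"), ("Sender", "bounce@mailer.example")]
```

With select 63 the spoofed From line hits options 2 and 4 and scores twice; with 61 it hits only option 4, and the legitimate From/Sender domain mismatch in `RELAY` is not scored at all.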