Re: Rule for detecting two email addresses in From: field.

2019-10-05 Thread Grant Taylor

On 10/4/19 12:22 PM, A. Schulze wrote:
> Hi Grant,
>
> Maybe we're talking about different things :-)


Based on your description, I believe we are talking about different 
things.  Thank you for the clarification.



> The OpenDMARC bug could be triggered by this RFC5322.From:
> From: user , user


I seem to recall that it is within RFC spec to have multiple addresses 
in the From: header.


I would assume that all would need to pass DMARC alignment tests for the 
message to also pass DMARC alignment tests.  This would likely be 
difficult to do if the From: addresses are part of separate domains, 
especially if they are from separate organizations.


> Mallory could send a message which authenticates as badguy.example but
> OpenDMARC reports "dmarc=pass domain=yahoo.example". That's fixed with
> https://github.com/trusteddomainproject/OpenDMARC/pull/48/commits/f6b615e345037408b88b2ffd1acd03239af8a858


That seems like a problem.  I'm glad that it was fixed.


> But back to SA:
> there is a difference between this comma-separated list and the
> display name containing a second address ...


Agreed.

I still think that the MUA has some culpability in both cases: multiple 
addresses in one From: header and multiple From: headers.




--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature


Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread A. Schulze



Am 04.10.19 um 16:40 schrieb Grant Taylor:
> On 10/4/19 6:43 AM, A. Schulze wrote:
>> that happens from time to time but currently I suspect the sender likes to 
>> trigger a bug in OpenDMARC to generate dmarc=pass for messages that 
>> otherwise would be classified as dmarc=reject.
> 
> Based on my understanding of DMARC, which could be wrong, I don't think this 
> is a bug in OpenDMARC, as an implementation, but rather an unexpected 
> behavior around the DMARC standard.
> 
> My understanding is that the DMARC standard is to check alignment of the 
> From: address, which means the part inside angle brackets, outside of the 
> optional double quoted friendly name.
> 
>    From:  "John Doe " 
> 
> Thus DMARC is supposed to /only/ check  and /not/ check 
> .

Hi Grant,

Maybe we're talking about different things :-) The OpenDMARC bug could be 
triggered by this RFC5322.From:
From: user , user 

Mallory could send a message which authenticates as badguy.example but 
OpenDMARC reports "dmarc=pass domain=yahoo.example".
That's fixed with 
https://github.com/trusteddomainproject/OpenDMARC/pull/48/commits/f6b615e345037408b88b2ffd1acd03239af8a858

But back to SA:
there is a difference between this comma-separated list and the display name 
containing a second address ...

Andreas


Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread shanew

I use a plugin that detects mismatches, but tries to be a little smart
about what counts as a mismatch (like making sure the mismatch isn't
really just that one address is from a subdomain of the other's
domain, or someone carelessly using the "@" character in the name part
of the From header).

https://github.com/enkidushane/sa-frommismatch



On Fri, 4 Oct 2019, Philip wrote:
> Morning List,
>
> Lately I'm getting a bunch of emails that are showing up with two email
> addresses in the From: field.
>
> From: "Persons Name " 
>
> When you look in your mail client (Outlook, Thunderbird) it's showing only
> "Persons Name "
>
> Is there a way I can mark From: that has 2 email addresses in it as spam?
> Pros/Cons?
>
> Phil




--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread Grant Taylor

On 10/4/19 6:43 AM, A. Schulze wrote:
> that happens from time to time but currently I suspect the sender likes
> to trigger a bug in OpenDMARC to generate dmarc=pass for messages that
> otherwise would be classified as dmarc=reject.


Based on my understanding of DMARC, which could be wrong, I don't think 
this is a bug in OpenDMARC, as an implementation, but rather an 
unexpected behavior around the DMARC standard.


My understanding is that the DMARC standard is to check alignment of the 
From: address, which means the part inside angle brackets, outside of 
the optional double quoted friendly name.


   From:  "John Doe " 

Thus DMARC is supposed to /only/ check  and /not/ 
check .


As such, some enterprising individuals have taken to putting an address 
they want to pretend to be inside the double quoted friendly name while 
using something else they control in the actual From: address.  Thus 
their messages /do/ /pass/ DMARC alignment tests while still appearing 
to be from what humans (mis)perceive as the address inside the double 
quoted friendly name.


To me, this is what the DMARC specification states.  That is why 
enterprising individuals have taken to using this workaround to make 
messages appear to be from j...@example.net.


This is also why some DMARC implementations have started going beyond 
the DMARC specification and looking for what appears to be an email 
address inside the double quoted friendly name and applying DMARC 
alignment tests to that in addition to what the specification says. 
Hence my referring to these implementations as overzealous.


> I'm aware the Debian package of opendmarc was updated some weeks ago:
> https://www.debian.org/security/2019/dsa-4526


I thought that this bug was based on multiple From: headers in a message.

   From:  "unknown" 
   From:  "John Doe " 

The first part of this issue centers on the fact that some DMARC 
implementations would test the first From: header for alignment and 
ignore other From: headers, assuming that there is only one.


The second part of this issue centers on the fact that some MUAs 
only display the last From: header and ignore other From: headers.


The combined interaction is that the questionable message passes 
DMARC alignment tests without any problems and the last From: address is 
displayed to the end user.  Thus a message seemingly from John 
Doe  passes DMARC when  was the 
real sender that passed DMARC.




--
Grant. . . .
unix || die



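The multiple-From: and multiple-mailbox cases discussed in this post, as an added example that is not part of the thread or of OpenDMARC's code: a Python check that evaluates every From: header field and every mailbox it lists against the domain that SPF or DKIM authenticated (supplied by the caller here, since the example does no DNS lookups), and returns pass only if all of them align. The organizational-domain helper is a simplification (last two labels) rather than a Public Suffix List lookup, and the sample messages are constructed.

```python
"""Added example, not code from the thread or from OpenDMARC: apply DMARC
identifier alignment to *every* From: header field and *every* mailbox it
lists, so one aligned mailbox cannot carry an unaligned one to a pass.
"""
from email import message_from_string
from email.utils import getaddresses


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.
    Assumption: the last two labels.  A real implementation consults the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """Strict alignment is an exact match; relaxed compares org domains."""
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_from_check(raw_message: str, authenticated_domain: str,
                     mode: str = "relaxed") -> tuple:
    """Return (result, detail) where result is 'pass', 'fail' or 'reject'.

    authenticated_domain is the domain SPF or DKIM already verified.
    'reject' follows RFC 7489 section 6.6.1, which tells receivers to reject
    or ignore messages with more than one From: header field (RFC 5322
    allows exactly one From: field; that one field may list several
    mailboxes, which is the comma-separated case)."""
    msg = message_from_string(raw_message)
    from_fields = msg.get_all("From") or []
    if len(from_fields) != 1:
        return "reject", f"{len(from_fields)} From: header fields"

    mailboxes = getaddresses(from_fields)
    domains = [addr.rsplit("@", 1)[1] for _, addr in mailboxes if "@" in addr]
    if not domains:
        return "fail", "no parsable From: address"

    # Every mailbox must align; the first unaligned one decides the result.
    for domain in domains:
        if not aligned(domain, authenticated_domain, mode):
            return "fail", f"{domain} is not aligned with {authenticated_domain}"
    return "pass", ", ".join(domains)


# Constructed sample messages (placeholders, not real traffic).
MULTI_MAILBOX = (
    "From: user <alice@badguy.example>, user <alice@yahoo.example>\n"
    "Subject: test\n\nbody\n"
)
TWO_FROM_FIELDS = (
    'From: "unknown" <bot@badguy.example>\n'
    'From: "John Doe" <john@example.net>\n'
    "Subject: test\n\nbody\n"
)
SINGLE_FROM = (
    'From: "John Doe <john@example.net>" <list@lists.example.org>\n'
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(dmarc_from_check(MULTI_MAILBOX, "badguy.example"))    # fail
    print(dmarc_from_check(TWO_FROM_FIELDS, "badguy.example"))  # reject
    print(dmarc_from_check(SINGLE_FROM, "lists.example.org"))   # pass
```

The third sample is the mailing-list pattern from this thread: an address inside the quoted display name is ignored, exactly as the specification says, and only the real addr-spec is aligned. Whether to also inspect the display name is the separate SpamAssassin question the thread goes on to discuss.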


Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread Grant Taylor

On 10/4/19 5:41 AM, Reindl Harald wrote:
> there is nothing ill-advised because otherwise you have no way to see
> the original address of the sender


There is nothing ill-advised about having the information.  There is 
unfortunately a potential gotcha if the information is formatted as 
"" inside of the friendly name / double quoted portion.


The problem comes from overzealous DMARC implementations that look 
inside the friendly name / double quoted portion in addition to the 
actual email address.


I recommend that people format the information differently so that it 
does not appear as an actual email address to such questionable DMARC 
implementations.  E.g. "user at example.com".


Thus the information is there for the end user to utilize with much less 
risk of running afoul of overzealous DMARC implementations. 
Implementations which, as I understand it, go against the DMARC standard.




--
Grant. . . .
unix || die





Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread A. Schulze



Am 04.10.19 um 01:12 schrieb Philip:
> Lately I'm getting a bunch of emails that are showing up with two email 
> addresses in the From: field.

that happens from time to time but currently I suspect the sender likes to 
trigger a bug in OpenDMARC
to generate dmarc=pass for messages that otherwise would be classified as 
dmarc=reject.

I'm aware, the Debian package of opendmarc was updated some weeks ago:
https://www.debian.org/security/2019/dsa-4526

Andreas


Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread bOnK

On 4-10-2019 1:12, Philip wrote:
> Morning List,
>
> Lately I'm getting a bunch of emails that are showing up with two
> email addresses in the From: field.
>
> From: "Persons Name " 
>
> When you look in your mail client (Outlook, Thunderbird) it's showing
> only "Persons Name "
>
> Is there a way I can mark From: that has 2 email addresses in it as
> spam? Pros/Cons?
>
> Phil


header  FR_D_AT  From =~ /\S+\@[\w\-\.]+.*\S+\@[\w\-\.]+/
describe    FR_D_AT  From has double email address?
score   FR_D_AT  0.1

header  FR_NA_SAME   From =~ /(\S+\@[\w\-\.]+).*\1/
describe    FR_NA_SAME   From name and address is the same email address.
tflags  FR_NA_SAME   nice
score   FR_NA_SAME   -0.1

meta    SPOOF_EMAIL  (FR_D_AT && ! FR_NA_SAME)
describe    SPOOF_EMAIL  From name and address have different email address!
score   SPOOF_EMAIL  2.5

--
bOnK
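The mismatch logic of the rules in this post, together with the two allowances shanew describes earlier in the thread (a display-name address from a subdomain of the real domain is not a mismatch, and a stray "@" in the name that is not a full address is ignored), combined in one added Python example. This is not code from the thread or from the sa-frommismatch plugin; it parses the From: header with the standard library, looks for an address-shaped token in the display name, and compares domains. The subdomain test is a plain label-suffix check rather than a Public Suffix List lookup, and the sample headers are constructed.

```python
"""Added example, not code from the thread or the sa-frommismatch plugin:
classify a From: header by what the display name carries versus the real
addr-spec, with the subdomain and stray-"@" allowances discussed above.
"""
import re
from email.utils import getaddresses

# Loose addr-spec shape, applied only to the display name.  A bare "@"
# surrounded by spaces ("Ops @ Night Shift") deliberately does not match.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def same_org(a: str, b: str) -> bool:
    """True if the domains are equal or one is a subdomain of the other.
    Assumption: a label-suffix check, not a Public Suffix List lookup."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify_from(header_value: str) -> str:
    """Classify one From: header value as:
      'multiple' - more than one mailbox (the comma-separated list case)
      'spoof'    - display name carries an address from an unrelated domain
                   (what the SPOOF_EMAIL meta above is after)
      'same'     - display name carries the real address or one in the
                   same organization (the FR_NA_SAME case)
      'plain'    - nothing address-shaped in the display name
    Assumption: display names that contain '<' are quoted, as in every
    sample on this thread; the parser is strict about unquoted ones."""
    mailboxes = getaddresses([header_value])
    if len(mailboxes) > 1:
        return "multiple"
    name, addr = mailboxes[0]
    if "@" not in addr:
        return "plain"
    real_domain = addr.rsplit("@", 1)[1]
    found = ADDR_RE.findall(name)
    if not found:
        return "plain"
    for fake in found:
        if not same_org(fake.rsplit("@", 1)[1], real_domain):
            return "spoof"
    return "same"


# Constructed sample headers (placeholders, not real traffic).
SAMPLES = {
    '"Persons Name <person@example.com>" <list@example.net>': "spoof",
    '"Jane Roe <jane@mail.example.com>" <jane@example.com>': "same",
    '"Ops @ Night Shift" <ops@example.com>': "plain",
    "user <a@badguy.example>, user <b@yahoo.example>": "multiple",
}


def run_samples() -> dict:
    """Classify every sample; returns {header: verdict}."""
    return {hdr: classify_from(hdr) for hdr in SAMPLES}


if __name__ == "__main__":
    for hdr, verdict in run_samples().items():
        print(f"{verdict:9s} {hdr}")
```

Only the 'spoof' verdict corresponds to the positive-scoring meta; 'same' is the harmless case the thread's negative-scoring FR_NA_SAME rule exists to cancel, and 'multiple' is the separate DMARC question rather than a display-name trick.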


Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread Tom Hendrikx

On 04-10-19 04:31, Bill Cole wrote:
> On 3 Oct 2019, at 20:01, Rick Cooper wrote:
>> Philip wrote:
>>> Morning List,
>>>
>>> Lately I'm getting a bunch of emails that are showing up with two
>>> email addresses in the From: field.
>>>
>>> From: "Persons Name " 
>>>
>>> When you look in your mail client (Outlook, Thunderbird) it's showing
>>> only "Persons Name "
>>>
>>> Is there a way I can mark From: that has 2 email addresses in it as
>>> spam? Pros/Cons?
>>>
>>> Phil
>>
>> From: =~ /^.*?<.+?\@.+?>.*?<.+\@.+?>/g
>>
>> Can't imagine the circumstance where such a from: format would be
>> required
>
> I've seen it used as a perfectly reasonable workaround for the
> misfeature described above of many MUAs of hiding the address field in
> To/From/CC headers. Because many people actually want to know what the
> actual address is.





I would disagree on the "reasonable" here. People using a mail client 
should configure it as they wish. My client hides email addresses for 
everyone in my address book, but not for 'unknown' addresses.


That is how I like it, and I don't think senders should try to enforce a 
workaround for this because their recipients are too stupid to configure 
their email client (or switch to a decent one).


Anyway, the main harm is done when the email addresses in the 'addr' 
field and the 'name' are different, and that's detectable.


Kind regards,
Tom


Re: Rule for detecting two email addresses in From: field.

2019-10-03 Thread Bill Cole

On 3 Oct 2019, at 20:01, Rick Cooper wrote:
> Philip wrote:
>> Morning List,
>>
>> Lately I'm getting a bunch of emails that are showing up with two
>> email addresses in the From: field.
>>
>> From: "Persons Name " 
>>
>> When you look in your mail client (Outlook, Thunderbird) it's showing
>> only "Persons Name "
>>
>> Is there a way I can mark From: that has 2 email addresses in it as
>> spam? Pros/Cons?
>>
>> Phil
>
> From: =~ /^.*?<.+?\@.+?>.*?<.+\@.+?>/g
>
> Can't imagine the circumstance where such a from: format would be
> required


I've seen it used as a perfectly reasonable workaround for the 
misfeature described above of many MUAs of hiding the address field in 
To/From/CC headers. Because many people actually want to know what the 
actual address is.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Re: Rule for detecting two email addresses in From: field.

2019-10-03 Thread Grant Taylor

On 10/3/19 6:01 PM, Rick Cooper wrote:
> Can't imagine the circumstance where such a from: format would be required


I've seen people (mis)use it as a way to work around DMARC alignment in 
mailing lists.  They move the purported senders to the friendly / pretty 
name and use the mailing list address as the actual From: address.  E.g.

From: "Grant " 

I think such use is ill-advised and likely to end up running afoul of 
overzealous DMARC filters.




--
Grant. . . .
unix || die





Re: Rule for detecting two email addresses in From: field.

2019-10-03 Thread David B Funk

On Fri, 4 Oct 2019, Philip wrote:
> Morning List,
>
> Lately I'm getting a bunch of emails that are showing up with two email
> addresses in the From: field.
>
> From: "Persons Name " 
>
> When you look in your mail client (Outlook, Thunderbird) it's showing only
> "Persons Name "
>
> Is there a way I can mark From: that has 2 email addresses in it as spam?
> Pros/Cons?
>
> Phil


I seem to remember past discussions of this sort of thing.

Bottom line, it's a mixed bag. There are legitimate messages that include an 
address-looking string in the "comment" part of the 'From:' header.

Use the "header rule_name  From:name =~ /target\@some\.place/"
format rule (i.e. use the From:name field).

This works best when looking for spear-phishing type messages where you're 
looking for specific kinds of deception, e.g.:

  header T_PAPAL_PHISH4 From:name =~ /\b(?:Pay[Pp]al|service)\@paypal\.com\b/

For a general rule, I wouldn't treat it as a hard spam sign but use it in 
combination with metas.




--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


RE: Rule for detecting two email addresses in From: field.

2019-10-03 Thread Rick Cooper
Philip wrote:
> Morning List,
> 
> Lately I'm getting a bunch of emails that are showing up with two
> email addresses in the From: field.
> 
> From: "Persons Name " 
> 
> When you look in your mail client (Outlook, Thunderbird) it's showing
> only "Persons Name "
> 
> Is there a way I can mark From: that has 2 email addresses in it as
> spam? Pros/Cons?
> 
> Phil

From: =~ /^.*?<.+?\@.+?>.*?<.+\@.+?>/g

Can't imagine the circumstance where such a from: format would be required

Rick



Rule for detecting two email addresses in From: field.

2019-10-03 Thread Philip

Morning List,

Lately I'm getting a bunch of emails that are showing up with two email 
addresses in the From: field.


From: "Persons Name " 

When you look in your mail client (Outlook, Thunderbird) it's showing 
only "Persons Name "


Is there a way I can mark From: that has 2 email addresses in it as 
spam? Pros/Cons?


Phil