This particular effort is looking at the From header, not the EnvFrom
header (though there is a check From==EnvFrom as well).  What we're
looking for here are things like:

From: "b...@usaa.com" <bgef...@gmail.com>

Or look at the pastebin example at the start of the thread.

Also, without seeing the full email I can't say for sure, but while your
example may be legitimate email, the "dmarc=fail" suggests that the
sender is, in fact, spoofing that gmail address (as in, it lacks a
valid DKIM signature and/or doesn't come from a server approved by
gmail's SPF record).  It's just that spoofing isn't a sure-fire way to
determine that something is spam (if only...).



On Mon, 22 Jan 2018, Chip wrote:

So it's my understanding that SA does the following with this rule:
it checks the From:addr and From:name values to find their domains and
triggers a rule hit if there is a domain in the From:name that doesn't
match the domain in the From:addr.

However, when I examine the headers from many legitimate non-spoofed
emails from bulk senders such as constantcontact, madmimi, sendgrid,
etc. it is very common to find a legitimate sender with a From:addr such
as n...@gmail.com which clearly conflicts with the domain name in the
From:addr; for example, with madmimi bulk sending:

smtp.mailfrom=sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d9342...@bounces.em.secureserver.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d9342...@bounces.em.secureserver.net;>
Received: from m205.em.secureserver.net (m205.em.secureserver.net. [1xx.xx.xxx.xx])

From: balblabla <blabla...@gmail.com>

Would this rule classify that email as probably spam when in fact it
most certainly is not?

So what am I not understanding here?

On 01/22/2018 10:20 AM, David Jones wrote:
On 01/22/2018 09:05 AM, Rupert Gallagher wrote:
This is my current solution for a problem that has been discussed
many times in this list.
I wrote it last year, and it serves me well. Feel free to use it, if
you find it useful.

This part goes into your local.cf:

header     __F_DM1 eval:from_domains_mismatch()
header     __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
meta       F_DM ( __F_DM1 && ! __F_DM2 )
describe   F_DM From:name domain mismatches From:addr domain
priority   F_DM -1
score      F_DM 5.0

This part goes into the general HeaderEval.pm:

$self->register_eval_rule("from_domains_mismatch");
[...]
sub from_domains_mismatch {
   my ($self, $pms) = @_;

   # Capture in list context so a failed match yields undef instead of
   # leaving $1 holding the previous match; pass '' as the default so a
   # missing header does not produce an undef warning.
   my ($fromAddrDomain) = $pms->get('From:addr', '') =~ /@(.+)/;
   my ($fromNameDomain) = $pms->get('From:name', '') =~ /@([^\@\"\s]+)/;
   $fromAddrDomain = '' unless defined $fromAddrDomain;
   $fromNameDomain = '' unless defined $fromNameDomain;

   # Domain names are case-insensitive, so compare them lower-cased.
   $fromAddrDomain = lc $fromAddrDomain;
   $fromNameDomain = lc $fromNameDomain;

   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");

   if ( $fromNameDomain eq "" ) {
      return 0; # no address in From:name, nothing to compare
   } elsif ( $fromNameDomain eq $fromAddrDomain ) {
      return 0; # all well, they match
   } else {
      return 1; # mismatch, possibly spam
   }
}

R.G.



This looks like a simple and valuable approach that should be
considered for inclusion into SA for everyone.  Do you mind opening up
a bug at https://bz.apache.org/SpamAssassin/ in the Plugins section?

We could put this in for everyone with a low score and give it a trial
run before increasing the score.  I will run it locally as well and
see how it goes.




-------- Original Message --------
On 17 January 2018 8:31 PM, David Jones <djo...@ena.com> wrote:

Would a plugin need to be created (or an existing one enhanced) to be
able to detect this type of spoofed From header?

From: "h...@hulumail.com !" <lany...@hotmail.com>



    https://pastebin.com/vVhGjC8H

    Does anyone else think this would be a good idea to make a rule
    that at least checks both the From:name and From:addr to see if
    there is an email address in the From:name and if the domain is
    different add some points?

    We are seeing more and more of this now that SPF, DKIM, and DMARC
    are making it harder to spoof common/major brands that have
    properly implemented some or all of them.

David Jones




--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
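Added example (not from this thread, and not SpamAssassin's own code): a stand-alone Python re-implementation of the From:name/From:addr domain comparison from Rupert's eval rule, plus the separate From == EnvFrom comparison Shane mentions, run over constructed header blocks shaped like the two cases discussed above: the bulk-sender message Chip asks about (freemail From:addr behind a third-party bounce domain, no address in the display name) and a display name that carries an address from a different domain, like the hulumail example David posted. All addresses and domains (.example) are constructed, and the function names are my own. It shows why Chip's example does not fire the name/addr rule: the display name contains no "@", so there is nothing to compare, even though the envelope sender differs from the header From.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domain following an '@' inside a display name (mirrors the eval rule's
# /@([^\@\"\s]+)/ capture); '<' and '>' are excluded as extra safety.
_NAME_DOMAIN_RE = re.compile(r'@([^@"\s<>]+)')


def from_name_domain(display_name: str) -> str:
    """Domain of an address embedded in the From:name, or '' if there is none."""
    m = _NAME_DOMAIN_RE.search(display_name)
    return m.group(1).lower() if m else ""


def from_addr_domain(address: str) -> str:
    """Domain part of the From:addr, lower-cased (domains are case-insensitive)."""
    _, _, domain = address.rpartition("@")
    return domain.lower()


def from_domains_mismatch(from_header: str) -> bool:
    """True when From:name carries an address whose domain differs from From:addr.

    A From:name without an '@' (the usual bulk-sender case) never fires,
    so a freemail From:addr behind a third-party bounce domain is not a hit
    for this rule on its own.
    """
    name, addr = parseaddr(from_header)
    name_dom = from_name_domain(name)
    if not name_dom:
        return False
    return name_dom != from_addr_domain(addr)


def envelope_from_matches(from_header: str, return_path: str) -> bool:
    """Separate From == EnvFrom comparison: header From:addr vs Return-Path.

    This is an assumed implementation of the check mentioned in the thread,
    not SpamAssassin's.
    """
    _, from_addr = parseaddr(from_header)
    _, env_from = parseaddr(return_path)
    return from_addr != "" and from_addr.lower() == env_from.lower()


def evaluate(raw_headers: str) -> dict:
    """Run both checks over a raw RFC 5322 header block (blank line at the end)."""
    msg = message_from_string(raw_headers)
    from_header = msg.get("From", "")
    return_path = msg.get("Return-Path", "")
    return {
        "name_domain_mismatch": from_domains_mismatch(from_header),
        "envelope_from_matches": envelope_from_matches(from_header, return_path),
    }


# Constructed headers (not the thread's pastebin), shaped like the two cases
# discussed: a bulk sender relaying a freemail From:addr, and a display name
# that carries an address from a different domain.
BULK_SENDER_HEADERS = """\
Return-Path: <sp_12xxxxx.55xx.1.bounce@bounces.em.bulkmailer.example>
Received: from m205.em.bulkmailer.example (m205.em.bulkmailer.example [192.0.2.10])
From: balblabla <someone@freemail.example>
Subject: constructed sample

"""

DISPLAY_NAME_ADDRESS_HEADERS = """\
Return-Path: <someone@freemail.example>
From: "billing@brand.example !" <someone@freemail.example>
Subject: constructed sample

"""

if __name__ == "__main__":
    for label, hdrs in (("bulk sender", BULK_SENDER_HEADERS),
                        ("address in display name", DISPLAY_NAME_ADDRESS_HEADERS)):
        print(label, evaluate(hdrs))
```

Running it prints both dictionaries: the bulk-sender block yields no name/addr mismatch (the envelope comparison is what differs there), while the display-name block yields a mismatch even though its envelope sender matches the header From. As in Rupert's rule, the domain comparison is done lower-cased, so a display name that merely differs in case from the From:addr is not a hit.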
