Thanks to those for being patient with me. I see the issue was I didn't understand that the spammer is "cramming" or somehow the different domains get "crammed" into the From:

I mistakenly thought these were two different distinct fields.

On 01/22/2018 06:32 PM, John Hardin wrote:
> On Mon, 22 Jan 2018, Chip wrote:
>
>> Understood, so then what would a From:name that contains a domain look like since it seems the filter needs to compare the domain found in From:addr to From:name in order to pass it as ham.
>
> From: "Joe User (Your Bank) <joeu...@yourbank.com>" <joeb...@phishing.com>
>
>> Or am I on another planet altogether here, just say so and I'll shut up.
>>
>> On 01/22/2018 06:21 PM, Chip wrote:
>>> Ah, okay. Thanks for the clarification.
>>>
>>> So this filter, what would it make of that message? Spam or ham?
>>>
>>> On 01/22/2018 06:16 PM, sha...@shanew.net wrote:
>>>> I think what's tripping you up is what parts of the mail "From:addr" and "From:name" refer to. In the example you give:
>>>>
>>>> From: blablabla <blabla...@gmail.com>
>>>>
>>>> From:name will be "blablabla"
>>>> and
>>>> From:addr will be "blabla...@gmail.com"
>>>>
>>>> Since there's no "@" in From:name, there's clearly not an email address there, so there's nothing to compare to the domain part of From:addr.
>>>>
>>>> The "bounces.em.secureserver.net" you're referring to is part of the EnvelopeFrom (AKA ReturnPath). This particular check doesn't consider that domain name in any way whatsoever.
>>>>
>>>> On Mon, 22 Jan 2018, Chip wrote:
>>>>
>>>>> I might be wrong here; understand I'm still learning, but the purpose of the filter, from what I've been able to grasp, is that it checks the From:addr and From:name values in SA to find their domain and triggering a rule hit if there is a domain in the From:name that doesn't match the domain in the From:addr.
>>>>>
>>>>> In the example I sent From: (as in From:name) contains the domain "gmail.com" - blabla...@gmail.com
>>>>>
>>>>> From:addr contains "bounces.em.secureserver.net"
>>>>>
>>>>> Thus mismatch between From:name that doesn't match the domain in the From:addr.
>>>>>
>>>>> Thus it would identify this message as probably spam, which it is not.
>>>>>
>>>>> Are people talking about a name like "bla@bla...@domain.com" in this thread, meaning the actual "@" character in the "name", or are we comparing domains from the From:addr to the domain in the From:name?
>>>>>
>>>>> On 01/22/2018 05:56 PM, RW wrote:
>>>>>> On Mon, 22 Jan 2018 17:44:00 -0500
>>>>>> Chip wrote:
>>>>>>
>>>>>>> Following is the full header with identifiable information anonymized.
>>>>>>
>>>>>> I don't see what you are getting at, in:
>>>>>>
>>>>>> From: blablabla <blabla...@gmail.com>
>>>>>>
>>>>>> blablabla doesn't contain an "@".
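The split of a From: header into From:name and From:addr that the thread describes, and the resulting domain comparison, as an added example (not SpamAssassin's own plugin code). It assumes a single address per header and a simplified display-name parse; the sample headers are the thread's own anonymized examples, and the envelope sender is deliberately not looked at.

```python
import re

# Constructed sample headers, copied from the thread (addresses are
# anonymized with "..." exactly as the list posts show them).
HEADERS = {
    "ham":   "blablabla <blabla...@gmail.com>",
    "spoof": '"Joe User (Your Bank) <joeu...@yourbank.com>" <joeb...@phishing.com>',
}

# Simplified split (assumption): From:name is the display-name part,
# From:addr is whatever sits inside the LAST <...> of the header.
FROM_RE = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$')

# Any local-part@domain token found inside the display name; "." is
# allowed in the local part so the "..." anonymization still matches.
ADDR_IN_NAME_RE = re.compile(r'[^\s<>"@]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})')


def split_from(header):
    """Return (From:name, From:addr) for a From: header with one address."""
    m = FROM_RE.match(header)
    if not m:                        # bare address, no display name at all
        return "", header.strip()
    name = m.group("name").strip().strip('"')
    return name, m.group("addr").strip()


def domain_of(addr):
    """Domain part of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def fromname_spoof(header):
    """True only when From:name carries an e-mail address whose domain
    differs from the domain of From:addr.  A From:name without any "@"
    gives nothing to compare, so it is never a hit.  The EnvelopeFrom /
    Return-Path is not an input to this check at all."""
    name, addr = split_from(header)
    domains_in_name = ADDR_IN_NAME_RE.findall(name)
    if not domains_in_name:
        return False
    return any(d.lower() != domain_of(addr) for d in domains_in_name)
```

Running `fromname_spoof` over the two sample headers reproduces the thread's conclusion: the plain `blablabla` header cannot hit, while the "Your Bank" header does because `yourbank.com` in the name disagrees with `phishing.com` in the address.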