On 02/16/2018 02:40 PM, Michael Storz wrote:
On 2018-02-15 19:27, David Jones wrote:
We have covered this issue a few times recently on this list but I
don't think anything definitive was ever decided or recommended to
detect and block this sort of spoofing:

https://pastebin.com/juXLD8vr

This appears to be a spoofed email from a compromised account trying
to be a known correspondent to this customer of mine.

The Message-ID is suspicious since it's an inbound email to the
hck12.net domain.

David,

You can reject this kind of spam using

ALL =~ /^To: .+\@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}\@\1>/m

and the message-id and the boundary. I have been doing this since May last year.

Michael

I have been testing out Paul Stead's plugin as a broad solution for this issue:

https://github.com/fmbla/spamassassin-fromnamespoof

So far it's working pretty well. I don't get many of these, but oftentimes these are very targeted and potentially problematic emails that try to trick finance people into wiring lots of money. They typically come from compromised accounts, making them hard to block.

--
David Jones
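
Added example, not part of the thread and not SpamAssassin code: the pattern from Michael's message ported to Python and run over constructed headers, next to an order-independent variant that goes beyond the original rule by parsing the headers instead of relying on To: and Message-ID: being adjacent. The function names and the example.* addresses are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Pattern from the thread, unchanged apart from Python syntax. It only matches
# when To: is immediately followed by Message-ID: in the raw header block.
ADJACENT = re.compile(
    r"^To: .+@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}@\1>", re.M)

# The same numeric Message-ID shape, captured on its own.
MSGID = re.compile(r"<\d{8,13}\.201[78]\d{5,11}@([^>\s]+)>")


def adjacent_match(raw_headers):
    """True when the ported rule matches the raw header block."""
    return ADJACENT.search(raw_headers) is not None


def msgid_uses_recipient_domain(raw_headers):
    """Order-independent variant: numeric Message-ID whose domain equals
    the domain of any To: address."""
    msg = message_from_string(raw_headers)
    m = MSGID.fullmatch((msg.get("Message-ID") or "").strip())
    if not m:
        return False
    to_domains = {addr.rpartition("@")[2].lower()
                  for _, addr in getaddresses(msg.get_all("To", []))
                  if "@" in addr}
    return m.group(1).lower() in to_domains


# Constructed samples (placeholder domains, not taken from the thread).
SPOOF = ("From: \"Known Contact\" <someone@example.org>\n"
         "To: user@example.com\n"
         "Message-ID: <123456789.2018021512345@example.com>\n"
         "Subject: invoice\n\n")
REORDERED = ("Message-ID: <123456789.2018021512345@example.com>\n"
             "To: User <user@example.com>\n"
             "Subject: invoice\n\n")
LEGIT = ("To: user@example.com\n"
         "Message-ID: <CAF1234abcd@mail.example.org>\n"
         "Subject: hello\n\n")

if __name__ == "__main__":
    for name, sample in (("spoof", SPOOF), ("reordered", REORDERED),
                         ("legit", LEGIT)):
        print(name, adjacent_match(sample), msgid_uses_recipient_domain(sample))
```

The variant is broader than the original rule, so it is better suited as a scoring signal than as a reject condition.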
