All,
I'm noticing a pattern of email like:
From: "GUSHI.ORG Administrator" <somera...@host.cn>
To: y...@gushi.org
Subject: Your mailbox has exceeded its quota
Or some such nonsense.
Now, DMARC and SPF and DKIM would be able to block the domain if they
tried to spoof it in the From email address. But mail clients helpfully
these days aren't showing the actual email address to people. Ergo, I'm
looking to do the following:
Catch a case where the REALNAME of the FROM address contains a domain that
is in the TO header. This would seem to require a macro of some kind to
capture the value and do the comparison, so this doesn't seem to be the
kind of thing one can do (dynamically) with a regular rule.
Note my unanswered question a week or two ago seeking macros for the spamc
username, lhs, and rhs for use in rules.
I mean, certainly, I could hardcode the domain name, but I'd like
something more flexible.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
