On Wed, 27 Jan 2021, John Hardin wrote:
On Wed, 27 Jan 2021, Dan Mahoney (Gushi) wrote:
All,
I'm noticing a pattern of email like:
From: "GUSHI.ORG Administrator" <somera...@host.cn>
To: y...@gushi.org
Subject: Your mailbox has exceeded its quota
Or some such nonsense.
Now, DMARC and SPF and DKIM would be able to block the domain if they tried
to spoof it in the From email address. But mail clients helpfully these
days aren't showing the actual email address to people. Ergo, I'm looking
to do the following:
Catch a case where the REALNAME of the FROM address contains a domain that
is in the TO header. This would seem to require a macro of some kind to
capture the value and do the comparison, so this doesn't seem to be the
kind of thing one can do (dynamically) with a regular rule.
It can be done with a regular rule, as header rules can match across multiple
headers.
There is already a rule like that in the base ruleset:
https://ruleqa.spamassassin.org/20210127-r1885943-n/PDS_FROM_NAME_TO_DOMAIN/detail
Jan 27 12:03:34.724 [29312] dbg: rules: ran header rule
__PDS_FROM_NAME_TO_DOMAIN ======> got hit: "From: "GUSHI.ORG Administrator"
<somera...@host.cn>
Jan 27 12:03:34.724 [29312] dbg: rules: [...] To: y...@gushi.org"
PDS_FROM_NAME_TO_DOMAIN should have hit on that message. Did it?
Let me spoof something out to the day job and we'll find out.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------