On Thu, 11 May 2023, Marc wrote:

I was wondering if spamassassin is applying some sort of algorithm to
comparing sender domain against recipient domain to detect a phishing
attempt?

There is a suite of meta rules and subrules with names containing
TO_EQ_FROM in the default rule channel. Consult the rules files for
implementation details.



hmmm, I guess not

some test message with these headers
test2:~# spamassassin -D < spam-test.txt  > out2

Date: Mon, 24 Oct 2016 22:10:07 +0200
To: recipi...@alexander.com
From: Lara <sen...@a1exander.com>


Try this:


 header         __TO_OUR_DOMAIN             To:addr =~ /alexander\.com/i
 header         __FROM_OUR_DOMAIN_FUZZY     From =~ /(?!alexander)<A><L><E><X><A><N><D><E><R>\.com/i
 replace_rules  __FROM_OUR_DOMAIN_FUZZY
 meta           OUR_DOMAIN_SPOOFED_FROM     __TO_OUR_DOMAIN && __FROM_OUR_DOMAIN_FUZZY

Note that the Levenshtein distance plugin would be a more general solution, but this might be quite useful.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  An operating system design that requires a system reboot in order
  to install a document viewing utility does not earn my respect.
-----------------------------------------------------------------------
 Tomorrow: the 75th anniversary of Israel's independence
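
The edit-distance approach mentioned at the end of the reply above, sketched as an added example. It is not code from this thread, from SpamAssassin, or from the Levenshtein plugin. The function names, the threshold of 2 and the sample messages (including the address local parts) are assumptions made for illustration; the two domains are the ones from the test message.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "alexander.com"   # protected domain, taken from the thread
MAX_DISTANCE = 2               # assumed threshold; tune to the domain length

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def addr_domain(header_value) -> str:
    """Lower-cased domain of the address in a To/From header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoofed_from(raw_message: str) -> bool:
    """True when To is our domain and From is a near miss of it."""
    msg = message_from_string(raw_message)
    to_dom = addr_domain(msg["To"])
    from_dom = addr_domain(msg["From"])
    # An exact match is legitimate mail from our own domain, not a lookalike.
    if to_dom != OUR_DOMAIN or not from_dom or from_dom == OUR_DOMAIN:
        return False
    return levenshtein(from_dom, OUR_DOMAIN) <= MAX_DISTANCE

def sample(from_header: str) -> str:
    """Build a constructed test message with the given From header."""
    return ("Date: Mon, 24 Oct 2016 22:10:07 +0200\n"
            "To: someone@alexander.com\n"
            f"From: {from_header}\n\nconstructed body\n")

# Constructed samples: lookalike, genuine internal sender, unrelated sender.
SPOOF = sample("Lara <lara@a1exander.com>")
INTERNAL = sample("Lara <lara@alexander.com>")
UNRELATED = sample("Lara <lara@example.org>")

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF), ("internal", INTERNAL), ("unrelated", UNRELATED)):
        print(name, spoofed_from(raw))
```

Unlike the replace-tag rule, this also catches transpositions and inserted or dropped characters, at the cost of needing a per-domain threshold to avoid flagging unrelated short domains.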
