On 2024-07-17 at 13:17:16 UTC-0400 (Wed, 17 Jul 2024 10:17:16 -0700)
Kirk Ismay <[email protected]>
is rumored to have said:
> I have a spammer using a malformed From header, as follows:
>
> From: <UPS>[email protected]
>
> The envelope from is: [email protected], and I've set up blocks
> for that address.
>
> Sendmail is munging the From: header to change <UPS> to
> <[email protected]>, so it ends up looking like a local address to my
> users.
>
> How do I detect similar mangled From headers in Spamassassin?

I believe SA already has a more general rule that will catch the *BAD*
form, but depending on how you've integrated SA and Sendmail, it may
only see the "cleaned up" form that Sendmail provides. I believe SA sees
the unmolested headers only in a milter interface, NOT if you've got it
hooked into a mailer.
If not, here's a rule that should work:
header FROM_ANGLE_UNQUAL From =~ /<[^<\@]*>[^\@]*\@/

> Also does anyone know how to prevent Sendmail from rewriting the From
> header like this? The documentation for confFROM_HEADER is
> somewhat cryptic:
>
> https://www.sendmail.org/~ca/email/doc8.12/cf/m4/tweaking_config.html#confFROM_HEADER
>
> I'd rather it say <UPS@suspected-spammer> instead, or reject it
> entirely.
>
> Thanks,
> Kirk

Remove FEATURE(always_add_domain) from your .mc and remake sendmail.cf.
Consult the Ops guide and/or cf/README for all of the effects of that.
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
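
Added example, not part of the thread: a Python port of the FROM_ANGLE_UNQUAL pattern run over constructed From headers, showing that it matches the raw malformed form but not a header whose bracketed token has already been given a domain. The rewritten form is assumed from the description in the quoted question; every address, domain and helper name below is constructed.

```python
import re
from email import message_from_string

# Python port of the rule body posted above: /<[^<\@]*>[^\@]*\@/
FROM_ANGLE_UNQUAL = re.compile(r"<[^<@]*>[^@]*@")

def from_values(raw_message):
    """Return each From: value as received, unfolded, with no address rewriting."""
    msg = message_from_string(raw_message)  # default compat32 policy keeps raw text
    return [re.sub(r"\r?\n[ \t]+", " ", str(v)) for v in msg.get_all("From", [])]

def hits_rule(raw_message):
    """True if any From: header matches the FROM_ANGLE_UNQUAL pattern."""
    return any(FROM_ANGLE_UNQUAL.search(v) for v in from_values(raw_message))

# Constructed sample messages (all names and domains are placeholders).
SAMPLES = {
    # Malformed header as it arrives on the wire.
    "raw_malformed": "From: <UPS>billing@spammer.example\nSubject: t\n\nbody\n",
    # Same header, folded across two lines.
    "raw_folded": "From: <UPS>\n billing@spammer.example\nSubject: t\n\nbody\n",
    # Assumed shape after the MTA has qualified the bracketed token.
    "after_rewrite": "From: <UPS@mail.local.example>billing@spammer.example\n"
                     "Subject: t\n\nbody\n",
    # Ordinary well-formed header.
    "normal": "From: UPS Support <support@ups.example>\nSubject: t\n\nbody\n",
    # Well-formed header whose quoted display name contains angle brackets.
    "quoted_brackets": 'From: "<Sales>" <sales@shop.example>\nSubject: t\n\nbody\n',
}

def classify():
    """Map each sample name to whether the pattern hits its From: header."""
    return {name: hits_rule(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:16} {'HIT' if hit else 'no hit'}")
```

The `quoted_brackets` sample shows the pattern also matches a quoted display name that contains angle brackets, which is worth checking against real mail before giving the rule a high score.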