Trying to catch spoofed ToCc

Nasty to do without using a plugin or eval rule, but it can be done.
The following is off the top of my head, and I almost guarantee it won't work 
correctly without testing and some minor tweak somewhere.  But you can try it 
and/or fool with it if you like.

header __SENT_TO_ME    ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/
meta NOT_SENT_TO_ME    !__SENT_TO_ME

You can give that a try, but I warn you you may have to fiddle with it for half 
an hour to get it to work right.  Or maybe it will work now.

        Loren

  ----- Original Message ----- 
  From: Jason Oriente 
  To: users@spamassassin.apache.org 
  Sent: Thursday, December 07, 2006 3:04 PM
  Subject: Trying to catch spoofed ToCc




  In my mail setup, it is gospel that (ignoring BCC and mailing lists) the full 
email address in the Delivered-To will match an email address in the ToCc.  

  Example below. 

  Return-Path: <[EMAIL PROTECTED]> 
  Delivered-To: [EMAIL PROTECTED] 
  Received: from mx01.domain.ext (unknown [172.16.0.149]) 
          by localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57 
          for <[EMAIL PROTECTED]>; Mon, 27 Nov 2006 19:36:46 -0500 (EST) 
  From: <[EMAIL PROTECTED]> 
  To: Jason <[EMAIL PROTECTED]> 
  Cc: Jason <[EMAIL PROTECTED]> 
  Subject: Testing 

  I have created a matching rule to statically qualify the validity of a domain 
(below). 
  
#--------------------------------------------------------------------------------------------------------
 
  header  __HEAD_01_01   Delivered-To =~  /[EMAIL PROTECTED]/i 
  header  __HEAD_01_02   ToCc !~  /[EMAIL PROTECTED]/i 
  
#--------------------------------------------------------------------------------------------------------
 
  meta    HEAD_01        (__HEAD_01_01 && __HEAD_01_02) 
  score   HEAD_01        5.0 
  
#--------------------------------------------------------------------------------------------------------
 

  I host hundreds of domains, so I cannot create static rules for each.  My 
goal is to have a rule, much like the one above, but will qualify the entire 
email address from the Delivered-To to the ToCc.  No match equals a score.

  Any insight would be much appreciated. 



  Thank you, 
  Jason 
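
The comparison discussed in this thread (does the full Delivered-To address appear anywhere in To or Cc?), written out as an added Python example. It is not code from either poster or from SpamAssassin; the function name delivered_to_in_tocc and the example.com/example.net/example.org sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses
from typing import Optional


def delivered_to_in_tocc(raw_message: str) -> Optional[bool]:
    """True if a Delivered-To address is listed in To/Cc, False if not,
    None when the message carries no Delivered-To header at all."""
    msg = message_from_string(raw_message)
    # Parse real addresses instead of matching text, so display names,
    # angle brackets and folded header lines do not affect the result.
    delivered = {addr.lower()
                 for _, addr in getaddresses(msg.get_all("Delivered-To", []))
                 if addr}
    if not delivered:
        return None
    visible_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # Lower-casing mirrors the /i flag on the static rules in the thread.
    visible = {addr.lower() for _, addr in getaddresses(visible_headers) if addr}
    return not delivered.isdisjoint(visible)


# Constructed sample: recipient is named in To (different letter case).
MATCHING = (
    "Return-Path: <sender@example.net>\n"
    "Delivered-To: jason@example.com\n"
    "Received: from mx01.example.com (unknown [172.16.0.149])\n"
    "\tby localdelivery01 (Postfix) with ESMTP id 0000000000000\n"
    "\tfor <jason@example.com>; Mon, 27 Nov 2006 19:36:46 -0500 (EST)\n"
    "From: <sender@example.net>\n"
    "To: Jason <Jason@Example.com>\n"
    "Subject: Testing\n\nbody\n"
)

# Constructed sample: delivered to jason@example.com, but To/Cc name others.
SPOOFED = (
    "Return-Path: <sender@example.net>\n"
    "Delivered-To: jason@example.com\n"
    "From: <sender@example.net>\n"
    'To: "Valued Customer" <someone@example.org>\n'
    "Cc: other@example.org\n"
    "Subject: Testing\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("matching", MATCHING), ("spoofed", SPOOFED)):
        print(label, delivered_to_in_tocc(raw))
```

A False result is the case the original rule wants to score; as the question notes, BCC and mailing-list deliveries also return False and need to be excluded separately.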
