On Tue, 3 Nov 2015, Richard Mealing wrote:
> From: John Hardin [mailto:jhar...@impsec.org]
>
>> So, to generalize the pattern: *your* (the recipient) domain is
>> (somewhere) in the username part of the From email address?
>
> Hi John - Yup!
>
> From address is - fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...
>
> It's not actually that, but similar. We are seeing this quite a bit and

This sounds like a fairly minor variation of the __TO_EQ_FROM and
__PDS_TO_EQ_FROM_NAME rules in my sandbox.
Catching the case where the From header is after the To or (if your
Received headers include the recipient address) Received header(s) is
fairly simple, but if the From header is first that's a lot more difficult
- there's no clear way to know *how much* of the From address to capture
to match to the recipient domain.
Can you post the full headers from such a message to pastebin? (...or, if
you would want to keep the email addresses private, zip one up and send it
to me rather than mangling it - you'd be mangling stuff the rule's looking
for.)

> I wondered if anyone else was. I guess not?

I haven't noticed such, but my email volume isn't that large.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
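The check discussed in this thread, as an added example that is not part of the original message and is not SpamAssassin rule syntax: it parses the headers before comparing, so it gives the same answer whether From comes before or after To. The addresses are constructed samples on reserved example domains, and the function name and the label-boundary match are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real mail). Header order differs on purpose.
SPAM_FROM = "Offers <recipient.example.12056010.bob.jones885@vmta27.sender.example>"
TO_FIRST = (
    "To: bob.jones@recipient.example\n"
    f"From: {SPAM_FROM}\n"
    "Subject: constructed sample\n\nbody\n"
)
FROM_FIRST = (
    f"From: {SPAM_FROM}\n"
    "To: bob.jones@recipient.example\n"
    "Subject: constructed sample\n\nbody\n"
)
BENIGN = (
    "From: Alice <alice@sender.example>\n"
    "To: bob.jones@recipient.example\n"
    "Subject: constructed sample\n\nbody\n"
)


def embedded_recipient_domains(raw_message):
    """Return the recipient domains that appear inside the From local part."""
    msg = message_from_string(raw_message)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    domains = {a.rpartition("@")[2].lower() for _, a in rcpts if "@" in a}
    hits = set()
    for _, addr in getaddresses(msg.get_all("From", [])):
        # Only the username part is inspected; the sender's own domain is ignored.
        local = addr.rpartition("@")[0].lower()
        for dom in filter(None, domains):
            # Assumption: the domain must sit on label boundaries, so
            # "recipient.example" is not matched inside "xrecipient.example".
            pattern = r"(?<![a-z0-9-])" + re.escape(dom) + r"(?![a-z0-9-])"
            if re.search(pattern, local):
                hits.add(dom)
    return sorted(hits)


if __name__ == "__main__":
    for name, raw in [("to-first", TO_FIRST), ("from-first", FROM_FIRST), ("benign", BENIGN)]:
        print(name, embedded_recipient_domains(raw))
```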