Hi - I received a spam message with the following double From address:
From: struth...@psfc.mit.edu, "Lorraine M." <alexa.mora...@glcamerica.com>
But neither of the 2 previously suggested rules were triggered by it.
I'm sure a simple modification to the rules will cause it to trigger.
Can we get an official rule to test for invalid double addresses? Do I
need to open a ticket? - Mark
header __FROM_QUOTES From =~ /"/
header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
meta __FROM_SPOOF __FROM_MAYBE_SPOOF && !__FROM_QUOTE
describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header __FROM_NAME_CONTAINS_AT From:name =~ /\@/
describe __FROM_MULTIPLE_ADDR address part of FROM contains more than
one mail address (additional text)
header __FROM_MULTIPLE_ADDR From:addr =~ /\s/
describe __FROM_NAME_ADDRESS_EQUAL constructions like
"us...@companya.com" <us...@companyb.com>
header __FROM_NAME_ADDRESS_EQUAL From =~
/["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header __FROM_NAME_CONTAINS_ADDRESS From =~
/["']?(\w+@\w+\.\w+)["']?\s*\</i
meta FROM_SPOOF_SENDER1 __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2 __FROM_NAME_CONTAINS_ADDRESS && !
__FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE __FROM_NAME_CONTAINS_ADDRESS &&
__FROM_NAME_ADDRESS_EQUAL
