Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/03/28 17:58:43 UTC

Matching To and Received addresses

Hi,

Is there an existing rule that detects when the To address differs
from the address to which the email is to be delivered?

We've received a number of messages directed at executives based on
the recipient address and Received address, both of which are within
the same domain but to different people.

From lynne20man@aol.com  Mon Mar 27 10:33:00 2017
Return-Path: <ly...@aol.com>
Received: from localhost (localhost [127.0.0.1])
        by mail01.example.com (Postfix) with ESMTP id 30F1A6801B259
        for <ma...@example.com>; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)
From: Dorothy <ly...@aol.com>
To: dorothy@example.com

I'd like to be able to use the fact that the To address is not the
same as the address shown in the Received header in a meta of some
kind.

How frequent would you think that would appear in ham alone? It's the
basis for a number of phishing attacks here, so I'd like to see about
using it in some way.

Thanks,
Alex

Re: Matching To and Received addresses

Posted by John Hardin <jh...@impsec.org>.
On Wed, 29 Mar 2017, Alex wrote:

> Would I need to create one ALL rule for each user involved?

Probably not, the username part could be 
something like (?:user1|user2|user3)@example\.com

> I don't understand how ALL would help here.

You can't incorporate matches in one rule into a different rule, so it 
would need to be an ALL headers rule that matched two headers (the 
Received: with the envelope to address and the To:/CC: header) to detect 
an address mismatch. See the TO_EQ_FROM rules for an example.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You are in a maze of twisty little protocols,
   all written by Microsoft.
----------------------------------------------------------------------
  3 days until April Fools' day

Re: Matching To and Received addresses

Posted by Alex <my...@gmail.com>.
Hi,

On Tue, Mar 28, 2017 at 2:27 PM, John Hardin <jh...@impsec.org> wrote:
> On Tue, 28 Mar 2017, Dominic Benson wrote:
>
>>> On 28 Mar 2017, at 19:04, Markus <ma...@clardy.eu> wrote:
>>>
>>> So you can't compare the "for <ma...@example.com>" with "To:
>>> dorothy@example.com".
>
> You can do that with a Header ALL rule; it will work more reliably as a
> local rule because you know how your local MTA is annotating the envelope
> recipient address in the headers, where a rule provided as part of the base
> set would be hit-or-miss and hugely complex and would better be done in a
> plugin.

It's probably not worth it if it requires a plugin. I had checked the
check_for_forged_yahoo_received_headers() function, thought my
situation was similar, and suspected this would be the approach.

My intention was to create a meta specifically for the users that were
targeted most frequently, not a more generic site-wide thing that
could hit mailing lists, etc.

Would I need to create one ALL rule for each user involved? I don't
understand how ALL would help here.

alex

Re: Matching To and Received addresses

Posted by Markus Clardy <ma...@clardy.eu>.
On 03/28/2017 08:09 PM, Dianne Skoll wrote:
> The "for..." clause is optional and a lot of MTAs don't add it.
> Almost all MTAs will refuse to add it if it's for more than
> one local recipient.

True, but that is what OP is asking about comparing to, which is why I 
had mentioned it.


Re: Matching To and Received addresses

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Tue, 28 Mar 2017 19:49:10 +0100
Markus <ma...@clardy.eu> wrote:

> Honestly didn't even think of mailing lists such as this, nor BCC
> (don't deal with BCC emails very much to be honest).

> Though, would you not be able to test against the bottom most
> Received header compared to the To: header?

The "for..." clause is optional and a lot of MTAs don't add it.
Almost all MTAs will refuse to add it if it's for more than
one local recipient.

Regards,

Dianne.

Re: Matching To and Received addresses

Posted by Markus <ma...@clardy.eu>.
Honestly didn't even think of mailing lists such as this, nor BCC (don't 
deal with BCC emails very much to be honest).

Though, would you not be able to test against the bottom most Received 
header compared to the To: header?

Received: from localhost (jhardin@localhost)
	by athena.impsec.org (8.14.9/8.14.9/Submit) with ESMTP id v2SIRaf8032513
	for <us...@spamassassin.apache.org>; Tue, 28 Mar 2017 11:27:36 -0700
X-Authentication-Warning: athena.impsec.org: jhardin owned process doing -bs
Date: Tue, 28 Mar 2017 11:27:36 -0700 (PDT)
From: John Hardin <jh...@impsec.org>
To: users@spamassassin.apache.org

I mean, even in a mailing list those would still be the same? Obviously 
in this case, you can't test them compared to all Received headers, as 
that would definitely cause problems.

On 28/03/17 19:27, John Hardin wrote:
> On Tue, 28 Mar 2017, Dominic Benson wrote:
>
>>> On 28 Mar 2017, at 19:04, Markus <ma...@clardy.eu> wrote:
>>>
>>> So you can't compare the "for <ma...@example.com>" with "To: 
>>> dorothy@example.com".
>
> You can do that with a Header ALL rule; it will work more reliably as 
> a local rule because you know how your local MTA is annotating the 
> envelope recipient address in the headers, where a rule provided as 
> part of the base set would be hit-or-miss and hugely complex and would 
> better be done in a plugin.
>
>>> How likely is it to be in legitimate mail? Highly unlikely (if 
>>> ever), so you'd be pretty safe outright rejecting mail that behaves 
>>> this way, to be honest.
>>
>> On the face of it I would have thought that CC and BCC both seem like 
>> quite commonplace ways for this to come up in ham.
>
> Indeed. Markus must not get much email.
>
> If you do develop such a rule for metas, be very careful how you use it.
>


Re: Matching To and Received addresses

Posted by John Hardin <jh...@impsec.org>.
On Tue, 28 Mar 2017, Dominic Benson wrote:

>> On 28 Mar 2017, at 19:04, Markus <ma...@clardy.eu> wrote:
>>
>> So you can't compare the "for <ma...@example.com>" with "To: dorothy@example.com".

You can do that with a Header ALL rule; it will work more reliably as a 
local rule because you know how your local MTA is annotating the envelope 
recipient address in the headers, where a rule provided as part of the 
base set would be hit-or-miss and hugely complex and would better be done 
in a plugin.

>> How likely is it to be in legitimate mail? Highly unlikely (if ever), 
>> so you'd be pretty safe outright rejecting mail that behaves this way, 
>> to be honest.
>
> On the face of it I would have thought that CC and BCC both seem like quite commonplace ways for this to come up in ham.

Indeed. Markus must not get much email.

If you do develop such a rule for metas, be very careful how you use it.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance is no excuse for a law.
-----------------------------------------------------------------------
  4 days until April Fools' day

Re: Matching To and Received addresses

Posted by Dominic Benson <do...@lenny.cus.org>.
> On 28 Mar 2017, at 19:04, Markus <ma...@clardy.eu> wrote:
> 
> Hello Alex,
> 
> To my knowledge, you can't compare equality without a SpamAssassin plugin.
> 
> So you can't compare the "for <ma...@example.com>" with "To: dorothy@example.com".
> 
> With a plugin, you could definitely do that, but that would cause a bit more overhead (and some perl development).
> 
> 
> How likely is it to be in legitimate mail? Highly unlikely (if ever), so you'd be pretty safe outright rejecting mail that behaves this way, to be honest.

On the face of it I would have thought that CC and BCC both seem like quite commonplace ways for this to come up in ham. As indeed do mailing lists, so I would be very cautious with proceeding further with this. 
> 
> - Markus

Dominic 


Re: Matching To and Received addresses

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Tue, 28 Mar 2017 19:04:44 +0100
Markus <ma...@clardy.eu> wrote:

> How likely is it to be in legitimate mail? Highly unlikely (if ever),
> so you'd be pretty safe outright rejecting mail that behaves this
> way, to be honest.

You'd reject every single message in this mailing list if you did that.

Regards,

Dianne.

Re: Matching To and Received addresses

Posted by Markus <ma...@clardy.eu>.
Hello Alex,

To my knowledge, you can't compare equality without a SpamAssassin plugin.

So you can't compare the "for <ma...@example.com>" with "To: 
dorothy@example.com".

With a plugin, you could definitely do that, but that would cause a bit 
more overhead (and some perl development).


How likely is it to be in legitimate mail? Highly unlikely (if ever), so 
you'd be pretty safe outright rejecting mail that behaves this way, to 
be honest.

  - Markus


On 28/03/17 18:58, Alex wrote:
> Hi,
>
> Is there an existing rule that detects when the To address differs
> from the address to which the email is to be delivered?
>
> We've received a number of messages directed at executives based on
> the recipient address and Received address, both of which are within
> the same domain but to different people.
>
>  From lynne20man@aol.com  Mon Mar 27 10:33:00 2017
> Return-Path: <ly...@aol.com>
> Received: from localhost (localhost [127.0.0.1])
>          by mail01.example.com (Postfix) with ESMTP id 30F1A6801B259
>          for <ma...@example.com>; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)
> From: Dorothy <ly...@aol.com>
> To: dorothy@example.com
>
> I'd like to be able to use the fact that the To address is not the
> same as the address shown in the Received header in a meta of some
> kind.
>
> How frequent would you think that would appear in ham alone? It's the
> basis for a number of phishing attacks here, so I'd like to see about
> using it in some way.
>
> Thanks,
> Alex


Re: Matching To and Received addresses

Posted by John Hardin <jh...@impsec.org>.
On Wed, 29 Mar 2017, Matus UHLAR - fantomas wrote:

>> On Tuesday 28 March 2017 13:58:43 Alex wrote:
>> >  I'd like to be able to use the fact that the To address is not the
>> >  same as the address shown in the Received header in a meta of some
>> >  kind.
>> > 
>> >  How frequent would you think that would appear in ham alone? It's the
>> >  basis for a number of phishing attacks here, so I'd like to see about
>> >  using it in some way.
>
> On 28.03.17 11:25, Alan Hodgson wrote:
>> Checking that the envelope recipient address is in To or Cc works great on
>> my mail and also for any public role addresses like sales or support, but
>> probably not so much for general users. Any BCC will hit such a rule. And
>> of course you have to exclude real mailing list mail.
>
> that means such rule should exclude __HAS_LIST_ID

...which makes it trivially easy for a phisher to bypass.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You are in a maze of twisty little protocols,
   all written by Microsoft.
----------------------------------------------------------------------
  3 days until April Fools' day

Re: Matching To and Received addresses

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Tuesday 28 March 2017 13:58:43 Alex wrote:
>> I'd like to be able to use the fact that the To address is not the
>> same as the address shown in the Received header in a meta of some
>> kind.
>>
>> How frequent would you think that would appear in ham alone? It's the
>> basis for a number of phishing attacks here, so I'd like to see about
>> using it in some way.

On 28.03.17 11:25, Alan Hodgson wrote:
>Checking that the envelope recipient address is in To or Cc works great on my
>mail and also for any public role addresses like sales or support, but
>probably not so much for general users. Any BCC will hit such a rule.  And of
>course you have to exclude real mailing list mail.

that means such rule should exclude __HAS_LIST_ID

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease

Re: Matching To and Received addresses

Posted by Alan Hodgson <ah...@lists.simkin.ca>.
On Tuesday 28 March 2017 13:58:43 Alex wrote:
> I'd like to be able to use the fact that the To address is not the
> same as the address shown in the Received header in a meta of some
> kind.
> 
> How frequent would you think that would appear in ham alone? It's the
> basis for a number of phishing attacks here, so I'd like to see about
> using it in some way.
> 

Checking that the envelope recipient address is in To or Cc works great on my 
mail and also for any public role addresses like sales or support, but 
probably not so much for general users. Any BCC will hit such a rule.  And of 
course you have to exclude real mailing list mail.

I guess the question would be how many legit bcc's do your users get from
non-whitelisted senders?
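The check discussed across the thread (John Hardin's local ALL-header rule keyed on a list of watched users, Alan Hodgson's "envelope recipient must appear in To or Cc", Dianne Skoll's caveat that the "for <...>" clause is optional, and the List-Id exclusion with the bypass John points out), carried through as an added Python example. This is not a SpamAssassin rule or plugin and not code from anyone in the thread; it reimplements the logic outside SpamAssassin so the edge cases can be run against constructed headers. LOCAL_MTA, LOCAL_DOMAIN, WATCHED_USERS, the sample messages and every address in them are assumptions shaped after the headers quoted in the thread.

```python
"""Envelope-recipient vs. To:/Cc: mismatch check (added example, not SA code).

Design points taken from the thread:
  * only the Received: header stamped by our own MTA is trusted; hops below
    it are sender-supplied text, and Received: headers are prepended, so the
    first one naming LOCAL_MTA is ours
  * the "for <addr>" clause is optional and is never written for a
    multi-recipient delivery, so its absence yields no verdict
  * an address in Cc: counts as listed; a BCC recipient looks exactly like
    a spoofed To:, which is the known false positive
  * mail carrying List-Id: is skipped, which a phisher can trivially mimic
"""
import email
import re
from email.utils import getaddresses

LOCAL_MTA = "mail01.example.com"   # assumption: hostname our MTA writes after "by"
LOCAL_DOMAIN = "example.com"       # assumption: the domain being protected
WATCHED_USERS = {"cfo", "ceo"}     # assumption: the (?:user1|user2|...) list of targets

BY_CLAUSE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def envelope_recipient(msg):
    """Address from the 'for <...>' clause of the top-most Received: header
    written by LOCAL_MTA, or None if our MTA wrote no such clause."""
    for hdr in msg.get_all("Received") or []:
        unfolded = " ".join(hdr.split())     # collapse folds, like SA's ALL pseudo-header
        by = BY_CLAUSE.search(unfolded)
        if by and by.group(1).lower() == LOCAL_MTA:
            m = FOR_CLAUSE.search(unfolded)
            return m.group(1).lower() if m else None
    return None


def listed_recipients(msg):
    """Lower-cased addresses from every To: and Cc: header."""
    raw = (msg.get_all("To") or []) + (msg.get_all("Cc") or [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def rcpt_mismatch(raw_message):
    """Return (hit, reason). hit is True only when the message is not list
    mail, our MTA recorded a watched local user as envelope recipient, and
    that address appears in neither To: nor Cc:."""
    msg = email.message_from_string(raw_message)
    if msg.get("List-Id") is not None:
        return False, "List-Id present; treated as list mail (trivial to forge)"
    rcpt = envelope_recipient(msg)
    if rcpt is None:
        return False, "no usable 'for <...>' clause from %s" % LOCAL_MTA
    user, _, domain = rcpt.partition("@")
    if domain != LOCAL_DOMAIN or user not in WATCHED_USERS:
        return False, "%s is not a watched recipient" % rcpt
    listed = listed_recipients(msg)
    if rcpt in listed:
        return False, "%s appears in To:/Cc:" % rcpt
    return True, "delivered to %s but To:/Cc: name only %s" % (rcpt, sorted(listed) or "nobody")


def _hop(rcpt=None):
    """Constructed Received: header in the shape the thread's Postfix writes."""
    h = ("Received: from localhost (localhost [127.0.0.1])\n"
         "\tby mail01.example.com (Postfix) with ESMTP id 30F1A6801B259\n\t")
    h += "for <%s>; " % rcpt if rcpt else ""
    return h + "Mon, 27 Mar 2017 10:33:00 -0400 (EDT)\n"


# Constructed sample messages (headers only); all addresses are made up.
SAMPLES = {
    "phish":      _hop("cfo@example.com") + "From: Dorothy <look.alike@example.net>\nTo: dorothy@example.com\n",
    "cc_ham":     _hop("cfo@example.com") + "From: dorothy@example.com\nTo: alice@example.com\nCc: Finance <cfo@example.com>\n",
    "bcc_ham":    _hop("cfo@example.com") + "From: dorothy@example.com\nTo: alice@example.com\n",   # CFO was BCC'd
    "list_mail":  _hop("cfo@example.com") + "List-Id: <users.spamassassin.apache.org>\nTo: users@spamassassin.apache.org\n",
    "multi_rcpt": _hop() + "To: dorothy@example.com\n",                                               # no for-clause
    "unwatched":  _hop("sales@example.com") + "To: dorothy@example.com\n",
}


def check_samples():
    """Map each sample name to the rule's verdict."""
    return {name: rcpt_mismatch(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hit, why = rcpt_mismatch(raw)
        print("%-11s %-5s %s" % (name, hit, why))
```

The "bcc_ham" sample fires exactly like "phish": nothing in the headers distinguishes a BCC'd executive from a spoofed To:, which is why the thread settles on scoring this only inside a meta for a short list of users rather than rejecting outright. The List-Id skip is the other soft spot: anyone who can write a To: header can write a List-Id: header too.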