Posted to users@spamassassin.apache.org by Eduardo Maia <em...@ipbrick.com> on 2022/06/23 14:56:07 UTC
block emails with fake FROM
Hi,
I'm trying to block the emails with fake FROM like:
From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>
I have installed spamassassin v3.4.6 and after I enabled the
FromNameSpoof plugin.
I added the following lines on the files:
1- /etc/spamassassin/v342.pre :
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
2 - /etc/spamassassin/local.cf
header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
score LOCAL_FROMNAME_SPOOF 5.0
My question is about how to configure this plugin and also which score I
should give on the new rules?
Thanks,
Best regards,
--
Eduardo Maia
/IPBrick IDI/ IPBRICK R&D <https://www.ipbrick.com/>
Av. da França, 821
4250-214 Porto
Portugal TEL: +351 220 126 921
TLM: +351 933 568 871
FAX: +351 225 189 722
UCoIP: emaia@ipbrick.com
Re: block emails with fake FROM
Posted by Benny Pedersen <me...@junc.eu>.
On 2022-06-23 18:08, Matus UHLAR - fantomas wrote:
>> 2 - /etc/spamassassin/local.cf
>> header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
>> score LOCAL_FROMNAME_SPOOF 5.0
>
>> My question is about how to configure this plugin and also which score
>> I should give on the new rules?
>
> you have just described how you configured it.
> the next question is how do you block them.
set score on that rule to 1000 ?
if blocking high score spams
Re: block emails with fake FROM
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>seems it did not catch this one:
>>
>> From: " Dr Perfect <he...@gepesdaru.hu>"@mail.gepesdaru.hu
>>
>> but still it's a leap forward
On 24.06.22 08:12, Alex wrote:
>Is it designed to also identify From addresses that have no name component?
>
> From: LiVE@beroe-inc.com
I guess this one is correct via RFC 5321
>This is an invoice phish that isn't tagged. Ideas on how to block these
>would be appreciated.
>
>https://pastebin.com/FXX8cx5f
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
Re: block emails with fake FROM
Posted by Alex <my...@gmail.com>.
Hi,
> seems it did not catch this one:
>
> From: " Dr Perfect <he...@gepesdaru.hu>"@mail.gepesdaru.hu
>
> but still it's a leap forward
>
Is it designed to also identify From addresses that have no name component?
From: LiVE@beroe-inc.com
This is an invoice phish that isn't tagged. Ideas on how to block these
would be appreciated.
https://pastebin.com/FXX8cx5f
This is with v4 SA from a week ago with FromNameSpoof enabled.
$ spamassassin --version
SpamAssassin version 4.0.0-r1901426
running on Perl version 5.34.1
Jun 24 08:11:42.828 [3222587] dbg: plugin: loading Mail::SpamAssassin::Plugin::FromNameSpoof from @INC
Jun 24 08:11:46.669 [3222587] dbg: FromNameSpoof: no From-name addr found
Re: block emails with fake FROM
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 23.06.22 15:56, Eduardo Maia wrote:
>>I'm trying to block the emails with fake FROM like:
>>
>>From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>
>>
>>I have installed spamassassin v3.4.6 and after I enabled the
>>FromNameSpoof plugin.
On 23.06.22 18:08, Matus UHLAR - fantomas wrote:
>I have checked FromNameSpoof plugin from SA 3.4.6 and it does not
>detect all mail with this kind of From:
>
>out of 59 examples I got onto one server, 20 were detected, 39 undetected.
>
>SA 4.0 (beta) caught all of them
seems it did not catch this one:
From: " Dr Perfect <he...@gepesdaru.hu>"@mail.gepesdaru.hu
but still it's a leap forward
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: block emails with fake FROM
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 23.06.22 15:56, Eduardo Maia wrote:
>I'm trying to block the emails with fake FROM like:
>
>From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>
>
>I have installed spamassassin v3.4.6 and after I enabled the
>FromNameSpoof plugin.
I have checked FromNameSpoof plugin from SA 3.4.6 and it does not detect all
mail with this kind of From:
out of 59 examples I got onto one server, 20 were detected, 39 undetected.
SA 4.0 (beta) caught all of them
>I added the following lines on the files:
>
>1- /etc/spamassassin/v342.pre :
>loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
>
>2 - /etc/spamassassin/local.cf
>header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
>score LOCAL_FROMNAME_SPOOF 5.0
>My question is about how to configure this plugin and also which score
>I should give on the new rules?
you have just described how you configured it.
the next question is how do you block them.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
Re: block emails with fake FROM
Posted by Benny Pedersen <me...@junc.eu>.
On 2022-06-23 16:56, Eduardo Maia wrote:
> From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>
header FOO From:Name =~ /\b@/
others may refine it :=)
note From:Addr must accept more than one @, but not From:Name
I don't know if the plugin is better or not, also remember dkim reveals
bogus addressing, eq no dkim pass
if more than one From:Addr then all dkim must pass to not be forged
lots of bugs
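
Added example (not from any poster in this thread and not the FromNameSpoof plugin's code): the three From: shapes discussed above, classified by comparing any address embedded in the display name, or hidden in a quoted local part, with the real sender domain. The sample headers are constructed on .example domains; the verdict names and the exact-domain comparison are assumptions of this example.

```python
import re

# Loose matcher for anything that looks like an e-mail address in free text;
# the capture group is the domain part.
EMBEDDED = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")

def split_from(value):
    """Split a From: value into (display_name, address).

    The address is whatever sits in the last <...>; with no angle brackets
    the whole value is the address, even if it starts with a quoted string.
    """
    value = value.strip()
    if value.endswith(">") and "<" in value:
        name, _, addr = value[:-1].rpartition("<")
        return name.strip().strip('"').strip(), addr.strip()
    return "", value

def classify(value):
    """Return a verdict string (names are this example's own)."""
    name, addr = split_from(value)
    local, _, domain = addr.rpartition("@")
    claimed = [d.lower() for d in EMBEDDED.findall(name)]
    if any(d != domain.lower() for d in claimed):
        return "name-spoof"          # display name shows another domain
    if claimed:
        return "name-matches"        # address in name agrees with sender
    if EMBEDDED.search(local):
        return "addr-in-localpart"   # address hidden in a quoted local part
    return "ok" if name else "no-name"

# Constructed samples shaped like the headers quoted in the thread.
SAMPLES = [
    '"Nick Blue <nick@domain.example>" <yk@other.example>',
    '" Dr Perfect <he@shop.example>"@mail.shop.example',
    'LiVE@invoice.example',
    '"Alice Example" <alice@corp.example>',
]

def run_samples():
    return [classify(s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:18} {sample}")
```

The no-name verdict marks a header with no display name to compare, so a name-based check has nothing to fire on there.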