Posted to users@spamassassin.apache.org by Eduardo Maia <em...@ipbrick.com> on 2022/06/23 14:56:07 UTC

block emails with fake FROM

Hi,

I'm trying to block the emails with fake FROM like:

From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>

I have installed SpamAssassin v3.4.6 and afterwards I enabled the
FromNameSpoof plugin.

I added the following lines on the files:

1 - /etc/spamassassin/v342.pre:

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof


2 - /etc/spamassassin/local.cf:

header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
score LOCAL_FROMNAME_SPOOF 5.0


My question is about how to configure this plugin and also which score I
should give to the new rule?



Thanks,

Best regards,

-- 
Eduardo Maia
IPBrick IDI / IPBRICK R&D <https://www.ipbrick.com/>
Av. da França, 821
4250-214 Porto
Portugal
TEL: +351 220 126 921
TLM: +351 933 568 871
FAX: +351 225 189 722
UCoIP: emaia@ipbrick.com
www.ipbrick.com <https://www.ipbrick.com/>
www.youtube.com/ipbricksa <https://www.youtube.com/ipbricksa>
UCoIP <http://emaia.ipbrick.com/>
Facebook <http://www.facebook.com/pages/IPBrick/263923950988/>
Twitter <http://twitter.com/IPBrick/>
Linked In <https://www.linkedin.com/company/ipbrick-international>
Instagram <https://www.instagram.com/ipbricksa>

Re: block emails with fake FROM

Posted by Benny Pedersen <me...@junc.eu>.
On 2022-06-23 18:08, Matus UHLAR - fantomas wrote:

>> 2 - /etc/spamassassin/local.cf
>> header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
>> score LOCAL_FROMNAME_SPOOF 5.0
> 
>> My question is about how to configure this plugin and also which score 
>> i should give on the new rules ?
> 
> you have just described how you configured it.
> the next question is how do you block them.

Set the score on that rule to 1000?

That is, if you are blocking high-score spam.

Re: block emails with fake FROM

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>seems it did not catch this one:
>>
>> From: " Dr Perfect <he...@gepesdaru.hu>"@mail.gepesdaru.hu
>>
>> but still it's a leap forward

On 24.06.22 08:12, Alex wrote:
>Is it designed to also identify From addresses that have no name component?
>
> From: LiVE@beroe-inc.com

I guess this one is correct via RFC 5321.

>This is an invoice phish that isn't tagged. Ideas on how to block these
>would be appreciated.
>
>https://pastebin.com/FXX8cx5f

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)

Re: block emails with fake FROM

Posted by Alex <my...@gmail.com>.
Hi,

Seems it did not catch this one:
>
> From: " Dr Perfect <he...@gepesdaru.hu>"@mail.gepesdaru.hu
>
> but still it's a leap forward
>

Is it designed to also identify From addresses that have no name component?

From: LiVE@beroe-inc.com

This is an invoice phish that isn't tagged. Ideas on how to block these
would be appreciated.

https://pastebin.com/FXX8cx5f

This is with v4 SA from a week ago with FromNameSpoof enabled.

$ spamassassin --version
SpamAssassin version 4.0.0-r1901426
  running on Perl version 5.34.1

Jun 24 08:11:42.828 [3222587] dbg: plugin: loading Mail::SpamAssassin::Plugin::FromNameSpoof from @INC
Jun 24 08:11:46.669 [3222587] dbg: FromNameSpoof: no From-name addr found

Re: block emails with fake FROM

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 23.06.22 15:56, Eduardo Maia wrote:
>>I'm trying to block the emails with fake FROM like:
>>
>>From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>
>>
>>I have installed spamassassin  v3.4.6 and after I enabled the 
>>FromNameSpoof plugin.

On 23.06.22 18:08, Matus UHLAR - fantomas wrote:
>I have checked FromNameSpoof plugin from SA 3.4.6 and it does not 
>detect all mail with this kind of From:
>
>out of 59 examples I got onto one server, 20 were detected, 39 undetected.
>
>SA 4.0 (beta) caught all of them

Seems it did not catch this one:

From: " Dr Perfect <he...@gepesdaru.hu>"@mail.gepesdaru.hu

But still, it's a leap forward.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

Re: block emails with fake FROM

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 23.06.22 15:56, Eduardo Maia wrote:
>I'm trying to block the emails with fake FROM like:
>
>From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>
>
>I have installed spamassassin  v3.4.6 and after I enabled the 
>FromNameSpoof plugin.

I have checked the FromNameSpoof plugin from SA 3.4.6 and it does not detect all
mail with this kind of From:

Out of 59 examples I got onto one server, 20 were detected, 39 undetected.

SA 4.0 (beta) caught all of them.

>I added the following lines on the files:
>
>1- /etc/spamassassin/v342.pre :
>loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
>
>2 - /etc/spamassassin/local.cf
>header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
>score LOCAL_FROMNAME_SPOOF 5.0

>My question is about how to configure this plugin and also which score 
>i should give on the new rules ?

You have just described how you configured it.
The next question is how you block them.


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.

Re: block emails with fake FROM

Posted by Benny Pedersen <me...@junc.eu>.
On 2022-06-23 16:56, Eduardo Maia wrote:

> From: "Nick Blue <ni...@domain.pt>" <yk...@omega-eng.co.jp>

header FOO From:Name =~ /\b@/

Others may refine it :=)

Note: From:Addr must accept more than one @, but not From:Name.

I don't know if the plugin is better or not; also remember DKIM reveals
bogus addressing, e.g. no DKIM pass.

If there is more than one From:Addr, then all DKIM must pass for it not to be forged.

Lots of bugs.
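To make the two detection ideas in this thread concrete (Benny's From:Name =~ /\b@/ rule above, and the quoted-local-part variant Alex reported slipping past FromNameSpoof), here is an added Python triage script that is not part of the thread, the FromNameSpoof plugin, or any IPBrick code. The rule names and the domain-mismatch test are assumptions of this example, and the sample headers are constructed on the shape of the ones posted, with the real addresses replaced.

```python
import re
from typing import NamedTuple, Optional
# Loose address token for header triage (not a full RFC 5322 validator).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# name-addr form: display name followed by the real address in angle brackets.
NAME_ADDR_RE = re.compile(r"^(.*?)\s*<([^<>]+)>\s*$")

class FromCheck(NamedTuple):
    rule: Optional[str]       # hypothetical local rule name that would fire, or None
    real_addr: str            # the addr-spec replies would actually go to
    fake_addr: Optional[str]  # address smuggled into the name or local part, if any

def split_from(value: str):
    """Split a From: header value into (display_name, addr_spec)."""
    value = re.sub(r"^\s*From:\s*", "", value.strip(), flags=re.I)
    m = NAME_ADDR_RE.match(value)
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip()
    return "", value  # bare addr-spec such as LiVE@vendor.example: no name at all

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def check_from(value: str) -> FromCheck:
    name, addr = split_from(value)
    real_domain = domain_of(addr)
    # Case 1 (Benny's From:Name =~ /\b@/ idea): an address in the display name
    # whose domain differs from the real one; same-domain repeats pass.
    for fake in ADDR_RE.findall(name):
        if domain_of(fake) != real_domain:
            return FromCheck("FROMNAME_SPOOF", addr, fake)
    # Case 2 (the one Alex saw slip through): no display name, but the quoted
    # local part itself carries an address: " Dr X <he@d.example>"@mail.d.example
    local = addr.rsplit("@", 1)[0]
    if local.startswith('"'):
        for fake in ADDR_RE.findall(local):
            if domain_of(fake) != real_domain:  # assumption: subdomain != parent
                return FromCheck("FROMNAME_SPOOF_QUOTED_LOCAL", addr, fake)
    return FromCheck(None, addr, None)
# Constructed samples modelled on the thread, not the real headers posted there.
SAMPLE_HEADERS = [
    'From: "Nick Blue <nick.blue@domain.example>" <xyz@other.example>',
    'From: " Dr Perfect <he@domain.example>"@mail.domain.example',
    "From: LiVE@vendor.example",
    "From: Jane Doe <jane@domain.example>",
]
if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(check_from(h).rule or "clean", "<-", h)
```

The bare addr-spec case comes out clean, matching Matus's point that it is valid per RFC 5321; a bare \b@ rule on From:Name would also fire on a legitimate sender who puts their own address in the display name, which the domain comparison here avoids.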