Posted to users@spamassassin.apache.org by mhildebr <ma...@marksellsit.com> on 2008/05/07 03:14:34 UTC

Spoofed Email But Different User Name

Is there a way to have Spamassassin look for spoofed email addresses being
used as the sender's address (myname@mydomain.com) but using a different
user name (Viagra instead of myname)?  It seems like it would be simple to
check the user name and filter results from that.  Thanks for any help.


Re: Spoofed Email But Different User Name

Posted by mouss <mo...@netoyen.net>.
Chris St. Pierre wrote:
> On Tue, 6 May 2008, mhildebr wrote:
>
>> Is there a way to have Spamassassin look for spoofed email addresses being
>> used as the sender's address (myname@mydomain.com) but using a different
>> user name (Viagra instead of myname)?  It seems like it would be simple to
>> check the user name and filter results from that.  Thanks for any help.
>
> Bad idea.  My name can be easily and legitimately displayed in dozens
> of different ways, without even considering typos:
>
> Chris St. Pierre
> Chris St Pierre
> Chris St-Pierre
> Chris Saint Pierre
> Chris Saint-Pierre
> Christopher St. Pierre
> ...
> Christopher A. St. Pierre
> ...
> Chris A. St. Pierre
> ...

they all match
    chris.*pierre
or to be more conservative
    [chris]{3}.*[pierre]{3}


>
> And so on and so forth.  And if someone accidentally mistypes my name,

they aren't supposed to use your name in their From header, are they?

> suddenly I'm Chirs St. Pierre or something like that, and your filter
> blocks the message.
>
> A better idea would be to just let Bayes do its thing and notice the
> token -- in this case, 'Viagra' -- and score accordingly.

agreed.
>
> Or, you can manually list out the various spellings of each user's
> name, and then come up with a fancy algorithm to route around
> misspellings, perhaps using something like Levenshtein distance to
> figure out how egregiously misspelled a name is.  It'll be way more
> work than it's worth, but if that's what tickles you, go for it.



Re: Spoofed Email But Different User Name

Posted by "Chris St. Pierre" <st...@NebrWesleyan.edu>.
On Tue, 6 May 2008, mhildebr wrote:

> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address (myname@mydomain.com) but using a different
> user name (Viagra instead of myname)?  It seems like it would be simple to
> check the user name and filter results from that.  Thanks for any help.

Bad idea.  My name can be easily and legitimately displayed in dozens
of different ways, without even considering typos:

Chris St. Pierre
Chris St Pierre
Chris St-Pierre
Chris Saint Pierre
Chris Saint-Pierre
Christopher St. Pierre
...
Christopher A. St. Pierre
...
Chris A. St. Pierre
...

And so on and so forth.  And if someone accidentally mistypes my name,
suddenly I'm Chirs St. Pierre or something like that, and your filter
blocks the message.

A better idea would be to just let Bayes do its thing and notice the
token -- in this case, 'Viagra' -- and score accordingly.

Or, you can manually list out the various spellings of each user's
name, and then come up with a fancy algorithm to route around
misspellings, perhaps using something like Levenshtein distance to
figure out how egregiously misspelled a name is.  It'll be way more
work than it's worth, but if that's what tickles you, go for it.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University


Re: Spoofed Email But Different User Name

Posted by mouss <mo...@netoyen.net>.
mhildebr wrote:
> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address (myname@mydomain.com) but using a different
> user name (Viagra instead of myname)?  It seems like it would be simple to
> check the user name and filter results from that.  Thanks for any help.
>   

If you have the list of all valid display names, then you can write 
rules for that. Something like

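# Matches any From header carrying the protected address
header __FROM_MARK            From =~ /<mark@example\.com>/
# Matches only when the expected display name precedes that address
header __REALLY_FROM_MARK     From =~ /.*milderbr.*<mark@example\.com>/

# Fires when the address appears with some other display name
meta    FAKE_FROM_MARK  (__FROM_MARK && !__REALLY_FROM_MARK)
score   FAKE_FROM_MARK  0.1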

But this does not scale. Instead, look for other patterns that catch 
this spam. You can show (or use pastebin...) a sample if you want hints.
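
The name-matching approach from this thread (the per-address rule above combined with the Levenshtein tolerance Chris St. Pierre describes), as an added Python example that is not part of any poster's message or of SpamAssassin. The address table, `classify_from` and the threshold of 2 are assumptions made for the illustration.

```python
from email.utils import parseaddr

# Constructed table: protected address -> display names its owner really uses.
KNOWN_NAMES = {
    "chris@example.com": ["Chris St. Pierre", "Christopher St. Pierre",
                          "Chris Saint-Pierre"],
}

def normalize(name):
    """Lowercase and keep letters only, so 'St-Pierre' and 'St. Pierre' compare equal."""
    return "".join(c for c in name.lower() if c.isalpha())

def levenshtein(a, b):
    """Classic dynamic-programming edit distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify_from(header, max_distance=2):
    """Return 'not-protected', 'ok' or 'suspect' for a From: header value."""
    display, addr = parseaddr(header)
    names = KNOWN_NAMES.get(addr.lower())
    if names is None:
        return "not-protected"   # address is not in the table
    if not display:
        return "ok"              # bare address, no display name to compare
    got = normalize(display)
    best = min(levenshtein(got, normalize(n)) for n in names)
    return "ok" if best <= max_distance else "suspect"
```

The transposed "Chirs" spelling is distance 2 from the listed form, so it passes at the default threshold, while "Viagra" does not. Every protected address needs its own hand-maintained name list, which is the scaling problem raised in the thread.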


Re: Spoofed Email But Different User Name

Posted by Matt Kettler <mk...@verizon.net>.
mhildebr wrote:
> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address (myname@mydomain.com) but using a different
> user name (Viagra instead of myname)?  It seems like it would be simple to
> check the user name and filter results from that.  Thanks for any help.
>   
A quick-and-dirty way would be to set up SPF records for your domain and 
enable the SPF plugin.

However, to do this you would have to know all the servers that are 
authorized to send mail as your domain (i.e., all your smarthosts).

This also messes with folks who run SPF after getting mail via 
forwarding services. However anyone using a forwarding service to 
receive their mail should be trusting the service that forwards their 
mail, unless the forwarder is doing SRS.