Posted to users@spamassassin.apache.org by "Dan Mahoney (Gushi)" <da...@prime.gushi.org> on 2021/01/27 19:55:48 UTC

Help writing a rule

All,

I'm noticing a pattern of email like:

From: "GUSHI.ORG Administrator" <so...@host.cn>
To: you@gushi.org
Subject: Your mailbox has exceeded its quota

Or some such nonsense.

Now, DMARC and SPF and DKIM would be able to block the domain if they 
tried to spoof it in the From email address.  But mail clients helpfully 
these days aren't showing the actual email address to people.  Ergo, I'm 
looking to do the following:

Catch a case where the REALNAME of the FROM address contains a domain that 
is in the TO header.  This would seem to require a macro of some kind to 
capture the value and do the comparison, so this doesn't seem to be the 
kind of thing one can do (dynamically) with a regular rule.

Note my unanswered question a week or two ago seeking macros for the spamc 
username, lhs, and rhs for use in rules.

I mean, certainly, I could hardcode the domain name, but I'd like 
something more flexible.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------


Re: [sa-list] Re: Help writing a rule

Posted by "Dan Mahoney (Gushi)" <da...@prime.gushi.org>.
On Wed, 27 Jan 2021, John Hardin wrote:

> On Wed, 27 Jan 2021, Dan Mahoney (Gushi) wrote:
>
>> All,
>> 
>> I'm noticing a pattern of email like:
>> 
>> From: "GUSHI.ORG Administrator" <so...@host.cn>
>> To: you@gushi.org
>> Subject: Your mailbox has exceeded its quota
>> 
>> Or some such nonsense.
>> 
>> Now, DMARC and SPF and DKIM would be able to block the domain if they tried 
>> to spoof it in the From email address.  But mail clients helpfully these 
>> days aren't showing the actual email address to people.  Ergo, I'm looking 
>> to do the following:
>> 
>> Catch a case where the REALNAME of the FROM address contains a domain that 
>> is in the TO header.  This would seem to require a macro of some kind to 
>> capture the value and do the comparison, so this doesn't seem to be the 
>> kind of thing one can do (dynamically) with a regular rule.
>
> It can be done with a regular rule, as header rules can match across multiple 
> headers.
>
> There is already a rule like that in the base ruleset:
>
> https://ruleqa.spamassassin.org/20210127-r1885943-n/PDS_FROM_NAME_TO_DOMAIN/detail
>
> Jan 27 12:03:34.724 [29312] dbg: rules: ran header rule 
> __PDS_FROM_NAME_TO_DOMAIN ======> got hit: "From: "GUSHI.ORG Administrator" 
> <so...@host.cn>
> Jan 27 12:03:34.724 [29312] dbg: rules: [...] To: you@gushi.org"
>
> PDS_FROM_NAME_TO_DOMAIN should have hit on that message. Did it?

Let me spoof something out to the day job and we'll find out.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------


Re: Help writing a rule

Posted by John Hardin <jh...@impsec.org>.
On Wed, 27 Jan 2021, Dan Mahoney (Gushi) wrote:

> All,
>
> I'm noticing a pattern of email like:
>
> From: "GUSHI.ORG Administrator" <so...@host.cn>
> To: you@gushi.org
> Subject: Your mailbox has exceeded its quota
>
> Or some such nonsense.
>
> Now, DMARC and SPF and DKIM would be able to block the domain if they tried 
> to spoof it in the From email address.  But mail clients helpfully these days 
> aren't showing the actual email address to people.  Ergo, I'm looking to do 
> the following:
>
> Catch a case where the REALNAME of the FROM address contains a domain that is 
> in the TO header.  This would seem to require a macro of some kind to capture 
> the value and do the comparison, so this doesn't seem to be the kind of thing 
> one can do (dynamically) with a regular rule.

It can be done with a regular rule, as header rules can match across 
multiple headers.

There is already a rule like that in the base ruleset:

  https://ruleqa.spamassassin.org/20210127-r1885943-n/PDS_FROM_NAME_TO_DOMAIN/detail

Jan 27 12:03:34.724 [29312] dbg: rules: ran header rule __PDS_FROM_NAME_TO_DOMAIN ======> got hit: "From: "GUSHI.ORG Administrator" <so...@host.cn>
Jan 27 12:03:34.724 [29312] dbg: rules: [...] To: you@gushi.org"

PDS_FROM_NAME_TO_DOMAIN should have hit on that message. Did it?



-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Today: the 54th anniversary of the loss of Apollo 1