Posted to users@spamassassin.apache.org by Bram Mertens <br...@linux.be> on 2004/02/27 23:14:40 UTC
suggestion/question about testing faked From
Hi
I have received quite a few messages where my own address was used as
the from address. While most of those are now caught by other filters
I'd like to add a check for this.
Right now I have the following in ~/.spamassassin/user_prefs:
header LOCAL_TEST_RULE From =~ /(?<!Bram\sMertens)\s<bram-mertens\@linux\.be>/
score LOCAL_TEST_RULE 0.1
describe LOCAL_TEST_RULE Is someone faking to be me?
I'll explain what I want the regex to be doing:
Whenever I receive an e-mail I sent myself (from mailing list etc.) the
from header should be:
From: Bram Mertens <br...@linux.be>
This rule should catch all messages that look like:
From: "roger" <br...@linux.be>
Where '"roger"' can be anything other than 'Bram Mertens'
I haven't tested this thoroughly yet but I'd like your
comments/suggestions: are there any big mistakes in this rule?
TIA
--
# Mertens Bram "M8ram" <br...@linux.be> Linux User #249103 #
# SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM #
# 11:05pm up 36 days 2:44, 6 users, load average: 0.24, 0.13, 0.10 #
Re: suggestion/question about testing faked From
Posted by Loren Wilton <lw...@earthlink.net>.
I apologise, I missed that you were only testing the From address. Yes,
your case will work for that check, I would think.
Loren
Re: suggestion/question about testing faked From
Posted by Mat Bowen <M....@lboro.ac.uk>.
On Sat, 28 Feb 2004 20:15:38 +0100, Bram Mertens wrote:
> On Sat, 2004-02-28 at 19:07, Mat Bowen wrote:
> [...]
>> I think it also allows through addresses like:
>>
>> From: Mr Mertens Bram <br...@linux.be>
>> From: Bob<br...@linux.be>
>>
>> where there is some text before the Mertens Bram in the first one
>> (or
>> likewise before Bram Mertens) and no space after the name in the
>> second one. Not sure if these will affect you in practice but
>> otherwise it seems to work great.
> [...]
>
> Indeed! Thanks for pointing that out, but I suppose this fixes both
> these problems:
> header M8RAM_FAKE_FROM From =~ /(?<!(?:^Bram\sMertens\s)|(?:^Mertens\sBram\s))<bram-mertens\@linux\.be>/
> score M8RAM_FAKE_FROM 1.0
> describe M8RAM_FAKE_FROM From contains my address but I didn't send this!
>
> TIA
Yes that seems to be perfect! I think I might pinch it ;-)
Thanks,
Mat
Re: suggestion/question about testing faked From
Posted by Bram Mertens <br...@linux.be>.
On Sat, 2004-02-28 at 19:07, Mat Bowen wrote:
[...]
> I think it also allows through addresses like:
>
> From: Mr Mertens Bram <br...@linux.be>
> From: Bob<br...@linux.be>
>
> where there is some text before the Mertens Bram in the first one (or
> likewise before Bram Mertens) and no space after the name in the
> second one. Not sure if these will affect you in practice but
> otherwise it seems to work great.
[...]
Indeed! Thanks for pointing that out, but I suppose this fixes both
these problems:
header M8RAM_FAKE_FROM From =~ /(?<!(?:^Bram\sMertens\s)|(?:^Mertens\sBram\s))<bram-mertens\@linux\.be>/
score M8RAM_FAKE_FROM 1.0
describe M8RAM_FAKE_FROM From contains my address but I didn't send this!
TIA
--
# Mertens Bram "M8ram" <br...@linux.be> Linux User #249103 #
# SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM #
# 8:13pm up 36 days 23:51, 7 users, load average: 0.17, 0.16, 0.11 #
Re: suggestion/question about testing faked From
Posted by Mat Bowen <M....@lboro.ac.uk>.
On Sat, 28 Feb 2004 17:02:05 +0100, Bram Mertens wrote:
> On Sat, 2004-02-28 at 06:12, Loren Wilton wrote:
>> This is more complicated than it looks to do right.
>> You have to handle several cases. Off the top of my head, all are valid
>> addresses:
>>
>> Joe Foo <jo...@foo.com>
>> "Joe Foo" joe@foo.com
>> "Joe Foo" <jo...@foo.com>
>> joe@foo.com
>> <jo...@foo.com>
>> "Joe the-one-and-only Foo" joe@foo.com
>
> They are valid addresses but when I send mail the From field should be
> what my MUA sets it to, no? No server relaying the message should alter
> this, right?
>
> When I started using Evolution I set it to:
> Mertens Bram <br...@linux.be>
> Later I altered it to:
> Bram Mertens <br...@linux.be>
>
> Am I wrong then to assume that messages containing:
> "Bram Mertens" <br...@linux.be>
> bram-mertens <br...@linux.be>
> are most likely faked? Or could this be altered by some mailing list
> software or something like that?
>
>> You also have to handle
>> fred@foo.com, joe@foo.com
>
> Is it possible to have more than one address in the From field? Or are
> you checking the TO and Cc fields?
>
>> After a good deal of work, I came up with the following check for my name,
>> which so far seems reliable in all cases that I've checked
>>
>> header __TO_ME ToCc =~ /(?:^|\>,|\>|,)\s*(?:\"?Loren.*?\b?Wilton\s*\"?\s*\<?lwilton\@earthlink\.net\>?|\<?lwilton\@earthlink\.net\>?)/
> [...]
>
> Thanks for thinking about this but again doesn't this check the To and
> Cc fields? I am looking for someone claiming to be me...
>
> As I said above I do have to check two cases so I edited my code to:
> header LOCAL_TEST_RULE From =~ /(?<!(?:Bram\sMertens)|(?:Mertens\sBram))\s<bram-mertens\@linux\.be>/
> score LOCAL_TEST_RULE 0.2
> describe LOCAL_TEST_RULE Is someone faking to be me?
>
> Doesn't this allow messages with the following From headers?
> From: Mertens Bram <br...@linux.be>
> From: Bram Mertens <br...@linux.be>
> (and of course everything that doesn't contain 'bram-mertens@linux.be')
>
> So it should trigger on:
> From: "odessa" <br...@linux.be>
> From: "michael" <br...@linux.be>
> From: "al" <br...@linux.be>
> From: "bram-mertens" <br...@linux.be>
> (and all other variants of this...)
>
> TIA
Hi,
I think it also allows through addresses like:
From: Mr Mertens Bram <br...@linux.be>
From: Bob<br...@linux.be>
where there is some text before the Mertens Bram in the first one (or
likewise before Bram Mertens) and no space after the name in the
second one. Not sure if these will affect you in practice but
otherwise it seems to work great.
Kind regards,
Mat
Re: suggestion/question about testing faked From
Posted by Bram Mertens <br...@linux.be>.
On Sat, 2004-02-28 at 06:12, Loren Wilton wrote:
> This is more complicated than it looks to do right.
> You have to handle several cases. Off the top of my head, all are valid
> addresses:
>
> Joe Foo <jo...@foo.com>
> "Joe Foo" joe@foo.com
> "Joe Foo" <jo...@foo.com>
> joe@foo.com
> <jo...@foo.com>
> "Joe the-one-and-only Foo" joe@foo.com
They are valid addresses but when I send mail the From field should be
what my MUA sets it to, no? No server relaying the message should alter
this, right?
When I started using Evolution I set it to:
Mertens Bram <br...@linux.be>
Later I altered it to:
Bram Mertens <br...@linux.be>
Am I wrong then to assume that messages containing:
"Bram Mertens" <br...@linux.be>
bram-mertens <br...@linux.be>
are most likely faked? Or could this be altered by some mailing list
software or something like that?
> You also have to handle
> fred@foo.com, joe@foo.com
Is it possible to have more than one address in the From field? Or are
you checking the TO and Cc fields?
> After a good deal of work, I came up with the following check for my name,
> which so far seems reliable in all cases that I've checked
>
> header __TO_ME ToCc =~ /(?:^|\>,|\>|,)\s*(?:\"?Loren.*?\b?Wilton\s*\"?\s*\<?lwilton\@earthlink\.net\>?|\<?lwilton\@earthlink\.net\>?)/
[...]
Thanks for thinking about this but again doesn't this check the To and
Cc fields? I am looking for someone claiming to be me...
As I said above I do have to check two cases so I edited my code to:
header LOCAL_TEST_RULE From =~ /(?<!(?:Bram\sMertens)|(?:Mertens\sBram))\s<bram-mertens\@linux\.be>/
score LOCAL_TEST_RULE 0.2
describe LOCAL_TEST_RULE Is someone faking to be me?
Doesn't this allow messages with the following From headers?
From: Mertens Bram <br...@linux.be>
From: Bram Mertens <br...@linux.be>
(and of course everything that doesn't contain 'bram-mertens@linux.be')
So it should trigger on:
From: "odessa" <br...@linux.be>
From: "michael" <br...@linux.be>
From: "al" <br...@linux.be>
From: "bram-mertens" <br...@linux.be>
(and all other variants of this...)
TIA
--
# Mertens Bram "M8ram" <br...@linux.be> Linux User #249103 #
# SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM #
# 5:01pm up 36 days 20:40, 7 users, load average: 0.12, 0.13, 0.09 #
Re: suggestion/question about testing faked From
Posted by Loren Wilton <lw...@earthlink.net>.
This is more complicated than it looks to do right.
You have to handle several cases. Off the top of my head, all are valid
addresses:
Joe Foo <jo...@foo.com>
"Joe Foo" joe@foo.com
"Joe Foo" <jo...@foo.com>
joe@foo.com
<jo...@foo.com>
"Joe the-one-and-only Foo" joe@foo.com
You also have to handle
fred@foo.com, joe@foo.com
After a good deal of work, I came up with the following check for my name,
which so far seems reliable in all cases that I've checked
header __TO_ME ToCc =~ /(?:^|\>,|\>|,)\s*(?:\"?Loren.*?\b?Wilton\s*\"?\s*\<?lwilton\@earthlink\.net\>?|\<?lwilton\@earthlink\.net\>?)/
Note there are no spaces in that regexp, regardless of how it ended up
folded.
Loren
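The thread converges on a negative-lookbehind rule after two rounds of counterexamples (the "Mertens Bram" ordering, "Mr Mertens Bram", "Bob<...>" with no space), and Loren's list above shows how many syntactically valid shapes a single mailbox can take. The script below is an added example, not code from the thread or from SpamAssassin: it ports the three rule bodies posted in the thread to Python's re module (only the Perl-only "\@" escape is dropped; the lookbehinds are fixed-width in both engines, so behaviour is identical), runs each one over the From values quoted in the thread to show which version lets what through, and then contrasts them with a parser-based check built on email.utils.getaddresses. The labelled corpus, the OWN_NAMES set and the rule that an empty display name on one's own address is suspicious are my assumptions, not the thread's.

```python
import re
from email.utils import getaddresses

# The three rule bodies posted in the thread, ported from SpamAssassin's Perl
# regex syntax to Python's re module.  The only edit is dropping the Perl-only
# "\@" escape (Perl needs it to stop "@..." interpolating as an array).  Each
# lookbehind is fixed-width in both engines, so the matching behaviour is the
# same.  SpamAssassin applies "header NAME From =~ /.../" to the From header
# *value*, so the patterns are searched in the value and "^" means its start.
THREAD_RULES = {
    # First posting: only the "Bram Mertens " spelling is exempt, and a space
    # must precede the "<".
    "v1": re.compile(r"(?<!Bram\sMertens)\s<bram-mertens@linux\.be>"),
    # Second version: both name orders are exempt, space before "<" still required.
    "v2": re.compile(
        r"(?<!(?:Bram\sMertens)|(?:Mertens\sBram))\s<bram-mertens@linux\.be>"),
    # Final version: names anchored to the start of the value with "^", and
    # the mandatory space is folded into the lookbehind.
    "v3": re.compile(
        r"(?<!(?:^Bram\sMertens\s)|(?:^Mertens\sBram\s))<bram-mertens@linux\.be>"),
}

# Constructed corpus: the From values quoted in the thread, each labelled with
# whether the thread wants it flagged (True) or passed (False).
SAMPLES = [
    ("Bram Mertens <bram-mertens@linux.be>", False),
    ("Mertens Bram <bram-mertens@linux.be>", False),
    ('"roger" <bram-mertens@linux.be>', True),
    ('"bram-mertens" <bram-mertens@linux.be>', True),
    ("bram-mertens <bram-mertens@linux.be>", True),
    ("Mr Mertens Bram <bram-mertens@linux.be>", True),
    ("Bob<bram-mertens@linux.be>", True),
    ("Joe Foo <joe@foo.com>", False),
]


def rule_fires(version, from_value):
    """True if the given thread rule would hit on this From header value."""
    return THREAD_RULES[version].search(from_value) is not None


def misses(version):
    """From values that a rule version classifies differently from its label."""
    return [value for value, want in SAMPLES if rule_fires(version, value) != want]


# Parser-based alternative (mine, not from the thread).  Let the standard
# library undo quoting, angle brackets and comma-separated lists, then compare
# the display name against the exact spellings the author's MUA is known to use.
OWN_ADDRESS = "bram-mertens@linux.be"          # assumed: the address in the rule
OWN_NAMES = {"Bram Mertens", "Mertens Bram"}   # assumed: the two spellings named


def forged_own_address(from_value, own_address=OWN_ADDRESS, own_names=OWN_NAMES):
    """True if any mailbox in the From value uses own_address with a display
    name that is not one of own_names.  An empty display name is treated as
    suspicious as well (assumption: the author's MUA always sets one)."""
    for name, addr in getaddresses([from_value]):
        if addr.lower() != own_address.lower():
            continue                      # somebody else's mailbox, not our concern
        if " ".join(name.split()) not in own_names:
            return True
    return False


if __name__ == "__main__":
    for version in THREAD_RULES:
        print(f"{version}: misclassified {misses(version)!r}")
    for value, _ in SAMPLES + [("fred@foo.com, bram-mertens@linux.be", True)]:
        print(f"{'FORGED' if forged_own_address(value) else 'ok    '}  {value}")
```

Running it shows v1 passing "Mertens Bram <...>" and "Bob<...>", v2 passing "Mr Mertens Bram <...>" and "Bob<...>", and v3 classifying every sample as the thread intends. The parser-based check handles Loren's comma-separated case without any extra pattern, but it deliberately does not flag "Bram Mertens" in double quotes: the quotes are syntax, not content, and getaddresses strips them, whereas the v3 regex fires on that form. Which behaviour you want depends on whether any gateway on your mail path adds quoting; the same goes for list software that rewrites display names, which would trip either check. Note also that on Python 3.12 and later getaddresses is strict by default and returns [('', '')] for a malformed header, which this check treats as "not forged"; if you score such a rule, keep the score low until you have watched it on real traffic, as the thread does.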
Re: suggestion/question about testing faked From
Posted by Chris <cp...@earthlink.net>.
On Friday 27 February 2004 04:14 pm, Bram Mertens wrote:
> Hi
>
> I have received quite a few messages where my own address was used as
> the from address. While most of those are now caught by other filters
> I'd like to add a check for this.
>
> Right now I have the following in ~/.spamassassin/user_prefs:
> header LOCAL_TEST_RULE From =~
> /(?<!Bram\sMertens)\s<bram-mertens\@linux\.be>/ score LOCAL_TEST_RULE
> 0.1
> describe LOCAL_TEST_RULE Is someone faking to be me?
>
Don't know if this is what you're looking for but it's what I use; it's very
effective. I didn't write it, just modified an existing rule I found.
header RM_t_bobbf ToCc =~ /cpollock\@earthlink\.com/ # 98%+ spam
describe RM_t_bobbf Definite spam destination email address
score RM_t_bobbf 10.0
header RM_t_bobbf2 From =~ /cpollock\@earthlink\.com/i
describe RM_t_bobbf2 Definitely not from me
score RM_t_bobbf2 9.0
header RM_t_bobbf3 From =~ /cpollock\@earthlink\.net/i
describe RM_t_bobbf3 I may have sent it as a test, probably not
score RM_t_bobbf3 9.0
Chris
--
Regards
Chris
A 100% Microsoft free computer
Registered Linux User 283774 http://counter.li.org
8:17pm up 3 days, 22:36, 3 users, load average: 0.18, 0.43, 0.48