Posted to users@spamassassin.apache.org by Jason Oriente <Ja...@pathcom.com> on 2006/12/08 00:04:03 UTC

Trying to catch spoofed ToCc

> In my mail setup, it is gospel that (ignoring BCC and mailing lists)
> the full email address in the Delivered-To will match an email address
> in the ToCc.  
> Example below.
> 
> Return-Path: <so...@somewhere.com>
> Delivered-To: jason@domain.ext
> Received: from mx01.domain.ext (unknown [172.16.0.149])
>         by localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57
>         for <ja...@domain.ext>; Mon, 27 Nov 2006 19:36:46 -0500 (EST)
> From: <so...@somewhere.com>
> To: Jason <ja...@domain.ext>
> Cc: Jason <bl...@domain.ext>
> Subject: Testing
> 
> I have created a matching rule to statically qualify the validity of a
> domain (below).
> #--------------------------------------------------------------------------------------------------------
> header  __HEAD_01_01   Delivered-To =~  /\@domain\.ext/i
> header  __HEAD_01_02   ToCc !~  /\@domain\.ext/i
> #--------------------------------------------------------------------------------------------------------
> meta    HEAD_01        (__HEAD_01_01 && __HEAD_01_02)
> score   HEAD_01        5.0
> #--------------------------------------------------------------------------------------------------------
> 
> I host hundreds of domains, so I cannot create static rules for each.
> My goal is to have a rule, much like the one above, but one that will qualify
> the entire email address from the Delivered-To against the ToCc.  No match
> equals a score.
> 
> Any insight would be much appreciated.
> 
> 
> Thank you,
> Jason
> 

Re: Trying to catch spoofed ToCc

Posted by Mike Pepe <la...@doki-doki.net>.
Loren Wilton wrote:
> Nasty to do without using a plugin or eval rule, but it can be done.
> The following is off the top of my head, and I almost guarantee it won't 
> work correctly without testing and some minor tweak somewhere.  But you 
> can try it and/or fool with it if you like.
>  
> # the Delivered-To address must reappear on a To: or Cc: line within the
> # next 300 bytes of headers; /s lets . cross the folded headers in between
> header __SENT_TO_ME    ALL =~ /^(?i:Delivered-To):\s+(\S+)\s*\n.{0,300}\n(?i:To|Cc):[^\n]*\b\1\b/sm
> meta NOT_SENT_TO_ME    !__SENT_TO_ME
>  
> You can give that a try, but I warn you you may have to fiddle with it 
> for half an hour to get it to work right.  Or maybe it will work now.
>  
>         Loren

That looks pretty good, but I think that sort of user-specific action 
might be best done in the user's procmail file:

(Well, assuming of course that that the user is using procmail!)

but something like

# if it's not to or cc me at this point, it's probably spam
# (":0:" takes a lockfile, since this delivers to a mailbox file)

:0:
* !^(To|Cc):.*{my email address}
possibly-spam

Towards the very end of the procmail script does the trick.

-Mike

Re: Trying to catch spoofed ToCc

Posted by Loren Wilton <lw...@earthlink.net>.
Nasty to do without using a plugin or eval rule, but it can be done.
The following is off the top of my head, and I almost guarantee it won't work correctly without testing and some minor tweak somewhere.  But you can try it and/or fool with it if you like.

# the Delivered-To address must reappear on a To: or Cc: line within the
# next 300 bytes of headers; /s lets . cross the folded headers in between
header __SENT_TO_ME    ALL =~ /^(?i:Delivered-To):\s+(\S+)\s*\n.{0,300}\n(?i:To|Cc):[^\n]*\b\1\b/sm
meta NOT_SENT_TO_ME    !__SENT_TO_ME

You can give that a try, but I warn you you may have to fiddle with it for half an hour to get it to work right.  Or maybe it will work now.

        Loren

  ----- Original Message ----- 
  From: Jason Oriente 
  To: users@spamassassin.apache.org 
  Sent: Thursday, December 07, 2006 3:04 PM
  Subject: Trying to catch spoofed ToCc
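
An added example, not code from the thread or from SpamAssassin itself: the check the thread is after, written in Python with the standard-library email package and run over constructed sample headers (every address, host and Received: detail in it is made up). It puts a raw-text regex in the spirit of Loren's rule beside a parser-based version, and includes two cases where the two disagree: a message whose recipient address appears only inside a display name (the regex is fooled, the parser is not), and a legitimate message with a folded To: header (the regex misses the match, the parser does not). Accepting a match on any of several Delivered-To headers is a choice made here, not something the thread specifies.

```python
"""Delivered-To vs. To/Cc check, two ways (added example, not from the thread).

All addresses, hosts and the Received: details below are constructed."""
import email
import email.policy
import re
from email.utils import getaddresses

# Raw-text rule in the spirit of the SpamAssassin regex posted in the thread:
# the Delivered-To address must reappear on a To: or Cc: line within the next
# 300 characters of headers (re.S lets "." cross the folded headers between).
RULE = re.compile(
    r"^Delivered-To:[ \t]+(\S+)[ \t]*\n"  # capture the bare delivered address
    r".{0,300}?"                          # skip intervening headers (bounded)
    r"^(?:To|Cc):[^\n]*\b\1\b",           # same address on a To:/Cc: line
    re.I | re.M | re.S,
)


def regex_check(raw_message: str) -> bool:
    """True if the raw-text rule finds the Delivered-To address on To/Cc."""
    return RULE.search(raw_message) is not None


def parsed_check(raw_message: str) -> bool:
    """True if any Delivered-To address is among the parsed To/Cc addresses.

    Parsing instead of substring matching means an address used only as a
    display name does not count, and folded headers are unfolded first.
    Several Delivered-To headers can appear after alias expansion; a match
    on any of them is accepted (a lenient choice made here: fewer false alarms).
    """
    msg = email.message_from_string(raw_message, policy=email.policy.default)

    def addrs(*names):
        fields = [str(v) for n in names for v in msg.get_all(n, [])]
        return {a.lower() for _, a in getaddresses(fields) if a}

    return bool(addrs("Delivered-To") & addrs("To", "Cc"))


# Constructed samples modelled on the headers quoted in the thread.
LEGIT = """\
Return-Path: <sender@example.net>
Delivered-To: alice@example.org
Received: from mx01.example.org (unknown [172.16.0.149])
        by localdelivery01 (Postfix) with ESMTP
        for <alice@example.org>; Mon, 27 Nov 2006 19:36:46 -0500 (EST)
From: <sender@example.net>
To: Alice <alice@example.org>
Cc: Bob <bob@example.org>
Subject: Testing

hello
"""

# Delivered to alice, but she is named nowhere in To/Cc: the case to score.
SPOOFED = """\
Return-Path: <sender@example.net>
Delivered-To: alice@example.org
Received: from mx01.example.org (unknown [172.16.0.149])
        by localdelivery01 (Postfix) with ESMTP
        for <alice@example.org>; Mon, 27 Nov 2006 19:36:46 -0500 (EST)
From: <sender@example.net>
To: <someone-else@example.com>
Subject: Testing

hello
"""

# Recipient address appears only as a display name: regex fooled, parser not.
NAME_ONLY = """\
Delivered-To: alice@example.org
From: <sender@example.net>
To: "alice@example.org" <list-relay@example.com>
Subject: Testing

hello
"""

# Legitimate mail with a folded To: header: regex misses it, parser does not.
FOLDED = """\
Delivered-To: alice@example.org
From: <sender@example.net>
To: Alice
        <alice@example.org>
Subject: Testing

hello
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED),
                      ("name_only", NAME_ONLY), ("folded", FOLDED)]:
        print(f"{name:10} regex={regex_check(raw)!s:5} parsed={parsed_check(raw)}")
```

Running the script prints one line per sample; the two checks agree on the first two and disagree on the last two, which is the point: a header rule that backreferences raw text is cheap and fits in a plain .cf file, but anything that needs the addresses themselves (display names, folding, alias expansion) belongs in a plugin or eval rule that parses To/Cc, which is what Loren's "nasty to do without a plugin" warns about.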