Posted to users@spamassassin.apache.org by Jason Oriente <Ja...@pathcom.com> on 2006/12/08 00:04:03 UTC
Trying to catch spoofed ToCc
> In my mail setup, it is gospel that (ignoring BCC and mailing lists)
> the full email address in the Delivered-To will match an email address
> in the ToCc.
> Example below.
>
> Return-Path: <so...@somewhere.com>
> Delivered-To: jason@domain.ext
> Received: from mx01.domain.ext (unknown [172.16.0.149])
> by localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57
> for <ja...@domain.ext>; Mon, 27 Nov 2006 19:36:46 -0500 (EST)
> From: <so...@somewhere.com>
> To: Jason <ja...@domain.ext>
> Cc: Jason <bl...@domain.ext>
> Subject: Testing
>
> I have created a matching rule to statically qualify the validity of a
> domain (below).
> #--------------------------------------------------------------------------------------------------------
> header __HEAD_01_01 Delivered-To =~ /\@domain\.ext/i
> header __HEAD_01_02 ToCc !~ /\@domain\.ext/i
> #--------------------------------------------------------------------------------------------------------
> meta HEAD_01 (__HEAD_01_01 && __HEAD_01_02)
> score HEAD_01 5.0
> #--------------------------------------------------------------------------------------------------------
>
> I host hundreds of domains, so I cannot create static rules for each.
> My goal is to have a rule, much like the one above, but will qualify
> the entire email address from the Delivered-To to the ToCc. No match
> equals a score.
>
> Any insight would be much appreciated.
>
>
> Thank you,
> Jason
>
Re: Trying to catch spoofed ToCc
Posted by Mike Pepe <la...@doki-doki.net>.
Loren Wilton wrote:
> Nasty to do without using a plugin or eval rule, but it can be done.
> The following is off the top of my head, and I almost guarantee it won't
> work correctly without testing and some minor tweak somewhere. But you
> can try it and/or fool with it if you like.
>
> header __SENT_TO_ME ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/s
> meta NOT_SENT_TO_ME !__SENT_TO_ME
>
> You can give that a try, but I warn you you may have to fiddle with it
> for half an hour to get it to work right. Or maybe it will work now.
>
> Loren
That looks pretty good, but I think that sort of user-specific action
might be best done in the user's procmail file-
(Well, assuming of course that the user is using procmail!)
but something like
# if it's not to or cc me at this point, it's probably spam
:0
* !^(To|Cc).*{my email address}
possibly-spam
Towards the very end of the procmail script does the trick.
-Mike
Re: Trying to catch spoofed ToCc
Posted by Loren Wilton <lw...@earthlink.net>.
Nasty to do without using a plugin or eval rule, but it can be done.
The following is off the top of my head, and I almost guarantee it won't work correctly without testing and some minor tweak somewhere. But you can try it and/or fool with it if you like.
header __SENT_TO_ME ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/s
meta NOT_SENT_TO_ME !__SENT_TO_ME
You can give that a try, but I warn you you may have to fiddle with it for half an hour to get it to work right. Or maybe it will work now.
Loren
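The thread mentions that a plugin or eval rule is the other way to compare the full Delivered-To address against To/Cc. The following is an added example of such an eval rule, not code from any poster or from the SpamAssassin project. The plugin name, file path, rule name and the lowercase comparison are assumptions, and it works for any number of hosted domains because nothing is hard-coded.

```perl
# DeliveredToCheck.pm -- added example; plugin, rule and path names are hypothetical.
# Enable it from a .cf file:
#   loadplugin DeliveredToCheck /etc/mail/spamassassin/DeliveredToCheck.pm
#   header     NOT_SENT_TO_ME   eval:check_not_sent_to_me()
#   describe   NOT_SENT_TO_ME   Delivered-To address is not in To or Cc
#   score      NOT_SENT_TO_ME   5.0
package DeliveredToCheck;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless($self, $class);
  $self->register_eval_rule('check_not_sent_to_me');
  return $self;
}

# Pull every address out of one or more header values, lowercased
# so that Jason@Domain.ext and jason@domain.ext compare equal.
sub _addrs {
  my $text = join("\n", grep { defined } @_);
  return map { lc($_) } ($text =~ /([^\s<>,;:"()]+\@[^\s<>,;:"()]+)/g);
}

# Returns 1 (rule hits) when no Delivered-To address appears in To or Cc.
sub check_not_sent_to_me {
  my ($self, $pms) = @_;

  # A repeated header (e.g. after forwarding) yields all of its values.
  my @delivered = _addrs($pms->get('Delivered-To'));
  return 0 unless @delivered;    # no Delivered-To header: nothing to compare

  my %visible = map { $_ => 1 }
                (_addrs($pms->get('To')), _addrs($pms->get('Cc')));

  # Whole-address comparison: a display name such as "Jason" or a
  # matching domain alone does not count as a match.
  foreach my $addr (@delivered) {
    return 0 if $visible{$addr};
  }
  return 1;    # BCC and mailing-list mail lands here too, as the original post notes
}

1;
```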