Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2010/01/13 21:29:19 UTC

Re: [sa] Re: Faked _From_ field using our domain - how to filter/score?

On Wed, 13 Jan 2010, Mike Wallace wrote:
: I do this but it only works for rejecting a forged envelope. It doesn't 
: work if it's only a forged From header which the example shows.
: 
: Does anyone know of a way to handle this type of scenario, where the 
: envelope From is valid and the From header is forged and typically 
: matches the To header?

The key word here is 'valid'. You need to decide what makes the appearance 
of the 'From' header 'valid', and thereby categorize a message as spam 
when it fails to exhibit all the criteria of a valid e-mail from that 
sender. Nearly all methodology involves a degree of 'configuration' 
supplied by the user.

1) Reject all mail where the sender envelope does not match the 'From' 
header.  Or reject all mail originating from anywhere other than an 
'authorized' source. 
    - Obviously this FP's on mailing list mail, so the user must supply 
      a LIST of valid senders (or other identifying criteria) when their
      address will appear in a 'From' header of mail they do not send.

2) If the user agrees and understands (good luck with that! LOL) you can 
have them specify (by any convenient mechanism including an e-mail to a 
robot) their full legitimate 'From' header. Most spam that uses a faked 
From header does not have a way to generate the correct 'name' portion of 
the header. 

    For example, I personally have a test for:
    header From =~ /^"?([^C]|C[^h]|Ch[^a])[^<]+...@hwcn.org>/

I also add a modest score for a similar hit on the 'To' header.

- Charles
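An added example, not part of the thread, that implements the checks described above in Python rather than as SpamAssassin rules: a registered full 'From' name per protected address (as in point 2), a list of authorized list senders that may relay the user's own posts (point 1), and a modest extra score when 'To' matches 'From'. The addresses, names, rule names and scores are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed configuration (not from the post): the full legitimate 'From'
# display name each protected user has registered, and the envelope senders
# (mailing lists) allowed to put that user's address in 'From'.
LEGIT_FROM_NAME = {"alice@example.org": "Alice Example"}
AUTHORIZED_SENDERS = {"list-bounces@lists.example.net"}

# Constructed scores: a strong hit for a wrong name portion, a modest one
# when 'From' equals 'To', and one for an envelope/header mismatch.
SCORES = {"FAKED_FROM_NAME": 3.0, "FROM_EQ_TO": 1.0, "ENVELOPE_FROM_MISMATCH": 2.0}

def score_forged_from(raw_message, envelope_from):
    """Return (score, [rule names hit]) for one message.

    envelope_from is the SMTP MAIL FROM address; it is not in the headers,
    so the caller passes it in separately.
    """
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr, env = addr.lower(), envelope_from.lower()
    hits = []
    if addr not in LEGIT_FROM_NAME:
        return 0.0, hits          # not one of our protected addresses
    if env in AUTHORIZED_SENDERS:
        return 0.0, hits          # known list traffic relaying the user's own post
    if env != addr:
        hits.append("ENVELOPE_FROM_MISMATCH")
    # The name portion is what forgers rarely get right; a missing name is
    # treated as a mismatch here (a choice made for this example).
    if name.strip().lower() != LEGIT_FROM_NAME[addr].lower():
        hits.append("FAKED_FROM_NAME")
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() == addr:
        hits.append("FROM_EQ_TO")
    return sum(SCORES[h] for h in hits), hits

# Constructed sample messages: a forgery of the kind the thread describes
# (valid envelope, wrong name, To equals From) and a genuine message.
FORGED = """From: "Account Security" <alice@example.org>
To: alice@example.org
Subject: Verify your mailbox

Please verify your account.
"""
LEGIT = """From: Alice Example <alice@example.org>
To: bob@example.com
Subject: Lunch

See you at noon.
"""
```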