Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2010/01/13 21:29:19 UTC
Re: [sa] Re: Faked _From_ field using our domain - how to filter/score?
On Wed, 13 Jan 2010, Mike Wallace wrote:
: I do this but it only works for rejecting a forged envelope. It doesn't
: work if it's only a forged From header which the example shows.
:
: Does anyone know of a way to handle this type of scenario, where the
: envelope From is valid and the From header is forged and typically
: matches the To header?
The key word here is 'valid'. You need to decide what makes the appearance
of the 'From' header 'valid', and thereby categorize a message as spam
when it fails to exhibit all the criteria of a valid e-mail from that
sender. Nearly all methodology involves a degree of 'configuration'
supplied by the user.
1) Reject all mail where the sender envelope does not match the 'From'
header. Or reject all mail originating from anywhere other than an
'authorized' source.
- Obviously this FP's on mailing list mail, so the user must supply
a LIST of valid senders (or other identifying criteria) when their
address will appear in a 'From' header of mail they do not send.
2) If the user agrees and understands (good luck with that! LOL) you can
have them specify (by any convenient mechanism including an e-mail to a
robot) their full legitimate 'From' header. Most spam that uses a faked
From header does not have a way to generate the correct 'name' portion of
the header.
For example, I personally have a test for:
header From =~ /^"?([^C]|C[^h]|Ch[^a])[^<]+...@hwcn.org>/
I also add a modest score for a similar hit on the 'To' header.
- Charles
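An added example, not from Charles's post or from SpamAssassin itself: the two tests he describes (envelope sender versus From header, and a per-user registered display name) written as a stand-alone Python check, with a modest extra weight for a To header hit as the post mentions. OUR_DOMAIN, the name table, the trusted-sender set, the sample addresses and the score values are all constructed assumptions.

```python
from email.utils import parseaddr

OUR_DOMAIN = "example.org"   # assumption: the domain whose users we protect

# Assumption: users register the exact display name their legitimate mail
# carries (the post's "full legitimate 'From' header"), keyed by address.
LEGIT_NAMES = {
    "alice@example.org": "Alice Example",
    "charles@example.org": "Charles Gregory",
}

# Assumption: envelope senders allowed to carry our users' From headers
# (mailing lists etc.), the per-user "LIST of valid senders" from the post.
TRUSTED_ENVELOPE_SENDERS = {"users-return@lists.example.net"}


def forged_reasons(header_value, envelope_from=None):
    """Return why a From-style header claiming our domain looks forged.

    An empty list means no test fired. Mirrors the post's two tests:
    envelope/header mismatch, and a wrong or missing display name.
    """
    name, addr = parseaddr(header_value)
    addr = addr.lower()
    if not addr.endswith("@" + OUR_DOMAIN):
        return []                       # not claiming our domain: nothing to check
    reasons = []
    if (envelope_from is not None
            and envelope_from.lower() != addr
            and envelope_from.lower() not in TRUSTED_ENVELOPE_SENDERS):
        reasons.append("envelope_mismatch")
    expected = LEGIT_NAMES.get(addr)
    if expected is None:
        reasons.append("unknown_user")
    elif name.strip().strip('"') != expected:
        reasons.append("name_mismatch")
    return reasons


def score_message(headers, envelope_from=None):
    """Score like the post: full weight on a From hit, a modest add-on for To."""
    score = 0.0
    if forged_reasons(headers.get("From", ""), envelope_from):
        score += 3.0                    # assumption: main rule score
    if forged_reasons(headers.get("To", "")):
        score += 1.0                    # the "modest score" for a To hit
    return score
```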