Posted to users@spamassassin.apache.org by Simeon Ott <s....@onnet.ch> on 2017/12/01 11:01:35 UTC

Rule to match when multiple FROM addresses exist

Hi

Occasionally I get spam mails with non-quoted display names like 

John, Doe, Lastname <someone@somewhere.com <ma...@somewhere.com>>

My MTA (Postfix) thinks these are multiple FROM addresses and adds my local servername to John and Doe. Spamassassin gets the forwarded mail with a From header like:

From: John@localservername, Doe@localservername, Example <someone@somewhere.com <ma...@somewhere.com>>

Any suggestion how to match this kind of From header? I would like to score the mail when multiple FROM addresses exist (I know that multiple FROM addresses are allowed according to the specific RFC).

Or is there a possible option to reject this mail earlier on MTA level (Postfix)?

thanks in advance for your help
simeon

Re: Rule to match when multiple FROM addresses exist

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 1 Dec 2017, at 6:01 (-0500), Simeon Ott wrote:

> Hi
>
> Occasionally I get spam mails with non-quoted display names like
>
> John, Doe, Lastname <someone@somewhere.com 
> <ma...@somewhere.com>>
>
> My MTA (Postfix) thinks these are multiple FROM addresses and adds my 
> local servername to John and Doe.

That's a Postfix misconfiguration. Ancient versions of Postfix did that 
and you can make modern Postfix continue that misbehavior if you really 
need it, but you really should fix it. You should leave 
remote_header_rewrite_domain and local_header_rewrite_clients at their 
defaults (since v2.2) unless you have very special local needs to 
support no-domain mail coming from external sources.

If you are using the classic amavisd sandwich rig (with 2 smtpd 
instances) then you may need to look at which smtpd is doing the header 
rewrites and assure that it is the external-facing (port 25) one ONLY.

> Spamassassin gets the forwarded Mail with a From Header like:
>
> From: John@localservername, Doe@localservername, Example 
> <someone@somewhere.com <ma...@somewhere.com>>

META: Your mail client mangled your message to this list by adding the 
'mailto:' garbage above, confusing the details of your issue. If you can 
make it send only plain text to mailing lists that would help prevent 
such problems.

> Any suggestion how to match this kind of From header? I would like to 
> score the mail when multiple FROM addresses exist (I know that 
> multiple FROM addresses are allowed according to the specific RFC).
>
> Or is there a possible option to reject this mail earlier on MTA level 
> (Postfix)?

Postfix first needs to be fixed to not append any domains to non-local 
mail, then you can catch *some* of the problem messages with 
carefully-crafted Postfix header_checks. Unfortunately, that can't catch 
all cases because headers can be encoded to allow non-ASCII characters 
and header_checks doesn't decode such headers before checking them.

You can probably get more and better help if you need it on the 
Postfix-Users list (see http://www.postfix.org/lists.html) where the 
active participants include the creator of Postfix and other real 
Postfix experts (I just play one on other lists...)



-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Rule to match when multiple FROM addresses exist

Posted by Simeon Ott <s....@onnet.ch>.
On 2017-12-01 16:17, Bill Cole wrote:
> On 1 Dec 2017, at 8:44 (-0500), Tom Hendrikx wrote:
> 
>> You're mistaken about postfix. It does not rewrite the From headers in
>> the way you describe, unless you explicitly configured it to.
> 
> It will if it is very old (<2.2) OR if it has an organically-evolved
> configuration that has maintained backward-compatibility since 2.1. It
> is also possible in a "Before-Queue Content Filter" smtpd-proxy
> configuration that is commonly used with amavisd, if the after-filter
> smtpd isn't prevented from treating its input as local (see
> documentation of append_at_myorigin, which is on by default)
> 
>> You should
>> change your postfix configuration, or verify the input data that 
>> postfix
>> receives (maybe the addresses were already malformed before they 
>> entered
>> your system?
>> 
>> The easy way to catch these messages is to set your machine name to 
>> some
>> domain that never receives mail.
> 
> That's a good fix for a broader range of misbehaviors.

Thank you Tom for your suggestions. I implemented a rule matching my 
local servername which works great.
And thank you Bill for the clarification. I indeed use amavisd as a 
before-queue content filter and this is exactly the reason why the From 
header looks like this.

all solved!
Simeon

Re: Rule to match when multiple FROM addresses exist

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 1 Dec 2017, at 8:44 (-0500), Tom Hendrikx wrote:

> You're mistaken about postfix. It does not rewrite the From headers in
> the way you describe, unless you explicitly configured it to.

It will if it is very old (<2.2) OR if it has an organically-evolved 
configuration that has maintained backward-compatibility since 2.1. It 
is also possible in a "Before-Queue Content Filter" smtpd-proxy 
configuration that is commonly used with amavisd, if the after-filter 
smtpd isn't prevented from treating its input as local (see 
documentation of append_at_myorigin, which is on by default)

> You should
> change your postfix configuration, or verify the input data that 
> postfix
> receives (maybe the addresses were already malformed before they 
> entered
> your system?
>
> The easy way to catch these messages is to set your machine name to 
> some
> domain that never receives mail.

That's a good fix for a broader range of misbehaviors.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Rule to match when multiple FROM addresses exist

Posted by RW <rw...@googlemail.com>.
On Fri, 1 Dec 2017 14:44:42 +0100
Tom Hendrikx wrote:


> You're mistaken about postfix. It does not rewrite the From headers in
> the way you describe, 

I didn't say it did, so I can't be mistaken. 

Re: Rule to match when multiple FROM addresses exist

Posted by Tom Hendrikx <to...@whyscream.net>.

On 01-12-17 14:15, RW wrote:
> On Fri, 1 Dec 2017 12:01:35 +0100
> Simeon Ott wrote:
> 
>> Hi
>>
>> Occasionally I get spam mails with non-quoted display names like 
>>
>> John, Doe, Lastname <someone@somewhere.com
>> <ma...@somewhere.com>>
>>
>> My MTA (Postfix) thinks these are multiple FROM addresses and adds my
>> local servername to John and Doe. Spamassassin gets the forwarded
>> mail with a From header like:
>>
>> From: John@localservername, Doe@localservername, Example
>> <someone@somewhere.com <ma...@somewhere.com>>
>>
>> Any suggestion how to match this kind of From header? 
> 
> Does Postfix keep the original From header with a rewritten
> header name? If there's an Original-From or similar it would be better
> to detect the original problem rather than a side effect.
> 
> If that mailto thing repeats, I'd go after that too. Maybe 
> 
> header   ...   From =~ />\s*>\s*$/
> 

You're mistaken about postfix. It does not rewrite the From headers in
the way you describe, unless you explicitly configured it to. You should
change your postfix configuration, or verify the input data that postfix
receives (maybe the addresses were already malformed before they entered
your system?).

The easy way to catch these messages is to set your machine name to some
domain that never receives mail.

email addresses: john.doe@company.tld
server domain: mailserver.company.tld

Automatically generated addresses would look like
john.doe@mailserver.company.tld; these are easily recognized because
nobody uses them.

Kind regards,
	Tom

Re: Rule to match when multiple FROM addresses exist

Posted by RW <rw...@googlemail.com>.
On Fri, 1 Dec 2017 12:01:35 +0100
Simeon Ott wrote:

> Hi
> 
> Occasionally I get spam mails with non-quoted display names like 
> 
> John, Doe, Lastname <someone@somewhere.com
> <ma...@somewhere.com>>
> 
> My MTA (Postfix) thinks these are multiple FROM addresses and adds my
> local servername to John and Doe. Spamassassin gets the forwarded
> mail with a From header like:
> 
> From: John@localservername, Doe@localservername, Example
> <someone@somewhere.com <ma...@somewhere.com>>
> 
> Any suggestion how to match this kind of From header? 

Does Postfix keep the original From header with a rewritten
header name? If there's an Original-From or similar it would be better
to detect the original problem rather than a side effect.

If that mailto thing repeats, I'd go after that too. Maybe 

header   ...   From =~ />\s*>\s*$/
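As an added example (not code from anyone in this thread), the following Python function applies the three signals discussed above to a raw From: value: how an unquoted display name "John, Doe, Lastname <...>" splits into several mailboxes, which of the resulting addresses carry the server's own domain (Tom's "domain that never receives mail", here the constructed value mailserver.company.tld), and RW's trailing ">>" pattern from the mailto mangling.

```python
import re

# Constructed value (not from the thread): the server name that Tom's
# advice turns into a domain nobody legitimately sends mail from.
SERVER_DOMAIN = "mailserver.company.tld"

# RW's pattern for the mailto-mangled header: two closing angle
# brackets at the end of the From: value.
DOUBLE_CLOSE = re.compile(r">\s*>\s*$")

# First bare address inside one mailbox, whether or not it sits in <...>.
ADDR_RE = re.compile(r'[^\s<>,"]+@[^\s<>,"]+')


def split_mailboxes(value):
    """Split a From: value on commas outside quotes and angle brackets.
    Unquoted commas in a display name therefore become extra mailboxes,
    which is exactly how "John, Doe, Lastname <...>" turns into three."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">" and depth:
            depth -= 1
        if ch == "," and not quoted and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def analyse_from(value, server_domain=SERVER_DOMAIN):
    """Report, for one From: header value, how many mailboxes it holds,
    which addresses they carry, which of those were stamped with the
    server's own domain, and whether the trailing '>>' mangling is there."""
    boxes = split_mailboxes(value)
    addrs = [m.group(0) for m in map(ADDR_RE.search, boxes) if m]
    suffix = "@" + server_domain.lower()
    return {
        "mailboxes": len(boxes),
        "addresses": addrs,
        "server_domain_addrs": [a for a in addrs if a.lower().endswith(suffix)],
        "double_close": bool(DOUBLE_CLOSE.search(value)),
    }
```

The same two checks map onto SpamAssassin header rules of the shape RW shows, e.g. `header LOCAL_FROM_AT_SERVER From =~ /\@mailserver\.company\.tld\b/i` for the server-domain signal.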