Posted to users@spamassassin.apache.org by Rupert Gallagher <ru...@protonmail.com> on 2017/10/25 13:26:37 UTC

New rule --- From:name domain mismatches From:addr domain

This is my rule for a case that has also been discussed in this list.
I wrote it two weeks ago, and it works so far.

This part goes into your local.cf:

header   __F_DM1 eval:from_domains_mismatch()
header   __F_DM2 From:addr =~ /\@(exception1|exception2)(\.[^\.]+)?\.it/
meta       F_DM ( __F_DM1 && ! __F_DM2 )
describe   F_DM From:name domain mismatches From:addr domain
priority   F_DM -1
score      F_DM 5.0

This part goes into HeaderEval.pm:

$self->register_eval_rule("from_domains_mismatch");
...
sub from_domains_mismatch {
  my ($self, $pms) = @_;

  # Domain part of the From: address; '' when there is no From: header.
  my ($fromAddrDomain) = $pms->get('From:addr', '') =~ /\@(.+)$/;
  $fromAddrDomain = '' unless defined $fromAddrDomain;

  # Domain part of anything address-like in the From: display name.
  my ($fromNameDomain) = $pms->get('From:name', '') =~ /\@([^\@\"\s]+)/;
  $fromNameDomain = '' unless defined $fromNameDomain;

  dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");

  return 0 if $fromNameDomain eq '';                            # no domain in the name: all well
  return 0 if lc($fromNameDomain) eq lc($fromAddrDomain);       # they match (domains are case-insensitive): all well
  return 1;                                                     # mismatch, possibly spam
}

Note that some legitimate e-mail providers, who send e-mail on behalf of their client, make the mistake of re-writing the From header, injecting their own address in it. The "exception1|exception2" above is meant to mitigate this case while they solve this problem.

R.G.

Re: New rule --- From:name domain mismatches From:addr domain

Posted by Rupert Gallagher <ru...@protonmail.com>.
Empty Message

Re: New rule --- From:name domain mismatches From:addr domain

Posted by Merijn van den Kroonenberg <me...@web2all.nl>.
>
> This may not be representative but I found that the rest of the FPs
> could have been avoided with
>
>   && (FREEMAIL_FROM || !DKIM_VALID_AU)
>
> the spam rarely hits DKIM_VALID_AU unless it's freemail.

Actually a decent portion of spam is sent with DKIM_VALID_AU, either from
spammer owned domains or from hacked servers. But you might not see them
in SA if they are blocked at MTA level with blacklists.

>
> One thing to watch out for is mismatches between unicode and punycode
> versions of the same address.  The above rule only targets ascii
> domains in the display field for that reason.
>



Re: New rule --- From:name domain mismatches From:addr domain

Posted by RW <rw...@googlemail.com>.
On Wed, 25 Oct 2017 09:26:37 -0400
Rupert Gallagher wrote:

> This is my rule for a case that has also been discussed in this list.
> I wrote it two weeks ago, and it works so far.
> 
> This part goes into your local.cf:
> 
> header   __F_DM1 eval:from_domains_mismatch()

I wrote something similar as an ordinary rule

header    FROM_DISPLAYS_FAKE_ADDR   From =~ /^\s*("?)\s*([\w+.-]+\@[a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*\1\s*<(?!\2>)/i

However, when I looked at my ham archive I found that it could be
improved a bit by checking the organizational domain rather than the
full RHS (this is easier to do in perl with tld support).

e.g. "foo@example.com <ba...@email.example.com>

and a little bit further by just comparing the first 3 letters of the
main domain label.

e.g. "foo@EXAmple.com <ba...@email.EXAmple-online.com>


This may not be representative but I found that the rest of the FPs
could have been avoided with

  && (FREEMAIL_FROM || !DKIM_VALID_AU)

the spam rarely hits DKIM_VALID_AU unless it's freemail.

One thing to watch out for is mismatches between unicode and punycode
versions of the same address.  The above rule only targets ascii
domains in the display field for that reason.
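A stand-alone version of the check, written as an added example for this thread (it is not code from either post, nor from SpamAssassin itself). It mirrors the eval rule from the first post (whole right-hand side must match), then the two relaxations described above (organisational domain, then only the first three letters of the main label), and skips non-ASCII domains in the display name for the unicode/punycode reason given above. The public-suffix hash, the helper names (parse_from, addr_domain, name_domain, org_domain) and the sample headers are all constructed for the example; a real rule would use SpamAssassin's own registry-boundary data instead of the hash.

```perl
#!/usr/bin/perl
# Added example (not code from the thread or from SpamAssassin): does an
# address-looking string in the From: display name carry a different domain
# than the real From: address?  Three comparison modes are shown:
#   full  - whole right-hand side must match (the eval rule in the first post)
#   org   - organisational domains must match (RW's first refinement)
#   loose - only the first three letters of the main label must match
use strict;
use warnings;
use utf8;
binmode STDOUT, ':encoding(UTF-8)';

# Constructed stand-in for SpamAssassin's registrar-boundary (public suffix)
# data; a real rule would use SA's own TLD list instead of this hash.
my %PUBLIC_SUFFIX = map { $_ => 1 } qw(com net org it example test co.uk);

# Split "Display Name <addr>" into (name, addr); a bare address has no name.
sub parse_from {
    my ($from) = @_;
    if ($from =~ /^\s*(.*?)\s*<([^<>]+)>\s*$/) {
        my ($name, $addr) = ($1, $2);
        $name =~ s/^"(.*)"$/$1/;          # drop surrounding quotes
        return ($name, $addr);
    }
    (my $addr = $from) =~ s/^\s+|\s+$//g;
    return ('', $addr);
}

# Lower-cased domain part of the real address, '' if there is none.
sub addr_domain {
    my ($addr) = @_;
    return $addr =~ /\@([^\@\s]+)$/ ? lc $1 : '';
}

# Lower-cased domain of an address-like token in the display name.  Only
# ASCII labels are accepted, so a Unicode name is never compared against
# its punycode form; such names simply yield '' here and are not flagged.
sub name_domain {
    my ($name) = @_;
    return $name =~ /[\w+.-]+\@([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i ? lc $1 : '';
}

# Trim a hostname to its organisational domain: "email.example.com" ->
# "example.com", "mail.example.co.uk" -> "example.co.uk".
sub org_domain {
    my ($host) = @_;
    my @labels = split /\./, lc $host;
    for my $n (1 .. $#labels) {
        my $suffix = join '.', @labels[$n .. $#labels];
        return join '.', @labels[$n - 1 .. $#labels] if $PUBLIC_SUFFIX{$suffix};
    }
    return lc $host;                      # no known suffix: keep it whole
}

# 1 = the display name carries a domain that does not match the address
# domain under the chosen mode, 0 = all well.
sub from_domains_mismatch {
    my ($from, $mode) = @_;
    $mode ||= 'org';
    my ($name, $addr) = parse_from($from);
    my $nd = name_domain($name);
    return 0 if $nd eq '';                # nothing address-like in the name
    my $ad = addr_domain($addr);
    return 0 if $nd eq $ad;               # identical RHS: fine in every mode
    return 1 if $mode eq 'full';
    my ($no, $ao) = (org_domain($nd), org_domain($ad));
    return 0 if $no eq $ao;
    return 1 if $mode ne 'loose' || $ao eq '';
    my ($nl) = $no =~ /^([^.]+)/;         # main label of each org domain
    my ($al) = $ao =~ /^([^.]+)/;
    return substr($nl, 0, 3) eq substr($al, 0, 3) ? 0 : 1;
}

# Constructed sample From: headers, not taken from real mail.
my @samples = (
    '"security@bank.example" <mailer@evil.test>',         # unrelated domains
    'Alice <alice@example.com>',                           # no domain in the name
    '"foo@example.com" <bar@email.example.com>',           # same org domain, different host
    '"foo@EXAmple.com" <bar@email.EXAmple-online.com>',    # same first three letters only
    '"ops@example.co.uk" <ops@mail.example.co.uk>',        # multi-label public suffix
    '"info@bänk.example" <info@bank.example>',             # non-ASCII name, skipped
    'bob@example.com',                                     # bare address, no name
);

printf "%-5s %-4s %-5s %s\n", 'full', 'org', 'loose', 'From';
for my $from (@samples) {
    printf "%-5d %-4d %-5d %s\n",
        (map { from_domains_mismatch($from, $_) } qw(full org loose)), $from;
}
```

Run it with perl: the "full" column is what the eval rule in the first post would return, "org" and "loose" are the two relaxations from this post, and the non-ASCII sample is never flagged in any mode because name_domain refuses it. The meta condition `&& (FREEMAIL_FROM || !DKIM_VALID_AU)` is a local.cf matter on top of this verdict and is not modelled here.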

Re: New rule --- From:name domain mismatches From:addr domain

Posted by Rupert Gallagher <ru...@protonmail.com>.
Also copy and paste in a reply does not work. Crapware...

Sent from ProtonMail Mobile

On Fri, Jan 19, 2018 at 16:18, Rupert Gallagher <ru...@protonmail.com> wrote:

> It turns out that PM does not forward e-mails.
>
> Sent from ProtonMail Mobile
>
> On Fri, Jan 19, 2018 at 16:16, Reindl Harald <h....@thelounge.net> wrote:
>
>> On 19.01.2018 at 16:14, Rupert Gallagher wrote:
>>> Empty Message
>>
>> how many of them are expected? what idiotic MUA does that?

Re: New rule --- From:name domain mismatches From:addr domain

Posted by Rupert Gallagher <ru...@protonmail.com>.
It turns out that PM does not forward e-mails.

Sent from ProtonMail Mobile

On Fri, Jan 19, 2018 at 16:16, Reindl Harald <h....@thelounge.net> wrote:

> On 19.01.2018 at 16:14, Rupert Gallagher wrote:
>> Empty Message
>
> how many of them are expected? what idiotic MUA does that?

Fwd: New rule --- From:name domain mismatches From:addr domain

Posted by Rupert Gallagher <ru...@protonmail.com>.
Empty Message