Posted to users@spamassassin.apache.org by Joey J <ja...@gmail.com> on 2020/12/24 05:02:38 UTC

How to Block messages from display name not matching expected sender email address

Hello,

I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensuring it's from a list
of valid email addresses.

So a phishing email comes in from "Boss Man<Bo...@Gmail.com>"

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is BossMan@RealCompany.com or BossMan@Company2.com,
otherwise score it with 10.

Also, would there be a way to forward that email to a specific user, not
send it to the original recipient?

Thanks

-- 
Thanks!
Joey

Re: How to Block messages from display name not matching expected sender email address

Posted by John Hardin <jh...@impsec.org>.
On Thu, 24 Dec 2020, Bill Cole wrote:

> On 24 Dec 2020, at 0:02, Joey J wrote:
>
>> I'm trying to figure out how to write a rule that looks for matches of
>> certain names against the display name, and then ensuring it's from a list
>> of valid email addresses.
>>
>> So a phishing email comes in from "Boss Man<Bo...@Gmail.com>"
>>
>> So I want to check if the display name is "Boss Man" and if so, make sure
>> the sending email address is BossMan@RealCompany.com or BossMan@Company2.com,
>> otherwise score it with 10.
>
> header __BOSSNAME From:name =~ /Boss Man/
> header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|BossMan@Company2.com/

Missed escaping the second @ sign, and the periods...

> meta   BOSSPHISH  __BOSSNAME && !__BOSSADDR
> score  BOSSPHISH 10

If you have a list of such addresses, you'd probably benefit from writing 
a script to generate the rules from that list rather than manually 
maintaining all the rules.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
   does quite what I want. I wish Christopher Robin was here."
                                            -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
  Tomorrow: Christmas
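
The rule generator suggested in the reply above, as an added example (not code from the thread or from the SpamAssassin project): it builds the same header/meta/score rule set from a list, with every "@" and "." escaped. The PROTECTED data, the function names, the \s+ join, the ^...$ anchors and the /i flag are assumptions of this example, not part of the rules posted in the thread.

```python
import re

# Constructed sample data: protected display names and the only addresses
# allowed to use them (values taken from the question in this thread).
PROTECTED = {
    "Boss Man": ["BossMan@RealCompany.com", "BossMan@Company2.com"],
}

def perl_quote(text):
    """Backslash-escape every ASCII character outside [A-Za-z0-9_], so
    '@', '.', '/' and similar are matched literally by the Perl regex."""
    return "".join(
        "\\" + ch if ch.isascii() and not (ch.isalnum() or ch == "_") else ch
        for ch in text
    )

def rule_prefix(display_name):
    """Turn 'Boss Man' into 'BOSS_MAN' for use in rule names."""
    return re.sub(r"[^A-Z0-9]+", "_", display_name.upper()).strip("_")

def make_rules(display_name, addresses, score=10):
    """Return the four rule lines for one protected display name."""
    if not display_name.split() or not addresses:
        raise ValueError(f"need a name and at least one address: {display_name!r}")
    prefix = rule_prefix(display_name)
    # Words joined by \s+ so extra whitespace in the display name still matches.
    name_re = r"\s+".join(perl_quote(w) for w in display_name.split())
    # Anchored alternation: an address that merely contains an allowed
    # address (for example with a longer domain) is not treated as allowed.
    addr_re = "|".join(perl_quote(a.strip()) for a in addresses)
    return [
        f"header __{prefix}_NAME From:name =~ /{name_re}/i",
        f"header __{prefix}_ADDR From:addr =~ /^(?:{addr_re})$/i",
        f"meta   {prefix}_PHISH  __{prefix}_NAME && !__{prefix}_ADDR",
        f"score  {prefix}_PHISH {score}",
    ]

def generate(protected):
    """Build the full rules text for every protected name."""
    lines = []
    for name, addrs in sorted(protected.items()):
        lines.extend(make_rules(name, addrs))
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(generate(PROTECTED))
```

Write the output to a local .cf file and check it with `spamassassin --lint` before reloading.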

Re: How to Block messages from display name not matching expected sender email address

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 24 Dec 2020, at 0:02, Joey J wrote:

> Hello,
>
> I'm trying to figure out how to write a rule that looks for matches of
> certain names against the display name, and then ensuring it's from a list
> of valid email addresses.
>
> So a phishing email comes in from "Boss Man<Bo...@Gmail.com>"
>
> So I want to check if the display name is "Boss Man" and if so, make sure
> the sending email address is BossMan@RealCompany.com or BossMan@Company2.com,
> otherwise score it with 10.

header __BOSSNAME From:name =~ /Boss Man/
header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|BossMan@Company2.com/
meta   BOSSPHISH  __BOSSNAME && !__BOSSADDR
score  BOSSPHISH 10

> Also, would there be a way to forward that email to a specific user, not
> send it to the original recipient?

That's a function of your MTA and depends on how you've attached 
SpamAssassin to it.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire