Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2020/11/01 10:50:57 UTC
[Bug 7869] New: FromNameSpoof not detecting spoof email
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
Bug ID: 7869
Summary: FromNameSpoof not detecting spoof email
Product: Spamassassin
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: dev@spamassassin.apache.org
Reporter: rica.boeru@gmail.com
Target Milestone: Undefined
When FromName is like: "Name <na...@example.com>" the plugin doesn't detect
spoofing.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
RW <rw...@googlemail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rwmaillists@googlemail.com
--- Comment #2 from RW <rw...@googlemail.com> ---
This example does work:
printf 'To: a@bar.com\nFrom: "Name <na...@example.com>" <fg...@foo.com>\n\n'
What may cause some confusion is that check_fromname_spoof() doesn't work
without a To header. This seems like an unnecessary condition.
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
--- Comment #6 from RW <rw...@googlemail.com> ---
It works for me:
$ printf 'From: "Name Surname <na...@nowhere.org>" <te...@test.org>\nTo: bar@foo.com\n' | spamassassin -LD 2>&1 | grep -o '__PLUGIN_FROMNAME_SPOOF.*hit'
__PLUGIN_FROMNAME_SPOOF ======> got hit
$ printf 'From: "Name Surname name@nowhere.org" <te...@test.org>\nTo: bar@foo.com\n' | spamassassin -LD 2>&1 | grep -o '__PLUGIN_FROMNAME_SPOOF.*hit'
__PLUGIN_FROMNAME_SPOOF ======> got hit
Did you miss what I wrote about a To header?
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
Aurel <ri...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rica.boeru@gmail.com
--- Comment #5 from Aurel <ri...@gmail.com> ---
This is detected as spoofing:
From: "name@nowhere.org" <te...@test.org>
This is not detected:
From: "Name Surname <na...@nowhere.org>" <te...@test.org>
This is not detected:
From: "Name Surname name@nowhere.org" <te...@test.org>
The plugin works great when there is only an email in the FromName, but when
it's an email + text it doesn't work.
Thank you!
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
--- Comment #4 from John Hardin <jh...@impsec.org> ---
See bug 7723
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
--- Comment #7 from Aurel <ri...@gmail.com> ---
The To: header is present.
How to reproduce:
Open your email client, modify the From name: instead of "Your Name" put something
like: "Your Name <te...@example.com>" and send an email.
This should trigger FromNameSpoof but it doesn't.
Or you can save any email you want, modify the FromName like above and test it.
In fact if you put something like "Your Name | test@example.com" or any other
combination of "text + email" the plugin doesn't work.
I noticed this on a production server: a FromName where there is only an email
address triggers the plugin, others with 'text + email' don't.
And the To header is present!
I think this plugin can be very important to stop spoofing. Last week a lot of
emails with Emotet malware came with FromName spoofing.
I am not very confident to put an email with all headers unaltered here, and as
I said you can reproduce the bug very easily.
Thank you
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
John Hardin <jh...@impsec.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin@impsec.org
--- Comment #1 from John Hardin <jh...@impsec.org> ---
Please provide a complete (all headers intact) sample email that exhibits this
behavior.
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
Bill Cole <bi...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |billcole@apache.org
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #11 from Bill Cole <bi...@apache.org> ---
Resolving, as reporter has confirmed that the problem was only seen in old
version.
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
--- Comment #10 from Aurel <ri...@gmail.com> ---
On Debian 10.6 with spamassassin 3.4.2-1, FromNameSpoof version 0.9 works
partially, as I explained.
After installing spamassassin 3.4.4-1 from Debian backports it works!
Same emails, same settings, same tests; the only difference is the spamassassin version.
Sorry for bothering you and thank you again for this useful plugin.
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
--- Comment #3 from John Hardin <jh...@impsec.org> ---
(In reply to RW from comment #2)
> what may cause some confusion is that check_fromname_spoof() doesn't work
> without a To header. This seems like an unnecessary condition.
The plugin also checks for From name == To name, but it has this fairly early
in the core _check_fromnamespoof():
my @toaddrs = $pms->all_to_addrs();
return 0 unless @toaddrs;
Perhaps that is a bit too aggressive of a shortcut? It seems the to-address
cleanups and checks could be put into an if (@toaddrs) {} block instead so that
they don't skip the from-address checks in the absence of a to address.
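The restructuring suggested in comment #3, as an added Perl sketch that is not part of the thread or of FromNameSpoof.pm: the To-address check sits inside if (@toaddrs), so a missing To header no longer skips the From-name check. The function names, the address pattern, the domain comparison and the sample headers are assumptions made for illustration.

```perl
# Added illustration, not FromNameSpoof.pm. All names here are hypothetical.
use strict;
use warnings;

# First address-like token in a string (deliberately simplified pattern).
sub first_addr {
    my ($s) = @_;
    return $s =~ /([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)/ ? lc($1) : undef;
}

# Split a From header into (display name, actual address).
sub split_from {
    my ($from) = @_;
    return ($1, lc($2)) if $from =~ /^\s*"((?:[^"\\]|\\.)*)"\s*<([^>]*)>\s*$/;
    return ($1, lc($2)) if $from =~ /^\s*(.*?)\s*<([^>]*)>\s*$/;
    return ('', lc($from));
}

# To-address work lives inside if (@toaddrs) instead of an early
# "return 0 unless @toaddrs", so the From-name check always runs.
sub check_fromname {
    my ($from, @toaddrs) = @_;
    my ($name, $addr) = split_from($from);
    my %r = (spoof => 0, equals_to => 0);
    my $name_addr = first_addr($name);
    return \%r unless defined $name_addr;   # no address in the display name

    # Assumed comparison: domain in the display name vs. domain of the real address.
    my ($name_dom) = $name_addr =~ /\@(.+)$/;
    my ($addr_dom) = $addr =~ /\@(.+)$/;
    $r{spoof} = 1 if !defined $addr_dom || $name_dom ne $addr_dom;
    if (@toaddrs) {
        $r{equals_to} = 1 if grep { lc($_) eq $name_addr } @toaddrs;
    }
    return \%r;
}

# Constructed sample headers: [ From header, To addresses... ]
my @cases = (
    [ '"Name Surname <name@nowhere.example>" <sender@test.example>', 'bar@foo.example' ],
    [ '"Name Surname name@nowhere.example" <sender@test.example>' ],   # no To header
    [ '"bar@foo.example" <sender@test.example>', 'bar@foo.example' ],
    [ '"Name Surname" <sender@test.example>', 'bar@foo.example' ],
);
for my $c (@cases) {
    my ($from, @to) = @$c;
    my $r = check_fromname($from, @to);
    printf "to=%d spoof=%d equals_to=%d  %s\n", scalar(@to), @$r{qw(spoof equals_to)}, $from;
}
```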
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
--- Comment #8 from Aurel <ri...@gmail.com> ---
Forgot to mention: I have spamassassin 3.4.2-1 on Debian 10.
I replaced FromNameSpoof.pm with the last version. This version indeed detects
"Name name@example.com" but doesn't detect "Name <na...@example.com>"
[Bug 7869] FromNameSpoof not detecting spoof email
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7869
--- Comment #9 from RW <rw...@googlemail.com> ---
Again it works for me. You are going to have to supply an email that reproduces
this. My guess is that when you edited it you did something to corrupt the
headers.