On Tue, 14 Apr 2020 at 18:45, Rick King <[email protected]> wrote:
>
> Postfix version 3.1.1
>
> Hello List!
>
> We have a customer that occasionally receives messages like this...
>
> Return-Path: <[email protected]>
> From: "Free iPad <[email protected]>" <[email protected]>
> To: <[email protected]>
> Subject:Free iPad
>
> From the looks of it, messages like these are from legit domains with a
> carefully crafted "displayName".
>
> So the "displayName" is "Free iPad <[email protected]>", and the "true"
> sender is [email protected].
>
> We were thinking of using a header_check rule, something like this; but it
> didn't work due to the "backtracking limit exceeded" warning.
>
> /^From:(.*)*\<*@*\> \<*@*\>/ REJECT #Sorry, we do not allow emails with
> multiple FROM senders
>
> Is it possible to use header_check feature to reject messages with carefully
> crafted displayName?

You can use header_checks in this way, but if you have SpamAssassin it is easier to use its FromNameSpoof plugin.
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_FromNameSpoof.txt
SpamAssassin also looks at headers after conversion from other encodings, which helps catch obfuscated cases.
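
The check discussed in this thread, sketched as an added example (not part of either message and not SpamAssassin's plugin code): decode the display name first, then compare any address inside it with the real sender. The addresses and the from_name_spoof helper are constructed for illustration.

```python
import base64
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose address matcher for text found inside a display name (assumption:
# good enough for triage, not a full RFC 5322 addr-spec parser).
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed samples: the same spoofed display name, plain and RFC 2047 encoded.
SPOOF_NAME = "Free iPad <promo@brand.example>"
PLAIN_SAMPLE = '"%s" <bounce@sender.example>' % SPOOF_NAME
ENCODED_SAMPLE = "=?UTF-8?B?%s?= <bounce@sender.example>" % (
    base64.b64encode(SPOOF_NAME.encode("utf-8")).decode("ascii")
)


def decode_display_name(raw_name):
    """Decode RFC 2047 encoded-words so an encoded address becomes visible."""
    try:
        return str(make_header(decode_header(raw_name)))
    except (UnicodeError, LookupError):
        return raw_name  # undecodable: fall back to the raw text


def from_name_spoof(from_value):
    """Return (display_addr, real_addr) if the display name carries an
    address that differs from the real sender address, else None."""
    name, real_addr = parseaddr(from_value)
    if not real_addr:
        return None
    name = decode_display_name(name)
    for candidate in ADDR_IN_TEXT.findall(name):
        if candidate.lower() != real_addr.lower():
            return candidate.lower(), real_addr.lower()
    return None


if __name__ == "__main__":
    for sample in (PLAIN_SAMPLE, ENCODED_SAMPLE, "Alice <alice@corp.example>"):
        print(sample, "->", from_name_spoof(sample))
```

The encoded sample is the case a raw header_checks pattern does not see, because the angle brackets and "@" only appear after decoding.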
