Re: Matching To and Received addresses

2017-03-28 Thread Dianne Skoll
On Tue, 28 Mar 2017 19:49:10 +0100
Markus  wrote:

> Honestly didn't even think of mailing lists such as this, nor BCC
> (don't deal with BCC emails very much to be honest).

> Though, would you not be able to test against the bottom-most
> Received header compared to the To: header?

The "for..." clause is optional and a lot of MTAs don't add it.
Almost all MTAs will refuse to add it if it's for more than
one local recipient.

Regards,

Dianne.


Re: Matching To and Received addresses

2017-03-28 Thread Markus
Honestly didn't even think of mailing lists such as this, nor BCC (don't 
deal with BCC emails very much to be honest).


Though, would you not be able to test against the bottom-most Received 
header compared to the To: header?


Received: from localhost (jhardin@localhost)
by athena.impsec.org (8.14.9/8.14.9/Submit) with ESMTP id v2SIRaf8032513
for ; Tue, 28 Mar 2017 11:27:36 -0700
X-Authentication-Warning: athena.impsec.org: jhardin owned process doing -bs
Date: Tue, 28 Mar 2017 11:27:36 -0700 (PDT)
From: John Hardin 
To:users@spamassassin.apache.org

I mean, even in a mailing list those would still be the same? Obviously 
in this case, you can't test them compared to all Received headers, as 
that would definitely cause problems.


On 28/03/17 19:27, John Hardin wrote:

On Tue, 28 Mar 2017, Dominic Benson wrote:


On 28 Mar 2017, at 19:04, Markus  wrote:

So you can't compare the "for " with "To: 
doro...@example.com".


You can do that with a Header ALL rule; it will work more reliably as 
a local rule because you know how your local MTA is annotating the 
envelope recipient address in the headers, where a rule provided as 
part of the base set would be hit-or-miss and hugely complex and would 
better be done in a plugin.


How likely is it to be in legitimate mail? Highly unlikely (if 
ever), so you'd be pretty safe outright rejecting mail that behaves 
this way, to be honest.


On the face of it I would have thought that CC and BCC both seem like 
quite commonplace ways for this to come up in ham.


Indeed. Markus must not get much email.

If you do develop such a rule for metas, be very careful how you use it.





Re: Matching To and Received addresses

2017-03-28 Thread John Hardin

On Tue, 28 Mar 2017, Dominic Benson wrote:


On 28 Mar 2017, at 19:04, Markus  wrote:

So you can't compare the "for " with "To: 
doro...@example.com".


You can do that with a Header ALL rule; it will work more reliably as a 
local rule because you know how your local MTA is annotating the envelope 
recipient address in the headers, where a rule provided as part of the 
base set would be hit-or-miss and hugely complex and would better be done 
in a plugin.


How likely is it to be in legitimate mail? Highly unlikely (if ever), 
so you'd be pretty safe outright rejecting mail that behaves this way, 
to be honest.


On the face of it I would have thought that CC and BCC both seem like quite 
commonplace ways for this to come up in ham.


Indeed. Markus must not get much email.

If you do develop such a rule for metas, be very careful how you use it.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Ignorance is no excuse for a law.
-----------------------------------------------------------------------
 4 days until April Fools' day


Re: Matching To and Received addresses

2017-03-28 Thread Alan Hodgson
On Tuesday 28 March 2017 13:58:43 Alex wrote:
> I'd like to be able to use the fact that the To address is not the
> same as the address shown in the Received header in a meta of some
> kind.
> 
> How frequent would you think that would appear in ham alone? It's the
> basis for a number of phishing attacks here, so I'd like to see about
> using it in some way.
> 

Checking that the envelope recipient address is in To or Cc works great on my 
mail and also for any public role addresses like sales or support, but 
probably not so much for general users. Any BCC will hit such a rule.  And of 
course you have to exclude real mailing list mail.

I guess the question would be how many legit BCCs do your users get from 
non-whitelisted senders?
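
Added example, not code from the thread or from SpamAssassin: a Python checker for the comparison discussed here, taking the envelope recipient from the "for" clause of the Received header written by the local MTA (as John Hardin suggests) and testing it against To/Cc. The local MTA hostname, the list-mail headers and the sample messages are assumptions; it abstains when the "for" clause is absent or the mail is list traffic, and legitimate BCC still hits it, which is why the thread recommends using such a test only as a meta component rather than for outright rejection.

```python
import email
import re
from email.utils import getaddresses

LOCAL_MTA = "mail01.example.com"  # assumption: hostname your own MTA writes after "by"
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")  # assumed list markers
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?\s*;", re.I)


def envelope_recipient(msg, local_mta=LOCAL_MTA):
    """Address in the 'for' clause of the Received header added by our own MTA.
    None if that header is absent or carries no 'for' clause: the clause is
    optional, and MTAs normally omit it when there were several local recipients."""
    for received in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(local_mta) + r"\b", received, re.I):
            m = RECEIVED_FOR.search(received)
            return m.group(1).lower() if m else None
    return None


def is_list_mail(msg):
    """Mailing-list traffic is legitimately addressed to the list, not to us."""
    return any(h in msg for h in LIST_HEADERS) or \
        msg.get("Precedence", "").lower() in ("list", "bulk")


def rcpt_hidden(raw):
    """True: envelope recipient not in To/Cc (the phish pattern, but also any BCC).
    False: recipient is visible.  None: abstain (list mail, or no 'for' clause)."""
    msg = email.message_from_string(raw)
    if is_list_mail(msg):
        return None
    rcpt = envelope_recipient(msg)
    if rcpt is None:
        return None
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    return rcpt not in visible


# Constructed samples with placeholder addresses (not the thread's messages).
PHISH = ("Received: from localhost (localhost [127.0.0.1])\n"
         " by mail01.example.com (Postfix) with ESMTP id PLACEHOLDER\n"
         " for <ceo@example.com>; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)\n"
         "From: Dorothy <dorothy@example.com>\nTo: dorothy@example.com\n\nbody\n")
HAM = PHISH.replace("for <ceo@example.com>", "for <dorothy@example.com>")
LIST = "List-Id: users <users.lists.example.net>\n" + PHISH.replace(
    "To: dorothy@example.com", "To: users@lists.example.net")
NO_FOR = PHISH.replace(" for <ceo@example.com>;", "")
```

Running `rcpt_hidden` over the four samples gives True, False, None, None respectively; the None results are the cases a local rule must leave alone.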


Re: Matching To and Received addresses

2017-03-28 Thread Dianne Skoll
On Tue, 28 Mar 2017 19:04:44 +0100
Markus  wrote:

> How likely is it to be in legitimate mail? Highly unlikely (if ever),
> so you'd be pretty safe outright rejecting mail that behaves this
> way, to be honest.

You'd reject every single message in this mailing list if you did that.

Regards,

Dianne.


Re: Matching To and Received addresses

2017-03-28 Thread Dominic Benson

> On 28 Mar 2017, at 19:04, Markus  wrote:
> 
> Hello Alex,
> 
> To my knowledge, you can't compare equality without a SpamAssassin plugin.
> 
> So you can't compare the "for " with "To: 
> doro...@example.com".
> 
> With a plugin, you could definitely do that, but that would cause a bit more 
> overhead (and some Perl development).
> 
> 
> How likely is it to be in legitimate mail? Highly unlikely (if ever), so 
> you'd be pretty safe outright rejecting mail that behaves this way, to be 
> honest.

On the face of it I would have thought that CC and BCC both seem like quite 
commonplace ways for this to come up in ham. As indeed do mailing lists, so I 
would be very cautious with proceeding further with this. 
> 
> - Markus

Dominic 



Re: Matching To and Received addresses

2017-03-28 Thread Markus

Hello Alex,

To my knowledge, you can't compare equality without a SpamAssassin plugin.

So you can't compare the "for " with "To: 
doro...@example.com".


With a plugin, you could definitely do that, but that would cause a bit 
more overhead (and some Perl development).



How likely is it to be in legitimate mail? Highly unlikely (if ever), so 
you'd be pretty safe outright rejecting mail that behaves this way, to 
be honest.


 - Markus


On 28/03/17 18:58, Alex wrote:

Hi,

Is there an existing rule that detects when the To address differs
from the address to which the email is to be delivered?

We've received a number of messages directed at executives based on
the recipient address and Received address, both of which are within
the same domain but to different people.

From lynne20...@aol.com  Mon Mar 27 10:33:00 2017
Return-Path: 
Received: from localhost (localhost [127.0.0.1])
 by mail01.example.com (Postfix) with ESMTP id 30F1A6801B259
 for ; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)
From: Dorothy 
To: doro...@example.com

I'd like to be able to use the fact that the To address is not the
same as the address shown in the Received header in a meta of some
kind.

How frequent would you think that would appear in ham alone? It's the
basis for a number of phishing attacks here, so I'd like to see about
using it in some way.

Thanks,
Alex




Matching To and Received addresses

2017-03-28 Thread Alex
Hi,

Is there an existing rule that detects when the To address differs
from the address to which the email is to be delivered?

We've received a number of messages directed at executives based on
the recipient address and Received address, both of which are within
the same domain but to different people.

From lynne20...@aol.com  Mon Mar 27 10:33:00 2017
Return-Path: 
Received: from localhost (localhost [127.0.0.1])
by mail01.example.com (Postfix) with ESMTP id 30F1A6801B259
for ; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)
From: Dorothy 
To: doro...@example.com

I'd like to be able to use the fact that the To address is not the
same as the address shown in the Received header in a meta of some
kind.

How frequent would you think that would appear in ham alone? It's the
basis for a number of phishing attacks here, so I'd like to see about
using it in some way.

Thanks,
Alex