Re: Matching To and Received addresses
On Tue, 28 Mar 2017 19:49:10 +0100 Markus wrote:

> Honestly didn't even think of mailing lists such as this, nor BCC
> (don't deal with BCC emails very much to be honest).
> Though, would you not be able to test against the bottom most
> Received header compared to the To: header?

The "for..." clause is optional and a lot of MTAs don't add it. Almost all MTAs will refuse to add it if it's for more than one local recipient.

Regards,
Dianne.
Re: Matching To and Received addresses
Honestly didn't even think of mailing lists such as this, nor BCC (don't deal with BCC emails very much to be honest).

Though, would you not be able to test against the bottom most Received header compared to the To: header?

Received: from localhost (jhardin@localhost)
        by athena.impsec.org (8.14.9/8.14.9/Submit) with ESMTP id v2SIRaf8032513
        for; Tue, 28 Mar 2017 11:27:36 -0700
X-Authentication-Warning: athena.impsec.org: jhardin owned process doing -bs
Date: Tue, 28 Mar 2017 11:27:36 -0700 (PDT)
From: John Hardin
To: users@spamassassin.apache.org

I mean, even in a mailing list those would still be the same? Obviously in this case, you can't test them compared to all Received headers, as that would definitely cause problems.

On 28/03/17 19:27, John Hardin wrote:
> On Tue, 28 Mar 2017, Dominic Benson wrote:
>> On 28 Mar 2017, at 19:04, Markus wrote:
>>> So you can't compare the "for " with "To: doro...@example.com".
>
> You can do that with a Header ALL rule; it will work more reliably as a local rule because you know how your local MTA is annotating the envelope recipient address in the headers, where a rule provided as part of the base set would be hit-or-miss and hugely complex and would better be done in a plugin.
>
>>> How likely is it to be in legitimate mail? Highly unlikely (if ever), so you'd be pretty safe outright rejecting mail that behaves this way, to be honest.
>>
>> On the face of it I would have thought that CC and BCC both seem like quite commonplace ways for this to come up in ham.
>
> Indeed. Markus must not get much email.
>
> If you do develop such a rule for metas, be very careful how you use it.
Re: Matching To and Received addresses
On Tue, 28 Mar 2017, Dominic Benson wrote:

> On 28 Mar 2017, at 19:04, Markus wrote:
>> So you can't compare the "for " with "To: doro...@example.com".

You can do that with a Header ALL rule; it will work more reliably as a local rule because you know how your local MTA is annotating the envelope recipient address in the headers, where a rule provided as part of the base set would be hit-or-miss and hugely complex and would better be done in a plugin.

>> How likely is it to be in legitimate mail? Highly unlikely (if ever), so you'd be pretty safe outright rejecting mail that behaves this way, to be honest.
>
> On the face of it I would have thought that CC and BCC both seem like quite commonplace ways for this to come up in ham.

Indeed. Markus must not get much email.

If you do develop such a rule for metas, be very careful how you use it.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Ignorance is no excuse for a law.
---
4 days until April Fools' day
Re: Matching To and Received addresses
On Tuesday 28 March 2017 13:58:43 Alex wrote:

> I'd like to be able to use the fact that the To address is not the
> same as the address shown in the Received header in a meta of some
> kind.
>
> How frequent would you think that would appear in ham alone? It's the
> basis for a number of phishing attacks here, so I'd like to see about
> using it in some way.

Checking that the envelope recipient address is in To or Cc works great on my mail and also for any public role addresses like sales or support, but probably not so much for general users. Any BCC will hit such a rule. And of course you have to exclude real mailing list mail.

I guess the question would be how many legit bcc's do your users get from non-whitelisted senders?
Re: Matching To and Received addresses
On Tue, 28 Mar 2017 19:04:44 +0100 Markus wrote:

> How likely is it to be in legitimate mail? Highly unlikely (if ever),
> so you'd be pretty safe outright rejecting mail that behaves this
> way, to be honest.

You'd reject every single message in this mailing list if you did that.

Regards,
Dianne.
Re: Matching To and Received addresses
> On 28 Mar 2017, at 19:04, Markus wrote:
>
> Hello Alex,
>
> To my knowledge, you can't compare equality without a SpamAssassin plugin.
>
> So you can't compare the "for " with "To: doro...@example.com".
>
> With a plugin, you could definitely do that, but that would cause a bit more overhead (and some perl development).
>
> How likely is it to be in legitimate mail? Highly unlikely (if ever), so you'd be pretty safe outright rejecting mail that behaves this way, to be honest.

On the face of it I would have thought that CC and BCC both seem like quite commonplace ways for this to come up in ham. As indeed do mailing lists, so I would be very cautious with proceeding further with this.

> - Markus

Dominic
Re: Matching To and Received addresses
Hello Alex,

To my knowledge, you can't compare equality without a SpamAssassin plugin.

So you can't compare the "for" with "To: doro...@example.com".

With a plugin, you could definitely do that, but that would cause a bit more overhead (and some perl development).

How likely is it to be in legitimate mail? Highly unlikely (if ever), so you'd be pretty safe outright rejecting mail that behaves this way, to be honest.

- Markus

On 28/03/17 18:58, Alex wrote:
> Hi,
>
> Is there an existing rule that detects when the To address differs from the address to which the email is to be delivered? We've received a number of messages directed at executives based on the recipient address and Received address, both of which are within the same domain but to different people.
>
> From lynne20...@aol.com Mon Mar 27 10:33:00 2017
> Return-Path:
> Received: from localhost (localhost [127.0.0.1])
>         by mail01.example.com (Postfix) with ESMTP id 30F1A6801B259
>         for ; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)
> From: Dorothy
> To: doro...@example.com
>
> I'd like to be able to use the fact that the To address is not the same as the address shown in the Received header in a meta of some kind.
>
> How frequent would you think that would appear in ham alone? It's the basis for a number of phishing attacks here, so I'd like to see about using it in some way.
>
> Thanks,
> Alex
Matching To and Received addresses
Hi,

Is there an existing rule that detects when the To address differs from the address to which the email is to be delivered? We've received a number of messages directed at executives based on the recipient address and Received address, both of which are within the same domain but to different people.

From lynne20...@aol.com Mon Mar 27 10:33:00 2017
Return-Path:
Received: from localhost (localhost [127.0.0.1])
        by mail01.example.com (Postfix) with ESMTP id 30F1A6801B259
        for ; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)
From: Dorothy
To: doro...@example.com

I'd like to be able to use the fact that the To address is not the same as the address shown in the Received header in a meta of some kind.

How frequent would you think that would appear in ham alone? It's the basis for a number of phishing attacks here, so I'd like to see about using it in some way.

Thanks,
Alex
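The check Alex asks for in the original post, with the caveats raised in the replies (the "for" clause is optional, mailing lists and Bcc legitimately produce a mismatch, and the annotation is specific to your own MTA), as an added stand-alone Python example. This is not code from the thread or from SpamAssassin; it is the logic a local plugin or milter would implement. It consults only the Received hop written by an assumed trusted local hostname (mail01.example.com here) rather than the bottom-most Received header, because every hop below the one your own MTA prepends arrived with the message and can be forged by the sender. The sample messages are constructed, modelled on the headers quoted in the thread, and all addresses are placeholders.

```python
"""Compare the envelope recipient our own MTA recorded with To:/Cc:.

Added example, not SpamAssassin code. All messages below are constructed
and modelled on the headers quoted in the thread; addresses are placeholders.
"""
import email
import re
from email import policy
from email.utils import getaddresses

# "for" clause of a Received header (RFC 5321 section 4.4), with or without <>.
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")


def received_lines(msg):
    """Received headers top to bottom, each unfolded onto one line."""
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def local_delivery_recipient(msg, trusted_hosts):
    """Envelope recipient from the topmost Received hop written by one of
    *our* MTAs (assumed hostnames), or None when that hop carries no "for"
    clause. Hops below ours are sender-supplied and are never consulted."""
    for line in received_lines(msg):
        by = BY_RE.search(line)
        if by and by.group(1).lower() in trusted_hosts:
            m = FOR_RE.search(line)
            return m.group(1).lower() if m else None
    return None


def bottom_most_recipient(raw):
    """The naive variant floated in the thread: read the bottom-most Received
    header. Kept only to show that a sender can plant whatever it likes there."""
    msg = email.message_from_string(raw, policy=policy.default)
    lines = received_lines(msg)
    m = FOR_RE.search(lines[-1]) if lines else None
    return m.group(1).lower() if m else None


def header_recipients(msg):
    """Lowercased addresses from To: and Cc:, display names dropped."""
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def is_list_mail(msg):
    """Mailing-list traffic routinely has To: set to the list address."""
    if any(msg.get(h) for h in LIST_HEADERS):
        return True
    return str(msg.get("Precedence", "")).lower() in ("list", "bulk")


def classify(raw, trusted_hosts):
    """MATCH: envelope recipient is in To:/Cc:.
    MISMATCH: it is not (the phish pattern, but also every Bcc).
    LIST: mailing-list mail, where a mismatch is normal and must not score.
    NO_FOR: our MTA recorded no "for" clause, so no verdict is possible."""
    msg = email.message_from_string(raw, policy=policy.default)
    if is_list_mail(msg):
        return "LIST"
    rcpt = local_delivery_recipient(msg, trusted_hosts)
    if rcpt is None:
        return "NO_FOR"
    return "MATCH" if rcpt in header_recipients(msg) else "MISMATCH"


# --- constructed sample messages (assumed hostnames and addresses) ----------
TRUSTED = {"mail01.example.com"}
OUR_HOP = ("Received: from mx.sender.example (mx.sender.example [198.51.100.7])\n"
           "\tby mail01.example.com (Postfix) with ESMTP id 30F1A6801B259\n"
           "\tfor <{rcpt}>; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)\n")
# A hop the sender wrote itself, claiming delivery to the To: address.
FORGED_HOP = ("Received: from pc1 (pc1 [192.0.2.9]) by mx.sender.example with SMTP\n"
              "\tfor <dorothy@example.com>; Mon, 27 Mar 2017 10:32:00 -0400\n")
# Our MTA added no "for" clause at all (multi-recipient delivery, or an MTA
# that simply never does).
NO_FOR_MSG = ("Received: from mx.sender.example ([198.51.100.7])\n"
              "\tby mail01.example.com (Postfix) with ESMTP id 30F1A6801B25A;\n"
              "\tMon, 27 Mar 2017 10:33:00 -0400 (EDT)\n"
              "From: Dorothy <lynne2000@aol.example>\nTo: dorothy@example.com\n"
              "\nbody\n")


def build(rcpt, to, extra=""):
    """Message our MTA delivered to rcpt; extra headers sit below our hop."""
    return (OUR_HOP.format(rcpt=rcpt) + extra
            + "From: Dorothy <lynne2000@aol.example>\n"
            + "To: " + to + "\nSubject: test\n\nbody\n")


if __name__ == "__main__":
    print("phish:", classify(build("cfo@example.com", "Dorothy <dorothy@example.com>"), TRUSTED))
    print("bcc:  ", classify(build("dorothy@example.com", "alice@example.com"), TRUSTED))
    print("nofor:", classify(NO_FOR_MSG, TRUSTED))
```

The Bcc and the executive phish produce the same MISMATCH verdict, which is the false-positive problem the replies describe; the result is only usable as one input to a meta rule, weighted alongside other signals, never as a reject on its own. The NO_FOR case is the other caveat in the thread: with no "for" clause from your own MTA there is simply nothing to compare, and the rule has to stay silent rather than guess.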