Re: How to check from that is not on the header?
On 26/09/2012 17:40, Alexandre Boyer wrote:
> Note that you may look upon an X-Envelope-From header also, depending on your MTA and how and when it may log it in the headers.

Or, provided your spamassassin glue is configured properly, you can test on the sa-provided EnvelopeFrom pseudo-header.

John.

--
-- Over 5000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
Re: How to check from that is not on the header?
On 26.09.2012 18:09, Sergio wrote:
> Hi all,
> how can I check a FROM different to the one on the headers? I have seen that some emails on the FROM on the header has something different than the FROM on the email, as an example:
>
> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26 + (envelope-from bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> Subject: =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> _*From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com*_
> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>
> But the FROM that I want to block is the one that comes on the email:
> FROM: bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>
> I have the following rule:
> header BLACKLIST_R From =~ /rsgsv\.net/i
> score BLACKLIST_R 5.0
>
> But at the time of checking, it checks cucupons.com and the rule fails. What do I have to use in order to check the FROM that comes on the email instead of the FROM that is on the headers?
>
> TIA.
> Sergio

The rsgsv.net is not in a From-header, it is in a Received-header. So

header BLACKLIST_R Received =~ /rsgsv\.net/i
score BLACKLIST_R 5.0

That will blacklist all mail that has been sent, received or otherwise processed by a server named .*rsgsv.net

--
You now have Asian Flu.
Re: How to check from that is not on the header?
Alex, from prypiat. Yes, I recycle.

On 12-09-26 11:09 AM, Sergio wrote:
> Hi all,
> how can I check a FROM different to the one on the headers? I have seen that some emails on the FROM on the header has something different than the FROM on the email, as an example:

You are talking about the envelope from versus the body from. Envelope from is used at SMTP transaction time. Body from is within the headers, therefore it's part of the DATA command, and is possibly spoofed.

> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26 + (envelope-from bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> Subject: =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> _*From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com*_
> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>
> But the FROM that I want to block is the one that comes on the email:
> FROM: bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>
> I have the following rule:
> header BLACKLIST_R From =~ /rsgsv\.net/i
> score BLACKLIST_R 5.0

You may either do that:

header BL_FROM_rsgsv Received =~ /rsgsv\.net/i
score BL_FROM_rsgsv 5.0

But you are subject to FPs in case that domain sends you a legitimate email some day.
Note that you may look upon an X-Envelope-From header also, depending on your MTA and how and when it may log it in the headers.

Or you may choose to work on the body From:

header BL_FROM_rsgsv From:addr =~ /cucupons\.com/i
score BL_FROM_rsgsv 5.0

But as this part of the mail is spoofable, you are susceptible to miss some spams.

> But at the time of checking, it checks cucupons.com and the rule fails. What do I have to use in order to check the FROM that comes on the email instead of the FROM that is on the headers?
>
> TIA.
> Sergio
Re: How to check from that is not on the header?
On 09/26/2012 05:40 PM, Alexandre Boyer wrote:
> Alex, from prypiat. Yes, I recycle.
>
> On 12-09-26 11:09 AM, Sergio wrote:
>> Hi all,
>> how can I check a FROM different to the one on the headers? I have seen that some emails on the FROM on the header has something different than the FROM on the email, as an example:
>
> You are talking about the envelope from versus the body from. Envelope from is used at SMTP transaction time. Body from is within the headers, therefore it's part of the DATA command, and is possibly spoofed.
>
>> FROM THE HEADERS:
>> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26 + (envelope-from bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
>> Subject: =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
>> _*From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com*_
>> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>>
>> But the FROM that I want to block is the one that comes on the email:
>> FROM: bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>>
>> I have the following rule:
>> header BLACKLIST_R From =~ /rsgsv\.net/i
>> score BLACKLIST_R 5.0
>
> You may either do that:
>
> header BL_FROM_rsgsv Received =~ /rsgsv\.net/i
> score BL_FROM_rsgsv 5.0
>
> But you are subject to FPs in case that domain sends you a legitimate email some day.
> Note that you may look upon an X-Envelope-From header also, depending on your MTA and how and when it may log it in the headers.
>
> Or you may choose to work on the body From:
>
> header BL_FROM_rsgsv From:addr =~ /cucupons\.com/i
> score BL_FROM_rsgsv 5.0
>
> But as this part of the mail is spoofable, you are susceptible to miss some spams.
>
>> But at the time of checking, it checks cucupons.com and the rule fails. What do I have to use in order to check the FROM that comes on the email instead of the FROM that is on the headers?

consider that sender may change ESP or pretty From: and your rule is useless in such cases,
uri rules are way more effective
sometimes tracking their reply-to header helps as well
Re: How to check from that is not on the header?
Hi Sergio,

At 08:09 26-09-2012, Sergio wrote:
> how can I check a FROM different to the one on the headers? I have seen that some emails on the FROM on the header has something different than the FROM on the email, as an example:
>
> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26 + (envelope-from bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> Subject: =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>
> But the FROM that I want to block is the one that comes on the email:
> FROM: bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>
> I have the following rule:
> header BLACKLIST_R From =~ /rsgsv\.net/i
> score BLACKLIST_R 5.0

That's for the From: in the message header fields.

> But at the time of checking, it checks cucupons.com and the rule fails. What do I have to use in order to check the FROM that comes on the email instead of the FROM that is on the headers?

There is usually a Return-Path: header field which would have the bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net email address on the right-hand side. If you don't have that header field, you could base your rule on http://wiki.apache.org/spamassassin/EnvelopeSenderInReceived

Regards,
-sm
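
The lookup order discussed in this thread (Return-Path or X-Envelope-From first, then the envelope-from recorded in a Received header), as an added example that is not part of the original messages and not SpamAssassin's own code. The sample message is constructed, its local parts and recipient are placeholders, and the sketch assumes these headers were written by your own MTA.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread; the local
# parts and recipient are placeholders, not the elided addresses from the post.
BOUNCE = "bounce-mc.us4_000.000-user=example.org@mail62.us1.rsgsv.net"
SAMPLE = (
    f"Return-Path: <{BOUNCE}>\n"
    "Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16)\n"
    " id hcc8go0lj3g4 for <user@example.org>; Wed, 26 Sep 2012 14:28:26 +0000\n"
    f" (envelope-from <{BOUNCE}>)\n"
    "From: =?utf-8?Q?Cucupons.com?= <mail@cucupons.com>\n"
    "Subject: constructed sample\n\nbody\n"
)
ENV_IN_RECEIVED = re.compile(r"\(envelope-from\s+<?([^\s<>()]+)>?\)", re.I)

def envelope_sender(msg):
    """Return (address, source header) for the SMTP envelope sender."""
    # Headers written by the receiving MTA at delivery time come first.
    for name in ("Return-Path", "X-Envelope-From"):
        value = msg.get(name)
        if value is not None:
            return parseaddr(value)[1].lower(), name  # null sender "<>" yields ""
    # Fallback: some MTAs record the envelope sender in a Received header.
    for received in msg.get_all("Received", []):
        match = ENV_IN_RECEIVED.search(received)
        if match:
            return match.group(1).lower(), "Received"
    return "", None

def in_domain(addr, blocked):
    """True if addr's domain equals a blocked domain or is a subdomain of it."""
    dom = addr.rpartition("@")[2]
    return any(dom == d or dom.endswith("." + d) for d in blocked)

def check(raw, blocked=("rsgsv.net",)):
    """Compare the envelope sender and the header From: against a blocklist."""
    msg = message_from_string(raw)
    env, source = envelope_sender(msg)
    hdr = parseaddr(msg.get("From", ""))[1].lower()
    return {
        "envelope_from": env, "source": source, "header_from": hdr,
        "envelope_blocked": in_domain(env, blocked),
        "header_blocked": in_domain(hdr, blocked),
    }

if __name__ == "__main__":
    print(check(SAMPLE))
```

On the sample, the header From: (cucupons.com) does not match the blocklist while the envelope sender does, which is why a rule written against From never fires for this mail.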
Re: How to check from that is not on the header?
On Wed, Sep 26, 2012 at 5:09 PM, Sergio sec...@gmail.com wrote:
> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26 + (envelope-from bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)

An alternative view: For quite some time ( 6 years, actually), I've had the following rule with pretty good result:

header SR_POWERMTA Received =~ /PowerMTA/i
score SR_POWERMTA 0.650

--
Matthias