Re: How to check from that is not on the header?

2012-09-27 Thread John Wilcock

On 26/09/2012 17:40, Alexandre Boyer wrote:

> Note that you may look upon a X-Envelope-From header also, depending on
> your MTA and how and when it may log it in the headers.


Or, provided your spamassassin glue is configured properly, you can test 
on the sa-provided EnvelopeFrom pseudo-header.


John.



Re: How to check from that is not on the header?

2012-09-26 Thread Jari Fredriksson
On 26.09.2012 18:09, Sergio wrote:
> Hi all,
> how can I check a FROM different to the one on the headers?
>
> I have seen that some emails on the FROM on the header has something
> different than the FROM on the email, as an example:
>
> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net
> (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4
> for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26
> + (envelope-from
> bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> Subject:
> =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>
> But the FROM that I want to block is the one that comes on the email:
> FROM:
> bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>
> I have the following rule:
>
> header BLACKLIST_R From =~ /rsgsv\.net/i
> score BLACKLIST_R 5.0
>
> But at the time of checking, it checks cucupons.com and the rule fails.
>
> What do I have to use in order to check the FROM that comes on the email
> instead of the FROM that is on the headers?
>
> TIA.
>
> Sergio

The rsgsv.net is not in a From-header, it is in a Received-header.

So

header BLACKLIST_R Received =~ /rsgsv\.net/i
score BLACKLIST_R 5.0

That will blacklist all mail that has been sent, received or otherwise
processed by a server named .*rsgsv.net

-- 

You now have Asian Flu.






Re: How to check from that is not on the header?

2012-09-26 Thread Alexandre Boyer

Alex, from prypiat.
Yes, I recycle.


On 12-09-26 11:09 AM, Sergio wrote:
> Hi all,
> how can I check a FROM different to the one on the headers?
>
> I have seen that some emails on the FROM on the header has something
> different than the FROM on the email, as an example:

You are talking about the envelope from versus the body from.

Envelope from is used at SMTP transaction time. Body from is within the
headers, therefore it's part of the DATA command, and is possibly spoofed.


> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net
> (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4
> for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26
> + (envelope-from
> bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> Subject:
> =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>
> But the FROM that I want to block is the one that comes on the email:
> FROM:
> bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>
> I have the following rule:
>
> header BLACKLIST_R From =~ /rsgsv\.net/i
> score BLACKLIST_R 5.0


You may either do that:

header  BL_FROM_rsgsv  Received =~ /rsgsv\.net/i
score  BL_FROM_rsgsv  5.0

But you are subject to FPs in case that domain sends you a legitimate
email some day.

Note that you may look upon a X-Envelope-From header also, depending on
your MTA and how and when it may log it in the headers.

Or you may choose to work on the body From:
header  BL_FROM_rsgsv  From:addr =~ /cucupons\.com/i
score  BL_FROM_rsgsv  5.0

But as this part of the mail is spoofable, you are susceptible to miss
some spams.


> But at the time of checking, it checks cucupons.com and the rule fails.
>
> What do I have to use in order to check the FROM that comes on the email
> instead of the FROM that is on the headers?
>
> TIA.
>
> Sergio


Re: How to check from that is not on the header?

2012-09-26 Thread Axb

On 09/26/2012 05:40 PM, Alexandre Boyer wrote:


> Alex, from prypiat.
> Yes, I recycle.
>
> On 12-09-26 11:09 AM, Sergio wrote:
>
> > Hi all,
> > how can I check a FROM different to the one on the headers?
> >
> > I have seen that some emails on the FROM on the header has something
> > different than the FROM on the email, as an example:
>
> You are talking about the envelope from versus the body from.
>
> Envelope from is used at SMTP transaction time. Body from is within the
> headers, therefore it's part of the DATA command, and is possibly spoofed.
>
> > FROM THE HEADERS:
> > Received: from (127.0.0.1) by mail62.us1.rsgsv.net
> > (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4
> > for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26
> > + (envelope-from
> > bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> > Subject:
> > =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> > From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
> > Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
> >
> > But the FROM that I want to block is the one that comes on the email:
> > FROM:
> > bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
> >
> > I have the following rule:
> >
> > header BLACKLIST_R From =~ /rsgsv\.net/i
> > score BLACKLIST_R 5.0
>
> You may either do that:
>
> header  BL_FROM_rsgsv  Received =~ /rsgsv\.net/i
> score  BL_FROM_rsgsv  5.0
>
> But you are subject to FPs in case that domain sends you a legitimate
> email some day.
>
> Note that you may look upon a X-Envelope-From header also, depending on
> your MTA and how and when it may log it in the headers.
>
> Or you may choose to work on the body From:
> header  BL_FROM_rsgsv  From:addr =~ /cucupons\.com/i
> score  BL_FROM_rsgsv  5.0
>
> But as this part of the mail is spoofable, you are susceptible to miss
> some spams.
>
> > But at the time of checking, it checks cucupons.com and the rule fails.
> >
> > What do I have to use in order to check the FROM that comes on the email
> > instead of the FROM that is on the headers?

consider that sender may change ESP or pretty From: and your rule is
useless

in such cases, uri rules are way more effective
sometimes tracking their reply-to header helps as well








Re: How to check from that is not on the header?

2012-09-26 Thread SM

Hi Sergio,
At 08:09 26-09-2012, Sergio wrote:

> how can I check a FROM different to the one on the headers?
>
> I have seen that some emails on the FROM on the header has something
> different than the FROM on the email, as an example:
>
> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM)
> v3.5r16) id hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt;
> Wed, 26 Sep 2012 14:28:26 + (envelope-from
> bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> Subject:
> =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>
> But the FROM that I want to block is the one that comes on the email:
> FROM:
> bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>
> I have the following rule:
>
> header BLACKLIST_R From =~ /rsgsv\.net/i
> score BLACKLIST_R 5.0


That's for the From: in the message header fields.

> But at the time of checking, it checks cucupons.com and the rule fails.
>
> What do I have to use in order to check the FROM that comes on the
> email instead of the FROM that is on the headers?


There is usually a Return-Path: header field which would have the
bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net
email address on the right-hand side.  If you don't have that header
field, you could base your rule on
http://wiki.apache.org/spamassassin/EnvelopeSenderInReceived


Regards,
-sm 
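
The replies in this thread separate the header From: from the envelope sender, which may be recorded in Return-Path:, X-Envelope-From: or a Received "(envelope-from ...)" clause. As an added example that is not part of any poster's message, this Python code recovers the envelope sender in that order and shows why a From-based rule misses the bounce domain; the sample message, its addresses and the function names are constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread; the
# addresses, id and recipient are made up for this example.
SAMPLE = """\
Return-Path: <bounce-mc.us4_1.1-user=example.org@mail62.us1.rsgsv.net>
Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16)
 id abc123 for <user@example.org>; Wed, 26 Sep 2012 14:28:26 +0000
 (envelope-from <bounce-mc.us4_1.1-user=example.org@mail62.us1.rsgsv.net>)
From: =?utf-8?Q?Cucupons.com?= <sender@cucupons.com>
Subject: constructed sample

body
"""

ENV_IN_RECEIVED = re.compile(r"\(envelope-from\s+<?([^\s<>()]+)>?\)", re.I)

def envelope_sender(msg):
    """Return (address, source): Return-Path, X-Envelope-From, then Received."""
    for name in ("Return-Path", "X-Envelope-From"):
        addr = parseaddr(msg.get(name, ""))[1]
        if addr:
            return addr.lower(), name
    for received in msg.get_all("Received", []):
        match = ENV_IN_RECEIVED.search(received)
        if match:
            return match.group(1).lower(), "Received"
    return None, None

def in_domain(addr, domain):
    """True if addr is at `domain` or a subdomain (not merely a substring)."""
    host = (addr or "").rpartition("@")[2].lower()
    return host == domain or host.endswith("." + domain)

def check(raw, blocked="rsgsv.net"):
    """Compare what a From rule sees with what an envelope rule sees."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env, source = envelope_sender(msg)
    return {"header_from": header_from, "envelope_from": env,
            "envelope_source": source,
            "from_rule_hits": in_domain(header_from, blocked),
            "envelope_rule_hits": in_domain(env, blocked)}

if __name__ == "__main__":
    print(check(SAMPLE))
```

Matching on the parsed domain rather than an unanchored pattern such as /rsgsv\.net/i keeps look-alike hosts that merely contain the string from hitting the rule.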



Re: How to check from that is not on the header?

2012-09-26 Thread Matthias Leisi
On Wed, Sep 26, 2012 at 5:09 PM, Sergio sec...@gmail.com wrote:

> FROM THE HEADERS:
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id
> hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26
> + (envelope-from
> bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)

An alternative view: For quite some time ( 6 years, actually), I've
had the following rule with pretty good results:

header  SR_POWERMTA Received =~ /PowerMTA/i
score   SR_POWERMTA 0.650

-- Matthias