Trying to catch spoofed ToCc

2006-12-07 Thread Jason Oriente

 In my mail setup, it is gospel that (ignoring BCC and mailing lists)
 the full email address in the Delivered-To will match an email address
 in the ToCc.  
 Example below.
 
 Return-Path: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: from mx01.domain.ext (unknown [172.16.0.149])
 by localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57
 for [EMAIL PROTECTED]; Mon, 27 Nov 2006 19:36:46 -0500 (EST)
 From: [EMAIL PROTECTED]
 To: Jason [EMAIL PROTECTED]
 Cc: Jason [EMAIL PROTECTED]
 Subject: Testing
 
 I have created a matching rule to statically qualify the validity of a
 domain (below).
 #----------------------------------------------------------------
 header  __HEAD_01_01   Delivered-To =~  /[EMAIL PROTECTED]/i
 header  __HEAD_01_02   ToCc !~  /[EMAIL PROTECTED]/i
 #----------------------------------------------------------------
 meta    HEAD_01  (__HEAD_01_01 && __HEAD_01_02)
 score   HEAD_01  5.0
 #----------------------------------------------------------------
 
 I host hundreds of domains, so I cannot create static rules for each.
 My goal is to have a rule, much like the one above, but will qualify
 the entire email address from the Delivered-To to the ToCc.  No match
 equals a score.
 
 Any insight would be much appreciated.
 
 
 Thank you,
 Jason
 


Re: Trying to catch spoofed ToCc

2006-12-07 Thread Loren Wilton
Nasty to do without using a plugin or eval rule, but it can be done.
The following is off the top of my head, and I almost guarantee it won't work 
correctly without testing and some minor tweak somewhere.  But you can try it 
and/or fool with it if you like.

# /s so that .{0,300} can span the folded Received: lines between Delivered-To and To/Cc
header __SENT_TO_ME ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/s
meta NOT_SENT_TO_ME !__SENT_TO_ME

You can give that a try, but I warn you you may have to fiddle with it for half 
an hour to get it to work right.  Or maybe it will work now.

Loren

  - Original Message - 
  From: Jason Oriente 
  To: users@spamassassin.apache.org 
  Sent: Thursday, December 07, 2006 3:04 PM
  Subject: Trying to catch spoofed ToCc




  In my mail setup, it is gospel that (ignoring BCC and mailing lists) the full 
email address in the Delivered-To will match an email address in the ToCc.  

  Example below. 

  Return-Path: [EMAIL PROTECTED] 
  Delivered-To: [EMAIL PROTECTED] 
  Received: from mx01.domain.ext (unknown [172.16.0.149]) 
  by localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57 
  for [EMAIL PROTECTED]; Mon, 27 Nov 2006 19:36:46 -0500 (EST) 
  From: [EMAIL PROTECTED] 
  To: Jason [EMAIL PROTECTED] 
  Cc: Jason [EMAIL PROTECTED] 
  Subject: Testing 

  I have created a matching rule to statically qualify the validity of a domain 
(below). 
  #----------------------------------------------------------------
  header  __HEAD_01_01   Delivered-To =~  /[EMAIL PROTECTED]/i
  header  __HEAD_01_02   ToCc !~  /[EMAIL PROTECTED]/i
  #----------------------------------------------------------------
  meta    HEAD_01  (__HEAD_01_01 && __HEAD_01_02)
  score   HEAD_01  5.0
  #----------------------------------------------------------------

  I host hundreds of domains, so I cannot create static rules for each.  My 
goal is to have a rule, much like the one above, but will qualify the entire 
email address from the Delivered-To to the ToCc.  No match equals a score.

  Any insight would be much appreciated. 



  Thank you, 
  Jason 

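To see both approaches side by side, here is an added example in Python; it is not code from the thread or from SpamAssassin. It runs Loren's __SENT_TO_ME regex over a constructed header block, once without and once with the "s" modifier (the modifier is what lets .{0,300} cross the folded Received: lines that sit between Delivered-To and To/Cc), and then does the Delivered-To versus To/Cc comparison that Jason asked for with a real header parser, so it works for any hosted domain and skips messages that carry a List-Id header (the mailing-list exception). The addresses, hostnames and the List-Id value are constructed placeholders, and the function names (loren_rule_matches, score_spoofed_tocc and the helpers) are my own; the assumption that each header line is preceded by a newline is also mine.

```python
"""Check whether the Delivered-To recipient also appears in To/Cc.

Added example for the spoofed-ToCc thread; not the list posters' code and
not SpamAssassin's.  Addresses, hosts and the List-Id below are constructed.
"""
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the thread's example headers
# (example.com / example.org / the Postfix queue id are placeholders).
SAMPLE_OK = """\
Return-Path: <sender@example.org>
Delivered-To: jason@example.com
Received: from mx01.example.com (unknown [172.16.0.149])
\tby localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57
\tfor <jason@example.com>; Mon, 27 Nov 2006 19:36:46 -0500 (EST)
From: sender@example.org
To: Jason <jason@example.com>
Cc: Jason <jason@example.com>
Subject: Testing

body
"""

# Same message, but To/Cc no longer name the envelope recipient (the spoofed case).
SAMPLE_SPOOFED = SAMPLE_OK.replace(
    "Jason <jason@example.com>", "Someone <someone.else@example.net>")

# Spoofed-looking message that is really list traffic (constructed List-Id).
SAMPLE_LIST = SAMPLE_SPOOFED.replace(
    "Subject:", "List-Id: <list.example.org>\nSubject:")

# Loren's regex, copied from the thread (Python accepts the (?i:...) groups).
LOREN_RE = r"\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b"


def loren_rule_matches(raw_message: str, dotall: bool) -> bool:
    """Apply __SENT_TO_ME to the header block.

    Assumption: every header line is preceded by a newline, so one is
    prepended.  Without DOTALL (the /s modifier) '.' cannot cross the folded
    Received: lines between Delivered-To and To/Cc, so the rule never fires.
    """
    headers = "\n" + raw_message.split("\n\n", 1)[0]
    flags = re.DOTALL if dotall else 0
    return re.search(LOREN_RE, headers, flags) is not None


def delivered_recipient(msg) -> str:
    """Bare address from Delivered-To, lower-cased for comparison."""
    return parseaddr(msg.get("Delivered-To", ""))[1].lower()


def visible_recipients(msg) -> set:
    """All bare addresses named in To and Cc, display names stripped."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}


def is_mailing_list(msg) -> bool:
    """List traffic legitimately lacks the subscriber in To/Cc; skip it."""
    return any(h in msg for h in ("List-Id", "List-Post", "List-Unsubscribe"))


def score_spoofed_tocc(raw_message: str, score: float = 5.0) -> float:
    """Return `score` when the Delivered-To address is absent from To/Cc.

    This is the domain-independent form of the HEAD_01 meta rule in the
    thread: the address to look for is taken from the message itself.
    """
    msg = email.message_from_string(raw_message)
    if is_mailing_list(msg):
        return 0.0
    delivered = delivered_recipient(msg)
    if not delivered:          # no Delivered-To at all: nothing to compare
        return 0.0
    return score if delivered not in visible_recipients(msg) else 0.0


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("spoofed", SAMPLE_SPOOFED),
                          ("list", SAMPLE_LIST)):
        print(label,
              "regex(no /s)=", loren_rule_matches(sample, dotall=False),
              "regex(/s)=", loren_rule_matches(sample, dotall=True),
              "score=", score_spoofed_tocc(sample))
```

Running the block shows the regex failing on the clean message until the "s" modifier is in place, while the parser-based check scores the spoofed message 5.0, the clean one 0.0, and leaves the list message alone; the parser route also copes with display names, multiple recipients and folded headers without any per-domain rule.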

Re: Trying to catch spoofed ToCc

2006-12-07 Thread Mike Pepe

Loren Wilton wrote:

Nasty to do without using a plugin or eval rule, but it can be done.
The following is off the top of my head, and I almost guarantee it won't 
work correctly without testing and some minor tweak somewhere.  But you 
can try it and/or fool with it if you like.
 
# /s so that .{0,300} can span the folded Received: lines between Delivered-To and To/Cc
header __SENT_TO_ME ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/s
meta NOT_SENT_TO_ME !__SENT_TO_ME
 
You can give that a try, but I warn you you may have to fiddle with it 
for half an hour to get it to work right.  Or maybe it will work now.
 
Loren


That looks pretty good, but I think that sort of user-specific action 
might be best done in the user's procmail file (well, assuming of course 
that the user is using procmail!), but something like

# if it's not to or cc me at this point, it's probably spam

:0
* !^(To|Cc).*{my email address}
possibly-spam

Towards the very end of the procmail script does the trick.

-Mike


Re: Trying to catch spoofed ToCc

2006-12-07 Thread hamann . w


Hi,

I am doing exactly that for my personal mailbox, and it took me a few months to 
define all my exceptions (mostly mailing list and forum related).
Are you sure you want to do this for hundreds of domains?

Wolfgang Hamann
