Re: block emails with fake FROM

2022-06-24 Thread Matus UHLAR - fantomas

>> seems it did not catch this one:
>>
>> From: " Dr Perfect "@mail.gepesdaru.hu
>>
>> but still it's a leap forward

On 24.06.22 08:12, Alex wrote:
> Is it designed to also identify From addresses that have no name component?
>
> From: l...@beroe-inc.com

I guess this one is correct via RFC 5321

> This is an invoice phish that isn't tagged. Ideas on how to block these
> would be appreciated.
>
> https://pastebin.com/FXX8cx5f


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


Re: block emails with fake FROM

2022-06-24 Thread Alex
Hi,

> seems it did not catch this one:
>
> From: " Dr Perfect "@mail.gepesdaru.hu
>
> but still it's a leap forward
>

Is it designed to also identify From addresses that have no name component?

 From: l...@beroe-inc.com

This is an invoice phish that isn't tagged. Ideas on how to block these
would be appreciated.

https://pastebin.com/FXX8cx5f

This is with v4 SA from a week ago with FromNameSpoof enabled.

$ spamassassin --version
SpamAssassin version 4.0.0-r1901426
  running on Perl version 5.34.1

Jun 24 08:11:42.828 [3222587] dbg: plugin: loading Mail::SpamAssassin::Plugin::FromNameSpoof from @INC
Jun 24 08:11:46.669 [3222587] dbg: FromNameSpoof: no From-name addr found


Re: block emails with fake FROM

2022-06-23 Thread Benny Pedersen

On 2022-06-23 18:08, Matus UHLAR - fantomas wrote:

>> 2 - /etc/spamassassin/local.cf
>> header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
>> score LOCAL_FROMNAME_SPOOF 5.0
>>
>> My question is about how to configure this plugin and also which score
>> I should give on the new rules ?
>
> you have just described how you configured it.
> the next question is how do you block them.

set score on that rule to 1000 ?

if blocking high score spams


Re: block emails with fake FROM

2022-06-23 Thread Matus UHLAR - fantomas

On 23.06.22 15:56, Eduardo Maia wrote:
>> I'm trying to block the emails with fake FROM like:
>>
>> From: "Nick Blue " 
>>
>> I have installed spamassassin v3.4.6 and after I enabled the
>> FromNameSpoof plugin.

On 23.06.22 18:08, Matus UHLAR - fantomas wrote:
> I have checked FromNameSpoof plugin from SA 3.4.6 and it does not
> detect all mail with this kind of From:
>
> out of 59 examples I got onto one server, 20 were detected, 39 undetected.
>
> SA 4.0 (beta) caught all of them

seems it did not catch this one:

From: " Dr Perfect "@mail.gepesdaru.hu

but still it's a leap forward

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


Re: block emails with fake FROM

2022-06-23 Thread Matus UHLAR - fantomas

On 23.06.22 15:56, Eduardo Maia wrote:
> I'm trying to block the emails with fake FROM like:
>
> From: "Nick Blue " 
>
> I have installed spamassassin v3.4.6 and after I enabled the
> FromNameSpoof plugin.

I have checked FromNameSpoof plugin from SA 3.4.6 and it does not detect all
mail with this kind of From:

out of 59 examples I got onto one server, 20 were detected, 39 undetected.

SA 4.0 (beta) caught all of them

> I added the following lines on the files:
>
> 1- /etc/spamassassin/v342.pre :
> loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
>
> 2 - /etc/spamassassin/local.cf
> header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
> score LOCAL_FROMNAME_SPOOF 5.0
>
> My question is about how to configure this plugin and also which score
> I should give on the new rules ?

you have just described how you configured it.
the next question is how do you block them.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.


Re: block emails with fake FROM

2022-06-23 Thread Benny Pedersen

On 2022-06-23 16:56, Eduardo Maia wrote:

> From: "Nick Blue " 

header FOO From:Name =~ /\b@/

others may refine it :=)

note From:Addr must accept more than one @, but not From:Name

I don't know if the plugin is better or not, also remember dkim reveals
bogus addressing, eq no dkim pass

if more than one From:Addr then all dkim must pass to not be forged

lots of bugs
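
The display-name check this thread is about, sketched in Python as an added example (not part of any post above and not the FromNameSpoof plugin's code): it splits a From value into display name and address, flags a name that embeds an address in a different domain, and reports separately the two cases raised in the thread, a bare address with no name and a quoted local part. The function names are hypothetical and every sample header except the "Dr Perfect" value is constructed.

```python
import re

# name-addr form: optional display name followed by <addr-spec>
NAME_ADDR = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]*)>\s*$')
# an e-mail-looking token inside a display name; group 1 is its domain
EMAIL_IN_NAME = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')
# addr-spec whose local part is a quoted string, e.g. "some text"@domain
QUOTED_LOCAL = re.compile(r'^"[^"]*"@')


def split_from(value):
    """Split a From header value into (display_name, addr_spec)."""
    m = NAME_ADDR.match(value)
    if not m:
        return '', value.strip()          # bare address, no display name
    name = m.group('name').strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1].strip()         # drop the surrounding quotes
    return name, m.group('addr').strip()


def classify(value):
    """Return a verdict string for one From header value."""
    name, addr = split_from(value)
    if QUOTED_LOCAL.match(addr):
        return 'quoted-localpart'         # the "name" is really the local part
    if not name:
        return 'no-name'                  # nothing for a name check to compare
    m = EMAIL_IN_NAME.search(name)
    if m is None:
        return 'ok'
    name_domain = m.group(1).lower()
    addr_domain = addr.rsplit('@', 1)[-1].lower()
    # Simplification: exact domain match only, no organisational-domain logic
    return 'name-matches-addr' if name_domain == addr_domain else 'name-spoof'


# Constructed samples, except the "Dr Perfect" value quoted in the thread
SAMPLES = [
    '"Nick Blue <nick.blue@bank.example>" <x1@mailer.example>',
    '"Nick Blue" <nick.blue@bank.example>',
    '"nick.blue@bank.example" <nick.blue@bank.example>',
    'billing@vendor.example',
    '" Dr Perfect "@mail.gepesdaru.hu',
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(f'{classify(s):18} {s}')
```

The 'no-name' and 'quoted-localpart' verdicts are the two shapes a display-name comparison cannot score, so they need a separate rule or other signals.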




block emails with fake FROM

2022-06-23 Thread Eduardo Maia

Hi,

I'm trying to block the emails with fake FROM like:

From: "Nick Blue " 

I have installed spamassassin v3.4.6 and after I enabled the
FromNameSpoof plugin.


I added the following lines on the files:

1- /etc/spamassassin/v342.pre :

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof


2 - /etc/spamassassin/local.cf

header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
score LOCAL_FROMNAME_SPOOF 5.0


My question is about how to configure this plugin and also which score I
should give on the new rules ?




Thanks,

Best regards,

--
Eduardo Maia
/IPBrick IDI/   IPBRICK R <https://www.ipbrick.com/>
Av. da França, 821
4250-214 Porto
Portugal
TEL: +351 220 126 921
TLM: +351 933 568 871
FAX: +351 225 189 722
UCoIP: em...@ipbrick.com
www.ipbrick.com <https://www.ipbrick.com/>