Re: FROM header with two email addresses

On Tue, 2017-10-24 at 13:22 +0200, Merijn van den Kroonenberg wrote: > > Hello all, I was the original poster of this topic but was away for a > > couple of days. > > I find it amazing to see the number of suggestions and ideas that have > > come up here. > > > > However none of the constuctions

Re: FROM header with two email addresses

> Hello all, I was the original poster of this topic but was away for a > couple of days. > I find it amazing to see the number of suggestions and ideas that have > come up here. > > However none of the constuctions matched "my" From: lines of the form > > From: "Firstname Lastname@"

Re: FROM header with two email addresses

On Mon, 16 Oct 2017 13:19:06 -0400 Mark London wrote: > Hi - I received a spam message with the following double From address: > > From: struth...@psfc.mit.edu, "Lorraine M." > > > But neither of the 2 previously suggested rules were triggered by > it. I'm sure a

Re: FROM header with two email addresses

Hi - I received a spam message with the following double From address: From: struth...@psfc.mit.edu, "Lorraine M." But neither of the 2 previously suggested rules were triggered by it. I'm sure a simple modification to the rules will cause it to trigger. Can

Re: FROM header with two email addresses

On Thu, 5 Oct 2017 07:38:23 -0400 Kevin A. McGrail wrote: On 10/5/2017 7:19 AM, Jakob Curdes wrote: Not a lot, but the trick is that Outlooks displays both parts, and users think that it is an internal mail because the "Firstname Lastname" is real in the company and the "recipient-domain.com"

Re: FROM header with two email addresses

On Thu, 5 Oct 2017 07:38:23 -0400 Kevin A. McGrail wrote: > On 10/5/2017 7:19 AM, Jakob Curdes wrote: > > Not a lot, but the trick is that Outlooks displays both parts, and > > users think that it is an internal mail because the "Firstname > > Lastname" is real in the company and the

Re: FROM header with two email addresses

On 10/5/2017 7:19 AM, Jakob Curdes wrote: Not a lot, but the trick is that Outlooks displays both parts, and users think that it is an internal mail because the "Firstname Lastname" is real in the company and the "recipient-domain.com" is the real recipient domain. So it is a trick to

Re: FROM header with two email addresses

Hello all, I was the original poster of this topic but was away for a couple of days. I find it amazing to see the number of suggestions and ideas that have come up here. However none of the constuctions matched "my" From: lines of the form From: "Firstname Lastname@"

Re: FROM header with two email addresses

On Thu, 5 Oct 2017 12:41:26 +0200 Jakob Curdes wrote: > Hello all, I was the original poster of this topic but was away for a > couple of days. > I find it amazing to see the number of suggestions and ideas that > have come up here. > > However none of the constuctions matched "my" From: lines

Re: FROM header with two email addresses

Hello all, I was the original poster of this topic but was away for a couple of days. I find it amazing to see the number of suggestions and ideas that have come up here. However none of the constuctions matched "my" From: lines of the form From: "Firstname Lastname@"

Re: FROM header with two email addresses

Am 2017-10-02 19:43, schrieb David Jones: On 09/27/2017 09:52 AM, Kevin A. McGrail wrote: I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" sendern...@real-senders-domain.com> Jakob, just wanted to let you know I

Re: FROM header with two email addresses

On Mon, 2017-10-02 at 23:18 +0200, Benny Pedersen wrote: > John Hardin skrev den 2017-10-02 23:13: > > > Where?  \w is not case-sensitive. > > perfect then, i had not know that, learning still so > Do you have a copy of the 'Camel Book'? AKA "Programming Perl" by Larry Wall, Tom Christiansen &

Re: FROM header with two email addresses

John Hardin skrev den 2017-10-02 23:13: Where? \w is not case-sensitive. perfect then, i had not know that, learning still so

Re: FROM header with two email addresses

On Mon, 2 Oct 2017, Benny Pedersen wrote: John Hardin skrev den 2017-10-02 21:07: How about: header __FROM_QUOTES From =~ /"/ header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/ meta__FROM_SPOOF__FROM_MAYBE_SPOOF && !__FROM_QUOTES (warning: totally untested)

Re: FROM header with two email addresses

John Hardin skrev den 2017-10-02 21:07: How about: header __FROM_QUOTES From =~ /"/ header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/ meta__FROM_SPOOF__FROM_MAYBE_SPOOF && !__FROM_QUOTES (warning: totally untested) +1 i can only see one problem with it, that

Re: FROM header with two email addresses

David Jones skrev den 2017-10-02 20:54: I have gone back to my original rule that catches senders that put an email addresss in the Display Name and do not have quotes. also matches what i see, non spam have " around from:name while spam have not testing if there is a @ in from:name is 2nd

Re: FROM header with two email addresses

On Mon, 2 Oct 2017, David Jones wrote: On 10/02/2017 01:11 PM, John Hardin wrote: On Mon, 2 Oct 2017, David Jones wrote: > On 09/27/2017 09:52 AM, Kevin A. McGrail wrote: > > > > >   I recently stumbled onto a mail with a Spam link where the FROM > > header >   field looked like this: > >

Re: FROM header with two email addresses

On 10/02/2017 01:11 PM, John Hardin wrote: On Mon, 2 Oct 2017, David Jones wrote: On 09/27/2017 09:52 AM, Kevin A. McGrail wrote: >  I recently stumbled onto a mail with a Spam link where the FROM header >  field looked like this: > >  From: "Firstname Lastname@"

Re: FROM header with two email addresses

On Mon, 2 Oct 2017, David Jones wrote: On 09/27/2017 09:52 AM, Kevin A. McGrail wrote: > I recently stumbled onto a mail with a Spam link where the FROM header > field looked like this: > > From: "Firstname Lastname@" > sendern...@real-senders-domain.com> Jakob, just wanted to let

Re: FROM header with two email addresses

David Jones skrev den 2017-10-02 19:43: https://pastebin.com/f07Gq1kZ https://pastebin.com/FMsJNGba This is catching this pretty well so far: header FROM_SPOOF_EMAIL_DISPLAYFrom =~ /\@[a-z_]+?\.[a-z]{2,3} \ describeFROM_SPOOF_EMAIL_DISPLAYFrom trying to spoof an

Re: FROM header with two email addresses

On 09/27/2017 09:52 AM, Kevin A. McGrail wrote: I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" sendern...@real-senders-domain.com> Jakob, just wanted to let you know I identified this issue as well and just

Re: FROM header with two email addresses

Miles Fidelman skrev den 2017-09-27 20:42: This could also be an attempt to get a mailing list to work. i have seen few mails get dkim fail from apache.org, very few, but its not normaly not dmarc fail for me on this, what is worse is that opendmarc have still brokken spf support :( even

Re: FROM header with two email addresses

On Wed, 2017-09-27 at 11:42 -0700, Miles Fidelman wrote: > This could also be an attempt to get a mailing list to work. > > There's a continuing problem with email list traffic getting bounced by > DKIM, and various work-arounds - the gist is that the mail has to come > from the list manager,

Re: FROM header with two email addresses

This could also be an attempt to get a mailing list to work. There's a continuing problem with email list traffic getting bounced by DKIM, and various work-arounds - the gist is that the mail has to come from the list manager, but you still need a way to indicate the original author of the

Re: FROM header with two email addresses

Am 27.09.2017 16:54 schrieb "Kevin A. McGrail" : I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" mailto:sendern...@real-senders-domain.com> > Jakob, just wanted to let you know I

Re: FROM header with two email addresses

Kevin A. McGrail skrev den 2017-09-27 16:52: I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" Jakob, just wanted to let you know I identified this issue as well and just opened a ticket about it yesterday to try and

Re: FROM header with two email addresses

I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" sendern...@real-senders-domain.com> Jakob, just wanted to let you know I identified this issue as well and just opened a ticket about it yesterday to try and figure

Re: FROM header with two email addresses

On 27 Sep 2017, at 3:16, Jakob Curdes wrote: Hello all, I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" sendern...@real-senders-domain.com> which is displayed in different ways on different devices but most do

FROM header with two email addresses

Hello all, I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" which is displayed in different ways on different devices but most do display something resembling an internal from address, maybe with an additional second