Re: From name containing a spoofed email address

2018-08-25 Thread Kevin A. McGrail
Makes sense to me. Just trying to check off boxes on open items for 3.4.2 release. -- Kevin A. McGrail VP Fundraising, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Sat, Aug 25, 2018 at 9:08 AM, David Jones wrote:

Re: From name containing a spoofed email address

2018-08-25 Thread David Jones
On 08/24/2018 07:02 PM, Kevin A. McGrail wrote: On 1/18/2018 6:52 AM, Pedro David Marco wrote: David, This rule can do the full job... I have tested it with good results..  (Can be tested here: https://regex101.com/r/Vpmhjz/3 ) It checks if the level domain next to the TLD in the From:name

Re: From name containing a spoofed email address

2018-08-24 Thread Kevin A. McGrail
On 1/18/2018 6:52 AM, Pedro David Marco wrote: > David, > > This rule can do the full job... I have tested it with good results..  >  (Can be tested here: https://regex101.com/r/Vpmhjz/3 ) > > It checks if the level domain next to the TLD in the From:name matches > the domain next to the TLD in

Re: From name containing a spoofed email address

2018-01-26 Thread Chris
On Fri, 2018-01-26 at 16:26 -0600, sha...@shanew.net wrote: > Just a hunch, but did you make sure to add the "$self->register..." > line inside the "sub new {" block with all the others in > HeaderEval.pm? > Yep, sure did, thanks for that. All is well now. > > On Fri, 26 Jan 2018, Chris wrote:

Re: From name containing a spoofed email address

2018-01-26 Thread shanew
Just a hunch, but did you make sure to add the "$self->register..." line inside the "sub new {" block with all the others in HeaderEval.pm? On Fri, 26 Jan 2018, Chris wrote: On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote: This is my current solution for a problem that has been

Re: From name containing a spoofed email address

2018-01-26 Thread Chris
On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote: > This is my current solution for a problem that has been discussed > many times in this list.  > I wrote it last year, and it serves me well. Feel free to use it, if > you find it useful.  > > This part goes into your local.cf: > >

Re: From name containing a spoofed email address

2018-01-23 Thread shanew
Just to add to the confusion, uh, I mean options. Here's what I've got so far. I'm using it in production currently, but it's still very young code, so use it at your own risk. https://github.com/enkidushane/sa-frommismatch/ I purposely avoided using uri_to_domain because it's in flux right

Re: From name containing a spoofed email address

2018-01-23 Thread David Jones
On 01/22/2018 06:40 PM, Alex wrote: Hi, This part goes into the general HeaderEval.pm: $self->register_eval_rule("from_domains_mismatch"); [...] I'd like to try this, but this is not in the current 3.4.2 svn. I am running this by manually patching the HeaderEval.pm and so far it's

Re: From name containing a spoofed email address

2018-01-22 Thread Alex
Hi, > This part goes into the general HeaderEval.pm: > > $self->register_eval_rule("from_domains_mismatch"); > [...] I'd like to try this, but this is not in the current 3.4.2 svn.

Re: From name containing a spoofed email address

2018-01-22 Thread RW
On Mon, 22 Jan 2018 10:05:14 -0500 Rupert Gallagher wrote: > This is my current solution for a problem that has been discussed > many times in this list. > sub from_domains_mismatch { > my ($self, $pms) = @_; > my $temp; > $temp = $pms->get('From:addr'); > $temp =~ /@(.+)/; my

Re: From name containing a spoofed email address

2018-01-22 Thread RW
On Mon, 22 Jan 2018 17:16:49 -0600 (CST) sha...@shanew.net wrote: > Since there's no "@" in From:name, there's clearly not an email > address there, so there's nothing to compare to the domain part of > From:addr. FWIW it doesn't actually check that the @ is part of something that looks like an

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
Thanks to those for being patient with me.  I see the issue was I didn't understand that the spammer is "cramming" or somehow the different domains get "crammed" into the From: I mistakenly thought these were two different distinct fields. On 01/22/2018 06:32 PM, John Hardin wrote: > On Mon, 22

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
Finally!  Thank you! On 01/22/2018 06:32 PM, John Hardin wrote: > On Mon, 22 Jan 2018, Chip wrote: > >> Understood, so then what would a From:name that contains a domain look >> like since it seems the filter needs to compare the domain found in >> From:addr to From:name in order to pass it as

Re: From name containing a spoofed email address

2018-01-22 Thread John Hardin
On Mon, 22 Jan 2018, Chip wrote: Understood, so then what would a From:name that contains a domain look like since it seems the filter needs to compare the domain found in From:addr to From:name in order to pass it as ham. From: "Joe User (Your Bank) "

Re: From name containing a spoofed email address

2018-01-22 Thread John Hardin
On Mon, 22 Jan 2018, Chip wrote: In the attached image "header" is highlighted.  Which one applies in this case as there is header=gmail *and* header=secure.net What you have highlighted has nothing to do with the "From" header in SA header rules. That content is in the

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
Understood, so then what would a From:name that contains a domain look like since it seems the filter needs to compare the domain found in From:addr to From:name in order to pass it as ham. Or am I on another planet altogether here, just say so and I'll shut up. On 01/22/2018 06:21 PM, Chip

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
Ah, okay.  Thanks for the clarification. So this filter, what would it make of that message?  Spam or ham? On 01/22/2018 06:16 PM, sha...@shanew.net wrote: > I think what's tripping you up is what parts of the mail "From:addr" > and "From:name" refer to.  In the example you give: > > From:

Re: From name containing a spoofed email address

2018-01-22 Thread shanew
I think what's tripping you up is what parts of the mail "From:addr" and "From:name" refer to. In the example you give: From: blablabla From:name will be "blablabla" and From:addr will be "blabla...@gmail.com" Since there's no "@" in From:name, there's clearly not an

Re: From name containing a spoofed email address

2018-01-22 Thread John Hardin
On Mon, 22 Jan 2018, Chip wrote: I might be wrong here, understand I'm still learning, but the purpose of the filter, from what I've been able to grasp, is that it checks the From:addr and From:name values in SA to find their domain and trigger a rule hit if there is a domain in the

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
I might be wrong here, understand I'm still learning, but the purpose of the filter, from what I've been able to grasp, is that it checks the From:addr and From:name values in SA to find their domain and trigger a rule hit if there is a domain in the From:name that doesn't match the domain in

Re: From name containing a spoofed email address

2018-01-22 Thread RW
On Mon, 22 Jan 2018 17:44:00 -0500 Chip wrote: > Following is the full header with identifiable information > anonymized. I don't see what you are getting at, in: From: blablabla blablabla doesn't contain an "@".

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
Following is the full header with identifiable information anonymized.  I have other examples of commercial bulk senders suggesting - even promoting - the idea that it's okay to input your external email address in the From: of the message editor. I actually did notice the dmarc=fail as well as

Re: From name containing a spoofed email address

2018-01-22 Thread shanew
This particular effort is looking at the From header, not the EnvFrom header (though there is a check From==EnvFrom as well). What we're looking for here are things like: From: "b...@usaa.com" Or look at the pastebin example at the start of the thread. Also, without seeing

Re: From name containing a spoofed email address

2018-01-22 Thread Chip
So it's my understanding that SA does the following with this rule, which is that it is checking the From:addr and From:name values in SA to find their domain and triggering a rule hit if there is a domain in the From:name that doesn't match the domain in the From:addr. However, when I examine the

Re: From name containing a spoofed email address

2018-01-22 Thread Paul Stead
NOTE: as always, this is testing software - use at your own risk! I've a bug report open for this particular feature - if added then it would allow for all sorts of addrlists to be built - https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354 For now, by all means you can either * create

Re: From name containing a spoofed email address

2018-01-22 Thread Alex
On Mon, Jan 22, 2018 at 4:06 PM, Paul Stead wrote: > Thanks for that Alex, I've added a version check into the code, hopefully > it'll catch everything. > > Thanks for other feedback from other users ( Looking good so far. I'll follow up with examples as they hit.

Re: From name containing a spoofed email address

2018-01-22 Thread Paul Stead
Thanks for that Alex, I've added a version check into the code, hopefully it'll catch everything. Thanks for other feedback from other users ( Paul On 22/01/2018, 19:18, "Alex" wrote: On Mon, Jan 22, 2018 at 11:21 AM, Paul Stead

Re: From name containing a spoofed email address

2018-01-22 Thread Alex
On Mon, Jan 22, 2018 at 11:21 AM, Paul Stead wrote: > https://github.com/fmbla/spamassassin-fromnamespoof > > Reduced quite a few of the FPs after thinking about this over the weekend - > feel free to check this out, let me know any feedback I'm using the current

Re: From name containing a spoofed email address

2018-01-22 Thread Paul Stead
https://github.com/fmbla/spamassassin-fromnamespoof Reduced quite a few of the FPs after thinking about this over the weekend - feel free to check this out, let me know any feedback Paul On 19/01/2018, 18:16, "Paul Stead" wrote: I too have a plugin written

Re: From name containing a spoofed email address

2018-01-22 Thread David Jones
On 01/22/2018 09:05 AM, Rupert Gallagher wrote: This is my current solution for a problem that has been discussed many times in this list. I wrote it last year, and it serves me well. Feel free to use it, if you find it useful. This part goes into your local.cf: header   __F_DM1

Re: From name containing a spoofed email address

2018-01-22 Thread Jeffs Chips
Hi Robert. I'm new here. But intrigued by what looks like a good solution. Without too much detail can you explain the solution a bit? Just want to get a basic understanding of the workflow. Thank you. __ "Perhaps sleep did not evolve. Perhaps it was the thing from which

Re: From name containing a spoofed email address

2018-01-22 Thread Rupert Gallagher
Note the clause "__F_DM2". Its purpose is to whitelist legit e-mail from known incompetent admins. You can remove the clause if you wish, and use the global whitelist.cf instead. Sent with [ProtonMail](https://protonmail.com) Secure Email. Original Message On 22 January 2018

Re: From name containing a spoofed email address

2018-01-22 Thread Rupert Gallagher
This is my current solution for a problem that has been discussed many times in this list. I wrote it last year, and it serves me well. Feel free to use it, if you find it useful. This part goes into your local.cf: header __F_DM1 eval:from_domains_mismatch() header __F_DM2 From:addr =~

Danger of using your real name (was Re: From name containing a spoofed email address)

2018-01-20 Thread Dianne Skoll
On Sat, 20 Jan 2018 00:33:32 -0500 "Bill Cole" wrote: > On 19 Jan 2018, at 20:02 (-0500), jdow wrote: > > After your first time being a victim of cyberstalking you'll soon > > enough wish your "from" line was as generic as mine. People who put > > their

Re: From name containing a spoofed email address

2018-01-19 Thread Bill Cole
On 19 Jan 2018, at 16:17 (-0500), Chip wrote: Do you mean don't whitelist_auth *@example.com *unless* they have published spf/dkim? I can't speak to Dave's meaning (although I value it...) but in fact whitelist_auth directives only have any effect if the domain has published SPF or DKIM

Re: From name containing a spoofed email address

2018-01-19 Thread Bill Cole
On 19 Jan 2018, at 20:02 (-0500), jdow wrote: After your first time being a victim of cyberstalking you'll soon enough wish your "from" line was as generic as mine. People who put their full name in the From: line haven't been mugged yet. I spent a year learning about this 1985-1986. I

Re: From name containing a spoofed email address

2018-01-19 Thread Bill Cole
On 19 Jan 2018, at 10:20 (-0500), Rupert Gallagher wrote: > Empty Message You're repeating yourself... -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: From name containing a spoofed email address

2018-01-19 Thread jdow
After your first time being a victim of cyberstalking you'll soon enough wish your "from" line was as generic as mine. People who put their full name in the From: line haven't been mugged yet. I spent a year learning about this 1985-1986. As a byproduct of this habit of mine, when I see a "To:

Re: From name containing a spoofed email address

2018-01-19 Thread David Jones
On 01/19/2018 03:17 PM, Chip wrote: Okay, trying to understand. You say: whitelist_auth *@*.chase.com whitelist_auth serv...@paypal.com This would trust emails from any subdomain under chase.com and serv...@paypal.com that hit SPF_PASS or DKIM_VALID_AU rules. Okay, got that.

Re: From name containing a spoofed email address

2018-01-19 Thread Chip
Okay, trying to understand. You say: whitelist_auth *@*.chase.com whitelist_auth serv...@paypal.com This would trust emails from any subdomain under chase.com and serv...@paypal.com that hit SPF_PASS or DKIM_VALID_AU rules. Okay, got that. But I'm confused when you further

Re: From name containing a spoofed email address

2018-01-19 Thread David Jones
On 01/19/2018 02:21 PM, Jeffs Chips wrote: I would be very interested in knowing what features in SA flag spoofed email addresses.  Knowing the methods used or plugins available to detect spoofed emails is integral to the project I'm working on. That is the million dollar question. If we

Re: From name containing a spoofed email address

2018-01-19 Thread Jeffs Chips
I would be very interested in knowing what features in SA flag spoofed email addresses. Knowing the methods used or plugins available to detect spoofed emails is integral to the project I'm working on. __ "Perhaps sleep did not evolve. Perhaps it was the thing from which

Re: From name containing a spoofed email address

2018-01-19 Thread Jeffs Chips
Thanks! FYI for some reason Gmail is classifying these emails as spam. __ "Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged." -- Matthew Walker, Sleep Scientist On Jan 19, 2018 3:11 PM, "John Hardin" wrote: > On Fri, 19

Re: From name containing a spoofed email address

2018-01-19 Thread John Hardin
On Fri, 19 Jan 2018, AJ Weber wrote: False Positive i.e. SA incorrectly classifying a message as SPAM. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C

Re: From name containing a spoofed email address

2018-01-19 Thread AJ Weber
False Positive On 1/19/2018 2:55 PM, Jeffs Chips wrote: I am trying to follow this interesting thread - can someone tell me what "FP" means? __ "Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged." -- Matthew Walker, Sleep Scientist On

Re: From name containing a spoofed email address

2018-01-19 Thread Jeffs Chips
I am trying to follow this interesting thread - can someone tell me what "FP" means? __ "Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged." -- Matthew Walker, Sleep Scientist On Jan 19, 2018 12:02 AM, "Pedro David Marco"

Re: From name containing a spoofed email address

2018-01-19 Thread Paul Stead
I too have a plugin written I've been using for a short while from the last time this was brought up, I too would like to get some spamples of spoofed From:name emails. There are a few FP situations, I get around these by seeing what the difference in between the length of the found email

Re: From name containing a spoofed email address

2018-01-19 Thread shanew
I've got a basic plugin written for this now, but I'd like to do a little more testing before I make it widely available. If you have mail samples (ham or spam) with an "@" character in the name part of the From field that you're willing to share, let me know. BTW, I've already run into some

Re: From name containing a spoofed email address

2018-01-19 Thread Rupert Gallagher
Empty Message

Re: From name containing a spoofed email address

2018-01-19 Thread Rupert Gallagher
Empty Message

Re: From name containing a spoofed email address

2018-01-19 Thread Antony Stone
On Friday 19 January 2018 at 07:40:07, Rupert Gallagher wrote: > See my post of 25/20/2017 to this list. My calendar doesn't go that far :( Antony. -- I wasn't sure about having a beard at first, but then it grew on me. Please reply to the

Re: From name containing a spoofed email address

2018-01-18 Thread Rupert Gallagher
See my post of 25/20/2017 to this list. Sent from ProtonMail Mobile On Wed, Jan 17, 2018 at 20:31, David Jones wrote: > Would a plugin need to be created (or an existing one enhanced) to be able to > detect this type of spoofed From header? From: "h...@hulumail.com !" >

Re: From name containing a spoofed email address

2018-01-18 Thread Pedro David Marco
>!~ matches are dangerous because they match by default if you >don't anticipate all the legitimate formats. The above will FP on a >simple email address. It could be rewritten as a __FROM_DOMAINS_MATCH >and used in a meta rule. fool me, you are right, RW, thanks... >It's also not a complete

Re: From name containing a spoofed email address

2018-01-18 Thread shanew
On Thu, 18 Jan 2018, RW wrote: I think the hard part is handling IDNs, e.g. "=?UTF-8?B?Zm9vQGLDvGNoZXIuY29t?=" the display name should decode to the UTF-8 byte sequence for foo@bücher.com, but I presume the address would be left as the ASCII IDN. In the short term

Re: From name containing a spoofed email address

2018-01-18 Thread RW
On Thu, 18 Jan 2018 11:52:36 + (UTC) Pedro David Marco wrote: > David, > This rule can do the full job... I have tested it with good > results..   (Can be tested here: https://regex101.com/r/Vpmhjz/3 ) It > checks if the level domain next to the TLD in the From:name matches > the domain next

Re: From name containing a spoofed email address

2018-01-18 Thread Pedro David Marco
David, This rule can do the full job... I have tested it with good results..   (Can be tested here: https://regex101.com/r/Vpmhjz/3 ) It checks if the level domain next to the TLD in the From:name matches the domain next to the TLD in From:email header       FROM_DOMAINS_MISMATCH From !~

Re: From name containing a spoofed email address

2018-01-17 Thread RW
On Wed, 17 Jan 2018 15:32:38 -0600 (CST) sha...@shanew.net wrote: > I started working on this, and quickly realized the hard part is > determining/parsing the domain out of the From:name variable. I think the hard part is handling IDNs, e.g. "=?UTF-8?B?Zm9vQGLDvGNoZXIuY29t?="

Re: From name containing a spoofed email address

2018-01-17 Thread shanew
I started working on this, and quickly realized the hard part is determining/parsing the domain out of the From:name variable. Is there any existing code in SA that "recognizes" email addresses that can be called and/or re-used? On Wed, 17 Jan 2018, David Jones wrote: Would a plugin need to be

Re: From name containing a spoofed email address

2018-01-17 Thread Alan Hodgson
On Wed, 2018-01-17 at 13:31 -0600, David Jones wrote: > Would a plugin need to be created (or an existing one enhanced) to > be > able to detect this type of spoofed From header? > > From: "h...@hulumail.com !" > > https://pastebin.com/vVhGjC8H > > Does anyone else think

Re: From name containing a spoofed email address

2018-01-17 Thread shanew
I swear I came across a rule like this just the other day, but now I can't find it, which is probably a sign of faulty memory. In any case, the existing HeaderEval Plugin seems like a good place for this (it already does a check for EnvFrom and From domain mismatches). On Wed, 17 Jan 2018,

Re: From name containing a spoofed email address

2018-01-17 Thread Kevin A. McGrail
Yes, I think it's a security risk and numerous phishing scams use this. On 1/17/2018 2:31 PM, David Jones wrote: Would a plugin need to be created (or an existing one enhanced) to be able to detect this type of spoofed From header? From: "h...@hulumail.com !"

From name containing a spoofed email address

2018-01-17 Thread David Jones
Would a plugin need to be created (or an existing one enhanced) to be able to detect this type of spoofed From header? From: "h...@hulumail.com !" https://pastebin.com/vVhGjC8H Does anyone else think this would be a good idea to make a rule that at least checks both the