Makes sense to me. Just trying to check off boxes on open items for 3.4.2
release.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
On Sat, Aug 25, 2018 at 9:08 AM, David Jones wrote:
On 08/24/2018 07:02 PM, Kevin A. McGrail wrote:
On 1/18/2018 6:52 AM, Pedro David Marco wrote:
> David,
>
> This rule can do the full job... i have tested it with good results..
> (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>
> It checks if the level domain next to the TLD in the From:name matches
> the domain next to the TLD in
On Fri, 2018-01-26 at 16:26 -0600, sha...@shanew.net wrote:
> Just a hunch, but did you make sure to add the "$self->register..."
> line inside the "sub new {" block with all the others in
> HeaderEval.pm?
>
Yep, sure did, thanks for that. All is well now.
On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
> This is my current solution for a problem that has been discussed
> many times in this list.
> I wrote it last year, and it serves me well. Feel free to use it, if
> you find it useful.
>
> This part goes into your local.cf:
>
>
Just to add to the confusion, uh, I mean options. Here's what I've
got so far. I'm using it in production currently, but it's still very
young code, so use it at your own risk.
https://github.com/enkidushane/sa-frommismatch/
I purposely avoided using uri_to_domain because it's in flux right
On 01/22/2018 06:40 PM, Alex wrote:
Hi,
> This part goes into the general HeaderEval.pm:
>
> $self->register_eval_rule("from_domains_mismatch");
> [...]
I'd like to try this, but this is not in the current 3.4.2 svn.
I am running this by manually patching the HeaderEval.pm and so far it's
On Mon, 22 Jan 2018 10:05:14 -0500
Rupert Gallagher wrote:
> This is my current solution for a problem that has been discussed
> many times in this list.
> sub from_domains_mismatch {
> my ($self, $pms) = @_;
> my $temp;
> $temp = $pms->get('From:addr');
> $temp =~ /@(.+)/; my
On Mon, 22 Jan 2018 17:16:49 -0600 (CST)
sha...@shanew.net wrote:
> Since there's no "@" in From:name, there's clearly not an email
> address there, so there's nothing to compare to the domain part of
> From:addr.
FWIW it doesn't actually check that the @ is part of something that
looks like an
Thanks to those for being patient with me. I see the issue was I didn't
understand that the spammer is "cramming" or somehow the different
domains get "crammed" into the From:
I mistakenly thought these were two different distinct fields.
Finally! Thank you!
On 01/22/2018 06:32 PM, John Hardin wrote:
> On Mon, 22 Jan 2018, Chip wrote:
>
>> Understood, so then what would a From:name that contains a domain look
>> like since it seems the filter needs to compare the domain found in
>> From:addr to From:name in order to pass it as
On Mon, 22 Jan 2018, Chip wrote:
> Understood, so then what would a From:name that contains a domain look
> like since it seems the filter needs to compare the domain found in
> From:addr to From:name in order to pass it as ham.
From: "Joe User (Your Bank) "
On Mon, 22 Jan 2018, Chip wrote:
> In the attached image "header" is highlighted. Which one applies in
> this case as there is header=gmail *and* header=secure.net
What you have highlighted has nothing to do with the "From" header in SA
header rules. That content is in the
Understood, so then what would a From:name that contains a domain look
like since it seems the filter needs to compare the domain found in
From:addr to From:name in order to pass it as ham.
Or am I on another planet altogether here, just say so and I'll shut up.
On 01/22/2018 06:21 PM, Chip
Ah, okay. Thanks for the clarification.
So this filter, what would it make of that message? Spam or ham?
On 01/22/2018 06:16 PM, sha...@shanew.net wrote:
> I think what's tripping you up is what parts of the mail "From:addr"
> and "From:name" refer to. In the example you give:
>
> From:
I think what's tripping you up is what parts of the mail "From:addr"
and "From:name" refer to. In the example you give:
From: blablabla
From:name will be "blablabla"
and
From:addr will be "blabla...@gmail.com"
Since there's no "@" in From:name, there's clearly not an
On Mon, 22 Jan 2018, Chip wrote:
I might be wrong here, understand I'm still learning, but the purpose of
the filter, from what I've been able to grasp, is that it checks the
From:addr and From:name values in SA to find
their domain and triggers a rule hit if there is a domain in the
From:name that doesn't match the domain in
On Mon, 22 Jan 2018 17:44:00 -0500
Chip wrote:
> Following is the full header with identifiable information
> anonymized.
I don't see what you are getting at, in:
From: blablabla
blablabla doesn't contain an "@".
Following is the full header with identifiable information anonymized.
I have other examples of commercial bulk senders suggesting - even
promoting - the idea that it's okay to input your external email address
in the From: of the message editor.
I actually did notice the dmarc=fail as well as
This particular effort is looking at the From header, not the EnvFrom
header (though there is a check From==EnvFrom as well). What we're
looking for here are things like:
From: "b...@usaa.com"
Or look at the pastebin example at the start of the thread.
Also, without seeing
So it's my understanding that SA does the following with this rule,
which is that it checks the From:addr and From:name values in SA to find
their domain and triggers a rule hit if there is a domain in the
From:name that doesn't match the domain in the From:addr.
However, when I examine the
NOTE: as always, this is testing software - use at your own risk!
I've a bug report open for this particular feature - if added then it would
allow for all sorts of addrlists to be built -
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354
For now, by all means you can either
* create
On Mon, Jan 22, 2018 at 4:06 PM, Paul Stead wrote:
> Thanks for that Alex, I've added a version check into the code, hopefully
> it'll catch everything.
>
> Thanks for other feedback from other users (
Looking good so far. I'll follow up with examples as they hit.
Thanks for that Alex, I've added a version check into the code, hopefully it'll
catch everything.
Thanks for other feedback from other users (
Paul
On 22/01/2018, 19:18, "Alex" wrote:
On Mon, Jan 22, 2018 at 11:21 AM, Paul Stead wrote:
> https://github.com/fmbla/spamassassin-fromnamespoof
>
> Reduced quite a few of the FPs after thinking about this over the weekend -
> feel free to check this out, let me know any feedback
I'm using the current
https://github.com/fmbla/spamassassin-fromnamespoof
Reduced quite a few of the FPs after thinking about this over the weekend -
feel free to check this out, let me know any feedback
Paul
On 19/01/2018, 18:16, "Paul Stead" wrote:
I too have a plugin written
On 01/22/2018 09:05 AM, Rupert Gallagher wrote:
This is my current solution for a problem that has been discussed many
times in this list.
I wrote it last year, and it serves me well. Feel free to use it, if you
find it useful.
This part goes into your local.cf:
header __F_DM1
Hi Robert. I'm new here. But intrigued by what looks like a good solution.
Without too much detail can you explain the solution a bit? Just want to
get a basic understanding of the workflow. Thank you.
__
"Perhaps sleep did not evolve. Perhaps it was the thing from which
wakefulness emerged." -- Matthew Walker, Sleep Scientist
Note the clause "__F_DM2". Its purpose is to whitelist legit e-mail from known
incompetent admins. You can remove the clause if you wish, and use the global
whitelist.cf instead.
This is my current solution for a problem that has been discussed many times in
this list.
I wrote it last year, and it serves me well. Feel free to use it, if you find
it useful.
This part goes into your local.cf:
header __F_DM1 eval:from_domains_mismatch()
header __F_DM2 From:addr =~
On Sat, 20 Jan 2018 00:33:32 -0500
"Bill Cole" wrote:
> On 19 Jan 2018, at 20:02 (-0500), jdow wrote:
> > After your first time being a victim of cyberstalking you'll soon
> > enough wish your "from" line was as generic as mine. People who put
> > their
On 19 Jan 2018, at 16:17 (-0500), Chip wrote:
> Do you mean don't whitelist_auth *@example.com *unless* they have
> published spf/dkim?
I can't speak to Dave's meaning (although I value it...) but in fact
whitelist_auth directives only have any effect if the domain has
published SPF or DKIM
On 19 Jan 2018, at 20:02 (-0500), jdow wrote:
> After your first time being a victim of cyberstalking you'll soon
> enough wish your "from" line was as generic as mine. People who put
> their full name in the From: line haven't been mugged yet. I spent a
> year learning about this 1985-1986.
I
On 19 Jan 2018, at 10:20 (-0500), Rupert Gallagher wrote:
> Empty Message
You're repeating yourself...
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
After your first time being a victim of cyberstalking you'll soon enough wish
your "from" line was as generic as mine. People who put their full name in the
From: line haven't been mugged yet. I spent a year learning about this 1985-1986.
As a byproduct of this habit of mine, when I see a "To:
On 01/19/2018 03:17 PM, Chip wrote:
Okay, trying to understand.
You say:
whitelist_auth *@*.chase.com
whitelist_auth serv...@paypal.com
This would trust emails from any subdomain under chase.com and
serv...@paypal.com that hit SPF_PASS or DKIM_VALID_AU rules.
Okay, got that.
But I'm confused when you further
On 01/19/2018 02:21 PM, Jeffs Chips wrote:
> I would be very interested in knowing what features in SA flag spoofed
> email addresses. Knowing the methods used or plugins available to
> detect spoofed emails is integral to the project I'm working on.
That is the million dollar question. If we
I would be very interested in knowing what features in SA flag spoofed
email addresses. Knowing the methods used or plugins available to detect
spoofed emails is integral to the project I'm working on.
Thanks! FYI for some reason Gmail is classifying these emails as spam.
On Jan 19, 2018 3:11 PM, "John Hardin" wrote:
> On Fri, 19
On Fri, 19 Jan 2018, AJ Weber wrote:
> False Positive
i.e. SA incorrectly classifying a message as SPAM.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
False Positive
On 1/19/2018 2:55 PM, Jeffs Chips wrote:
I am trying to follow this interesting thread - can someone tell me
what "FP" means?
I am trying to follow this interesting thread - can someone tell me what
"FP" means?
On Jan 19, 2018 12:02 AM, "Pedro David Marco"
I too have a plugin written I've been using for a short while from the last
time this was brought up, I too would like to get some spamples of spoofed
From:name emails.
There are a few FP situations, I get around these by seeing what the difference
in between the length of the found email
I've got a basic plugin written for this now, but I'd like to do a
little more testing before I make it widely available. If you have
mail samples (ham or spam) with an "@" character in the name part of
the From field that you're willing to share, let me know.
BTW, I've already run into some
Empty Message
Empty Message
On Friday 19 January 2018 at 07:40:07, Rupert Gallagher wrote:
> See my post of 25/20/2017 to this list.
My calendar doesn't go that far :(
Antony.
--
I wasn't sure about having a beard at first, but then it grew on me.
Please reply to the
See my post of 25/20/2017 to this list.
On Wed, Jan 17, 2018 at 20:31, David Jones wrote:
> Would a plugin need to be created (or an existing one enhanced) to be able to
> detect this type of spoofed From header? From: "h...@hulumail.com !"
>
> !~ matches are dangerous because they match by default if you
> don't anticipate all the legitimate formats. The above will FP on a
> simple email address. It could be rewritten as a __FROM_DOMAINS_MATCH
> and used in a meta rule.
Fool me, you are right, RW, thanks...
> It's also not a complete
On Thu, 18 Jan 2018, RW wrote:
> I think the hard part is handling IDNs, e.g.
> "=?UTF-8?B?Zm9vQGLDvGNoZXIuY29t?="
> the display name should decode to the UTF-8 byte sequence for
> foo@bücher.com, but I presume the address would be left as the ASCII
> IDN.
In the short term
On Thu, 18 Jan 2018 11:52:36 + (UTC)
Pedro David Marco wrote:
> David,
> This rule can do the full job... i have tested it with good
> results.. (Can be tested here: https://regex101.com/r/Vpmhjz/3 ) It
> checks if the level domain next to the TLD in the From:name matches
> the domain next
David,
This rule can do the full job... I have tested it with good results.. (Can be
tested here: https://regex101.com/r/Vpmhjz/3 )
It checks if the level domain next to the TLD in the From:name matches the
domain next to the TLD in From:email
header FROM_DOMAINS_MISMATCH From !~
On Wed, 17 Jan 2018 15:32:38 -0600 (CST)
sha...@shanew.net wrote:
> I started working on this, and quickly realized the hard part is
> determining/parsing the domain out of the From:name variable.
I think the hard part is handling IDNs, e.g.
"=?UTF-8?B?Zm9vQGLDvGNoZXIuY29t?="
I started working on this, and quickly realized the hard part is
determining/parsing the domain out of the From:name variable.
Is there any existing code in SA that "recognizes" email addresses
that can be called and/or re-used?
On Wed, 17 Jan 2018, David Jones wrote:
Would a plugin need to be
On Wed, 2018-01-17 at 13:31 -0600, David Jones wrote:
> Would a plugin need to be created (or an existing one enhanced) to
> be
> able to detect this type of spoofed From header?
>
> From: "h...@hulumail.com !"
>
> https://pastebin.com/vVhGjC8H
>
> Does anyone else think
I swear I came across a rule like this just the other day, but now I
can't find it, which is probably a sign of faulty memory. In any
case, the existing HeaderEval Plugin seems like a good place for this
(it already does a check for EnvFrom and From domain mismatches).
On Wed, 17 Jan 2018,
Yes, I think it's a security risk and numerous phishing scams use this.
On 1/17/2018 2:31 PM, David Jones wrote:
> Would a plugin need to be created (or an existing one enhanced) to be
> able to detect this type of spoofed From header?
> From: "h...@hulumail.com !"
Would a plugin need to be created (or an existing one enhanced) to be
able to detect this type of spoofed From header?
From: "h...@hulumail.com !"
https://pastebin.com/vVhGjC8H
Does anyone else think this would be a good idea to make a rule that at
least checks both the
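The check this thread keeps circling, as an added example rather than code from the thread, from SpamAssassin, or from any of the plugins linked above: a standalone Python model that takes From:name and From:addr, looks for an address-shaped token inside the display name, and compares the domain next to the TLD on both sides. It first decodes RFC 2047 encoded words and punycodes IDN hosts, so RW's foo@bücher.com and foo@xn--bcher-kva.com come out as the same domain, and it returns False when the name has no "@" in it (shanew's blablabla case, or a bare address), which is the FP the !~ form of the rule produces. The sample headers, the MULTI_LABEL_SUFFIXES set and every helper name are constructed for this demo; split_from only approximates how SpamAssassin derives From:name and From:addr, and a real deployment would consult the Public Suffix List instead of a hard-coded suffix set.

```python
"""Standalone model of a From:name / From:addr domain-mismatch check.

Added example, not SpamAssassin or plugin code. Sample headers, the
MULTI_LABEL_SUFFIXES set and the helper names are constructed for the demo.
"""
import re
from email.header import decode_header

# Address-shaped token inside a display name; \w also matches non-ASCII (IDN) labels.
ADDR_IN_NAME = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')

# "display name <addr>": the name is everything before the last <...> group.
ANGLE_ADDR = re.compile(r'^(?P<name>.*)<(?P<addr>[^<>]*)>\s*$', re.S)

# Assumption for the demo: a token set of multi-label public suffixes.
# A real deployment would consult the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {'co.uk', 'com.au', 'co.jp'}


def decode_rfc2047(raw):
    """Decode =?charset?B/Q?...?= words to text; plain chunks pass through."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or 'ascii', 'replace')
            except LookupError:          # unknown charset label in the header
                chunk = chunk.decode('latin-1')
        out.append(chunk)
    return ''.join(out)


def split_from(raw_from):
    """Return (name, addr), approximating SpamAssassin's From:name / From:addr."""
    decoded = decode_rfc2047(raw_from)
    m = ANGLE_ADDR.match(decoded)
    if not m:                            # bare address, no display name
        return '', decoded.strip()
    name = m.group('name').strip().strip('"').strip()
    return name, m.group('addr').strip()


def to_ascii_host(host):
    """Lower-case and punycode a host, so bücher.com equals xn--bcher-kva.com."""
    host = host.lower().rstrip('.')
    try:
        return host.encode('idna').decode('ascii')
    except UnicodeError:                 # empty or over-long label: leave as-is
        return host


def registrable_domain(host):
    """The "domain next to the TLD": last two labels, or three under a listed suffix."""
    labels = to_ascii_host(host).split('.')
    if len(labels) >= 3 and '.'.join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return '.'.join(labels[-3:])
    return '.'.join(labels[-2:])


def from_domains_mismatch(raw_from):
    """True when From:name carries an address whose domain differs from From:addr's."""
    name, addr = split_from(raw_from)
    if '@' not in addr:
        return False                     # no real address to compare against
    found = ADDR_IN_NAME.search(name)
    if not found:
        return False                     # no "@" in From:name: nothing to compare, no FP
    return registrable_domain(found.group(1)) != registrable_domain(addr.rsplit('@', 1)[1])


if __name__ == '__main__':
    SAMPLES = [  # constructed for the demo
        '"user@hulumail.com !" <someone@gmail.com>',               # the spoof shape from the thread
        'blablabla <blabla@gmail.com>',                              # no "@" in the name
        '"Joe User (Your Bank)" <joe@gmail.com>',                    # bank named, but no address in the name
        '"alerts@mail.chase.com" <noreply@chase.com>',               # same registrable domain
        '=?UTF-8?B?Zm9vQGLDvGNoZXIuY29t?= <foo@xn--bcher-kva.com>',   # IDN, same domain once punycoded
        '=?UTF-8?B?Zm9vQGLDvGNoZXIuY29t?= <foo@gmail.com>',          # IDN in the name, different domain
    ]
    for sample in SAMPLES:
        print(from_domains_mismatch(sample), sample)
```

Run it directly to see each constructed sample with its verdict. The body of from_domains_mismatch is the part that maps onto the eval-rule approach discussed above: it only needs the From:name and From:addr values, and the rest of the file exists so the demo can build those two values from a raw header offline.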