I realized that my response below went directly to Clark, so I
        decided I would resend it to the list.
        
>From cratz Sun Aug  3 12:29:45 2003
Date: Sun, 3 Aug 2003 12:29:45 -0700 (PDT)
From: Tony Cratz <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] "From: FORGERYs" Can they be detected?
To: [EMAIL PROTECTED]
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.4 SunOS 5.8 i86pc i386 
Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: WN00vQe9Gxj/knr5xYYw5Q==
Content-Length: 2521
Status: RO


>   I receive SPAM emails that bypass SpamAssassin that have my email address
>   forged in the "From: ".
>   Is there any way to detect these?
>   I have also received at least one rejection notice from Yahoo for invalid
>   To: addresses that I never mailed to but a SPAMMER must have again
>   forged my email address in the From:.
>
>                       Clark Anderson




        This has also been a problem for me. Part of the reason for
        me is that my system, which uses mimedefang, is set up to scan
        ALL Email which passes through my system, both incoming and outgoing.
        I put my Email address in the site wide whitelist.
        
        And as you pointed out, SPAMMERS have been using this trick for
        a while, of saying that you sent an Email to yourself.
        
        So let's take a look at the format of the "From: " line. It is:
        
        headername {space} sender-name {space} <[EMAIL PROTECTED]>
        
        In this case, the headername is "From:". The sender-name is
        normally what is in the /etc/passwd file as the comment field.
        It can be surrounded by double-quotes and can contain matching
        single-quotes. The last part is the Email address where
        the message is coming from. So if we use myself as an example
        the header line would look like:
        
        From: Tony Cratz <[EMAIL PROTECTED]>
        
        That would be if I sent a message. But the SPAMMERS have only
        been using the part that would be in a whitelist, namely the
        Email address, and using a different sender-name.
        
        With this knowledge I decided it was time to write a couple of
        rules. The first checks if my Email address is listed in the
        From line. The second checks if the sender-name is in the
        format that I use. Then a meta rule combines the two tests,
        so that if the sender-email is my Email address but the sender-name
        is not in the format I use, it will rescore the message so
        that it removes any whitelist effect and the message can be scored
        correctly as SPAM.
        
        The rules I'm currently using are:
        
        
# Test 1: my (whitelisted) Email address appears in the From: header
header   T_FROM_CRATZ_EMAIL   From =~ /<[EMAIL PROTECTED]>/i
describe T_FROM_CRATZ_EMAIL   '[EMAIL PROTECTED] E-mail address'
# Test 2: the sender-name is in the format I actually use
header   T_FROM_TONY_CRATZ    From =~ /tony\scratz/i
describe T_FROM_TONY_CRATZ    'Email user name Tony Cratz'
# Meta: my address but not my sender-name, scored high enough to
# cancel the site wide whitelist so the message is scored as SPAM
meta     NOT_FROM_CRATZ       (T_FROM_CRATZ_EMAIL && !T_FROM_TONY_CRATZ)
score    NOT_FROM_CRATZ       200.0


        This is the first set of rules I have written. There may be a
        better way to write it. And so far I have not had a large test
        base on it. But shortly after putting it into place it caught
        a fresh SPAM message.
        
        
                                                        Tony
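The two header tests and the meta rule above, modelled in Python as an added example that is not part of the original post and not SpamAssassin code. The real address in the post is redacted, so `tony@example.com` is a constructed stand-in, and the whitelist score of -100 is an assumption about the whitelist effect the rule has to cancel. The example goes one step beyond the post's regexes: it parses the header with `email.utils.parseaddr`, so a bare `From: tony@example.com` with no angle brackets (which the post's `<...>` pattern would not match, although the whitelist would still fire) is also caught.

```python
"""Forged-From detection in the spirit of the post's two header rules
plus the meta rule. Added example; not code from the post or from SpamAssassin."""
import re
from email.utils import parseaddr

# Constructed stand-in for the redacted address in the post.
MY_ADDRESS = "tony@example.com"
# Same pattern as the post's T_FROM_TONY_CRATZ rule: first name, whitespace, last name.
MY_NAME_RE = re.compile(r"tony\scratz", re.IGNORECASE)

# Assumed scores: a whitelist hit is strongly negative; the post gives the
# meta rule +200 so that it outweighs the whitelist.
WHITELIST_SCORE = -100.0
NOT_FROM_ME_SCORE = 200.0


def from_has_my_address(from_header: str) -> bool:
    """Like T_FROM_CRATZ_EMAIL, but on the parsed address rather than a
    regex, so a From: without angle brackets is matched as well."""
    _name, addr = parseaddr(from_header)
    return addr.lower() == MY_ADDRESS


def from_has_my_name(from_header: str) -> bool:
    """Like T_FROM_TONY_CRATZ: the display name is in the format I use."""
    name, _addr = parseaddr(from_header)
    return MY_NAME_RE.search(name) is not None


def not_from_me(from_header: str) -> bool:
    """The meta rule NOT_FROM_CRATZ: my address is present, my name is not."""
    return from_has_my_address(from_header) and not from_has_my_name(from_header)


def score(from_header: str) -> float:
    """Net score of whitelist plus forgery rule: a genuine message stays
    whitelisted, a forged one ends up well positive."""
    total = 0.0
    if from_has_my_address(from_header):
        total += WHITELIST_SCORE
    if not_from_me(from_header):
        total += NOT_FROM_ME_SCORE
    return total


# Constructed sample From: header values (not real mail).
SAMPLES = {
    "genuine": "Tony Cratz <tony@example.com>",
    "genuine_upper": "TONY CRATZ <TONY@EXAMPLE.COM>",
    "forged_name": '"Hot Stock Tips" <tony@example.com>',
    "forged_bare": "tony@example.com",
    "third_party": "Alice <alice@example.org>",
}


def run_samples() -> dict:
    """Score every sample; returns {label: score}."""
    return {label: score(hdr) for label, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for label, value in run_samples().items():
        print(f"{label:14} {SAMPLES[label]!r:40} -> {value:+.1f}")
```

Two caveats a practitioner should keep in mind: the name test is tied to one exact display-name format, so a genuine message sent from a client that writes the name differently (for example "Cratz, Tony") scores as forged; and the whole approach relies on the spammer not copying the full display name along with the address, which the post's own observation is that they have so far not done.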




_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
