I realized that my response below went directly to Clark, so I decided I would resend it to the list.

From cratz Sun Aug 3 12:29:45 2003
Date: Sun, 3 Aug 2003 12:29:45 -0700 (PDT)
From: Tony Cratz <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] "From: FORGERYs" Can they be detected?
To: [EMAIL PROTECTED]
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.4 SunOS 5.8 i86pc i386
Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: WN00vQe9Gxj/knr5xYYw5Q==
Content-Length: 2521
Status: RO
> I receive SPAM emails that bypass SpamAssassin that have my email address
> forged in the "From: ".
> Is there any way to detect these?
> I have also received at least one rejection notice from Yahoo for invalid
> To: addresses that I never mailed to but a SPAMMER must have again
> forged my email address in the From:.
>
> Clark Anderson

This has also been a problem for myself. Part of the reason, for me, is that my system, which uses mimedefang, is set up to scan ALL Email which passes through my system, both incoming and outgoing. I put my Email address in the site-wide whitelist. And as you pointed out, SPAMMERS have been using this trick for a while of saying that you sent an Email to yourself.

So let's take a look at the format of the "From: " line. It is:

    headername {space} sender-name {space} <[EMAIL PROTECTED]>

In this case, the headername is "From:". The sender-name is normally what is in the /etc/passwd file as the comment field. It can be surrounded by double-quotes and contain matching single-quotes in it. The last part is the Email address where the message is coming from.

So if we use myself as an example, the header line would look like:

    From: Tony Cratz <[EMAIL PROTECTED]>

That would be if I sent a message. But the SPAMMERS have only been using the part that would be in a whitelist, being the Email address, and using a different sender-name.

With this knowledge I decided it was time to write a couple of rules. The first to check if my Email address was listed in the From line. The second to check if the sender-name was in the format that I use. And then a meta rule to combine the two tests, so that if the sender-email was my Email address but the sender-name is not in the format I use, then it will rescore the message so that it removes any whitelist effect and it can be scored correctly as SPAM.
The rules I'm currently using are:

    header   T_FROM_CRATZ_EMAIL  From =~ /<[EMAIL PROTECTED]>/i
    describe T_FROM_CRATZ_EMAIL  '[EMAIL PROTECTED] E-mail address'

    header   T_FROM_TONY_CRATZ   From =~ /tony\scratz/i
    describe T_FROM_TONY_CRATZ   'Email user name Tony Cratz'

    meta     NOT_FROM_CRATZ      (T_FROM_CRATZ_EMAIL && !T_FROM_TONY_CRATZ)
    score    NOT_FROM_CRATZ      200.0

This is the first set of rules I have written. There may be a better way to write it. And so far I have not had a large test base on it. But shortly after putting it into place it caught a fresh SPAM message.

Tony
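As an added illustration (not Tony's rules or SpamAssassin's own code), the Python below mirrors the two header checks and the meta rule over a few constructed From: values. The address, the whitelist credit of -100 and the sample headers are assumptions; the name pattern is applied to the parsed display name only, which is slightly tighter than running it over the whole header as the rule does.

```python
import re
from email.utils import parseaddr

# Constructed stand-ins for the redacted address and display name in the post.
OWN_ADDRESS = "tony@example.com"
OWN_NAME_RE = re.compile(r"tony\scratz", re.I)   # same pattern as T_FROM_TONY_CRATZ
WHITELIST_SCORE = -100.0   # assumed site-wide whitelist credit (not stated in the post)
FORGED_SCORE = 200.0       # the post's NOT_FROM_CRATZ score


def evaluate_from(from_value: str) -> dict:
    """Apply the two header rules and the meta rule to one From: header value.

    parseaddr splits display name from address, so the name regex only sees the
    display name; the address test is an exact, case-insensitive match.
    """
    name, addr = parseaddr(from_value)
    hits = []
    if addr.lower() == OWN_ADDRESS:
        hits.append("T_FROM_OWN_EMAIL")
    if OWN_NAME_RE.search(name):
        hits.append("T_FROM_OWN_NAME")
    # meta rule: whitelisted address present, usual sender-name absent
    if "T_FROM_OWN_EMAIL" in hits and "T_FROM_OWN_NAME" not in hits:
        hits.append("NOT_FROM_OWN")
    score = 0.0
    if "T_FROM_OWN_EMAIL" in hits:
        score += WHITELIST_SCORE          # whitelist fires on the address alone
    if "NOT_FROM_OWN" in hits:
        score += FORGED_SCORE             # meta rule cancels the whitelist and more
    return {"address": addr, "name": name, "hits": hits, "score": score}


# Constructed samples: the owner's own mail, a forgery reusing only the address,
# a bare address, a legitimate but differently ordered name, and a third party.
SAMPLES = {
    "own":       "Tony Cratz <tony@example.com>",
    "forged":    '"Account Dept" <tony@example.com>',
    "bare":      "<tony@example.com>",
    "reordered": '"Cratz, Tony" <tony@example.com>',
    "other":     "Clark Anderson <clark@example.org>",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        r = evaluate_from(value)
        print(f"{label:10} hits={r['hits']} score={r['score']:+.1f}")
```

The "bare" and "reordered" samples trip the meta rule as well as the forgery, which shows the false-positive side of keying on display-name format: any legitimate client that omits or reorders the name will be scored as a forgery.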