> Hello all, I was the original poster of this topic but was away for a
> couple of days.
> I find it amazing to see the number of suggestions and ideas that have
> come up here.
>
> However, none of the constructions matched "my" From: lines of the form
>
> From: "Firstname Lastname@" <recipient-domain.com
> sendern...@real-senders-domain.com
> <mailto:sendern...@real-senders-domain.com>>
>
> I therefore now constructed the following rules:
>
> describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
> header __FROM_NAME_CONTAINS_AT From:name =~ /\@/
> describe __FROM_MULTIPLE_ADDR address part of FROM contains more than
> one mail address (additional text)
> header __FROM_MULTIPLE_ADDR   From:addr =~ /\s/
>
My comments in this mail are only about the "us...@companya.com" <us...@companyb.com> situation, not about actual double From addresses.

> describe __FROM_NAME_ADDRESS_EQUAL constructions like
> "us...@companya.com" <us...@companyb.com>
> header __FROM_NAME_ADDRESS_EQUAL From =~
> /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
> header __FROM_NAME_CONTAINS_ADDRESS From =~
> /["']?(\w+@\w+\.\w+)["']?\s*\</i

The above rules do not catch:

"us...@sub.companya.com" <us...@companyb.com>
"us...@company-a.com" <us...@companyb.com>

And give a false positive on:

"first.l...@companya.com" <first.l...@companya.com>

(or other non-word chars in the user part)

So you could allow more characters in the user part of the e-mail address and dots and dashes in the domain part. Also anchor the beginning to prevent partial matches (which caused the false positives on first.l...@companya.com instead of just not hitting at all).

header __FROM_NAME_ADDRESS_EQUAL From =~ /^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\<\1\>/i
header __FROM_NAME_CONTAINS_ADDRESS From =~ /^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\</i

>
> meta FROM_SPOOF_SENDER1 __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
> meta FROM_SPOOF_SENDER2 __FROM_NAME_CONTAINS_ADDRESS && !
> __FROM_NAME_ADDRESS_EQUAL

It looks like the FROM_SPOOF_SENDER2 rule has the same intention as a rule currently in testing: T_PDS_FROM_2_EMAILS

Which is in John Hardin's sandbox with the note: Paul Stead on SA list 11/2014

header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD

> meta FROM_ADDRESS_TWICE __FROM_NAME_CONTAINS_ADDRESS &&
> __FROM_NAME_ADDRESS_EQUAL
>
> (the last META could even get a slightly negative score, I occasionally
> see people entering their email address in the name field).
>
> and am now waiting to see some hits.
> I consider the risk of false
> positives low in this case; if these METAs are matched somebody is
> trying to trick you.
>
> Regards JC
>
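As an added example, not part of the thread and not code from either poster: the Python harness below runs the three From: regex variants quoted above (JC's original sub-rules, the anchored replacements proposed in the reply, and the __PDS_FROM_2_EMAILS header regex) over constructed sample From: values, and reports which of the metas fire. The sample addresses are made up, since the thread's are truncated. Two things are deliberately not modelled: the From:name / From:addr pseudo-headers that FROM_SPOOF_SENDER1 relies on (they depend on SpamAssassin's own address parsing), and the !__VIA_ML, !__VIA_RESIGNER ... exclusions of the PDS meta. The one change to a quoted regex is that Perl's possessive "\w\w++" is written "\w\w+", which Python versions before 3.11 require and which matches the same strings here because the next token can only match non-word characters.

```python
import re

# Python "re" translations of the SpamAssassin header rules quoted in the
# thread. SpamAssassin evaluates Perl regexes; the possessive "\w\w++" in
# __PDS_FROM_2_EMAILS is written "\w\w+" here because the token after it can
# only match non-word characters (backtracking into it cannot change the
# result) and Python versions before 3.11 reject possessive quantifiers.
SUBRULES = {
    # JC's original sub-rules: unanchored, and \w-only on both sides of "@".
    "ORIG_NAME_ADDRESS_EQUAL": re.compile(
        r"""["']?(\w+@\w+\.\w+)["']?\s*<\1>""", re.I),
    "ORIG_NAME_CONTAINS_ADDRESS": re.compile(
        r"""["']?(\w+@\w+\.\w+)["']?\s*<""", re.I),
    # The anchored replacements proposed in the reply.
    "NAME_ADDRESS_EQUAL": re.compile(
        r"""^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*<\1>""", re.I),
    "NAME_CONTAINS_ADDRESS": re.compile(
        r"""^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*<""", re.I),
    # __PDS_FROM_2_EMAILS from John Hardin's sandbox, header regex only
    # (the !__VIA_ML, !__VIA_RESIGNER ... exclusions of the meta are not
    # reproduced here).
    "PDS_FROM_2_EMAILS": re.compile(
        r"^\W+([\w+.-]+@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*@",
        re.I),
}


def evaluate(from_header):
    """Return {rule_name: bool} for one raw From: header value.

    A SpamAssassin 'header X From =~ /.../' rule is an unanchored Perl match,
    which re.search reproduces. The From:name / From:addr pseudo-headers used
    by FROM_SPOOF_SENDER1 depend on SpamAssassin's own address parsing and
    are not modelled here.
    """
    hits = {name: rx.search(from_header) is not None
            for name, rx in SUBRULES.items()}
    # JC's metas, first over the original sub-rules ...
    hits["ORIG_FROM_SPOOF_SENDER2"] = (hits["ORIG_NAME_CONTAINS_ADDRESS"]
                                       and not hits["ORIG_NAME_ADDRESS_EQUAL"])
    # ... then over the anchored ones.
    hits["FROM_SPOOF_SENDER2"] = (hits["NAME_CONTAINS_ADDRESS"]
                                  and not hits["NAME_ADDRESS_EQUAL"])
    hits["FROM_ADDRESS_TWICE"] = (hits["NAME_CONTAINS_ADDRESS"]
                                  and hits["NAME_ADDRESS_EQUAL"])
    return hits


# Constructed sample From: values (made up for this example; the thread's
# addresses are truncated, so full dummy ones are used instead).
SAMPLES = {
    "spoof, plain":       '"user@companya.com" <user@companyb.com>',
    "spoof, subdomain":   '"user@sub.companya.com" <user@companyb.com>',
    "spoof, dash":        '"user@company-a.com" <user@companyb.com>',
    "legit, dotted user": '"first.last@companya.com" <first.last@companya.com>',
    "legit, unquoted":    'user@companya.com <user@companya.com>',
    "legit, plain name":  'John Doe <john.doe@example.com>',
}

METAS = ("ORIG_FROM_SPOOF_SENDER2", "FROM_SPOOF_SENDER2",
         "FROM_ADDRESS_TWICE", "PDS_FROM_2_EMAILS")


def fired_metas(from_header):
    """Names of the metas (plus the PDS sub-rule) that fire on a header."""
    hits = evaluate(from_header)
    return [m for m in METAS if hits[m]]


if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:20} {hdr:55} -> {', '.join(fired_metas(hdr)) or '-'}")
```

Running it shows the behaviour described in the reply: the original sub-rules miss the subdomain and dashed-domain spoofs and raise FROM_SPOOF_SENDER2 on the dotted "first.last" address, while the anchored variants catch all three spoofs and classify the dotted case as FROM_ADDRESS_TWICE; the PDS regex fires on the same three spoofs and on none of the legitimate samples. This only exercises the regexes; the rules themselves still need `spamassassin --lint` and a run with `spamassassin -t` over a real message before going into production.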