> Hello all, I was the original poster of this topic but was away for a
> couple of days.
> I find it amazing to see the number of suggestions and ideas that have
> come up here.
>
> However none of the constructions matched "my" From: lines of the form
>
> From: "Firstname Lastname@" <recipient-domain.com
> sendern...@real-senders-domain.com
> <mailto:sendern...@real-senders-domain.com>>
>
> I therefore now constructed the following rules:
>
> describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
> header  __FROM_NAME_CONTAINS_AT From:name =~ /\@/
> describe __FROM_MULTIPLE_ADDR address part of FROM contains more than
> one mail address (additional text)
> header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
>

My comments in this mail are only about the
"us...@companya.com" <us...@companyb.com>
situation, not about actual double from addresses.

> describe __FROM_NAME_ADDRESS_EQUAL constructions like
> "us...@companya.com" <us...@companyb.com>
> header  __FROM_NAME_ADDRESS_EQUAL From =~
> /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
> header  __FROM_NAME_CONTAINS_ADDRESS From =~
> /["']?(\w+@\w+\.\w+)["']?\s*\</i

The above rules do not catch:
"us...@sub.companya.com" <us...@companyb.com>
"us...@company-a.com" <us...@companyb.com>

And give false positive on:
"first.l...@companya.com" <first.l...@companya.com>
(or other non word chars in the user part)

So you could allow more characters in the user part of the e-mail address
and dots and dashes in the domain part. Also anchor the beginning to
prevent partial matches (which caused the false positives on
first.l...@companya.com instead of just not hitting at all).

header      __FROM_NAME_ADDRESS_EQUAL From =~
/^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\<\1\>/i
header      __FROM_NAME_CONTAINS_ADDRESS From =~
/^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\</i

>
> meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
> meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && !
> __FROM_NAME_ADDRESS_EQUAL

It looks like the FROM_SPOOF_SENDER2 rule has the same intention as a rule
currently in testing: T_PDS_FROM_2_EMAILS

Which is in John Hardin's sandbox with note: Paul Stead on SA list 11/2014

header     __PDS_FROM_2_EMAILS      From =~
/^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
meta       PDS_FROM_2_EMAILS        __PDS_FROM_2_EMAILS && !__VIA_ML &&
!__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD

> meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS &&
> __FROM_NAME_ADDRESS_EQUAL
>
> (the last META could even get a slightly negative score, I occasionally
> see people entering their email address in the name field).
>
> and am now waiting to see some hits. I consider the risk of false
> positives low in this case, if these METAs are matched somebody is
> trying to trick you.
>
> Regards JC
>
>
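As an added illustration (not code from this thread or from SpamAssassin itself), here are the original and revised __FROM_NAME_CONTAINS_ADDRESS / __FROM_NAME_ADDRESS_EQUAL regexes run side by side in Python's re against constructed From: values for each case discussed above. The Perl-to-Python translation (re.search for the unanchored header match, re.I for /i) and the "user"/"first.last" sample local parts are my assumptions.

```python
import re

# Original rules from the quoted post, as Python regexes (SpamAssassin's
# "From =~ /.../i" header match is unanchored, hence re.search + re.I).
ORIG_CONTAINS = re.compile(r'["\']?(\w+@\w+\.\w+)["\']?\s*<', re.I)
ORIG_EQUAL = re.compile(r'["\']?(\w+@\w+\.\w+)["\']?\s*<\1>', re.I)

# Revised rules from the reply: dots, plus and dashes allowed in the user
# part, dots and dashes in the domain, and the match anchored at the start
# of the header value so it cannot begin in the middle of "first.last".
NEW_CONTAINS = re.compile(r'^["\']?([\w.+\-]+@[\w\-.]+\.\w+)["\']?\s*<', re.I)
NEW_EQUAL = re.compile(r'^["\']?([\w.+\-]+@[\w\-.]+\.\w+)["\']?\s*<\1>', re.I)


def classify(from_value, contains=NEW_CONTAINS, equal=NEW_EQUAL):
    """Mirror the two meta rules built on these sub-rules.

    Returns "spoof" for FROM_SPOOF_SENDER2 (name carries an address that
    differs from the real one), "address_twice" for FROM_ADDRESS_TWICE
    (name merely repeats the real address), or None when neither fires.
    """
    has_addr_in_name = contains.search(from_value) is not None
    name_equals_addr = equal.search(from_value) is not None
    if has_addr_in_name and name_equals_addr:
        return "address_twice"
    if has_addr_in_name:
        return "spoof"
    return None


# Constructed From: header values covering the cases raised in the thread,
# mapped to the verdict the revised rules should give.
SAMPLES = {
    '"user@companya.com" <user@companyb.com>': "spoof",
    '"user@sub.companya.com" <user@companyb.com>': "spoof",
    '"user@company-a.com" <user@companyb.com>': "spoof",
    '"first.last@companya.com" <first.last@companya.com>': "address_twice",
    '"John Doe" <john.doe@example.com>': None,
}


def compare_rulesets():
    """Return {header: (original verdict, revised verdict)} for each sample."""
    return {h: (classify(h, ORIG_CONTAINS, ORIG_EQUAL), classify(h))
            for h in SAMPLES}


if __name__ == "__main__":
    for header, (old, new) in compare_rulesets().items():
        print(f"{header}\n  original: {old!s:14} revised: {new}")
```

Running it shows the original pair missing the subdomain and dashed-domain cases and flagging the harmless first.last repeat as a spoof, while the anchored versions give the intended verdict on all five.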

