After your first time being a victim of cyberstalking you'll soon enough wish your "from" line was as generic as mine. People who put their full name in the From: line haven't been mugged yet. I spent a year learning about this in 1985-1986.

As a byproduct of this habit of mine, when I see a "To: John" or other name than mine it's automatically spam, especially when it cannot even get the gender right.

{^_-}

On 2018-01-19 08:10, sha...@shanew.net wrote:
I've got a basic plugin written for this now, but I'd like to do a
little more testing before I make it widely available.  If you have
mail samples (ham or spam) with an "@" character in the name part of
the From field that you're willing to share, let me know.

BTW, I've already run into some false-positive situations, the most
common being things from yahoogroups, which apparently writes the
"true" sender address in the name part of From (they also dkim sign,
so not too hard to work around).  I started trying to handle these in
the plugin itself, but I'm beginning to think these would be better as
separate rules and then combined as metas to mitigate the actual
mismatch score.


On Wed, 17 Jan 2018, David Jones wrote:

Would a plugin need to be created (or an existing one enhanced) to be able to detect this type of spoofed From header?

From:  "h...@hulumail.com !" <lany...@hotmail.com>

https://pastebin.com/vVhGjC8H

Does anyone else think this would be a good idea to make a rule that at least checks both the From:name and From:addr to see if there is an email address in the From:name and if the domain is different add some points?

We are seeing more and more of this now that SPF, DKIM, and DMARC are making it harder to spoof common/major brands that have properly implemented some or all of them.
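
The check discussed in this thread, sketched in Python as an added example (it is not the plugin mentioned above and not SpamAssassin code). The function names, the `trusted_relay` flag standing in for a separate DKIM-verified list rule, and all sample headers are constructed for illustration.

```python
import re

# Display name followed by an angle-bracketed address: "Name" <user@host>
FROM_RE = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$')
# Loose matcher for an address embedded in the display name; group 1 is its domain
NAME_ADDR_RE = re.compile(r'[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)')


def split_from(value):
    """Split a From: header value into (display name, address)."""
    m = FROM_RE.match(value)
    if not m:
        return "", value.strip()          # bare address, no display name
    return m.group("name").strip().strip('"'), m.group("addr")


def from_name_mismatch(value):
    """Return (name_domain, addr_domain) when From:name carries an address
    whose domain differs from the From:addr domain, else None."""
    name, addr = split_from(value)
    addr_dom = addr.rsplit("@", 1)[-1].lower()
    for m in NAME_ADDR_RE.finditer(name):
        name_dom = m.group(1).lower()
        if name_dom != addr_dom:          # exact match only, no subdomain logic
            return name_dom, addr_dom
    return None


def meta_hit(value, trusted_relay=False):
    """Meta-style combination: the mismatch counts only when no separate rule
    (for example a verified DKIM signature from a known list host) excuses it."""
    return from_name_mismatch(value) is not None and not trusted_relay


if __name__ == "__main__":
    samples = [  # constructed headers using reserved .example domains
        '"billing@brand.example !" <lucky77@freemail.example>',
        '"Jane Roe" <jane@corp.example>',
        '"jane@corp.example" <Jane@CORP.example>',
        '"member@isp.example [somelist]" <list-return@groups.example>',
    ]
    for s in samples:
        print(f"{s!r:70} -> {from_name_mismatch(s)}")
```

The list-relay sample still reports a mismatch from `from_name_mismatch`; it is `meta_hit(..., trusted_relay=True)` that suppresses it, which keeps the false-positive handling outside the mismatch check itself.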


