Note the clause "__F_DM2". Its purpose is to whitelist legit e-mail from known incompetent admins. You can remove the clause if you wish, and use the global whitelist.cf instead.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-------- Original Message --------
On 22 January 2018 4:05 PM, Rupert Gallagher <r...@protonmail.com> wrote:

> This is my current solution for a problem that has been discussed many times in this list.
> I wrote it last year, and it serves me well. Feel free to use it, if you find it useful.
>
> This part goes into your local.cf:
>
>     header   __F_DM1 eval:from_domains_mismatch()
>     header   __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
>     meta     F_DM ( __F_DM1 && ! __F_DM2 )
>     describe F_DM From:name domain mismatches From:addr domain
>     priority F_DM -1
>     score    F_DM 5.0
>
> This part goes into the general HeaderEval.pm:
>
>     $self->register_eval_rule("from_domains_mismatch");
>     [...]
>     sub from_domains_mismatch {
>       my ($self, $pms) = @_;
>       # Capture in list context: a failed match yields no value,
>       # so a stale $1 from an earlier match is never reused.
>       my ($fromAddrDomain) = $pms->get('From:addr') =~ /\@(.+)/;
>       my ($fromNameDomain) = $pms->get('From:name') =~ /\@([^\@\"\s]+)/;
>       $fromAddrDomain = "" unless defined $fromAddrDomain;
>       $fromNameDomain = "" unless defined $fromNameDomain;
>       dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>       if ( $fromNameDomain eq "" ) {
>         return 0; # all well
>       } else {
>         if ( $fromNameDomain eq $fromAddrDomain ) {
>           return 0; # all well, they match
>         } else {
>           return 1; # mismatch, possibly spam
>         }
>       }
>     }
>
> R.G.
>
> -------- Original Message --------
> On 17 January 2018 8:31 PM, David Jones <djo...@ena.com> wrote:
>
>> Would a plugin need to be created (or an existing one enhanced) to be able to detect this type of spoofed From header?
>>
>> From: "h...@hulumail.com !" <lany...@hotmail.com>
>>
>> https://pastebin.com/vVhGjC8H
>>
>> Does anyone else think this would be a good idea to make a rule that at least checks both the From:name and From:addr to see if there is an email address in the From:name and if the domain is different add some points?
>>
>> We are seeing more and more of this now that SPF, DKIM, and DMARC are making it harder to spoof common/major brands that have properly implemented some or all of them.
>>
>> David Jones
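
The F_DM logic from the thread, reproduced as a stand-alone Python harness so the heuristic can be tried on sample From headers before it is deployed. This is an added example, not code from the thread or from SpamAssassin. The function names mirror the rule names, the sample headers are constructed, and lowercasing the domains and stripping trailing punctuation go beyond the posted Perl.

```python
import re
from email.utils import parseaddr

# Patterns taken from the posted eval function and the __F_DM2 rule.
NAME_DOMAIN = re.compile(r'@([^@"\s]+)')
EXEMPT_ADDR = re.compile(r'@(pec|legalmail|telecompost)(\.[^.]+)?\.it')


def split_domains(from_header):
    """Return (name_domain, addr_domain), lowercased; '' when absent."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition('@')[2].lower() if '@' in addr else ''
    m = NAME_DOMAIN.search(name)
    # Assumption added here: domains compare case-insensitively and
    # punctuation glued to the end of the display-name address is dropped.
    name_domain = m.group(1).rstrip('.,;:!?').lower() if m else ''
    return name_domain, addr_domain


def from_domains_mismatch(from_header):
    """Equivalent of __F_DM1: the display name carries a different domain."""
    name_domain, addr_domain = split_domains(from_header)
    return bool(name_domain) and name_domain != addr_domain


def f_dm(from_header):
    """Equivalent of the F_DM meta rule: __F_DM1 && ! __F_DM2."""
    _, addr = parseaddr(from_header)
    return from_domains_mismatch(from_header) and not EXEMPT_ADDR.search(addr)


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"h@hulumail.example !" <lany@hotmail.example>',  # address in name, other domain
    'Support Team <help@shop.example>',               # no address in name
    '"billing@Shop.Example" <billing@shop.example>',  # same domain, different case
    '"info@comune.example" <office@legalmail.it>',    # mismatch, exempt sender
    'user@shop.example',                              # bare address, no name
]

if __name__ == '__main__':
    for header in SAMPLES:
        print(f'{"HIT " if f_dm(header) else "pass"}  {header}')
```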