Note the clause "__F_DM2". Its purpose is to whitelist legit e-mail from known 
incompetent admins. You can remove the clause if you wish, and use the global 
whitelist.cf instead.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-------- Original Message --------
On 22 January 2018 4:05 PM, Rupert Gallagher <r...@protonmail.com> wrote:

> This is my current solution for a problem that has been discussed many times 
> in this list.
> I wrote it last year, and it serves me well. Feel free to use it, if you find 
> it useful.
>
> This part goes into your local.cf:
>
> header   __F_DM1 eval:from_domains_mismatch()
> header   __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it$/
> meta       F_DM ( __F_DM1 && ! __F_DM2 )
> describe   F_DM From:name domain mismatches From:addr domain
> priority   F_DM -1
> score      F_DM 5.0
>
> This part goes into the general HeaderEval.pm:
>
> $self->register_eval_rule("from_domains_mismatch");
> [...]
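> sub from_domains_mismatch {
>   my ($self, $pms) = @_;
>   my $temp;
>   # Capture in list context: a failed match leaves the variable undefined
>   # instead of silently reusing $1 from an earlier successful match.
>   $temp = $pms->get('From:addr');
>   $temp = '' unless defined $temp;
>   my ($fromAddrDomain) = $temp =~ /\@(.+)/;
>   $fromAddrDomain = '' unless defined $fromAddrDomain;
>   $temp = $pms->get('From:name');
>   $temp = '' unless defined $temp;
>   my ($fromNameDomain) = $temp =~ /\@([^\@\"\s]+)/;
>   $fromNameDomain = '' unless defined $fromNameDomain;
>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>   if ( $fromNameDomain eq "" ) {
>      return 0; # all well
>   } else {
>      # domain names are case-insensitive
>      if( lc($fromNameDomain) eq lc($fromAddrDomain) ) {
>         return 0; # all well, they match
>      } else {
>         return 1; # mismatch, possibly spam
>      }
>   }
> }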
>
> R.G.
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>
> -------- Original Message --------
> On 17 January 2018 8:31 PM, David Jones <djo...@ena.com> wrote:
>
>> Would a plugin need to be created (or an existing one enhanced) to be
>> able to detect this type of spoofed From header?
>>
>> From: "h...@hulumail.com !" lany...@hotmail.com
>>
>> https://pastebin.com/vVhGjC8H
>>
>> Does anyone else think this would be a good idea to make a rule that at
>> least checks both the From:name and From:addr to see if there is an
>> email address in the From:name and if the domain is different add some
>> points?
>>
>> We are seeing more and more of this now that SPF, DKIM, and DMARC are
>> making it harder to spoof common/major brands that have properly
>> implemented some or all of them.
>>
>> David Jones
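
The name/address domain check and the exemption clause discussed in this thread, as a stand-alone Perl harness over constructed From headers. This is an added example, not code from the thread or from SpamAssassin; `split_from`, `f_dm` and the sample headers are assumptions made for illustration, and the exemption pattern is end-anchored and case-insensitive here.

```perl
#!/usr/bin/perl
# Added example: stand-alone harness, not SpamAssassin or thread code.
use strict;
use warnings;

# Hypothetical helper: simplified split of a From header into display name
# and address. Handles '"name" <addr>', 'name <addr>' and a bare 'addr' only.
sub split_from {
    my ($hdr) = @_;
    return ($1, $2) if $hdr =~ /^\s*"?(.*?)"?\s*<([^<>]+)>\s*$/;
    $hdr =~ s/^\s+|\s+$//g;
    return ('', $hdr);
}

# Hypothetical helper: same decision as the F_DM meta rule.
sub f_dm {
    my ($name, $addr) = split_from(shift);
    my ($addr_dom) = $addr =~ /\@(.+)/;
    my ($name_dom) = $name =~ /\@([^\@\"\s]+)/;
    return 0 unless defined $name_dom && defined $addr_dom;  # no address in name
    return 0 if lc($name_dom) eq lc($addr_dom);              # domains agree
    # Exemption anchored at the end so only real .it hosts are skipped.
    return 0 if $addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it$/i;
    return 1;
}

# Constructed sample headers; all domains except the exempt one are placeholders.
my @samples = (
    [ '"billing@brand.example !" <someone@freemail.example>', 1 ],
    [ '"alice@corp.example" <alice@CORP.EXAMPLE>',            0 ],
    [ 'Bob Smith <bob@corp.example>',                         0 ],
    [ 'someone@freemail.example',                             0 ],
    [ '"info@ente.example" <ufficio@pec.it>',                 0 ],
    [ '"info@ente.example" <ufficio@pec.it.invalid>',         1 ],
);

for my $s (@samples) {
    my ($hdr, $want) = @$s;
    my $got = f_dm($hdr);
    die "unexpected result for $hdr\n" unless $got == $want;
    printf "%-58s F_DM=%d\n", $hdr, $got;
}
```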
